BreachExchange mailing list archives

Want 'perfect' security? Then threat data must be shared


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 May 2014 19:03:30 -0600

http://akamai.infoworld.com/t/cyber-crime/want-perfect-security-then-threat-data-must-be-shared-242383

Here's a surprise for you: We actually have a fairly good understanding of
who is attacking us on the Internet and why. Various entities know not only
which groups are doing the attacking, but also the names of the people in
those groups. They know where they live, who their family members are,
where they went to school, and when they go on vacation.

A great example of this is the Russian Business Network crimeware group.
With a little searching, you can find a decade of evidence trails, pictures
of the leader, and even business relationships. Want to see who's sending
all that spam? Then check this link out. Want to know who is doing most of
the industrial espionage? Then read this report. They even give you the
hacker's physical address.

When I tell friends about this, especially after their computer has been
thoroughly compromised, they ask the obvious: Why aren't these criminals in
jail?

The answer is pretty easy. For the most part, these criminals work across
international borders, so there are issues of legal jurisdiction -- and
their home countries often can't or don't want to stop them. Even if we
have all the evidence in the world, we can't just invade a country and
arrest its citizens. Yes, many countries do have treaties that support
extradition, but most countries don't. Not surprisingly, the countries with
the most prolific hacking cultures don't, which is why most of the world's
malicious hackers live in them.

Persons of interest
Many industries have groups in which they share industry-targeted
information. For example, U.S. retailers share cyber threat data. Other
industries have been doing the same for years.

Most of the big anti-malware companies not only understand who is doing the
crime and what they are after, but know within minutes whenever one of
these groups initiates a new "campaign" (such as using a new malware
program or new phishing strategy) or when they are initiating from new IP
addresses.

There are literally a hundred companies and thousands of people that have a
pretty good understanding about the badness on the Internet. They can see
the new trends as they are happening. Individually, none of the groups has
all the information. But if you put all these groups together sharing
information we'd have a pretty good lock on all the bad guys.

So why isn't this information collected and shared with everyone
immediately?

The answer is that information and knowledge is valuable, and most
companies don't want to give away such telemetry for free. Information is
power. When a security company has that information, it's going to be
better at protecting us from those threats than we would be on our own.

I mean, it's great if you tell me that a new phishing campaign is underway
with the email subject line "Nude pictures of Kate Upton," but to be
honest, I'd rather my anti-malware product handle the email and block it
before it gets to my desktop. In fact, this is the way most anti-malware is
supposed to work. It just doesn't work super-accurately.

All together now
The real disconnect is that many times, a new malware campaign may take
just a few minutes to be noticed by one anti-malware vendor, but it may
take hours or even several days to be noticed by your particular
anti-malware vendor.

For example, I love to submit new malware files to VirusTotal. It takes
your suspected malicious files and runs them against dozens and dozens of
anti-malware programs. No matter what malicious file I submit, there are
always some anti-malware engines that recognize the malware and some that don't.
While writing this sentence, I submitted an old copy of the Melissa macro
virus from 1999. Only one out of the 51 anti-malware engines recognized it,
and it was not the one you would guess.

Why didn't more of them recognize it? I don't know. But what I do know is
that when I submit a brand new malware program, rarely does at least one
anti-malware engine fail to recognize it. Individually, each engine misses
stuff -- but together they are deadly accurate. Give me the collective
thoughts and information from all malware vendors, and I have nearly
perfect information. Give me less, and I end up with gaps.

I would love a world where all anti-malware vendors submitted their
verified telemetry with a centralized Internet service, which could be
queried by any software or device to deliver protection to end users.
VirusTotal does this on a limited scale, but we need more. Let's put all
this information into the cloud and make it accessible by anyone.
Anti-malware vendors would certainly use this enriched information -- and
produce products that will protect us better.

Instead, we have imperfect collectors, each in their own silos, trying to
use incomplete information to deliver perfect protection. It doesn't work
that way. It would be better if all the information collectors submitted
their information to the centralized database, improving the database as a
whole, and then used that improved database to better the world.

The current model isn't working. I have this fantasy where all buyers
refuse to buy inaccurate products (most of which promise us 100 percent
protection nonetheless). This would force all the individual vendors to
play better together, share more information. We would all benefit.

I have a dream, too.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
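The VirusTotal experiment in the article, and its argument that pooling every vendor's verdicts closes the gaps any single engine leaves, as an added worked example. This is editor-supplied code, not code from the article, InfoWorld, or VirusTotal: the engine names, sample names and verdicts are constructed, and only the VirusTotal v3 file-lookup URL and its x-apikey header are real. It builds reports in the shape of a v3 file lookup, parses them back, and then compares each engine's recall on its own with the recall of the pooled set, finishing with a greedy set cover that says which engines you would need to get to share.

```python
"""Pool per-engine antivirus verdicts the way VirusTotal reports them.

Added example for this archive page. It is not code from the article, from
InfoWorld or from VirusTotal. Engine names, sample names and verdicts below are
constructed; only the VirusTotal v3 file-lookup URL and the x-apikey header are
real. The JSON mimics the shape of a v3 file report
(data.attributes.last_analysis_results / last_analysis_stats).
"""
import hashlib
import json
import urllib.request
from typing import Dict, List

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
ENGINES = ["Engine-A", "Engine-B", "Engine-C", "Engine-D", "Engine-E"]  # hypothetical
DETECTED = {"malicious", "suspicious"}  # VirusTotal categories that count as a hit

# Constructed verdict table for four submissions the analyst believes are
# malicious: sample -> engine -> VirusTotal category ("malicious", "undetected",
# "timeout"). One sample, like the old Melissa copy in the article, is caught by
# a single engine; one is missed by everyone.
VERDICTS = {
    "old_macro_virus.doc": dict(zip(ENGINES, ["undetected", "undetected", "undetected", "timeout", "malicious"])),
    "phish_dropper.exe":   dict(zip(ENGINES, ["malicious", "malicious", "malicious", "undetected", "undetected"])),
    "new_campaign.js":     dict(zip(ENGINES, ["undetected", "malicious", "undetected", "malicious", "undetected"])),
    "unknown_dropper.pdf": dict(zip(ENGINES, ["undetected"] * 5)),
}


def lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build, without sending, the v3 hash lookup. Looking a hash up first avoids
    uploading a file that may itself contain sensitive data."""
    return urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})


def build_report(sha256: str, verdicts: Dict[str, str]) -> str:
    """Serialise a verdict row into the JSON shape a v3 file lookup returns."""
    results = {eng: {"engine_name": eng, "category": cat,
                     "result": "Trojan.Generic" if cat in DETECTED else None}
               for eng, cat in verdicts.items()}
    stats = {"malicious": sum(c in DETECTED for c in verdicts.values()),
             "undetected": sum(c == "undetected" for c in verdicts.values()),
             "timeout": sum(c == "timeout" for c in verdicts.values())}
    return json.dumps({"data": {"id": sha256, "type": "file", "attributes": {
        "last_analysis_results": results, "last_analysis_stats": stats}}})


def parse_report(report_json: str) -> Dict[str, bool]:
    """Map engine -> True if it flagged the file. A timeout or unsupported type is
    treated as a miss: for the defender, no verdict is the same as no detection."""
    attrs = json.loads(report_json)["data"]["attributes"]
    return {eng: r.get("category") in DETECTED
            for eng, r in attrs["last_analysis_results"].items()}


def detection_ratio(verdicts: Dict[str, bool]) -> str:
    """The familiar 'N/M engines' figure for one file."""
    return f"{sum(verdicts.values())}/{len(verdicts)}"


def per_engine_recall(reports: Dict[str, Dict[str, bool]]) -> Dict[str, float]:
    """Fraction of the submitted samples each engine catches on its own."""
    engines = sorted({e for v in reports.values() for e in v})
    return {e: sum(v.get(e, False) for v in reports.values()) / len(reports)
            for e in engines}


def pooled_recall(reports: Dict[str, Dict[str, bool]]) -> float:
    """Fraction caught by at least one engine: the 'all together now' figure."""
    return sum(any(v.values()) for v in reports.values()) / len(reports)


def minimal_engine_set(reports: Dict[str, Dict[str, bool]]) -> List[str]:
    """Greedy set cover: a small set of engines whose union still catches every
    sample that any engine catches, i.e. who you would need to get to share."""
    uncovered = {s for s, v in reports.items() if any(v.values())}
    engines = sorted({e for v in reports.values() for e in v})
    chosen: List[str] = []
    while uncovered:  # every uncovered sample is caught by some engine, so this terminates
        best = max(engines, key=lambda e: sum(reports[s].get(e, False) for s in uncovered))
        gained = {s for s in uncovered if reports[s].get(best, False)}
        chosen.append(best)
        uncovered -= gained
    return chosen


def parsed_sample_reports() -> Dict[str, Dict[str, bool]]:
    """Round-trip the constructed table through build_report/parse_report."""
    return {name: parse_report(build_report(hashlib.sha256(name.encode()).hexdigest(), row))
            for name, row in VERDICTS.items()}


if __name__ == "__main__":
    reports = parsed_sample_reports()
    for name, v in reports.items():
        print(f"{name:22s} {detection_ratio(v)}")
    print("per engine :", per_engine_recall(reports))
    print("pooled     :", pooled_recall(reports))
    print("pool these :", minimal_engine_set(reports))
```

On the constructed data the best single engine catches half of the samples while the pooled set catches three quarters, which is the article's point in numbers; the fourth sample, missed by every engine, is the caveat that a shared database narrows the gaps but does not make them disappear. Timeouts and unsupported file types are deliberately counted as misses, since a verdict that never arrives protects nobody.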
