Even with the Department of Homeland Security’s ability to push threat indicators at machine speed, top cyber experts say those machines can only take the nation’s cybersecurity posture so far.
Two DHS officials outlined how the agency’s automated indicator sharing is only part of a holistic practice the agency is preaching when it comes to protecting large-scale enterprise systems.
Thomas Millar, the chief of communications for DHS’s Computer Emergency Readiness Team said that even at machine speed, sharing indicators of compromise can only go so far in boosting security. By definition, such data is historical.
“Every indicator of compromise that we share is stale when we get it. That’s what makes an ‘indicator of compromise’ — it already happened to somebody,” Millar said Tuesday at the AFCEA Bethesda Cyber Technology Symposium “So, what you are basically doing at machine speed, you are shipping all the stuff around that you already saw somewhere else.”
However, Millar looks at the threat sharing as a way for companies to start a conversation with experts that can then suggest more advanced models for an organization’s specific pain points.
“All the free information sharing is a complimentary beverage that brings you into the community of knowledgeable, trustworthy people who have already operationalized it [and] set different anomalies and tripwires in their organization that they can share with you,” Millar said. “It gets you in the room, and then we talk about the more advanced things that you can do that don’t rely on indicators of compromise in order to protect their networks.”
Yet getting people in the room has been an early challenge for the AIS program.
John Felker, the director of the agency’s National Cybersecurity and Communications Integration Center said DHS has yet to receive a good number of threats from the private sector.
“We’re not getting a whole lot coming in,” Felker said. “We had AIS signups with [organizations] X,Y and Z, but they haven’t started sharing back with us yet, and I haven’t figured out why.”
One line of reasoning Felker posited was that companies are still wrestling with ways to trust the federal government with this information. The Cybersecurity Act of 2015 gives companies liability protection when sharing threat info, yet the private sector has been hesitant to fully jump into the program. Felker said this trust will come as the program continues.
“I have to establish a relationship with you,” Felker said. “If I establish a relationship with you, are you going to share with me right away? You’re not. Maybe a little. Over time, I want to develop a relationship with you.”
Millar said that trust on the private side needs to built from within. He advised companies to have one person that possess both highly technical and highly personal skills to work with threat exchanges when information sharing can only go so far.
“The whole point of all of this is to be part of a community and spend more time on people and processes, and not as much time on the tools,” he said. “You have to be receptive to what you learn from your peers.”
This knowledge is vital because even with the programs DHS has set up, Felker said there is only so much the agency can do to protect private systems.
“The NCCIC is not a cyber defender,” Felker said. “We are not responsible for defending your network. You are.”