How does your group compare with organizations like Infragard, which is another regional group that shares threat intelligence, as I understand it?
BENWAY: Infragard is led by the FBI and my understanding is they're a bit more strategic. There is some information shared but there is not the same level of open sharing and two-way communication, mostly due to liability concerns.
GUENTHER: If you look at the president's executive order and the whole thrust from the federal government, there's a recognition that the best kind of initiative starts in the private sector and then engages the government. When the government creates forums, to Charlie's point, it sometimes leads to a more restricted conversation. But we need a lot more information sharing of all types, and the ISACs (Information Sharing and Analysis Centers) are playing an important role on a large-scale basis, sector by sector.
BENWAY: We're not trying to compete with ISAC, Infragard or for-profit services. We're a nonprofit organization. We're really looking to fill the gaps in the marketplace and we're looking to complement other capabilities that enterprises have available to them.
You require members to sign a non-disclosure policy, which I presume helps people feel more comfortable about sharing high-level threat intelligence.
BENWAY: We have what's called the Participation Agreement which was negotiated by a council of all the founding members and every member signs this agreement. It does two things. Not only does it do what you just suggested, makes them feel comfortable, but it also gives them the authorization from their inside legal counsel and their management chain to participate and share information.
Is there an example you can give where ACSC threat intelligence helped an organization nip something in the bud?
BENWAY: I could give you several. At one Cyber Tuesday [members meet twice each month on Tuesdays] we had a member bring to the table the issue of vulnerabilities related to international domain-naming services, and the example that was used was www.google.com. The analyst threw up on the screen three versions of that URL, which all looked identical, and asked the security experts around the table which one was not real. It was difficult for anybody to figure out. It turned out to be the one that had a small mark under the g that looked like a piece of dirt on the screen. Everybody took that back and integrated that into their security awareness campaigns and some folks found employees had in fact clicked on a couple of these URLs which had malware behind them.
It's not just about the technology, after all. There's a tremendous human factor. We're all risks. We all create some of the vulnerabilities. On the other hand, that can be flipped on its head — we can be sensors too.