Information Sharing


Cybersecurity is a shared problem, and information sharing is critical to solving it. Most organizations do not have cybersecurity as their primary mission, meaning the onus is on vendors and the private and public sectors to contribute to and use trusted, shared intelligence that will augment and enhance our collective security defenses. Trellix has an extensive background in sharing cyber threat information through our products, our industry and our governmental partnerships.

Threat information is the lifeblood of cyber defense. Trellix supports robust, real-time sharing of threat data to help protect citizens and organizations from cyber-attacks, while at the same time working with law enforcement globally to respond to successful attacks. Yet information sharing needs to go beyond humans sharing information with each other. Sharing threat information should be an integral part of an adaptive and responsive network defense that does not require humans in every part of the loop. Every aspect of the network should be able to defend itself with information that is timely, actionable, responsive and shared at wire speeds. The implementation of cyber threat sharing standards allows us to improve our security defenses at a more manageable cost to the operational landscape. By using standard interfaces for data, data exchange and services, we help reduce costs while providing a foundation for the development of innovative advanced tools and data analysis.

Trellix believes that sharing threat information is one of the best ways to mitigate cyber threats while defeating cyber-attacks. We are members of key industry and governmental groups and activities that support information sharing. Examples include the IT Sector Coordinating Council, a public-private partnership run by the U.S. Department of Homeland Security (DHS). We are members of the Defense Industrial Base, an information sharing program with the U.S. Department of Defense.

We are a member of the Cyber Threat Alliance, a group of cybersecurity companies that collaborate on sharing cyber threat information for the purpose of improving defenses against advanced cyber adversaries across member organizations and their customers.

We are historically a founding member of the No More Ransom initiative, where, working with global law enforcement and cybersecurity companies, we provide a resource to assist victims of ransomware by finding and providing decryption keys.

We are leading and participating in various industry standards and guidance development efforts to improve the sharing of threat information. These efforts are run by organizations such as OASIS, DHS, NIST, NCCoE, IST RTF, NTIA, ISAO, Cybersecurity Coalition, MITRE, and FIRST. We have also open sourced our Data Exchange Layer communications fabric in order to allow tools in a network to communicate rapidly and effectively with each other.

Information sharing is an essential part of what we do and who we are.

Key Points

  • It is impossible for a single organization to have a clear view of all the potential threats, vulnerabilities and attacks across the globally connected environment. By acquiring and sharing cyber threat information with other trusted organizations, we get a better understanding of the actual threat landscape that we can apply to the benefit of our customers.
  • Cyber threats are not just a U.S. problem but a global epidemic, and as such, what we and the industry collectively develop should be equally useful. Products, processes and guidance must be applicable globally.
  • Sharing cyber threat information should use an outcomes-based approach as a mechanism to achieve specific security objectives.
  • Trellix believes information sharing between government and the private sector should be voluntary and mutually beneficial. To foster public-private information sharing, government should partner with industry to reduce legal and policy barriers that can impede information sharing.
  • Trellix believes developing threat sharing standards will benefit and advance the evolving cyber threat intelligence sharing and analysis ecosystem while providing a foundation for innovation. The establishment and use of standards, procedures and practices will allow for more interoperability between differing types of sharing organizations.
  • Trellix is actively participating and providing leadership in various cyber threat information sharing initiatives for our customers and the global community.

Recommendations

  • Trellix encourages the U.S. government to seek innovative ways to further grow the information sharing ecosystem.
  • Trellix believes that U.S. government efforts such as the DHS Automated Indicator Sharing capability have been useful in the past but do not go far enough. There is a need to move beyond simple indicators and provide a means for trusted community enrichment of the shared information. The Administration should double down on working with the private sector to further evolve the way cyber threat information is represented, enriched and distributed in a timely fashion. Doing so will help create a high-functioning ecosystem of information sharing that enables the public and private sectors to compete with global networks of sophisticated hackers.
  • Governments should be actively working together to share cybercrime related operational information to reduce the areas where cybercriminals can hide, while disrupting their operations and services globally. Alignment and focused collaboration at global governmental levels brings the transparency needed to properly respond in a timely manner.
  • As a member of the CISA Joint Cyber Defense Collaborative (JCDC), Trellix sees a future for sharing truly relevant operational intelligence in a way that is positive and constructive. The Collaborative is acting as a trusted community, sharing cyber threat intelligence in support of the JCDC’s mission of protecting the nation's critical functions. While the JCDC is in its early stages of development, it is clear it could easily become a model for other trusted communities to address cyber threats in their industry sectors or communities of interest.
  • Too few companies are actively sharing threat information with the government and among themselves or trusted industry partners. This restricts the realization of our goal: a high functioning ecosystem of information sharing that enables the public and private sectors to compete with global networks of sophisticated, malicious actors.
  • Policymakers should consider establishing tax credits that would incentivize businesses of all sizes to join information sharing and analysis organizations, such as ISACs or ISAOs, by providing refundable tax credits for costs associated with joining the appropriate sharing organizations.
  • Trellix encourages federal agencies to declassify larger categories of threat data and actively share them with the private sector. DHS should issue many more security clearances to qualified company representatives to enable access to the most sensitive, and potentially most valuable, pieces or classes of threat data.
  • Trellix encourages the U.S. government to push for a common operating architecture designed to improve the context of analysis, shorten workflows of the threat defense lifecycle, reduce complexities across security products and vendors, and increase the value of previously deployed applications.

Trellix believes cyber threat intelligence sharing is vital. We must work together to address and minimize the problems that cybercrime and nation-state activities cause in our digital ecosystem. The uses of the cyber ecosystem are changing and evolving. As such, we must prepare for our common defense by working together and sharing what we see and know.