In May of 2011, five Democratic senators sent a letter to U.S. Securities and Exchange Commission Chairwoman Mary Schapiro asking for a motion that would require companies to disclose their cyber risk. The intent is to protect investors by exposing information that will allow them to make more educated decisions. We need similar disclosure requirements about security breaches to help fortify our defenses.
Recent data breaches are a result of targeted attacks that start with a malware source and initial infection. Once inside, the program calls out to command and control systems and then moves laterally through the enterprise, infecting more hosts and seeking higher levels of privilege and direct access to valuable information. Targeted information is staged and exfiltrated across the network perimeter.
By definition, every targeted attack is unique, engineered specifically to infiltrate organizations and steal information, but they all follow similar patterns and leave trails. Collectively, we can follow these footprints and monitor the paths the bad guys use, but we need to share information about each breach to prevent future attacks.
Because of the economic potential, we know that even if we stop one attack it will just be re-routed to go after another target. The only way to battle these adversaries is to go on the offensive, and that requires sharing knowledge about the attacks - and the knowledge sharing has to span federal agencies and the private sector.
As an initial step, the government needs to create a clearinghouse of information that corporations can access if they agree to follow a set of rigid reporting requirements. We also need to mandate that corporations provide information about breaches to this clearinghouse. All information will be located centrally, and a communication and collaboration process will be put in place to keep track of each foreign fingerprint found on a corporation's network.
Companies should disclose both cyber intrusions and the forensics about such intrusions. This is essential to preventing these attacks from compromising the viability of our businesses and our national security interests.
While there are times when the federal government and private sector come together, this collaboration needs to be standardized. Today the government might warn an enterprise about suspicious activity, and leave it to the company to discover what's going on within its network. But that company is not required to circle back to verify the activity and share what was learned - which means no one is the wiser. Why not disclose the information collected?
While it's thrilling to see some teamwork on this front, the time has come to put the effort into motion. Right now the bad guys have the advantage.
Changing the balance of power requires working together better, sharing information, and committing to a better security posture by innovating technologies and improving our processes. We cannot treat breaches as individual threats anymore, but as pieces to a larger puzzle that will someday allow us to detect threats before they enter our networks.
Pearl Harbor was a crystallizing moment that proved the need for sharing military intelligence. In hindsight, the government learned that this single event was the result of a major intelligence lapse: misleading analysis, collection gaps, and adversaries giving false information in an attempt to muddle the picture.
In the cyber world, we've had a series of smaller crystallizing moments that are serving as warning signs. We shouldn't need a crippling event like Pearl Harbor to prod us into action. We're seeing signs, so we cannot sit back and wait. Data breaches can be prevented with appropriate analysis, information and collaboration, and sharing information is the first step in understanding and preventing future breaches.
Since 2002 Fidelis Security Systems has been providing organizations with the network visibility, analysis and control necessary to manage advanced threats and prevent data breaches.