Threat Intelligence Sharing: The Only Way to Combat Our Growing Skills Gap

Despite phenomenal growth, continued investment and a proliferation of new technologies, the cybersecurity industry is still fighting its biggest challenge yet – that of finding and retaining talented security professionals.

The cybersecurity skills gap is serious and growing – Frost & Sullivan forecasts a shortfall of 1.5 million IT security staff by 2020. In order to overcome this problem, it’s vital that the industry find ways to work together more effectively. Rather than just being a fad, the sharing of threat intelligence is a key step in learning how to pool our resources more effectively so that we can stay ahead of the hackers.

Considering our fascination with technology, the high salaries and the hundreds of jobs available, it seems strange that there is such a severe skills shortage in the IT security industry. Yet companies are finding it extremely difficult to find skilled IT security professionals and when they do, they have trouble retaining them. Some vendors estimate that there are already more than one million unfilled security jobs around the world, and many believe that this shortage will worsen in the next few years, as immigration rules make it more difficult to recruit people outside of the EU. To address this gap, companies will have to become more creative in how they attract talent, and forge close alliances with educational institutes to build a pipeline of fresh graduates.

However, such changes could take years to realize – while in the meantime, we can expect that hackers will continue to become more organized, better-funded and increasingly able to harness sophisticated techniques. So to really turn a corner in our fight against cybercrime, the industry needs a complete cultural change.

Just like different emergency services all come together in a crisis, or members of a community look out for each other as part of a neighborhood watch, we can achieve more when we work together.

Look at the recent collaboration between leading security companies who tracked and unveiled the bad actors behind the 2014 Sony Pictures hack. The Lazarus Group was responsible for a lot of malicious activity beyond the infamous Sony hack, such as a devastating attack conducted against companies in the financial and media sectors in 2013. The tactics used by this group were vast and advanced, including an extensive toolset for delivering malware, with capabilities including DDoS malware, keyloggers, RATs and even a P2P malware family that allows operators to establish remote administration across infected machines.

This kind of threat is far too complex for a single security team to really understand. However, by working together and pooling their knowledge, the researchers behind Operation Blockbuster were able to put the pieces of the puzzle together and reveal the full scale of malicious activity undertaken by the Lazarus Group.

But beyond such flagship projects, what is the situation on the ground? Lots of organizations share threat intelligence with the government and expect to be kept updated on malicious activity which could affect them. According to the results of a recent survey, 34% of security professionals view the government as a trusted partner when it comes to protecting their business from hostile nations and major threats. But over three quarters (81%) viewed this relationship as a one-way street, by saying that the government in return needs to share more threat intelligence with the private sector.

As with sharing any sort of sensitive information, it’s clear that swapping information on cyber threats requires a degree of trust. This explains the current trend towards sharing of threat intelligence within individual sectors, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), and similar initiatives developing in other sectors such as healthcare and automotive. These groups are a great start, and can address each industry’s specific threats and concerns, but in order to really collaborate, the infosec community needs to take this a step further and begin to share threat data across industries.

So what’s stopping us? One of the main factors might be that people are nervous about inadvertently exposing sensitive company information when sharing threat intelligence. While this is a legitimate concern for many, it doesn’t need to cover the entire spectrum of threat intelligence, because items such as hash values, suspicious IP addresses and domain names can easily be shared without exposing any internal information.
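The point above, as an added example that is not part of the original article: an allow-list filter that copies only hashes, external IP addresses and external domain names out of an internal alert, so hostnames, usernames and internal addresses never leave the organization. The alert field names, the internal network ranges and the `.corp.example` suffix are assumptions, and the sample alert is constructed.

```python
import ipaddress
import re

# Assumed internal address space and DNS suffixes of the sharing organization.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example", ".local")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample alert; every value is made up for this example.
SAMPLE_ALERT = {
    "analyst": "j.doe",
    "victim_host": "fin-ws-042.corp.example",
    "command_line": r"C:\Users\j.doe\invoice.exe /q",
    "file_hashes": ["AB" * 32, "not-a-hash"],
    "observed_ips": ["10.20.30.40", "203.0.113.77", "192.168.1.5",
                     "198.51.100.23", "not-an-ip"],
    "observed_domains": ["fin-ws-042.corp.example", "printer.local",
                         "Update-Check.example.net."],
}

def is_internal_ip(value):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(value)  # raises ValueError on malformed input
    return any(addr in net for net in INTERNAL_NETS)

def shareable_indicators(alert):
    """Return only externally observable indicators; all other fields are dropped."""
    out = {"sha256": [], "ip": [], "domain": []}
    for h in alert.get("file_hashes", []):
        if SHA256_RE.match(h):
            out["sha256"].append(h.lower())
    for ip in alert.get("observed_ips", []):
        try:
            if not is_internal_ip(ip):
                out["ip"].append(ip)
        except ValueError:
            continue  # malformed value: never forward unparsed text
    for d in alert.get("observed_domains", []):
        d = d.strip().lower().rstrip(".")
        # Prefix a dot so the bare internal zone name is caught as well.
        if "." in d and not ("." + d).endswith(INTERNAL_SUFFIXES):
            out["domain"].append(d)
    return {k: sorted(set(v)) for k, v in out.items()}

if __name__ == "__main__":
    print(shareable_indicators(SAMPLE_ALERT))
```

Because the function builds its output from three named fields rather than deleting known-sensitive ones, a new internal field added to the alert format later is excluded by default.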

Crowdsourcing threat intelligence is vital because no one vendor or researcher has all the answers. When you pool their collective resources, such as event logs, firewalls, IPS/IDS, proxies, etc., you start to get a holistic view of what's happening in the threat landscape, and this can significantly improve your security posture.

With shared insight, it’s much easier to prioritize the biggest threats to your organization, and effectively streamline processes. Without taking these measures, however, it’s difficult to see how the industry can overcome the chronic skills shortage and also turn the tables in our fight against the latest threats.
