Breaking Down Security Silos with Standards and Coalitions

Ask any chief security officer which is more difficult: Defending against cyber attacks or getting all of the elements of his or her organization’s security systems and tools to work well together? This isn’t really a fair question, of course, because achieving the cyber defense goal ultimately depends on first addressing the component integration challenge.

And as any CSO will tell you, achieving security component integration and optimization can be a devilishly difficult undertaking.

Many mid-to-large-sized organizations have amassed a collection of cyber security tools over the years, often in a disjointed, uncoordinated fashion. The resulting security infrastructures may even include many best-of-breed tools, but they often reside in operational silos that don’t communicate easily, if at all, with one another.

The inability of security tools and solutions from different vendors to play well together has many negative consequences. At a minimum, getting the disparate components to share threat information and team up in other ways means overburdened security professionals must do much integration and analysis manually. These tasks can cause the security team to become focused on security “trees” rather than the overall “forest” threat environment. Worst case, the gaps between security silos can result in open vulnerabilities that bad actors are ready and willing to exploit.

Meeting the Challenge

Broadly speaking, there are two interdependent ways to address the security interoperability problem.

First, following in the steps of other IT-related disciplines ranging from data storage to web services to networking, security vendors and their customers must agree upon and implement a comprehensive set of security standards.

Second, the tools vendors and service providers must put their competitions aside in some instances, not only to collectively embrace common standards but to collaborate and share information with one another to achieve the greater good of more universal and robust cyber security.

What’s obvious in theory, of course, is far from simple in practice. Consider that there are three types of entities involved in developing and/or promoting cyber security standards: 1) formal standards bodies such the Organization for the Advancement of Structured Information Standards (OASIS) and the International Standards Organization (ISO); 2) Federal agencies and departments such as the National Institute of Standards (NIST) and the Department of Homeland Security (DHS); and 3) individual security vendors or, preferably, coalitions of multiple security vendors.

Across all of these standards players – which sometimes collaborate and sometimes compete – there are dozens of existing, in-development, or proposed standards in the security interoperability space alone. Still, a few key standards have gained significant traction, including:

Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII), and Cyber Observable eXpression (CybOX). Collectively these three OASIS-driven standards are designed give tools a common language and common mechanisms to describe and share cyber threat information.

Open Command and Control (OpenC2). Another OASIS standard, OpenC2, aims to provide a standard way to respond to suspicious activity seen at endpoint devices and other systems.

As these and other security standards initiatives progress, security solution vendors have been gradually coming to terms with their own need to sometimes put down their swords and act as “frenemies.”

“Threat information sharing has been a challenge, since we and other vendors of intelligence products don’t want to give up our intellectual property,” acknowledges Aubrey Merchant-Dest, Federal Chief Technology Officer at Symantec. “That said, we all want to make our customers, our country, and other countries around the globe more secure.”

With cyber attack volumes and sophistication both increasing rapidly, security providers have been taking steps along a tightrope balanced between threat information sharing on one side and the indiscriminate divulging of proprietary IP on the other. One of the most successful efforts in this regard has been the Cyber Threat Alliance, launched by six leading security vendors, including Symantec, in 2014.

The alliance’s members, now numbering 16, have agreed to share cyber threat information with each other so that all member organizations can improve their respective security solutions and their customers’ defenses. Beyond sharing threat information, the Cyber Threat Alliance members are also collaborating on research into identifying and countering specific threats.

Still, given the fluid and unsettled state of many cyber security standards, it can be difficult for companies to determine what to look for when purchasing security tools and services. As is the case in other standards areas, the most certain course of action is to buy comprehensive solutions from a single vendor who can assure that all of the elements work well together.

That said, it simply isn’t practical or possible to sole-source security solutions that address every security need, meaning that organizations must do their best to stay abreast of key security standards activity and adoption. Meanwhile, and somewhat ironically, one of the safest courses of action isn’t directly tied to any specific standard or combination of such standards.

“The number one thing I’d do from square one when purchasing security solutions is to ensure that everything I buy has a standard set of APIs built into the products,” says Merchant-Dest. He notes that many vendors, Symantec included, are adopting representational state transfer (REST) as a preferred architectural style and API mechanism. “Once you have that standard API foundation, you can then look for a product’s adoption of more-targeted security standards,” he advises.