5. Sharing of Threat Intelligence

Open Platform, Standards-Based Approach to Sharing Threat Intel

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough at detecting, remediating or investigating incidents, especially at scale. New solutions are needed that enable IT operations and incident response teams to move more quickly and act smarter across distributed networks, distributed clouds and OS platforms while maintaining scalable performance.

The government would also benefit from reexamining the thinking behind how it approaches cybersecurity. A reevaluation of the efficacy of siloed efforts could help the government move from a layered approach to a more holistic approach. Siloed tools—which collect fragmented and outdated data—create a disconnect between the detection and remediation of security issues, making it much more difficult to boost the cybersecurity posture of the government as a whole.

Threat intelligence sharing requires technologies and platforms that are open, structured and designed to support popular industry standards and formats. They need to provide the necessary hooks and APIs to structure and feed information into any external system of authority for analysis, correlation, visualization and reporting as needed. Equally important, essential technology platforms must provide native support to edit and consolidate threat intelligence in the form of standards-based Indicators of Compromise (IOCs), including Yara, TAXII, OpenIOC and IOCBucket, which allows the immediate use and customization of new IOCs as soon as they are published. This open platform, standards-based approach is critical to ensure technologies can easily adapt to—and facilitate—the rapid sharing and deployment of threat intelligence to combat rapidly evolving threats.
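As an added illustration of the "consolidate standards-based IOCs as soon as they are published" point (example code written for this page, not part of the submission or any vendor product), the following Python reads a constructed OpenIOC 1.0 document and converts its file-content items into a YARA rule, carrying hash-only items as rule metadata. The sample indicator values, the ids and the `FileItem/...` search terms chosen are constructed for the demonstration and are not real threat data.

```python
import xml.etree.ElementTree as ET

# Constructed OpenIOC 1.0 document: sample values only, not a real indicator.
SAMPLE_OPENIOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="sample-0001">
  <short_description>Constructed sample IOC</short_description>
  <definition>
    <Indicator operator="OR" id="sample-0002">
      <IndicatorItem id="sample-0003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="sample-0004" condition="contains">
        <Context document="FileItem" search="FileItem/StringList/string" type="mir"/>
        <Content type="string">EXAMPLE_MUTEX_NAME</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

def parse_openioc(xml_text):
    """Return (ioc_id, description, [(search, condition, content_type, value), ...])."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        items.append((ctx.get("search"), item.get("condition"),
                      content.get("type"), content.text.strip()))
    desc = root.findtext("ioc:short_description", default="", namespaces=NS)
    return root.get("id"), desc, items

def openioc_to_yara(ioc_id, desc, items):
    """Emit one YARA rule: string items become $s strings, hash items become
    metadata (a file hash cannot be expressed as a YARA string pattern)."""
    esc = lambda v: v.replace("\\", "\\\\").replace('"', '\\"')  # YARA string escaping
    meta = [f'        description = "{esc(desc)}"', f'        openioc_id = "{esc(ioc_id)}"']
    strings = []
    for i, (search, _cond, ctype, value) in enumerate(items):
        if ctype == "string" and search == "FileItem/StringList/string":
            strings.append(f'        $s{i} = "{esc(value)}" ascii wide')
        elif ctype == "md5":
            meta.append(f'        md5_{i} = "{esc(value)}"')
    rule = [f"rule openioc_{ioc_id.replace('-', '_')}", "{", "    meta:"] + meta
    if strings:  # only content-based items can drive the match condition
        rule += ["    strings:"] + strings + ["    condition:", "        any of them"]
    else:
        rule += ["    condition:", "        false"]  # nothing to match on; metadata only
    return "\n".join(rule + ["}"])

def convert(xml_text):
    return openioc_to_yara(*parse_openioc(xml_text))
```

Feeding `convert(SAMPLE_OPENIOC)` to `yarac` compiles it as-is; items whose `search` term the converter does not recognise are deliberately dropped rather than guessed at.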

Public Input
Idea No. 144