Ransomware

One of the great myths of executive travel is the benefit of racking up hospitality rewards for grand vacations in Fiji or the Swiss Alps. In reality, trips are frequent, exhausting and sometimes bound for undesirable destinations that present a slew of security issues.

Travel Security Challenges and Best Practices

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices.

It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Bring a Bat Phone

Ideally, you would never take your own phone on a trip. Instead, take a burner phone that contains no personal data. Cybercriminals can use information you may not consider sensitive to facilitate attacks or steal your identity. They can use your contact list, phone call history, texts, personal email and calendar to target other members of your organization or compromise even more sensitive data.

Do not leave any IT device, including mobile phones, unattended. Hotel safes offer little protection from determined attackers, corrupt hotel employees or the host government. If you must leave your things unattended for social or cultural reasons, assign a trusted member of your party to watch all computer and communications gear. If possible, leave them secured at the local embassy or consulate.

Consider disabling your computer’s USB ports as well. You should also use a video camera cover, a laptop screen privacy cover and microphone jack disabler.

Software Security

Be sure to complete virus definition and patch update activities before your departure. Always assume your devices will be compromised upon arrival. In addition to local intelligence services, you may be targeted by agencies from other nations, criminal organizations and commercial competitors.

To avoid a compromise, review and harden the software build of all your equipment prior to your trip. This may include disabling unnecessary features such as the microphone, camera and Bluetooth capabilities.

You should expect any online services you use to be compromised the moment you arrive, but there are steps you can take to protect yourself. Have an assistant forward email to a temporary account that you will delete once you return home, for example. Forwarded emails or excerpts should never contain sensitive information.

Additionally, never update software while connected to an untrusted access point. Disable Java and all noncritical plugins and only allow JavaScript on trusted sites. Don’t click on ads or pop-ups or open email attachments from untrusted senders.

Handling Classified Information

Deleting or moving sensitive information prior to travel is not always sufficient. Take a separate device when traveling to countries of concern so you can minimize the sensitive files — including email history — on your devices. Accept no media or files from untrusted parties, including your host. You can view files on your host’s devices when required.

Bring your PowerPoint or other documents to be shared with hosts on a USB drive, then securely dispose of the device when it’s no longer needed. Do not download files to a device in-country. Most importantly, be sure to promptly and securely delete files once they are no longer needed. Never plug anything into your computer that has been in contact with untrusted systems or media. Upon return, dispose of devices used in countries of concern, or at least have them forensically wiped and rebuilt.

Use strong encryption — including full-disk encryption — on all devices that will accept it to protect data at rest. However, you must recognize that these systems can be defeated. When a device passes through customs, for example, it is subject to inspection and may need to be powered up. If so, use trusted platform module (TPM)-based disk encryption and minimum Federal Information Processing Standard (FIPS) 140-2 level 3 devices or the highest level available.

It’s easier to follow these best practices if noncritical features and ports are disabled because it eliminates the social awkwardness of a perceived lack of trust. This awkwardness can be used as a social engineering attack vector.

Destination Unknown

Have devices transported to the local embassy of your destination in a diplomatic pouch, if possible. If your party can travel with an accredited diplomat, he or she can use diplomatic immunity to protect the entire party’s devices from inspection. If you cannot travel with an accredited diplomat, try to have one meet you at the airport ahead of customs.

Assume that hotel rooms, conference rooms, etc. are under video and audio surveillance at all times. Additionally, shredders that are made available to you can have hidden scanners that deliver the documents you are trying to destroy directly to cybercriminals. Similarly, all voice, data and text carried by local telecommunications companies can be compromised. Access all information via secure tunneling with strong end-to-end encryption vetted by your IT department or a competent consultant.

If you find that this system is not working when in-country, consider that an adversary may have disabled it to force you to use a less secure form of communication. Also consider that internet activity conducted through public terminals or wireless networks may point to real or perceived vulnerabilities that intelligence services or others could leverage to provoke, recruit or embarrass you.

Obviously, all these travel security insights and recommendations are not appropriate for every employee on every trip. But maintaining a high level of awareness and pre-travel preparation always provides added security and peace of mind.


Security Intelligence

To state the obvious, organizations of all shapes and sizes are under constant attack in cyberspace. Some ignore the risk, hoping that it will simply go away or that they won’t suffer a breach. Others opt to weather the storm even if a breach occurs, willingly risking their critical data. Others still deny that a breach would dramatically affect their business. Is this a risk your organization is willing to take?

Take Action to Protect Critical Data

Some forward-looking organizations focus on protecting their critical data assets because they are vital to their business operations and competitive positioning. These organizations understand they must protect critical data to sustain competitiveness in today’s global economy. Assets such as intellectual property, trade secrets, customer information, information about mergers and acquisitions, health information and other sensitive data are extremely valuable to cybercriminals.

Organizations are taking action to understand the type of data they possess, the value of that data to the organization, the controls that are in place and the potential impact to business processes should the data be breached or corrupted. They are implementing the controls required to protect these sensitive assets and monitor potential risks.


A Collaborative Effort

Discussion should not solely be focused on the type of controls in place, the number of patches applied or the number of incidents detected. We need to discuss potential business disruptions due to cyberattacks and the business processes that may be affected. Risk management should be a collaborative effort between business leaders and the IT team.

Are your line-of-business (LOB) owners and executives aware of the risk to their critical data? Do they know which LOBs carry the greatest risk, what sensitive data is at risk, how valuable the data is, who owns the data and which users are putting the data at risk?

Executive boards must understand the need to protect critical data — it’s no longer just an IT issue. In turn, IT leaders must make sure business leaders have the insight they need to protect their assets.

Learn More

For more information, check out the on-demand webinar titled “Stop Playing ‘Chicken’ With Your Data-Related Business Risk — Protect Your Critical Data.”

To learn more about why traditional security metrics are irrelevant to most executives, download the Gartner report titled “Develop Key Risk Indicators and Security Metrics That Influence Business Decision-Making.”


Security Intelligence

Welcome to “In Security,” the new web comic that takes a lighter look at the dark wave of threats crashing across business networks, endpoints, data and users. Click here for an introduction to the team and be sure to read Episode 001 and Episode 002.

EveryApp team visits the X-Force Cyber Range

Now that EveryApp has seen the Pandapocalypse attacks occur in real time, will they need to sing another chorus of “Where do we go from here?” next episode? Most likely!

How the Command Center Can Help

Network and IT security is no longer a point solution placed on the perimeter. It’s no longer one simple scenario that has a linear playbook of answers. Today’s malicious actors attack on all fronts of the ever-expanding enterprise. When businesses make a move to enable themselves with new technology, those that would cause harm won’t be far behind in exploiting any open and available sieves.

The EveryApp team made the right call to visit the Cambridge Command Center to assess the current threat landscape and learn the steps toward rapid remediation. But tomorrow will be a different day.

What about your organization? Are you prepared for today’s threats? What about tomorrow’s unknowns?

Learn More

Interested in learning more about how IBM’s X-Force Command Centers will help clients stay ahead of the most advanced threats? You can:

  • Visit the XFCC website.
  • Read the data sheet, “How IBM X-Force Command Centers Are Changing Security.”
  • Download the white paper, “The Role of Cyber Ranges and Capture the Flag Exercises in Security Incident Response Planning.”
  • Watch the video.


Security Intelligence

The TrickBot Trojan, which emerged in the wild only this summer, continues to widen its attack scope, spreading farther in its target geographies and developing new redirection attacks. The most recent additions to TrickBot’s redirection targets are three Canadian banks.

According to IBM X-Force researchers following the TrickBot Trojan’s ongoing technical advances, the malware operators frequently release new configurations. The gang continues to focus on the U.K. and Australia, but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.

TrickBot research

Figure 1: TrickBot’s current bank targets — per locale, per URL count (November 2016, IBM Security)

Redirection Attacks, Mafia Style

TrickBot is the fourth known gang-operated banking Trojan to bring redirection attacks to Canada. Redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its nefarious web browser manipulation techniques. At the time, Dyre targeted business accounts of a handful of banks in Canada. After Dyre’s disappearance, the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking in Canada, and now TrickBot is entering that same turf.

This matters because the only malware operators with the extra resources to build and carry out redirection attacks are the top-known organized cybercrime gangs in the fraud arena today. The fact that all these heavy hitters invest in attacks specific to Canadian banks suggests that those banks will see more attacks, more potential fraud and a level of operational sophistication comparable to organized crime.

These mob-style cybercrime gangs are higher up on the food chain of online fraud than other malware operators, and they are nothing short of devastating to individuals and businesses. To make stolen funds disappear, gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers to funnel stolen money from one account to another or act as money mules to cash the funds out.

Recent events in the news, such as the arrest of two Dridex gang members who were caught in October with access to more than 220 compromised U.K. bank accounts and £2.5 million, bring the concept to life. In a larger case made public in November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over $13 million in the past two years. In both cases, only the low-level crooks linked with these gangs’ activity were apprehended.

Canada’s Cybercrime Landscape

Given the rising threat from the most sophisticated malware gangs, it’s surprising that the Canadian government has yet to establish a federal reporting agency for financial cybercrime. This makes it rather difficult to tally specific complaints and losses. Overall, statistics from previous years are alarming: Canadian police observed a 40 percent increase in cybercrime incidents around the country between 2011 and 2013. That number has likely risen in the three years since.

Canadian businesses are also struggling with other types of cyberattacks. According to the Ponemon Institute’s “2016 Cost of a Data Breach Study: Canada,” Canada suffered the highest detection and escalation costs. The cost of a breach rose 12.5 percent for Canadian companies, and the average total cost of a breach was $6.03 million in 2016.

Canada weathers attacks from similar cybercrime groups as those observed on the global map. Commercial malware factions top the chart, followed by the organized crime groups that operate malware such as GootKit, Dridex, URLZone, GozNym and others.

Financial Malware Families 2016

Figure 2: Most active malware in Canada by attack volume (November 2016, IBM Security)

TrickBot Takes On Canada

At this time, TrickBot’s activity in Canada is only beginning, but the malware is advancing rapidly and aggressively, according to X-Force researchers. TrickBot’s operators appear to be connected to well-known spamming and infection services, use redirection attacks and seem to have some ties to the Dyre crew. For this reason, we expect to see this malware’s activity increase during the holiday season and into 2017.

For TrickBot indicators of compromise (IOCs), check out — and share — via X-Force Exchange. Banks looking for technology solutions to mitigate threats like TrickBot and other sophisticated malware are invited to learn more about the IBM Trusteer anti-fraud suite. As always, users should reference these security tips to mitigate threats like the TrickBot Trojan and reduce risk.



Security Intelligence

IBM launched its IBM Security App Exchange at the tail end of 2015, so it has been live for almost a year now. We always thought the App Exchange had significant potential, but we’ve been blown away by its success with our customers and other security vendors. We now have security information and event management (SIEM) customers imploring other vendors to provide a QRadar app as a prerequisite to joining their security operations. It has also helped IBM demonstrate its security immune system in a tangible way.

App Exchange Offers Market Insights

The program has been so successful that we passed our 12-month target for third-party vendors and apps on the Exchange after only seven months. We are currently seeing approximate monthly totals of:

  • 3,500 downloads;
  • 35,000 visits; and
  • 11,000 unique visitors.

These numbers illustrate the App Exchange’s value to IBM customers, partners and the overall market. We’ve also trained over 90 security vendors in app development and have a vibrant backlog of third-party and IBM apps that we are planning to launch over the next few months.

One thing that was clear from the outset was the wide variety of security operations that the apps are addressing. This offers some interesting insights into what products are hot in the security market. While the IBM Security App Exchange is product-agnostic, it is currently dominated by apps for the QRadar Security Intelligence Platform, followed by IBM BigFix and IBM X-Force. Because QRadar sits right in the center of organizations’ threat detection and response processes, most systems involved in security operations should interface with it in some way.

Since the App Exchange launched, we’ve added over 70 apps that fall into the following broad categories:

  • Visualizations;
  • Threat Intelligence;
  • User Behavior Analytics (UBA);
  • Incident Response;
  • Endpoint Detection and Response;
  • Hunting;
  • Compliance Use Cases; and
  • Other Threat Detection Use Cases.

High Demand for Use Cases

The first set of stats shows the relative number of apps on the App Exchange in each category. Apps that fall into the categories of Threat Detection Use Cases and Compliance Use Cases account for more than half the offerings. Demand is high because these are the first use cases that most organizations address when implementing security operations.

The third most common set of apps falls into the category of User Behavior Analytics. The market is piping hot for these apps due to the fact that more than 50 percent of threats fall into this category. Demand for apps that fall into the Threat Intelligence category is similarly high.

App use representation on IBM Security App Exchange

Download Ratios

The second set of stats shows the relative ratio of app downloads in each category. Again, the top category is Threat Detection Use Cases. This is very closely followed by User Behavior Analytics, with both Visualizations and Threat Intelligence hot on its heels. It’s interesting that Visualizations ranks so high in downloads while the category includes a relatively small set of apps. This may represent an unmet need.

Of course, download statistics are skewed by the length of time some apps have been available on the App Exchange. QRadar UBA, for example, has only been available for four months, but is already the third most downloaded app. Some newer apps in the areas of Endpoint Detection and Response, Incident Response and Hunting, while low in volume and relative downloads, are growing quickly. It’ll be interesting to review this trend in another six months to a year.

Proportion of app downloads on IBM Security App Exchange

Key Takeaways

In summary, the key insights we can take away from this data are:

  • Threat Detection Use Cases, Threat Intelligence and User Behavior Analytics are at the forefront of most security programs.
  • Organizations place great value in threat, risk and incident visualizations, and there may be unmet demand in this area.
  • Compliance use cases are still an important foundation.
  • We’re starting to see a real pickup in areas of Endpoint Detection and Response, Hunting and Incident Response.

That’s just a sampling of the insights we can draw from the App Exchange statistics. We’ll continue to track the App Exchange’s development and shine a light on what apps are gaining traction in the market. Stay tuned!



Security Intelligence

“The number one challenge for security leaders today is reducing average incident response and resolution times.” — IBM IBV Cognitive Security Report

In November, IBM’s Institute for Business Value (IBV) released a report titled “Cybersecurity in the Cognitive Era: Priming Your Digital Immune System.” The report provides insights gleaned from a study of over 700 security leaders from across the globe and seeks to uncover the security challenges organizations face, all while shedding light on how to address them. The study also evaluated the impact of cognitive security solutions and gauged the industry’s current level of readiness for the oncoming cognitive era.

The study identified three main gaps that cognitive solutions might fill to improve an organization’s security posture: a speed gap to significantly improve incident response times, an intelligence gap to improve detection and incident response decision-making capabilities, and an accuracy gap to provide increased confidence to discriminate between events and true incidents.

A Short Primer on Cognitive Security

“Cognitive computing has the ability to tap into and make sense of security data that has previously been dark to an organization’s defenses, enabling security analysts to gain new insights and respond to threats with greater confidence at scale and speed,” wrote Marc van Zadelhoff in a previous article.

According to an IBM cognitive security white paper, this type of security is “characterized by technology that is able to understand, reason and learn.” In short, it is about analyzing security trends, distilling enormous volumes of data into information and further refining it into knowledge that can be turned into action.

The Incident Response Speed Gap

Respondents to the IBV study identified the speed gap as the top security challenge. Forty-five percent ranked reducing average incident response and resolution time as the top challenge today, and 53 percent identified the same area as the top challenge for the next two to three years.

45% (today) and 53% (next 2-3 years) say reducing average incident response time is the top challenge

This is somewhat surprising given the fact that 80 percent of the survey participants indicated that their incident response speeds have improved by an average of 16 percent in the past two years. Additionally, 37 percent believe that cognitive security solutions will significantly improve this response time.

Reading between the lines, security leaders have been pushing their teams to improve incident reaction times, but they also realize that the current level of improvement is inadequate to keep up with the ever-increasing pace of attacks. For that 37 percent of security leaders, cognitive security offers a ray of hope.

A Skills Gap Too?

It’s no secret that the cybersecurity field faces a skills gap of enormous proportions. In fact, Forbes estimated that the skills gap has reached 209,000 unfilled positions in the U.S. Additionally, a Cisco report tallied 1 million unfilled positions worldwide, a situation that’s unlikely to change anytime soon given the large volume of senior and highly seasoned security professionals preparing to retire and the relatively small investment in recruiting bright young minds into cybersecurity education and, eventually, cybersecurity careers.

The good news is that cognitive security solutions can help maximize the current workforce by reducing the amount of time before an anomaly is detected. They can provide better context and background information to those tasked with analyzing incidents.

Superhuman Capabilities

According to the IBM Cognitive Security white paper, “a cognitive system comprehends and processes new information at a speed that far surpasses any human.” It also noted that “cognitive computing is driving transformational change by harnessing not just data, but meaning, knowledge, process flows and progression of activity at a lightning-fast speed and scope.”

The prospect of turning over more of our incident response processes to machines might bring chills to those tasked with responding to incidents and analyzing their severity and impact. However, the goal isn’t to replace humans, but to supplement their capabilities, much like an exosuit turns a human into a superhuman. Cognitive security solutions can accomplish in minutes what would take human analysts hours or even days.

Cognitive technology is still in its infancy. Those who get there first, however, will likely reap a significant competitive advantage over those who take a wait-and-see approach. As the saying goes, you don’t have to run faster than the bear — you just have to run faster than the guy behind you. Can your business truly afford to take a wait-and-see approach?



Security Intelligence

As we approach Thanksgiving in the U.S., the one thing I look forward to the most — aside from turkey and spending time with my family — is football. As I watch the games, the security geek in me can’t help but notice some parallels between football and network security, particularly firewalls and intrusion prevention.

Network Security Playbook

During a passing play, for example, the tailback needs to protect the quarterback from any defender who breaks through the offensive line. That is critical to the success of the specific play and the quarterback’s long-term health. A firewall is like that offensive line. Even the latest next-generation firewalls (NGFW) occasionally allow threats to break through. Your organization needs a game plan for blocking those attacks that get past the firewall.

That’s why it makes sense to deploy a next-generation intrusion prevention system (IPS) behind your NGFW. By complementing the protection provided by a NGFW, the IPS can stop attacks that firewalls miss, such as those launched from within the enterprise, zero-day attacks, mutated threats, obfuscated exploits and attacks embedded in encrypted channels.

Why not use the built-in IPS capability found in most NGFWs? That’s certainly an option, if you take into account the additional performance overhead needed to power the IPS feature and size the NGFW properly for your network. But even so, don’t forget about the internal segments of your network that need protection as well.

This is an ideal use case for a standalone IPS, since it is a level 2 network device that just sits as a bump in the wire. There is no re-architecting needed to deploy it. You might also consider the fact that 55 percent of security professionals think that a standalone IPS is more effective than one built into a NGFW.


Teamwork Makes the Network

It is also important to remember that the IPS needs to be a good teammate to all the other security solutions you have already deployed, especially since it is capable of stopping threats at the point of attack. For example, your IPS should provide an out-of-the-box integration with your organization’s SIEM so that an attacker can be quarantined when an offense is detected.

Automating containment of threats reduces the spread of malware, halts an attacker’s subsequent lateral movement and stops additional data exfiltration. It’s important to choose an IPS that provides a web server application program interface (WSAPI) so that it can be integrated with the organization’s existing security products.

IBM Security Network Protection (XGS) is a next-generation intrusion prevention system that has a long track record of protecting against both known and unknown threats, often months or years before specific vulnerabilities are disclosed. Read our free solution brief, “A Firewall Is Just the Beginning When Securing Your Network,” to learn how you can significantly improve network security by deploying IBM XGS with your NGFW.


Security Intelligence

The holiday season is a time to reflect on what is really important in life and what brings us all together. That, of course, is identity governance.

IBM Security’s Identity Governance and Intelligence solution will be celebrated at three major upcoming events: the 2016 Gartner IAM Summit, a webinar focused on health care and an analyst webinar in which IBM will host Forrester. At each of these events, IBM will showcase its identity and access management (IAM) portfolio, including real-world use cases, product demonstrations, interactions with the experts and more.

Identity Governance and Intelligence Stars at Gartner IAM Summit

From Nov. 29 to Dec. 1, Gartner will host IAM vendors, business partners and customers in Las Vegas for its annual IAM Summit, arguably the largest IAM event of the year. As a major sponsor of the event, IBM will have a booth and is set to host two speaking sessions by Jason Keenaghan, program director of IAM Offering Management, and Eric Maass, director of IAM Cloud Services Strategy.

The theme of the IBM booth is “Security Starts with People.” It will feature ongoing demonstrations of IBM Security’s IAM solutions, including IBM Security Identity Governance and Intelligence, as well as experts in each area to answer any questions attendees may have. Please stop by one of IBM’s sessions or visit us at booth No. 301. We look forward to seeing you there.

IBM Takes On Health Care

On Dec. 5, IBM will host a webinar focused on governance and health care titled “Safeguard Healthcare Identities and Data With Identity Governance and Intelligence.” Believe it or not, health care is one of the hardest hit industries from an information security perspective due to the difficulty of managing and governing identities with so many complex systems in place.

Join this webinar to learn about IBM’s success in the health care industry with IBM Security Identity Governance and Intelligence, including integration with Epic and other complex electronic medical record (EMR) systems.


Dig Into IAM Trends

On Dec. 8, 2016, IBM is very proud to be hosting Andras Cser, vice president and principal analyst serving security and risk professionals at Forrester, for a webinar titled “Identity and Access Management: What Are the Trends? How Do You Solve Them?”

As the title suggests, Andras and IBM’s Jason Keenaghan will dig into the current trends in IAM and discuss how we can solve new issues as they arise. With a particular focus on identity governance and access management, and what promises to be a lively Q&A session at the end, this is one webinar you won’t want to miss.



Security Intelligence

There is little question that the perpetrators of cyberthreats spend little time thinking inside the box — that’s how they stay ahead of their victims. It’s time for some out-of-the-box thinking of our own to get serious about fighting back. It’s time for the democratization of cybersecurity data.

Here is the challenge to users, organizations and security vendors alike: First, we should aggressively democratize the threat data we all have and share it securely yet freely with each other. Second, we should pivot a full 180 degrees from the accepted practice of automatically classifying, by default, all cyberthreat data. Instead, we should declassify threat data by default. Hence, the democratization of cybersecurity data.

Thinking Outside the Box

Cybercrime information sharing is nothing new. Unfortunately, the wrong people have been doing the sharing, and they have elevated the practice to a commercial art form. Cooperating and collaborating on the Dark Web, the most sophisticated cybercriminals build and peddle attack software to each other. They even have seller ratings and rankings for their malware, with the most effective earning five stars. They offer gold, silver and bronze levels of service — even money-back guarantees if the malicious efforts fail.

With thieves as organized and sophisticated as they are, it is a small wonder that estimates of their annual take in illegal profits total $455 billion. These aren’t amateurs. The United Nations estimated that highly organized, well-funded criminal gangs account for 80 percent of breaches today.

For these and so many other good reasons, the time is now for businesses, governments and other organizations to elevate cyberthreat information sharing to entirely new levels. The public sector has initiated steps in this direction. Last year the U.S. passed the Cyber Information Security Act (CISA). Its goal is to help organizations share cyberthreat information and actual attack data anonymously and without fear of liability.

Democratization of Cybersecurity Data Dents Cybercrime

There are massive collections of cybercrime data largely kept under lock and key in individual organizations. Security vendors, including IBM, typically have the largest repositories.

Why has it been kept secret? Both security vendors and businesses tend to hold onto this data for its perceived competitive value. It is valuable to some extent, but the potential gains of having that much threat data and information can be an even more formidable competitive weapon. After all, it isn’t possessing the data that yields an advantage; it’s what each organization or vendor does with it.

This kind of sharing is not new in our business. The whole open source movement that gave us Linux, OpenStack, Hadoop, Spark and so much more resulted from aggressive information sharing. It can be the same with cyberthreat data. Large-scale sharing of threat data will signal a new high water mark in fighting cybercrime.

We are walking the walk at IBM, recognizing that we were as much a part of the problem as any other business or organization. That is why IBM published all of its actionable, third-party global threat data — all 700 terabytes of it. This includes real-time indicators of live attacks.

We believe the free consumption and sharing of real-time threat data from our repository can put a sizable dent in cybercrime efforts. Think of what else we can accomplish with the democratization of cybersecurity data.

Information Sharing at the Speed of Business

As mentioned earlier, sharing is only one part of the out-of-the-box thinking we need to adopt. We have to share this information as soon as possible, not weeks or months after a major breach.

The default action today is to immediately classify such information, rendering it unshareable until it is eventually declassified. Instead, put a timeline on classification of new threat data — maybe 48 or 72 hours, no more. If no valid, justifiable case is made for continued classification within that period, release it to be shared among other organizations. The aforementioned CISA spells out methods for doing this securely so the information doesn’t fall into the wrong hands.

We must abandon the Cold War mentality that leads us to classify all information and share nothing. We are all engaged in a very hot war with cybercriminals. Speed matters when it comes to using relevant data to stop active attacks and thwart future threats. Information sharing at the speed of business can be a formidable weapon — we just need to unleash it.



Security Intelligence

The 2016 presidential election put the spotlight on cybersecurity in a way that no one could have imagined ahead of time. When we looked at cybersecurity as an election issue earlier this year, the focus was on how cybersecurity policy in general might emerge as a campaign issue in relation to issues such as privacy and surveillance.

Instead, cybersecurity became a leading driver of the presidential campaign — including concerns about the security posture of the election itself. In the process, the election offered many cybersecurity lessons, and a year of teachable moments about protecting data and networks.

Cybersecurity Lessons From the Campaign Trail

Most recent public and business awareness about data security has revolved around personally identifiable information (PII), especially financial information such as credit card data. Consumers fear identity theft and companies fear theft of customers’ account data.

Thanks to the presidential election, we have all learned — again — that email is insecure. It can easily be compromised and released online with potentially dramatic consequences. It is unlikely that analysts will ever be able to conclude whether controversies over email had a major impact on the election, but the very word became an effective campaign slogan.

More Than Meets the Eye

At the basis of this surprising turn are issues related to how email is secured and the consequences of email being compromised, whether it contains classified materials or merely unguarded and potentially embarrassing remarks. These considerations figured into the high-profile Sony breach of 2014, but the election brought them back into the public spotlight. The lesson here is applicable beyond just email: All kinds of unstructured data, such as social media content, are potentially sensitive and potentially vulnerable to compromise.

Similarly, the cybersecurity lessons of the 2016 election extend to the election process itself. Worries about compromised voting machines are not entirely new, but they were front and center this year. The Department of Homeland Security (DHS) also warned that state election systems were being probed and encouraged officials to share information regarding election cybersecurity.

Cybersecurity in the National Spotlight

The 2016 election ultimately went smoothly, with unexpected results but no hint of cybercrime. U.S. elections are, in fact, difficult to breach. This is partly because they are decentralized, carried out by thousands of local authorities, and partly because voting machines are simple devices and not connected to the internet, even where votes are tabulated electronically.

Nevertheless, election security has now emerged as a key component of national security policy. Although there was little formal discussion about cybersecurity as a policy issue, the 2016 election offered countless cybersecurity lessons and informed the public about the need to protect all kinds of information, not just financial or health data.


Security Intelligence