Industry calls for more cyber threat context from DHS

The Department of Homeland Security is not providing enough context around the cyber threat indicators it shares with the private sector for firms to use the data effectively, industry leaders say.

"The sharing of individual indicators of compromise without context leaves practitioners asking more questions than having them answered," Intel Security Group vice president Scott Montgomery said at a March 9 hearing of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee.

"The ability to extract information from a generic individual [indicator of compromise], like a domain name, or a URL or a fingerprint of a file, unless the IOC is so damning…typically it's simply one of the needles in the pile of needles," he said.

While Montgomery said that industry and government are developing good "muscle memory" by increasing the amount of sharing, "what's actually being shared and its usefulness and its timeliness, yes, we do need to improve."

Jeffrey Greene, senior director of global government affairs and policy at Symantec said the company is in the process of evaluating whether to join DHS's automated information sharing program. He said they are trying to determine how much work it will take to make sense of the indicators shared by DHS.

"We're in a little different position just because of the volume of data that we get in through our own sensors -- a lot of information we have obtained on our own," he said.

Ryan Gillis, vice president of cybersecurity strategy and global policy for Palo Alto Networks and a member of the Cyber Threat Alliance, said participants are increasingly focused on context -- such as the phase of an attack, whether the indicator is linked to a known campaign -- when sharing indicators with alliance members.

He said DHS needs to adopt more of that technological best practice for automated information sharing to be more valuable to industry.

But, as a former DHS official, he said that making programmatic changes at DHS is not easy. "They're short-staffed and there's not a real customer service focus to outreach to the private sector and bring even willing participants on in a timely and effective manner," Gillis said.

He told FCW that DHS needs to work more closely with recipients to learn what data and context actually matters so they can plug that into their operations. He added that DHS needs to make clear at the top operational levels that the agency needs to focus more on gathering context from the providers of indicators and pushing that out to recipients.

DHS, which was not invited to participate in the hearing, told FCW by email that it is continuing to make improvements to AIS and more organizations are connecting to the system, which is still in its early stages.

"Input from our partners is essential in ensuring that AIS helps our public and private sector stakeholders manage cybersecurity risk," said DHS spokesperson Scott McConnell. "DHS will continue this essential collaboration to improve [automated information sharing]."

In addition to context, witnesses at the hearing said DHS needs to resist its "knee-jerk" reaction to over classify and hold back information around attacks and threats.

"By classifying the event, what we're doing is restricting the number of people who can lend assistance and also allowing the adversary to operate with impunity," Montgomery said.