Cybersecurity is among the most siloed disciplines in all of IT. The industry is exceedingly fragmented between many highly specialized companies. In fact, according to IBM estimates, the average enterprise uses 80 different products from 40 vendors. To put this in perspective, imagine a law enforcement officer trying to piece together the events surrounding a crime based solely on witness statements written in multiple languages — one in Chinese, another in Arabic, a third in Italian, etc. Security operations centers (SOCs) face a similar challenge all the time.

Security professionals are increasingly taking on the role of investigator, sorting through multiple data sources to track down slippery foes. Third-party integration tools don’t exist, so the customer is responsible for bringing together data from multiple sources and applying insights across an increasingly complex environment.

For example, a security team may need to coordinate access records with Lightweight Directory Access Protocol (LDAP) profiles, database access logs and network activity monitoring data to determine whether a suspicious behavior is legitimate or the work of an impostor. Security information may even need to be brought in from external sources such as social networks to validate an identity. The process is equivalent to performing a massive database join, but with incompatible data spread across a global network.

What Can We Learn About Collaboration From Threat Actors?

Organizations would be wise to observe the strategy of today’s threat actors, who freely share tactics, tools and vulnerabilities on the dark web, accelerating both the speed and impact of their attacks. As defenders of cybersecurity, we need to take a similar approach to sharing security information and building collaborative solutions that will address the evolving cybersecurity threat landscape.

This is easier said than done, as the cybersecurity industry has not been successful in enabling information to be shared, federated and contextualized in a way that drives effective security outcomes. But the barriers aren’t solely technical; corporate policies, customer privacy concerns and regulations all combine to inhibit information sharing. We must enable collaboration in ways that don’t undermine the interests of the collaborators.

Security information sharing is not only useful for threat management, but also for accurately determining IT risk, enabling secure business transformation, accelerating innovation, helping with continuous compliance and minimizing friction for end users. For example, organizations can leverage the identity context of an individual from multiple sources to evaluate the person’s reputation and minimize fraud for both new account creation and continuous transaction validation. This type of risk-based approach allows organizations to quickly support new initiatives, such as open banking application programming interfaces (APIs), and regulations, such as the European Union’s revised Payment Service Directive (PSD2).

The Keys to Building a Community Across Cybersecurity Silos

Sharing security data and insights and developing an ecosystem across cybersecurity silos is a transformational concept for the industry — one that requires people, process and technology adaptations. As organizations embrace secure digital transformations, security professionals need to adopt a risk-based approach to security management built on insights from several sources that include both technical and business contexts.

As security becomes more distributed within an organization, processes need to evolve to support integrated and collaborative operations. Sharing of data and insights will enable multiple business units to coordinate and deliver unified security. Technology needs to be API-driven and delivered as a service so it can integrate with others to facilitate sharing. Security solutions also need to evolve to deliver outcome-based security though capabilities that take advantage of data and insights from multiple vendors, platforms and locations.

The security industry is taking steps to address the complexity problem with standards designed to efficiently share data and insights. Standards such as STIX/TAXII, OpenC2 and CACAO are rapidly maturing and gaining adoption for their ability to enable vendors and their customers to choose what data to share. More than 50 cybersecurity vendors have adopted or plan to adopt STIX as a standard for data interchange, according to OASIS.

However, more work needs to be done. Standards and practices need to evolve to enable information sharing within and between industries, as well as ways to exchange methodologies, indicators of compromise (IoCs), response strategies and the like.

Finally, we need a cloud-based community platform that supports open standards-based collaboration for the delivery of integrated cybersecurity solutions. A platform-based approach will bring together people, process, tools, data and insights without expensive customization and integration projects. By increasing the adoption of such a platform, we can create a cybersecurity ecosystem that can address complexity, combat the evolving threat landscape and reduce the need for specialized security skills.

Bringing the Industry Together With IBM Security Connect

IBM has been on a journey to reduce complexity through a security immune system approach, enabling open collaboration through initiatives such as X-Force Exchange and Quad9, and driving open industry standards such as STIX/TAXII. We are furthering our commitment to strengthening cybersecurity with the recent announcement of IBM Security Connect, an open cloud platform for developing solutions based on distributed capabilities and federated data and insights.

Security Connect provides an open data integration service for sharing and normalizing threat intelligence, federated data searching across on-premises and cloud data repositories, and real-time sharing of security alerts, events and insights that can be leveraged by any integrated application or solution. This will pave the way for new methods of delivering innovative outcome-based security solutions powered by artificial intelligence (AI).

Clients and partners can take advantage of this open, cloud-native platform by combining their own data and insights with capabilities from IBM and other vendor technologies. We have already partnered with 15 major security software providers and look forward to adding more.

We are very excited about bringing this concept of data and insights collaboration to life, and grateful for the opportunity to bring cybersecurity silos together to reduce complexity and keep up with the evolving cybersecurity landscape. Early feedback has been gratifying, and we’d love to hear your comments and suggestions. I hope you will join us in this endeavor by learning more about IBM Security Connect and participating in the early field trial.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…