RSAC16: Security industry needs to do more, says Intel Security Group head

Chris Young calls on security industry to pay more attention to cyber threat intelligence sharing and encouraging people to become information security professionals

Intel Security Group head Chris Young has called on the security industry to do more to share threat intelligence and address the skills gap.

“We are all working hard to ensure that alarming headlines about cyber attacks do not come true, but at an industry level, there is certainly more we can do together,” he told the RSA Conference 2016 in San Francisco.

Young said greater focus is needed on threat intelligence sharing and the lack of cyber security skills because they are “material to the long-term success” of the security industry.

“They are also issues that we can address collectively,” he said. “They rise above anything that individual people or companies are involved in.”

Intelligence sharing is nothing new, said Young, but there are limitations on what has happened so far, and in the light of the complexity and volume of threats, there is an urgent need to scale up the response.

In the past 10 years, the number of new threats seen by McAfee Labs has increased from 25 a day to about 500,000, said Young. “Our response has to be of equal scale if we are going to meet our adversary,” he added.

To help meet this challenge, Intel Security has joined some of its competitors in the Cyber Threat Alliance (CTA) to work on threat intelligence sharing.

“We are doing this because we know we have got to solve this problem one way or the other,” said Young.

Working in the CTA, Intel Security has learned that it all starts with a focus on solving a particular problem rather than just assembling data that is not actionable, he said.

After making little progress, the CTA decided to focus on the single ransomware campaign using Cryptowall version 3, and by tracking accounts, the group saw there were bitcoin movements worth $325m between cyber criminals and their victims.

By focusing on the ransomware itself, the CTA was able to create countermeasures by combining the unique contributions of all its members, who each had different strengths based on their businesses and customer bases.

“Each member was able to benefit because we were able to come together and share information, such as the indicators of compromise that we found, all of which was published in a whitepaper for the entire industry to use and learn from,” said Young.

New business model

Intel Security also learned that to enable intelligence sharing, the security industry’s business model has to be redefined because “sharing as charity” will not work at scale, he said.

“I believe that we can still compete, and we can differentiate, not on the intelligence data itself, but on how we use it and put it into action,” said Young.

Intel Security also learned the importance of creating a platform to score the exchange of information to ensure equal-value contributions from all participants and to automate the process of turning the raw intelligence data into the countermeasures that need to be deployed.

“What we found in the CTA on Cryptowall, we were able to turn into blocked IP addresses and updates that we were able to deploy on the endpoints on the networks across the customer bases of our collective organisations to protect hundreds of millions of users around the world,” said Young.

“The bottom line is that threat intelligence is only as good as the countermeasures that it informs, and that has got to be our ultimate goal,” he added.

Young called on other security organisations to join the CTA to create more collective value for the industry and the people its members are trying to protect.

“We are not going to solve the problem through intelligence sharing, but we can make a much bigger impact than any of us can do alone,” he said.

Turning to the issue of cyber security talent, Young said that in the US alone there are about 200,000 unfilled positions, and by the year 2020, the global cyber security talent shortage is expected to reach two million.  

One way of addressing this problem, he said, is to automate as many cyber security processes as possible to make information security professionals more efficient and effective.

“But that’s not going to be enough – we have got to get more people into the game,” said Young.

Pipeline of professionals

Although organisations such as the SANS Institute, through its NetWars programme, are doing a lot of work to attract young people in particular to the cyber security profession, much more needs to be done to build a pipeline of potential cyber security professionals, he said.

The skills shortage should be the collective mission of the security industry and not just individual governments and information security organisations, said Young.

“We have to act now as an industry to solve this problem,” he said, starting with mentorship programmes to provide opportunities for young people to study and work in the field of information security. An example is the Pathmaker programme run by the state of Indiana and Purdue University which enables students to perform entry-level technical jobs for companies while still enrolled full-time.

“We have got to find ways to ensure we are really engaged and encouraging more young people to join us,” said Young.

“Everyone in the security industry has a role to play, but we have to act. We have to do something, whether it is resources, technology or expertise.”
