In February Facebook announced a welcome initiative: ThreatExchange. The platform helps security researchers share their findings; in particular, it lets them share their own security information and insights with peers, collaborate, and gain more information. However, the reward vs. risk element of the platform should be carefully weighed when designing an overall enterprise sharing policy.
“ThreatExchange is a platform created by Facebook that enables security professionals anywhere to share threat information more easily, learn from each other’s discoveries, and make their own systems safer.” (Facebook ThreatExchange)
We all live online to some degree and share personal information, often without realizing it, on multiple platforms. We have been conditioned to distinguish between the cases where we are comfortable sharing sensitive, personal information with individuals and the cases where we are comfortable with it being viewed by the masses. We would not hand our private information to a newspaper, and we may think twice before sharing it with a journalist who thrives on stories, even if he or she is our closest friend. When it comes to cyber security, we are particularly cautious about information sharing, and for good reason.
Who’s Accessing Your Data?
Broadly speaking, there are two camps:
- Companies and platforms whose business model depends on your data, security-related or otherwise.
- Companies and platforms that do not rely on commercializing data, so the data you share is of no business interest to them.
Facebook, like many other sharing and feed providers, relies on access to data, including yours; it is in their ‘DNA’ and part of their business model.
Importantly, because data is very often stored and processed by third parties, you don’t and won’t know who else is accessing it (for example, can Amazon see my data?). It is crucial to do your homework: assess whether that data is protected, who has access to it, and where it can end up. Security feed providers are widely used to gain more context and dive deeper when researching malware issues, so a lot of sensitive data is shared with them. It is therefore important to decide which providers you should share this information with, based on their skills, relevant knowledge, and of course their level of trustworthiness. As useful as they may be, some of these providers’ key incentive is to trade data, which is a conflict of interest if you plan on keeping your data private.
Alongside the dilemma of whether to share or not, we are often forbidden from sharing with a platform that is exposed to large and/or unspecified audiences, mainly because of privacy, data protection and a few other relevant regulations.
So Who Does Own Your Data?
In cyber security, “the more the merrier” is not a healthy approach. Assuming we all want to keep our jobs and avoid colossal damage to companies and individuals, revealing sensitive information about security breaches and findings should be carefully considered and only shared with those whom you want to assist, those who want to help you, and those who can be trusted. The ideal situation would be to share sensitive data about attacks solely with other victims of the same attack. This information should only benefit their security level, as opposed to serving any of the financial incentives mentioned above.
True story: there is a third-party platform vendor that enables data collaboration between its customers, BUT from that moment the data exchanged (or shared) belongs to the platform vendor. The vendor does offer customers the option to secure the data and prevent further sharing for up to 1000 incidents, but beyond that the vendor is entitled to publish or use the data as it pleases. Needless to say, 1000 incidents can be shared in no time, so the additional data will most likely be shared with others. It is safe to assume that many customers are not aware of this: while they have purchased ‘facilitation’, the vendor’s model is clearly incentivized to own and trade the data.
Given its vision and approach, Facebook’s team will provide the security world with a very useful service. But because Facebook ThreatExchange is not privacy oriented by nature (with regard to the data being shared and stored), extra caution is necessary. Security experts and their enterprises should consider forming a sharing policy that takes into account the level of sensitivity and the regulatory implications of the data being shared. Only then can a suitable platform be selected. This kind of hybrid sharing strategy gives organisations the benefits of sharing different data profiles while staying aligned with regulatory and compliance demands.
Examine your prospective sharing platform inside and out. Assess what level of control you have over your data, who could be exposed to it if the platform is breached, when this might happen, and where your sensitive information may end up. If you use a third-party facilitated platform, check its protection policies and the methods it uses to secure your data. Find out whether your data is encrypted and whether it is stored in the cloud or on-premises. Above all, always examine your facilitator’s business model.
The Key: If their business model is based on acquiring information in order to own it and sell it, you’ll be risking unwanted data exposure. Ultimately, a truly private collaboration medium allows users to own their data, and maintain control of how accessible and visible it is among peers.
Posted by Guy Wertheim, April 14, 2015.