
Dan Bridges at Cyware describes how cyber-fusion enables teams to work collaboratively, sharing information and tackling cyber-threats much more effectively.
There’s no doubt that effective cyber-security and resilience can be hampered by problems such as siloed resources, ineffective communication and a focus on reactive defence in the face of rapidly changing risks.
When an organisation’s security stakeholders aren’t collaborating effectively, threats may go undetected, response times may be delayed and valuable insights may remain unshared – weakening cyber-security effectiveness and increasing vulnerability to attacks.
In response to these problems, cyber-fusion has emerged as a way to integrate key security functions such as threat intelligence, security automation, threat response, security orchestration and incident response. It’s an integrated approach which enables organisations to detect, manage and respond to potential threats in a collaborative and cohesive manner.
In contrast to reactive security models, cyber-fusion emphasises threat hunting and real-time response by leveraging shared intelligence across security teams. This includes advanced security orchestration, automation and response (SOAR) capabilities, which allow security teams to automate threat response workflows across cloud and on-premises environments.
Cyber-fusion processes automatically gather malware intelligence from internal sources (UEBA, SIEMs, antivirus, EDR tools, and IDS/IPS) and external sources (ISACs, ISAOs, CERTs, RSS feeds and commercial threat intelligence feed providers, among others).
This information is then subjected to automated real-time analysis, with threat data and alerts rapidly disseminated among security stakeholders in a way that is easily consumable, visible and actionable. Armed with this insight, security teams can prioritise which assets, at an operational level, are most at risk and allocate resources accordingly, minimising mean time to detect (MTTD) and mean time to respond (MTTR).
On a practical day-to-day level, cyber-fusion centres serve as an operational hub, integrating people, process and tools. They help cyber-security teams, such as SOC (Security Operations Centre) and CTI (Cyber Threat Intelligence), work more cohesively to analyse, prevent and mitigate threats, while supporting detection and response analysis.
Collaboration sits at the heart of effective cyber-fusion, and in this context, collective defence is crucial to delivering on its objectives.
The concept of collective defence is based on threat intelligence sharing and coordinated threat response actions against security threats. It relies on organisations working together across industries to understand the nature of the threats they face and how to implement a coordinated response.
One of the best examples of this approach is the role of Information Sharing and Analysis Centres (ISACs), which collect, analyse and disseminate actionable threat information to their members and also provide tools to mitigate risks and enhance resilience.
For instance, the National Council of ISACs is made up of 27 sector-specific organisations that act as “a true cross-sector partnership, providing a forum for sharing cyber and physical threats and mitigation strategies among ISACs and with government and private sector partners during both steady-state conditions and incidents requiring cross-sector response.”
While organisations recognise the crucial importance of collaboration and information sharing in the fight against cyber-crime, most struggle to effectively combine insights across teams and security platforms.
According to recent research, for example, over 90% of respondents said collaboration and information sharing are very important or crucial for cyber-security. In addition, 70% believe their organisation could improve threat intelligence sharing, with 19% saying they could share significantly more.
However, over half (53%) said their organisation does not currently utilise an Information Sharing and Analysis Centre (ISAC), underlining the shortcomings of the way most security teams approach threat intelligence. Over a quarter (28%) said they were unaware of the existence and role of ISACs altogether.
But why is this important? Well, any disconnect between teams and the siloed approach taken around the use of security tools poses a serious threat to the delivery of threat intelligence and, by definition, the ability of organisations to protect themselves against today’s cyber-security risks.
What’s required instead is the actionable insight offered by collective defence communities, and their continued growth will only help security teams deliver more resilient strategies.
The importance of information sharing is gaining significant traction, having also found its way into the EU Network and Information Systems Directive 2 (NIS2), which came into force in October. Focusing on the resilience of various sectors, such as critical infrastructure, food supply, digital providers and waste management, it aims to strengthen the cyber-security strategies of organisations in these industries and across their supply chains.
This includes encouraging EU member states to exchange relevant cyber-security information among themselves, including information relating to cyber-threats, vulnerabilities, indicators of compromise, tactics, techniques and procedures, and cyber-security alerts.
In this environment, organisations that continue to operate with the security equivalent of a siege mentality will always be disadvantaged compared to those who fully engage with their industry ecosystems.
Looking ahead, the ‘stronger together’ adage is certain to become even more important as organisations look for more effective ways to build resilience.
Dan Bridges is Technical Director - International at Cyware
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.