Guest blog from the Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world.
A widely-held belief across our security community is that high-quality cyber threat information sharing benefits teams tasked with operations, analysis, and response. Such benefit demands, of course, that the threat sharing be truly high-quality. Luckily, good commercial platforms are available today to ease the burden of setting up, operating, and running a successful threat sharing group. Few excuses thus exist for security teams who are not currently sharing data.
An additional belief commonly held in our community is that cyber exploits are becoming faster, more intelligent, and more elusive. Such attack attributes are being achieved using a dose of our own Sand Hill Road-funded technology: Automation, machine learning, and autonomy. The resulting so-called synthetic attacks are too fast and too elusive for any manual, human-coordinated response – and this is a frightening prospect for security teams.
F5 Networks, in conjunction with TAG Cyber, commissioned a recent working group during F5 Agility 2018 in Boston to examine these two considerations – threat information sharing and synthetic cyber offense – in the context of an additional factor: That is, the working group was asked to perform their examination with respect to an emerging technology trend that might offer promising benefits to security teams: Software-defined networking (SDN).
The working group – which consisted of industry participants invited largely from the global service provider community – was thus invited to spend its time discussing, debating, and focusing on the following fundamental question: Can emerging SDN-enabled service provider infrastructure provide an underlying collective platform for automated cyber threat information sharing between global carriers to reduce the risk of synthetic attack?
To address this multi-pronged question, the working group identified three more focused questions that would organize and focus the discussions, and that would help produce an aggregate answer:
· SDN for Security – What are the relevant pros and cons of SDN for cyber security?
· Improved ISP Sharing – What strategies can be followed to improve overall ISP sharing?
· Functional Requirements – What platform features support SDN-enabled sharing?
Many additional relevant topics were raised during the working group activity, but these three focused questions seemed to work well to produce the conclusion that SDN infrastructure does, in fact, provide an excellent base on which to enable automated threat information sharing between carriers. In fact, the working group agreed on this basic principle: To stop automated, synthetic attacks, service providers will need to rely on automated defenses.
The first question focused on how SDN can provide an effective base for security – versus how SDN itself might be secured (a topic considered outside the scope of this effort). To that end, participants offered their views on the following aspects of SDN that were designated as well-suited to dynamic, automated sharing of threat information across multiple service provider infrastructure deployments:
The second question focused on how global ISPs might generally improve current sharing of threat information. Quite a bit of compare-and-contrast discussion was held regarding the relative methods used within the service provider community versus the high-profile sharing procedures and methods used in the financial services sector. The working group thus identified the following suggestions for better sharing – in the context of emerging SDN:
The third question focused on identifying functional requirements for SDN platforms and vendor solutions that would support automated threat information sharing between carriers. Agreement existed amongst the working group that vendors are motivated to serve their customers, and will respond best if user groups organize their needs into working standards. The main functional features identified for SDN-enabled sharing are as follows:
The next steps recommended by the working team were as follows: (1) To publish this article from the group discussion to assist other related efforts in their planning process; (2) To take back to each constituent organization the results of the study to foster ideas for SDN-based sharing and to influence standards activity, and (3) To engage in discussions with the vendor community to recommend more attention to this vital area.
The conclusion of this working group is easy to state: That is, it was uniformly agreed upon by members that, in fact, emerging SDN-enabled service provider infrastructure can provide an underlying collective platform for automated cyber threat information sharing between global carriers to reduce the risk of synthetic attack. Arriving at such a conclusion was an exciting prospect for the team, given the agreed intensity of automated synthetic attacks.
Prepared by TAG Cyber LLC: https://www.tag-cyber.com/
 Readers desiring a thorough examination of software defined networking (SDN) fundamentals are directed to Software Defined Networks – A Comprehensive Approach, by Paul Goransson and Chuck Black (Morgan Kaufman, 2014).
 To respect the privacy of participants and their organizations, this note only refers in aggregate to conclusions and recommendations made during the working group session, rather than the names of any experts or groups represented I the study. Participants had the opportunity to review and suggest edits to this note – but any remaining errors are the responsibility of the author.
 One major conclusion drawn by the working group is that the financial services sector does the most effective job of any sector at publicly marketing their threat sharing tools, methods, and FS-ISAC ecosystem.