With all of the high-profile cyberattacks on critical infrastructure and subsequent press coverage, it’s great to see the U.S. government step in and help identify some key guidelines and recommendations. The sharing of threat intelligence is a key government action that has great potential to significantly advance our cyber defenses. At the same time, as we enter new territory here, there are vendors causing noise, confusion, anxiety, and possibly a less secure environment. Given all of these moving parts, I feel compelled to write this blog and provide a more open discussion and concrete steps for helping the community secure critical infrastructure for real.
Over the past few months I’ve had the chance to deep-dive and exchange opinions on several of the recent announcements from the U.S. government. These touch points include conversations with customers, asset owners, and key stakeholders in the energy, water, railway, and pipeline sectors. Specifically, we discussed the recent directives specifying 17 criteria to consider when selecting industrial control system (ICS) monitoring technologies, which includes enhanced detection and visibility capabilities and facilitated incident-sharing with the government.
One of the most important aspects highlighted in the 17 points is the capability for the cyber monitoring technologies implemented to share incidents with government partners. Those who have had the chance to interact with me in any form (through the government research that I was leading, when I spent years working in a SOC, and while working with Nozomi Networks’ customers) would remember that at one point in our interaction I would stress, from the very beginning, the importance of information sharing. While working in a large Security Operations Center (SOC), I was frequently frustrated by cybersecurity technologies that practiced the principle of “security by obscurity.” I remember how complicated it was to extract and use data between different technologies. Vendors were not open enough to let customers leverage and use the data they created, and even more so, when trying from external solutions. This is why from the very beginning, I built our technology within Nozomi Networks to facilitate the sharing of our data, easily. Our product lines which include Vantage (on the cloud), and Guardian (on-site), have extensive capabilities to share information with others using a variety of tactics, protocols, and formats. Sharing data between partners, across a collaborative ecosystem of technologies is at the foundation of advancing our cybersecurity posture as well as understanding our adversaries.
I want to call out people taking advantages of something that the government was initially setting up with good intention.
From customers, I became aware of proclaimed ‘industry leaders’ using this great government initiative as a marketing tool to sell more of their products and licenses. I also read about solutions capable of sharing data among peers, but only among users of the same product. This is not information sharing, transparency, or good practice for cybersecurity. We are better than this, and we can do more. I understand very well the weight of running a company with investors that are focused on increasing value, but I consider more importantly the mission and the responsibility we have as leaders in the cybersecurity space. That’s why I want to embrace what the DOE has recommended — that will really moving the ball forward — in an open and transparent way.
Initial confusion in the market aside, the DOE has re-emphasized that their recommendation is vendor neutral, and encompasses many commercial products to monitor and protect the industrial control networks of our critical infrastructure. We at Nozomi Networks are pleased that our products meet and exceed the guidelines issued by the DOE and several other government agencies. We believe, however, that when it comes to best-in-class threat intelligence sharing, there’s still work to be done to reach an effective solution. This is why we now want to take this conversation to the next level. To illustrate what an ideal solution might look like, we would like to share a proposal for the community that will enable any security vendor to share anonymized threat intelligence data from the entire community with the government.
To get a glimpse at what this proposal might look like, please stay tuned for the second part of this blog, where I hand the baton to my co-founder and lifelong friend Moreno Carullo.