Understanding collective defense as a route to better cybersecurity


In many ways, cybersecurity is characterized by very insular priorities. Focused on protecting their own network perimeters, systems and data, organizations quite correctly develop highly tailored and personalized strategies. As a result, businesses that outwardly appear very similar, competing in the same industry for the same customers, may have very different approaches to prevention, mitigation and recovery.
Granted, the entire cybersecurity ecosystem is supported by a huge variety of vibrant communities where cooperation plays a fundamental role, but the idea that organizations can cooperate at a deeper level to deliver ‘collective defense’ is less commonplace.
In cybersecurity terms, collective defense means organizations share the most useful resources, information and processes to improve resilience between otherwise unconnected entities. For many people, it will be more familiar as a geopolitical and military concept, with NATO Article Five, for example, stating that an attack on one member state will be treated as an attack on them all. This sends a clear and unifying message to potential adversaries while adding significantly to the resources available to each individual country.
Organizations invoking collective defense to protect their IT and data assets will usually focus on sharing threat intelligence and coordinating threat response actions to counter malicious threat actors. Success depends on defining and implementing a collaborative cybersecurity strategy where organizations, both internally and externally, work together across industries to defend against targeted cyber threats. Done well, it can be extremely effective.
Vice President of Collective Defense at Cyware.
Building momentum
But how is this playing out in the real world? There are a growing number of examples to draw on, including the collaborative legal action launched last year by Microsoft, Fortra LLC and Health-ISAC. This alliance targeted actors that deployed cracked versions of Cobalt Strike or those that blatantly violated Microsoft’s terms of use, particularly the malicious deployment of its copyrighted APIs. As media analysis at the time pointed out, “this disruption won’t halt cybercriminal operations, but it will put a strain on their resources.” The point is, collectively, organizations are better placed to detect, challenge and dismantle the infrastructures that underpin cybersecurity risks.
In its most recent Digital Defense Report, Microsoft also focused on the need for wider efforts to improve collective cyber resilience. For example, faced with sophisticated cyber threats, the report points out that collaboration and a united front are vital to building a more secure digital landscape. In this context, open-source and supply chain security could be significantly improved through collective action.
Take the Open Source Security Foundation (OpenSSF), for example, a cross-industry forum dedicated to addressing new security challenges. Its role includes developing frameworks to address challenges, such as improving comprehension of supply chain threats and efficient strategies for mitigating them.
Other organizations are supporting collective defense as well, such as the Open Cybersecurity Alliance (OCA), a nonprofit coalition under the umbrella of OASIS Open. The OCA supports an open ecosystem where cybersecurity tools interoperate without the need for custom integrations, helping cyber defenders work together more effectively by reducing technical barriers to sharing.
On a government level, regulatory guidelines such as the SEC’s cyber incident reporting regulations, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the EU Cybersecurity Act are another important part of the collective defense picture. What these various initiatives have in common is their emphasis on promoting a collaborative, community-focused approach to strengthening the digital ecosystem against ever-changing cyber risks.
From theory to implementation
Putting this into practice requires organizations to commit to coordinating their cybersecurity strategies to identify, mitigate and recover from threats and breaches. This should begin with a process that defines the stakeholders who will participate in the collective defense initiative. These can include anything from private companies and government agencies to non-profits and Information Sharing and Analysis Centers (ISACs), among others.
The approach will only work if it is based on mutual trust, so there is an important role for the use of mechanisms such as non-disclosure agreements, clearly defined roles and responsibilities and a commitment to operational transparency. Operationally, secure, real-time communication channels are key to ensuring threat and defense intelligence information can be shared. Similarly, the community should establish processes to disseminate indicators of compromise (IoCs), tactics, techniques and procedures (TTPs), backed by best practice information and incident reports.
Collective defense communities can also look to the Cyber Fusion Centre model to bring together relevant security functions, including threat intelligence, security automation, threat response, security orchestration and incident response, in a cohesive approach. A practical example of how this can work is when vulnerability management and incident response teams work together to deal with a bug exploitation incident more effectively than might be possible by working in silos.
Given the challenging range of cybersecurity risks faced today, collective defense represents not only a common-sense approach to improving protection but can also transform the security posture of organizations currently trying to go it alone. As such, it is a model that perfectly fits the notion that “the whole is greater than the sum of its parts.”
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro