Enterprises tend to work in silos. That's because security groups are guarded about their data and their methods, for good reason. However, in order to significantly improve our detection (and hence mitigation) game, we need to know more about attacks & breaches. Collaborating with peers in the industry will help understand trending attacks, obtain detection & mitigation plans that actually work, get access to best practices, and exchange actual code to implement in their SIEMs (or other run-time environments). Such collaboration has to be secure, selective, and result in the exchange of implementable instructions, preferably code.The best collaboration that has happened thus far in security operations has been the ISAC - however, participants will agree that it has degenerated to simply becoming a mailing list of noisy IOCs sent to 1000's of recipients with no clear instructions on how to detect & mitigate. This is not materially useful.The level of enterprise SOC collaboration must evolve significantly to contain implementation-ready instructions and code, with enriching analytics to provide context and guidance, and must be easy to use with targeted sharing amongst trusted groups. The most common questions we get from CISOs who are willing to share detection logic are:
- What are we sharing?
- With whom are we sharing?
- How are we sharing?
The platform that provides simple, usable and elegant answers (and actually implements it!) will win.