The announcement of IBM X-Force Exchange as a new way to share threat intelligence data was made by Brendan Hannigan, General Manager of the IBM Security Division, at IBM InterConnect in February. As of today the service is live, and it looks interesting, not least because IBM hopes that a community approach, social media and peer review will make it a trusted source of data for security teams and help raise awareness of cyber attacks.
According to figures from IBM, 65% of its enterprise customers already use external threat intelligence data to improve their security decision-making. The problem is that the volume of data they receive exceeds their ability to consume, verify and act on it, even with cloud computing and big-data analytics. There is also a significant question over the validity of the data and how much trust or weight to put behind each item.
For those who deal with security issues on a daily basis, it seems that every innovation that should improve their ability to detect attacks just ends up making the problem worse. It is this that has persuaded IBM to bring the IBM X-Force Exchange to market.
What is the IBM X-Force Exchange?
Simply put, it is a cloud-based platform managed by the IBM X-Force security team, underpinned by a secure collaboration platform and an API. IBM describes it as open, social and actionable, but what does it mean by this?
Open: The cloud platform will be built, managed and owned by the IBM X-Force team. For the first time, that team will make information from its own threat intelligence work widely available, including research and data gathered through techniques such as honeypots and spam traps used to identify attacks. This will be supplemented by data from third parties, such as IBM partners and competitors, who want to use the platform.
The challenge will be to keep the quantity of data controlled and manageable. That means doing the base analysis across all the sources to produce easily understood threat assessments, rather than expecting users to take a fire hose of data and do the analysis themselves.
Social: As well as delivering information on attacks, the platform will act as a community environment. For example, a user discovers a malware attack and posts the details in the X-Force Exchange. Other users who see the report can add more data to it and raise its trust level. This is not just about those who detect an incident.
IBM will actively seek out security analysts and researchers to work with, and IBM’s own X-Force analysts will be on the platform. The other goal is to create industry collections of attacks that can be presented at board level.
The big challenge here will be managing the community. As with other communities, there will be those who contribute a lot and those who just lurk. IBM will have to set out how it intends to reward frequent contributors while staying within the legal frameworks that govern government employees and the various anti-bribery laws around the world. Free products, trips to IBM events including accommodation, and invitations to speak at events all sound good, but what was once an easy way to get a community started has become a minefield.
There is also a lot of work required to stop attackers from building a reputation and then using it to launch attacks. We have seen the app-store version of this, where several clean versions of an app were released and malware was added just at the point where the app was considered trusted. There is nothing to say this won’t happen here, but IBM believes that the community peer review approach makes it less likely.
Actionable: This is a little less developed at the moment, and much will depend on how IBM works with partners. Initially, information on attacks will be a two-way exchange over the API between the X-Force Exchange and IBM’s own security tools and appliances.
IBM intends to extend this to its partners and to open it up to the wider security industry. To make this a wider industry tool, IBM has announced that it will support two emerging standards: Structured Threat Information eXpression (STIX), which defines how threat data is described, and Trusted Automated eXchange of Indicator Information (TAXII), which defines how it is transported. Together these mean that data can be pulled in from other vendors and fed into the X-Force Exchange.
At a later point this may also feed an automated update programme, so that security rules and controls are updated as new attacks emerge. Much remains to be worked out, and automation raises the stakes on data quality, since a bad or maliciously planted indicator would propagate straight into controls. Even so, as in-house security expertise in smaller organisations continues to thin out, a segment of the market would readily adopt this.
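What a consumer of such a STIX feed would do with the data, as an added example that is not part of the original article and not IBM’s code: parse an indicator bundle, drop anything revoked or outside its validity window, build a blocklist that keeps the originating indicator id for provenance, and run it over log lines. The page does not document the X-Force Exchange API format, so the example assumes the STIX 2.1 JSON form of the standard (STIX 1.x, current when the article was written, was XML); the bundle, the RFC 5737 test addresses, the .example domains and the log lines are all constructed.

```python
"""STIX 2.1 indicator bundle -> blocklist -> matches over log lines.
Added example, not IBM's code: the page does not document the X-Force Exchange
API format, so the bundle, addresses (RFC 5737) and log lines are constructed.
"""
import json
import re
from datetime import datetime

# Constructed bundle: two live indicators, one revoked, one expired.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-0000000000a1",
     "name": "C2 host", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2015-04-16T09:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-0000000000a2",
     "name": "Phishing domains", "valid_from": "2015-04-16T09:00:00Z",
     "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-0000000000a3",
     "name": "Withdrawn by publisher", "pattern": "[ipv4-addr:value = '203.0.113.9']",
     "valid_from": "2015-04-16T09:00:00Z", "revoked": True},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-0000000000a4",
     "name": "Expired", "pattern": "[domain-name:value = 'old.example']",
     "valid_from": "2015-03-01T00:00:00Z", "valid_until": "2015-04-10T00:00:00Z"},
]})

# Only simple equality terms on these observable types are extracted; other
# pattern syntax (regex matches, NOT, temporal qualifiers) is ignored.
PATTERN_TERM = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")


def parse_ts(value):
    """Parse a STIX timestamp (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def active_indicators(bundle_json, now):
    """Return (indicator id, observable type, value) for indicators live at `now`.

    Revoked indicators and those outside their valid_from/valid_until window
    are dropped here, before anything reaches a control.
    """
    found = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if now < parse_ts(obj["valid_from"]):
            continue
        if "valid_until" in obj and now >= parse_ts(obj["valid_until"]):
            continue
        for obs_type, value in PATTERN_TERM.findall(obj["pattern"]):
            found.append((obj["id"], obs_type, value.lower()))
    return found


def build_blocklist(indicators):
    """Map observable type -> {value: indicator id} so each hit keeps provenance."""
    blocklist = {}
    for ind_id, obs_type, value in indicators:
        blocklist.setdefault(obs_type, {})[value] = ind_id
    return blocklist


# Constructed proxy-style log lines: dst= destination IP, host= requested name.
SAMPLE_LOGS = [
    "2015-04-16T10:01:02Z client=10.0.0.5 dst=198.51.100.7 host=cdn.example",
    "2015-04-16T10:01:09Z client=10.0.0.6 dst=192.0.2.10 host=WORSE.example",
    "2015-04-16T10:02:15Z client=10.0.0.7 dst=203.0.113.9 host=ok.example",
    "2015-04-16T10:03:44Z client=10.0.0.8 dst=192.0.2.11 host=old.example",
    "2015-04-16T10:04:01Z client=10.0.0.9 dst=192.0.2.12 host=clean.example",
]
LOG_FIELD = re.compile(r"\b(dst|host)=(\S+)")
FIELD_TO_OBSERVABLE = {"dst": "ipv4-addr", "host": "domain-name"}


def match_logs(blocklist, lines):
    """Return (line number, matched value, indicator id) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for field, value in LOG_FIELD.findall(line):
            ind_id = blocklist.get(FIELD_TO_OBSERVABLE[field], {}).get(value.lower())
            if ind_id:
                hits.append((number, value, ind_id))
    return hits


def demo(now=parse_ts("2015-04-16T12:00:00Z")):
    """Full pipeline over the constructed bundle and logs at a fixed time."""
    return match_logs(build_blocklist(active_indicators(SAMPLE_BUNDLE, now)), SAMPLE_LOGS)
```

The revoked and expired entries are the point: line 3 hits a withdrawn indicator and line 4 an expired one, and neither is reported. If indicators go into controls automatically, as the paragraph above contemplates, these validity checks are the only thing between a withdrawn report and a production block rule, which is why the hit carries the indicator id so an analyst can trace it back to its source.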
Widening the appeal
Interestingly, IBM has decided to make it accessible to everyone through a freemium model. What the tiers will be, and what they will cost different types of user, from researcher and independent IT security contractor to CISO and internal IT security specialist, has not yet been disclosed.
IBM needs to make this data public quickly in order to get people on board, especially as the actionable offerings are likely to sit under different charging models. We hope that access to IBM X-Force researchers will not be restricted by class of user, and IBM will need to make sure that how people are ranked in the community is not seen to depend on what they have paid.
Engaging the enterprise
On the face of it, there is much here that will make enterprise customers willing to engage with the X-Force Exchange platform, and especially its community. However, many large organisations, government teams, and those in defence, pharmaceuticals, finance and other industries can make a reasonable case that a two-tier solution is what they want.
At one level they will engage with the wider platform, but there are specifics of attacks and threats that they may want to keep in-house and accessible only to their own staff. There are good reasons for this. It is unrealistic to think that hackers and cyber criminals will not join the platform. Giving out too much detail about how attacks have been detected will allow them to improve their attacks. Sensitive organisations will want to restrict information on what they are detecting to slow the pace of evolution currently seen in the cyber threat market.
Enabling organisations to have their own private platform, maintained by IBM and with controls on what is fed to the wider public platform, is not a complicated solution. The hybrid cloud model fits well here and plays to IBM’s own strengths.
There is another option: restricted industry platforms targeted at governments, finance and defence contractors in particular. IBM has a lot of experience of building community clouds in the US, and this would seem to be a natural extension of work that is already in place.
This is a good move by IBM, as it raises awareness of cyber threats. How well it does with the community and third-party companies will ultimately determine the effectiveness of the X-Force Exchange. We already know that cyber criminals run highly effective collaboration environments to refine attacks and breach security controls, and this could be the first step toward an equivalent for cyber defence.