From an evolutionary standpoint, there was probably not much difference for cavemen between saying, "Watch out for that saber-toothed cat," "Don't eat those berries," and "Don't get Gerf mad; she swings a mean tree branch." It was all about sharing information about threats. And we're still working out how to do that today, based on the new types of threats to our businesses, our social standing, and our infrastructure.
What we have trouble doing is formalizing that intelligence sharing. For one thing, it requires trust -- and trust tends to happen between individuals, not between organizations. Once you abstract the "trusted circle" too much, it tends to weaken, especially where a legal department is involved. And broader communication channels with bells and whistles, such as special forums and platforms, are a great idea, but they involve a little more friction from a user experience perspective. When you talk to a trusted friend, you're more likely to pick up a phone (whether it's for email, texting or voice). So no matter how cool your threat intel sharing platform might be, if the social dynamics get disrupted for any reason, the communication channels tend to default back to email or phone.
One thing that platforms are great for, however, is automated data exchange. This has de facto been in place for years wherever a security vendor's products are installed: they collect the logs and output from each customer's deployment base, analyze the aggregated data, and use it to improve situational awareness and filtering for all. What has been missing is the overall view across products and vendors. What is any given enterprise or population seeing that's relevant to others? Today's machine-readable threat intelligence exchange is filling this gap -- and regardless of whether you consider indicators to be the equivalent of really big signatures, it's all data that should be consumable by your security technology, if not already baked in.
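To make the "indicators as really big signatures" point concrete, here is an added example (not code from the article or from R-CISC) that ingests a small machine-readable indicator feed and runs it over log lines the way a security product would. The JSON feed shape, the log format, and every indicator value and log line are constructed for illustration; real exchanges use standard formats, but the consumption step is the same: normalize once at load time, then match cheaply per event.

```python
"""Consume a machine-readable indicator feed and match it against log lines.

Constructed example: the feed format, indicator values and log lines are
made up for illustration. None of the values below is a real indicator.
"""
import ipaddress
import json
import re
from typing import Dict, List, Tuple

# Constructed indicator feed in a simple JSON shape (assumed format).
# Shared indicators are often "defanged" ([.] and hxxp) so they are not
# clickable; the consumer has to undo that before matching.
FEED_JSON = """
[
  {"type": "domain", "value": "updates.example-bad[.]test", "ref": "CASE-1"},
  {"type": "ipv4",   "value": "203.0.113.7",                "ref": "CASE-1"},
  {"type": "ipv4",   "value": "198.51.100.0/24",            "ref": "CASE-2"},
  {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "ref": "CASE-3"},
  {"type": "url",    "value": "hxxp://updates.example-bad[.]test/payload.bin", "ref": "CASE-1"}
]
"""
# Note: the sha256 above is simply the hash of an empty file, used as a
# stand-in value, not a real malware hash.

# Constructed proxy / firewall / EDR style log lines to scan.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy user=alice dst=updates.example-bad.test url=http://updates.example-bad.test/payload.bin",
    "2024-05-01T10:00:05Z fw src=10.0.0.5 dst=198.51.100.200 action=allow",
    "2024-05-01T10:01:00Z edr host=ws12 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path=C:\\temp\\a.exe",
    "2024-05-01T10:02:00Z proxy user=bob dst=www.example.com url=https://www.example.com/",
]

Hit = Tuple[str, str, str]  # (indicator type, matched value, feed reference)


def refang(value: str) -> str:
    """Undo common defanging and lower-case so feed and log values compare equal."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def load_indicators(feed_json: str) -> Dict[str, object]:
    """Parse the feed into lookup tables; normalization happens once, here."""
    exact: Dict[str, Dict[str, str]] = {"domain": {}, "url": {}, "sha256": {}}
    networks: List[Tuple[ipaddress.IPv4Network, str]] = []
    for ind in json.loads(feed_json):
        value = refang(ind["value"])
        if ind["type"] == "ipv4":
            # A bare address becomes a /32, so single IPs and CIDR ranges share one path.
            networks.append((ipaddress.ip_network(value, strict=False), ind["ref"]))
        elif ind["type"] in exact:
            exact[ind["type"]][value] = ind["ref"]
    return {"exact": exact, "networks": networks}


_TOKEN = re.compile(r"(\w+)=(\S+)")  # key=value fields in the constructed log format


def match_line(line: str, indicators: Dict[str, object]) -> List[Hit]:
    """Return every indicator hit for one log line."""
    hits: List[Hit] = []
    for _key, raw in _TOKEN.findall(line):
        value = raw.lower()
        for kind, table in indicators["exact"].items():
            if value in table:
                hits.append((kind, value, table[value]))
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # not an IP address; exact-match checks above already ran
        for net, ref in indicators["networks"]:
            if addr in net:
                hits.append(("ipv4", value, ref))
    return hits


def scan(log_lines: List[str], feed_json: str = FEED_JSON) -> Dict[int, List[Hit]]:
    """Map line index -> hits, keeping only lines that matched something."""
    indicators = load_indicators(feed_json)
    results: Dict[int, List[Hit]] = {}
    for i, line in enumerate(log_lines):
        hits = match_line(line, indicators)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES).items():
        for kind, value, ref in hits:
            print(f"line {idx}: {kind} {value} -> {ref}")
```

The normalization step is where most real-world mismatches hide: a feed that ships defanged or upper-case values will silently match nothing if the consumer compares raw strings, and an address-range indicator needs CIDR containment rather than string equality. Doing that work once at load time keeps the per-event matching cheap enough to sit in line with a log pipeline.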
Machines can talk to machines, but when something is really unusual, humans tend to pick up the phone again. At the Retail Cyber Intelligence Sharing Center (R-CISC), we have members who can share structured data at a sophisticated level, but we also have many who just "know a guy" they can call when they want to ask about something they've discovered. The challenge for us, and for similar Information Sharing and Analysis Centers (ISACs), is to help build stronger connections between "gossip-level" threat intelligence sharing and "grownup" sharing -- where organizations can trust one another as often as individuals do. It's easier to get machines to trust one another than it is to get enterprises to do it, but we need both types of interactions to cover the threats out there.
The biggest challenge of all: getting trust to scale. We would all benefit from knowing about shared threats, but forced trust won't work, and neither will the expansion of trust circles that breaks fragile sociological bonds. President Obama's Executive Order 13691 on cybersecurity intelligence sharing has launched efforts to establish Information Sharing and Analysis Organizations (ISAOs) that don't have to fall along industry lines. It will be great if enterprises can find new and additional ways to trust one another. But in the meantime, we need to think globally and act locally to preserve what channels we have open today. For the future, we must learn to share threat intelligence outside our own particular caves -- because there's more than enough cyber-saber-toothed cat to go around.