TL;DR: The Information Technology-Information Sharing and Analysis Center (IT-ISAC) brings together leading companies from the IT, food and agriculture, and elections spaces to jointly mitigate server attacks. The community serves as a force-multiplier, supplementing its members’ internal security practices with an intelligence management platform, threat analysis, and engagement with top security experts. Moving forward, the nonprofit aims to drive additional value in an ever-evolving threat landscape through partnerships and enhanced analysis efforts.
The recent cyberattacks on SolarWinds and Microsoft have underscored the growing threat posed by nation-state actors.
But these aggressors aren’t the only ones security teams have to worry about. Compounding the problem are secondary threats from copycat hackers inspired to commit similar crimes.
“When a nation-state launches a new activity that becomes public, that knowledge is spread for anyone to use,” said Scott Algeier, Executive Director at the Information Technology-Information Sharing and Analysis Center (IT-ISAC). “Now, everybody needs to defend against these campaigns because, even if a nation-state actor isn’t going to attack you specifically, others can use their techniques to attack you.”
If threat actors are increasingly learning from one another, the logical response is for defenders — security experts from companies worldwide — to do the same. That’s the premise of IT-ISAC, a one-of-a-kind nonprofit uniting the IT sector’s best and brightest through trusted, confidential collaboration.
Membership in the group unlocks access to multi-directional knowledge sharing via an intelligence management platform, analysis through trend and incident-specific reports, and thought-leadership through industry-government partnerships.
IT-ISAC’s mission is to foster a community of companies that serves as a force-multiplier, enabling collaboration on actionable cyber threat information and effective security practices and policies.
“We’re always working to up our game both on the tactical side to help people stop attacks on networks and on the strategic side, helping the CISOs and senior leadership plan for what’s to come,” Scott said.
More than Two Decades of Trusted Collaboration
IT-ISAC was established in 2000 in response to the 1998 Presidential Decision Directive 63 (PDD 63), one of the foundational documents for public-private partnerships in critical infrastructure security.
“The challenge is that most of the critical infrastructure in the industry is owned privately,” Scott said. “There’s a national security interest in having secure and resilient infrastructure, and one of the proposed solutions was to create industry-segmented information sharing and analysis centers (ISACs).”
The goal behind these centers is to facilitate information sharing among member companies, providing a trusted forum for industry engagement without the fear of government oversight or regulation.
Scott told us that IT-ISAC’s initial mission was twofold.
“One focus was sharing threats; the other one was to identify vulnerabilities within the internet infrastructure itself,” he said. “At the time, there were a lot of attacks like Code Red and Nimda that degraded or slowed down the internet. We wanted to respond and mitigate those threats, but also identify threats and vulnerabilities in core infrastructure.”
Since that time, security challenges — and the industry as a whole — have changed dramatically. And while IT-ISAC is still interested in identifying vulnerabilities, the group is primarily focused on sharing information that will help enterprises manage threats to server infrastructure.
Automated Sharing of Threat Intelligence
The way IT-ISAC approaches collective threat intelligence has also changed during the group’s more than two decades of experience. The methodology for sharing information, for instance, has evolved dramatically.
“We’ve gone from copying and pasting indicators from across the membership into Word documents and Excel sheets to automated indicator sharing,” Scott said. “Today, there are more indicators available to members, so part of our role has changed from trying to find indicators — which we still do — to making sense of the information at hand.”
The membership breakdown has also evolved over the years.
“Our membership was founded by a core group of technology providers and security vendors,” Scott said. “Since then, we’ve expanded to include some of the newer technology companies.”
These include cloud, home automation, Internet of Things (IoT), and industrial IoT companies.
“We’re also really proud of the fact that we support sectors beyond IT,” he said. “There’s the elections industry — companies who make the voting machines — and also the food and agriculture industry. We have a group of member companies that provide core components of the food supply chains.”
Through IT-ISAC, such groups are empowered to explore threats specific to their industries while also getting the benefit of their full IT-ISAC membership by engaging with analysts from other member companies.
Of course, today’s definition of an IT company has become decidedly murky.
“Almost every company is an IT company that can engage with us and our membership, receive the analytic products we produce, and leverage the knowledge of our members,” Scott said. “At the same time, we’re very respectful of the fact that companies do fall in specific sectors. We’re not interested in taking membership away from other ISACs in healthcare, finance, or communications, for example.”
A Force-Multiplier Supplementing Existing Security
Over the years, organizations have also become more willing to share threat intelligence. In the last two years or so, Scott said, there has been a surge in government-industry collaboration.
“We’re seeing activity from government, and it’s not just the Department of Homeland Security (DHS) — it’s across government,” he said. “We’re now seeing a lot more activity and effort in making indicators and analysis available, and there’s more engagement than ever before.”
A similar trend has occurred among industry peers, who are setting aside competition-based fears to benefit from the nonprofit’s capabilities as a force-multiplier in server security.
“The concept of collaborating or sharing information with your competitors in the marketplace can seem counterintuitive,” Scott said. “But our team has done an awesome job establishing trusted relationships. We have the right non-disclosure agreements in place, but if companies don’t trust you to handle information the right way or that they’re going to get value back, they’re not going to share.”
Moreover, there’s a sense that members are in this fight together — and recognize that they can’t combat threats of increasing sophistication and volume alone.
“A lot of it is also mission-driven,” Scott told us. “The forum helps members achieve their goal of securing their enterprise. Because they recognize the value of membership, companies are empowering their people to share. The concept isn’t that you’re getting access to the IT-ISAC team — it’s that you’re getting the IT-ISAC team and analysts from these leading technology companies.”
Driving Value Through Partnerships and Enhanced Analysis
IT-ISAC’s goal for 2021 is to operationalize partnerships that the nonprofit put in place last year.
“Last year, we formed a relationship with the information sharing and analysis organization CompTIA, and we’re currently providing analytics support for them,” Scott said. “There is a whole set of information needs that the community has that we’re just beginning to understand. So we’re building that knowledge and understanding to support our community.”
The nonprofit has also formed working relationships with CompTIA, ISACA, and the EC-Council on certification and training.
“This has been a huge priority for our member companies for several years,” Scott said. “There are not enough people to fill jobs in the workforce. So how do you find and retain employees? How do you train them up, not for the jobs they’re doing today, but for those you need them to do tomorrow? Our relationships with ISACA, CompTIA, and the EC-Council are related to this issue.”
IT-ISAC is also exploring ways to provide members with enhanced analytic products.
“If five companies are monitoring the same three actors, who’s monitoring everyone else? We’re looking to divide and conquer, creating a framework for what information we’re looking for and how we share.”