During the closing keynote address at August's Data Center World conference in Orlando, Florida, Timothy Rohrbaugh, JetBlue's chief information security officer, emphasized the importance of sharing, not only with other components of your team, but with other security teams within your industry, even if they're working for the competition.
Why? Because the same people who are trying to compromise your system are also trying to breach your competitors' systems, and they're likely using the same techniques. Knowing what's in your attackers’ playbook can help you mitigate the threat before it happens.
He illustrated this with a sports analogy, pointing out that in professional football a killer play is never again as effective as it is the first time it's used, when the opposing team is caught entirely by surprise.
"If games weren't televised and they were only between the two teams and no one else could see it, all you would see is the end score," he said. "The thing that benefits [other teams] is that everybody could see that run, and then all the defensive coordinators could be like, 'If that happens, we better have a response,' and then force the offensive coordinator to make it look a little bit different."
In other words, once a football play is televised to a nationwide audience, with numerous slow-motion replays for various angles to show the audience exactly how the play was carried out, it becomes a play that other teams can defend against. With shared information, the same can be true in IT security.
"We are actually trying to share what the threat actors are doing, and we're trying to get a response to it," he added. "Since we are actually sharing today, we need to use that. That's what the [threat intelligence] teams are supposed to be doing."
He pointed out that many industries already have organizations in place for such sharing, in the form of nonprofit ISACs, or information sharing and analysis centers, which not only provide resources for gathering information on cyberthreats, but also a way to share information about specific incidents and threats.
"After I left the military and government, I went into financial services for a long time and we had FS-ISAC," he said. "We had sharing, and it actually became a fantastic resource."
When he moved to JetBlue a couple of years ago, he said, "I didn't know about Aviation ISAC, so we actually have one that is just as good" [as the ISAC for financial services].
What Security Is Doing Wrong
The reason that sharing is important, especially when it's information about threats that are actively being launched against an industry, is that a security team’s main focus should be on their attackers, but that's not how security is typically done these days, Rohrbaugh said.
"They're just going from frameworks and checkboxes and compliance that they didn't design, and that's causing IT costs, business impact and a slowdown in employees’ access to the things that they need," he said.
The problem with that approach, he said, is that it's "not working with an understanding of exactly what the threat is, who's coming after your customers and who's coming after your infrastructure."
At JetBlue, Rohrbaugh said, he wants to change the dynamic on how security is approached.
"I want to put threat intel at the center of the security program, which drives investment and change, which means they have to figure out who's coming after us, what they want and what techniques they use. Then the rest of us, who are on the defensive side called Blue Team, decide how we're going to react to that."
Rohrbaugh called this approach "threatened form defense."
"That means that we won't spend money, we won't focus in an area, unless it's attributed to an actual threat actor who's coming after us," he explained.
"Everybody's heard the term, 'boil the ocean,'" he said. "We could boil the ocean, but what would happen is that we would do all of this work, but we don't know who's coming after us and what they're going to use, so we're spread very thin and we're costing the business a ton of money. You can see this is just a game that we're going to lose."
"That's the way I view compliance programs that come from governments or third parties," he added. "They're not taking into account the context of the business, the threat actors and what they're coming after."