Successful Outcomes by Crowdsourcing Risk Management

Crowdsourcing Risk Management
Author: Mike Saurbaugh, CRISC, CISM, CISSP, MSIA
Date Published: 1 May 2019

Crowdsourcing cybersecurity risk management across the enterprise presents opportunities for security leaders to bolster their program resilience through other resources. The value in crowdsourcing is that it leverages the ability to tap into a wide range of people who can work toward the purpose of a particular desired outcome. Those who participate are essentially sharing information and providing some sort of value back to those with a particular need. There is strength in numbers and, when the cybersecurity team can manage a community of contributors from various areas, the program is more powerful and can achieve successful outcomes.

Cybersecurity use cases aside, crowdsourcing is the process of reaching out selectively to a group, or anyone for that matter, regardless of their capabilities, to enlist help for an objective. Examples many can relate to are the traffic and navigation application Waze and local search service Yelp. Both leverage the power of people and harness information from which others can benefit. Also, the recent Amazon acquisition Ring, a home security organization, provides product capability for homeowners to enable sharing of information that can benefit a neighborhood community, assist law enforcement, and, potentially, deter and drive down crime rates.

Now think of applying similar concepts to benefit cybersecurity teams through internal and external threat intelligence collection and sharing, vulnerability management, and enabling sharing within products that provide a mesh of information exchange based on the product purpose.

Security leaders can tap into the crowdsourcing process to help fulfill their needs in cybersecurity and improve their program. Internally, it helps in establishing an organizationwide culture of cybersecurity and, externally, it aligns like-minded security teams with information and services to improve defenses against attackers.

Internal Employees Report Phishing

Getting started with crowdsourcing may lead to many questions. For instance, where to begin? Look no further than enterprise employees. Reporting phishing ranks high on an organization’s quick-win list and is the easiest area on which to focus. Employees are an asset to the security program and, when properly trained, are able to help security teams ingest intelligence based on the attacks employees are encountering.

For years, security teams have spent time periodically conducting phishing simulation exercises. Phishing scenarios are far more meaningful than security awareness computer-based training (CBT). CBTs simply test employees at a point in time and require them to sit through often lengthy instruction sessions. However, phishing simulations coupled with phishing reporting are more effective. In fact, reporting phishing among employees is crowdsourcing. By having employees report real phishing emails that they have learned to identify through phishing simulations, security teams are able to gather intelligence on targeted phishing emails that have made it to employees’ inboxes.

Employees reporting suspicious email is extremely helpful for a security operations center (SOC) to receive so that it can implement countermeasures and hunt for potential compromise within the organization. However, without this information, there is a lost opportunity to manage incidents and close existing gaps. Fortunately, security teams have started to learn through the years that there is immense value in crowdsourced reporting.

Finally, phish reporting and other security incidents can be gamified within an organization. Employees who identify and report the most real phish and not benign spam can make it to the top of a leader board. Tracking high frequency reporters also helps security teams pay attention to those who report the fastest and most accurately. This is desirable because it allows security teams to focus on who provides them with the best intelligence, and they can prioritize incidents based on credible information and informants.

Security Ambassadors

Security leaders have learned to get creative to supplement security teams. Employees serving as security ambassadors, also referred to as security champions, are a way to crowdsource additional people to help fill gaps without adding to full-time headcount.

Just who are security ambassadors? They are other people within the organization who can help get involved with security in addition to their current role. Think of security ambassadors as the security team’s extended network to help communicate the security vision and plan of action across the enterprise. They do not relinquish their current roles, but rather volunteer some time to be part of the security mission and are a bidirectional asset of communication between lines of business and the security program.

A few obvious areas outside of security for technical roles include developers, project managers, system administrators, engineers and IT help desk personnel. The IT help desk staff are crucial ambassadors because they are the people who are fielding calls and emails and need to be on-board from the start. It is important for the help desk personnel to possess outward-facing positive communication with employees so that they do not feel repressed when contacting the help desk team to relay security-related information. Employees can be the first to identify and report incidents, and IT and security teams need to embrace their outreach.

One concern that often comes up with ambassadors is the amount of time commitment and compensation. Typically, 4 to 8 hours per month on ambassador work is the target. Often, security leaders position the opportunity in such a positive way that employees volunteer as opposed to being asked. Being an ambassador is a fulfilling role with purpose, which is a driving factor for many who want to be part of the group. There is meaning, purpose and the ability to contribute to a great cause outside of a daily role. Recognition is a fantastic way to motivate people to join the crowdsourcing mission.

Threat Intelligence Exchanges and Consortiums

Sharing intelligence among similar verticals is an opportunity for security teams to produce and consume intelligence for the betterment of those involved. It is a great way to learn from industry peers about active attacks and countermeasures that can be put in place. At the same time, the security team needs to be able to administer the influx of information and not let it become stale and unmanageable.

Information sharing may come in many different forms. Security teams not already familiar with Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII) and Cyber Observable eXpression (CybOX)1 should become acquainted with them when getting started with information sharing. Their purpose is to enable automatic sharing of information to support the need for situational awareness around emerging threats so that teams can make informed decisions about how to counterthreats. A good example is the consumption of indicators, such as IP addresses, domain names, hashes and URLs. From here, security teams may take action on the indicators to drive alerts or enable real-time blocking based on indicator activity.

As the popularity of threat intelligence has grown, products have entered the marketplace to manage internal, external and vendor-provided data. Security teams can now implement a threat intelligence platform (TIP) to ingest, deduplicate and action indicators based on necessity. Anomali, EclecticIQ, Recorded Future, ThreatConnect and ThreatQuotient are a few vendors in the TIP market.

Information sharing and analysis centers (ISACs) are another great example of information sharing done across public and private sectors. Among sectors, ISACs are nonprofit consortiums that share information based on cybersecurity threats. Industries band together and work to share information to help strengthen cyberdefenses across the sector. Financial services (FS-ISAC), retail (R-CISC), national health (NH-ISAC), and oil and gas (ONG-ISAC) are a few examples.

Another option that stems from 2015’s US Executive Order 13691, an order that promotes private-sector cybersecurity information sharing, are information sharing and analysis organizations (ISAOs).2 ISAOs are similar to ISACs, but they are not sector-specific. In short, ISAOs gather and propagate indicators that have been analyzed across a broader community of participants. Executive Order 13691 encourages sharing of information related to cybersecurity risk and to voluntarily partnering with the federal government.

Connecting many intelligence-sharing communities, the Global Resilience Federation (GRF) enables multiple sectors to join in a threat-sharing initiative.3 Given that many attacks may target more than one industry at a time, the GRF provides the connective tissue between ISACs, ISAOs and community emergency response teams (CERTs).

Vulnerability Disclosure and Bug Bounty Programs

Vulnerability disclosure and bug bounties have grown in popularity in recent years. The programs were put in place to manage responsible disclosure and potentially financially reward (or at least publicly recognize) individuals who find vulnerabilities. The idea is for the enterprise offering the bounty to pay individuals for responsible disclosure of the vulnerability. A benefit is that vulnerabilities are privately disclosed to the enterprise offering the bounty as opposed to having vulnerabilities exploited publicly, which would require significant response. Imagine a website application that is vulnerable to millions of users’ information and that, if exploited, would lead to having to disclose the attack, a high cost to remediate, including financial loss from the stock market reacting (if publicly traded). And, of course, there are potential EU General Data Protection Regulation (GDPR) concerns as well.

Many large enterprises offer vulnerability programs. Apple, Facebook, Google, Microsoft and Uber are a few of the more well-known names of operating programs that pay out as much as US $250,000 to those who identify and notify the organization of vulnerabilities. Facebook shows an example of the structure and terms and conditions.4

However, before rushing off to create a program, it is worthwhile to take a step back and outline how the program will be managed. As such, companies such as Bugcrowd, HackerOne and Synack have emerged to help organizations manage their vulnerability disclosure programs.

It is important to verify one’s ability to manage a vulnerability and bug bounty program. Great reward can come from it when teams have the ability to manage a vulnerability under control vs. crisis. But, at the same time, it does require dedication and maturity.

What constitutes a bug? What does the reward structure look like? How is feedback and communication handled with those who find vulnerabilities? These are just a few of the questions that need to be answered before embarking on a vulnerability reward program. Done properly, disclosure and reward programs can help manage risk associated with application vulnerabilities.

Conclusion and Next Steps

Start small and manage well. Enterprises should be careful what they wish for when it comes to information. While there is value in crowdsourcing, security teams may not have the time and tool resources to manage the information flow. As such, they may find themselves inundated. In fact, if a pragmatic process is not in place, security teams may find themselves worse off than had they not embarked on crowdsourcing in the first place.

This is why one of the first places organizations start is with their employees and work toward gathering phishing and other incident indicators. Enterprises are also focusing on what is, typically, the most significant issue facing organizations regardless of size and industry—phishing.

As with many aspects of cybersecurity, transparency is important with the internal management team. It is important for legal to be involved from the beginning, especially if there is vulnerability disclosure or information sharing involved.

There is strength in numbers, and crowdsourcing is a way to improve resiliency in risk management. Attackers leverage a community, and security teams can do the same in their quest to continue managing an acceptable level of cybersecurity risk.

Endnotes

1 United States Computer Emergency Readiness Team, “Information Sharing Specifications for Cybersecurity,” http://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity
2 Department of Homeland Security, “Information Sharing and Analysis Organizations (ISAOs),” USA, http://www.dhs.gov/isao
3 Global Resilience Federation, http://grfederation.org/
4 Facebook, “Information,” 12 September 2018, http://www.facebook.com/whitehat

Mike Saurbaugh, CRISC, CISM, CISSP, MSIA
Serves as a director of technical alliances with business development solution integration responsibility for enterprise customers. Previously, he spent nearly two decades leading cybersecurity and technology in financial services and was the head of cybersecurity for 12 years. Saurbaugh is faculty with IANS Research and strategically advises Fortune clients on cybersecurity. Involved from the onset with Security Current when it launched, Saurbaugh served as the research director, leading a number of strategic projects for global security vendors and CISOs. Saurbaugh is also a mentor with cybersecurity accelerators MACH37 and Queen City Fintech, and he owns a security consulting LLC through which he conducts independent advisory and risk assessment engagements. Saurbaugh has served in various curriculum advisory committee roles for higher education.