As much as the headlines of a new bill in Washington grabbed my interest with a twinkle of hope, it turns out in some ways this may be a step away from a new wave of information sharing. It appears to promote information sharing regarding security breaches between the private sector and the government by blanketing companies with protections such as not publicly disclosing the information. While I’m all for information sharing, this seems to be more back-room sharing to the benefit of some but to the detriment of most.
One of the primary ways we can learn about information security breaches and their causes is through publicly available resources like DataLossDB. If the majority of us within the security community cannot access this information and learn from it, in the end it will only cause more breaches, not fewer. We as a community are starting to see the very early benefits of a New School way of thinking through reports like the Verizon DBIR and many others like it. By understanding what is causing real-world security incidents, we can prioritize our work and put the right controls in place to protect against them. We need to get away from what has traditionally been a practice of alchemy and black art and realize we can all learn from each other. The bad guys seem to be better at this than we are.
Here at HoneyApps we drink the New School of Information Security kool-aid on a daily basis. By taking a quantitative approach to our security and operations we have not only been able to prioritize our work more effectively, but have also learned where our product needs to evolve to support and enable these methods. With our upcoming open vulnerability explorer, we hope to combine many of the public vulnerability data sources into a single searchable, filterable view where we can also facilitate open discussions on remediation and on the controls that matter in protecting against these vulnerabilities. We’ll continue to evolve our metrics and benchmarking to provide a view into how you, as well as your peers, are doing in very quantifiable terms. In the near future we will begin to combine this with the threat and breach activity that is available, whether it’s public or via subscriptions we obtain.
There are a lot of very skilled people in functions outside of information security that continue to learn from each other and the data that is out there. Here’s to hoping the security community moves in that direction.