In the aftermath of the March attack on RSA, some SecurID customers turned to one another for help in deciding what to do about their organizations’ potentially compromised tokens. Take The Bank of New York, which ultimately accelerated its plans to replace its tokens after its then-chief security officer (CSO) consulted with his counterparts at other companies.
“We were thinking about postponing it until 2012,” says Tom Malta, a senior technology risk executive and former CSO at The Bank of New York. But after Malta posted a question to other members of an invitation-only social media network for CSOs and other security executives about how they were handling their RSA tokens in the wake of the breach, he learned most were already in the process of replacing their tokens. “I went back to my management [at The Bank of New York] and told them my peers in the industry were about to move on it, so we should do it [as well],” he says.
The RSA breach provided a classic test case for the so-called Wisegate online community, a new invitation-only social network where CSOs can confidentially share information about breaches, security events, and products. Wisegate was created last year and emerged from stealth mode in September as what its founder, Sara Gates, describes as “a private Yelp plus Match.com” aimed specifically at IT, especially information security executives such as CSOs. Gates, the former head of Sun Microsystems’ identity management unit, says she conceived of the idea for an invitation-only social medium because top-level security execs need somewhere to congregate and safely and confidentially share and confer on security experiences, information, and intelligence.
“It’s a resource fueled by community,” Gates says. “Our mission is not to be a social network, but to be a resource that applies to delivering information from peers.”
Malta, a founding member of Wisegate, says the RSA hack was a key example of how the community helps CSOs touch base with one another on how their organizations are handling a specific security event or new product rollout. “It helps bring a sense of urgency to our programs and enables us to go back to our companies on whether we should move on this or that,” he says.
The underlying problem, of course, is that the bad guys are regularly sharing attack and other security intelligence, while victim organizations are at a disadvantage, typically isolated and without a main go-to place to share or compare their experiences.
There are plenty of other forums for sharing attack intelligence and other security issues, such as the Bay Area CSO Council, whose members were arguably among the worst hit by Aurora and had already been confidentially sharing various types of attack information long before that attack. The U.S. defense industry has its own online exchange for swapping attack information, for example, and the FBI-led InfraGard events also serve as a way for local businesses, academic institutions, state and local law enforcement agencies, and CISOs to network and gain intelligence on the latest threats.
What’s unique about Wisegate is that it’s invitation-only, and no vendors are allowed. Phil Agcaoili, chief information security officer at Cox Communications, says the Wisegate security community is a new way for organizations to help one another defend against attackers. “Our adversaries are sharing and have been for quite some time,” says Agcaoili, who is also a founding member of Wisegate. “Information-sharing on the defensive side is important … We need it across organizations, and we need people at all levels talking and sharing.”
Agcaoili wouldn’t give specifics on the kinds of things he discusses on the site with other CSOs and security professionals in keeping with the community’s confidentiality policy, but he says the RSA compromise was a big topic this year. “We talked about the RSA compromise and came together” and shared information, he says. “Frankly, it put a little more urgency on the next steps for me and helped me solidify that there has to be more activity here, so let’s not wait and make sure we are being more proactive” about responding to the RSA breach, he says.
The site’s interface looks like a cross between LinkedIn, Twitter, Facebook, and other social media sites, but it doesn’t really operate like them. “It’s sort of an unsocial social network. This is a private, by invitation-only community just for senior execs like myself for sharing what’s going on in security and in and around technology,” Malta says.
The catch, however, is that Wisegate is a subscription-based community, unlike most social media sites. Individual members pay $1,000 per year. Its members say it pays for itself, however, by reducing the need for conference and in-person meeting travel. A member can invite a colleague or friend to join; that person is then vetted by Wisegate and, if accepted, offered membership. A member must have a senior title and work for a company with more than 1,000 employees. And he or she cannot work for a vendor.
And there’s always the risk that not all members will respect the confidentiality rules of engagement. That is likely why many members are still not sharing a lot of specifics on breaches in their organizations. “People are still hesitant in sharing the gory details,” Malta says. “There has been a lot of talking about breaches on a firewall or perimeter security and what people are doing with malware. They are starting to get a little more specific now.”
There tends to be more collaboration on threats across the security disciplines within the community, which is broken into microcommunities. “For example, a member who runs identity management for a Fortune 1000 company was telling the cybersecurity-focused members that their receptionist had the latest malware on his laptop and that had become a point of vulnerability,” Wisegate’s Gates says. “As a result, they are focused as much on communicating with employees for what suspicious behavior might look like as they are with what technology can do. So the identity management-centric members and the APT-centric members are able to cross security disciplines to collaborate and solve problems.”
Gates says individuals can request a membership invite by visiting this link.