Best Practices for Building an Information Sharing Community
This document describes the practical aspects of setting up an information sharing community using CSAP. Unlike a regular guideline document, it was created by conducting in-depth research, analyzing practical best practices, and gathering feedback and experience from existing CSAP customers, as well as their success in setting up an information sharing community. Organizations that are getting started with CSAP can use this document as a step-by-step guide to the practices that are necessary for the success of an information sharing initiative.
Before You Start With CSAP
This section describes, in detail, the key aspects required for the success of an information sharing community. The activity mentioned in every key aspect must be organized and kept ready in order to quickly onboard and get started with the CSAP application.
Define Your Success Criteria
When getting started, it is important to define success criteria for your community and outline what it means to be successful in the first 90, 180, 270, and 365 days. This is done in order to drive both engagement with your Members and the adoption of key technologies. Cyware solutions give you the options to drive both human engagement and machine-to-machine sharing. With that, it is important to understand as much as possible about the overall capabilities of your membership and what levels of interaction to expect. Using this knowledge, coupled with the understanding of the overall goals for your community, you can actively plan how to best drive the adoption of your new community engagement tools.
For example, initial engagement may include a large portion of your Members as they dive into new technology offerings. However, most sharing communities, without consistent and effective activity from the community moderators to maintain interactions, will likely see their Members limit their overall daily interactions. Communities with a solid and persistent engagement strategy and focus on driving consumption of key content directly from the platform will see a higher level of long-term adoption in their communities.
With this in mind, it is important to define what success means to your community. A few key items to consider include the following:
Daily active users compared to total registered users.
Consumption of information by Members: are they using what the community is producing? (Many Members may focus exclusively on consuming information.)
Member creation of useful information.
Total number of Members actively consuming information in an automated manner.
Total number of Members sharing information in an automated manner, as well as the quality of the data.
Depending on your community’s goals and your Members’ overall capabilities, it is important to remember that every community is different, and some values may be more indicative of success than others. Some communities can effectively drive the adoption of a portal with heavy human interactions, while some might be more focused on producing key content for consumption by their communities.
CSAP allows you to track all metrics related to the above-listed items from a user-friendly dashboard. Community organizers can perform quick analysis and generate reports to make the overall information sharing process as effective as possible.
Define Your Governance
One of the important steps to perform for starting any information sharing community is to define the vision, mission, and purpose in order to keep information-sharing efforts in the right direction and enable member organizations to derive the best possible outcomes. In addition, information sharing communities must have well-defined objectives regarding the information they want to share with Members, as well as ensure that the information shared with the member is consistent and relevant.
To solve these challenges, CSAP allows member organizations to be categorized into different Recipient Groups that are useful while sharing information. Custom Recipient Groups for Threat Intel Teams, Executives, CISOs, Crisis Response Teams, and others can also be created based on niche requirements. Additionally, Members can be categorized based on organizations, locations, and sectors.
CSAP provides alert categories that enable information sharing community analysts to include relevant information in every threat alert shared with Members.
Real-Time Alerting
Analysts must share processed information, without duplicates, and information that enables decision makers to respond to an incident. This may require real-time telemetry of exploited vulnerabilities, active threats, and attacks. It may also contain information about the targets of attacks.
CSAP allows sharing of real-time situational awareness alerts on the latest incidents, breaches, malware, vulnerabilities, and threat methods with Members. Alerts can be scheduled to be published at a particular time to ensure timely information sharing. CSAP allows ISACs to extend their security perimeter by creating trusted sharing communities with Members, vendors, clients, suppliers, distributors, and other third-party organizations. They can then share daily cyber threat briefs, notifications about new threats, phishing attacks, and incidents in real time over the web, email, and mobile.
The ISAC security analyst team can alert all Members, or a limited group of members in a state or a country, by sending targeted emergency alerts using the Crisis Notifications feature during cyber or physical emergencies. This also helps gauge the magnitude of the crisis based on the Members' responses.
CSAP Analyst Portal users with an Analyst role can use Threat Levels to indicate the level of ongoing malicious cyber activity, along with the requisite preparedness measures that must be undertaken against them. Security teams can modify or update Threat Levels based on parameters that they consider to be essential, such as likely damage due to threat, preventive measures in place, risk level, and criticality of the threat.
Threat Assessments are used to quickly get a pulse of how many Members are impacted by a vulnerability, malware, or threat. CSAP allows Analysts to include Threat Assessment questions in alerts that are shared with Members. Security teams can also view the consolidated responses provided by Members to assess the company or sector-wide impact, providing quick and timely feedback to the originator of the alert.
Collaboration is the Key
The key focus of the sharing community is on strengthening collaboration by ensuring the correct way of exchanging information and fostering feedback. However, since every community has different needs and different capabilities, a community must have the ability to effectively pivot across collaboration assets while maintaining a central repository of all information.
CSAP fosters collaboration between Members in the following ways:
Members can directly share threat intel reports with other Members in the information sharing community to enable better collaboration and defense against relevant threats.
Work groups can be easily created, allowing for quick and focused responses to key events and concerns by leveraging Recipient Groups.
CSAP enables multiple methods for Members to provide feedback on content being shared, including relevancy and value of the content provided.
Threat Assessment enables security teams to quickly get a pulse of how many Members are impacted by a vulnerability, malware, or threat activity. CSAP allows all Members to contribute to the outline of a threat or intelligence item by supplying the required details directly from the alert content.
Requests for Information (RFI) can be generated by Members from the CSAP Member Portal and submitted to the information sharing community for various purposes, such as gathering information about subjects and staying informed about the assessment and steps taken by the security team to support and improve the overall security posture. RFIs also allow users to communicate with analysts using their standalone collaboration features.
CSAP allows the security analysts who manage the information sharing community to classify information, using Traffic Light Protocol (TLP) or customized alert classification methods, before securely sharing it with Members.
Threat Levels allow communities to indicate the current level of malicious cyber activity. Security teams can determine and update threat levels based on various parameters, such as likely damage due to the threat, preventive measures that are in place, and other crucial data such as risk level and criticality of the threat.
Knowledge Sharing
The ability to capture and leverage the vast knowledge shared by information sharing community Members is one of the many reasons new organizations look to join collaborative environments. Document sharing and knowledge repositories pave the way for the continued success of sharing communities. However, Members tend to miss out on the vast knowledge that has already been collected and shared by the community and current Members. The key information Members need in order to react to crisis situations gets lost when there is no proper mechanism for sharing, accessing, and storing documents and knowledge repositories. CSAP enables this historical and collaborative knowledge sharing through two major features:
The Knowledge Base allows the ISAC to upload an extensive set of documents such as policies, guidelines, and handbooks, and allows Members to access them easily from the web and mobile platforms.
The Doc Library allows the ISAC, as well as individual Members, to store important files where users can find and download them from the web and mobile platforms.
Follow the TLP Rule for Information Sharing
Trust building is one of the key aspects of an information sharing community, and Traffic Light Protocol (TLP) is the best way to encourage greater sharing of information with the right recipients. TLP provides a simple and intuitive schema for indicating when and how sensitive information can be shared, facilitating frequent and effective collaboration. This, in turn, facilitates the greater sharing of actionable information without delay and empowers Members to better defend networks and mitigate threats.
CSAP allows Analysts to share information automatically with the right recipients based on TLP grouping. Analysts can also choose to show or hide information to the recipients based on the TLP selected for the information.
CSAP enables Members to share threat intelligence with other Members who have shared TLP clearance.
CSAP allows the addition of TLP to Knowledge Base documents to ensure that they are shared with the right recipients.
Analysts can also choose to limit the sharing of files and folders in the Document Library based on Recipient Groups and TLP.
Milestones
Define what it means for your community to be successful, in 30, 60, 90, and 365-day increments.
Organize your community Members into appropriate recipient groups and name your recipient groups.
Plan the alert categories and name the categories appropriately. You can also make specific categories available to Members for the purpose of information sharing.
Gather accurate location information of your Members in order to send targeted alerts.
Classify Members according to organizations/organization types.
Draft Threat Level indications that can be commonly interpreted by the community.
Create forms and map them to alert categories. The categories available for Members can be utilized for threat intel sharing.
Create Member Admins and Intel Approvers. Member Admins can add new Members to the community and Intel Approvers can review and approve the information submitted by Members from your community.
Set up Knowledge Base categories and allow Members to upload an extensive set of documents, such as policies, guidelines, and handbooks. Members can then easily access them from the web and mobile platforms.
Create appropriate folders in the Doc Library in order to provide access to the right set of Recipient Groups.
Set your TLP definitions according to the standard practices of your organization, sector, or community. The same TLP definitions can then be configured in CSAP.
Create Channels to automatically publish alerts from trusted sources to appropriate Recipient Groups. Channels help in grouping alerts based on Info Sources, Recipients, and Tags. If any of the published alerts contains the configured Info Source or Tags, then the alert is automatically grouped into the appropriate Channel.
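The two rules described above, TLP-gated delivery to Recipient Groups (see the TLP section) and automatic Channel grouping by Info Source or Tags, can be modelled together. The following is an added example written for this document, not CSAP code: the class names, the "maximum TLP" clearance per Recipient Group, and the sample configuration are all assumptions, and the TLP 2.0 label ordering follows the FIRST standard.

```python
from dataclasses import dataclass, field

# TLP 2.0 labels, least to most restrictive (FIRST standard).
TLP_ORDER = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "AMBER+STRICT": 3, "RED": 4}

@dataclass
class RecipientGroup:
    name: str
    max_tlp: str  # most restrictive label this group is cleared to receive (assumed model)

@dataclass
class Channel:
    name: str
    info_sources: frozenset
    tags: frozenset
    recipient_groups: frozenset  # names of the groups subscribed to this channel

@dataclass
class Alert:
    title: str
    tlp: str
    info_source: str
    tags: frozenset = field(default_factory=frozenset)

def tlp_permits(alert_tlp: str, group_max_tlp: str) -> bool:
    """Fail closed: an unknown or mislabelled TLP value is never shared."""
    if alert_tlp not in TLP_ORDER or group_max_tlp not in TLP_ORDER:
        return False
    return TLP_ORDER[alert_tlp] <= TLP_ORDER[group_max_tlp]

def matching_channels(alert: Alert, channels) -> list:
    """A channel matches when it lists the alert's Info Source or any of its Tags."""
    return [c for c in channels
            if alert.info_source in c.info_sources or alert.tags & c.tags]

def route_alert(alert: Alert, channels, groups) -> dict:
    """Return {group_name: [channel_names]} for groups both subscribed and TLP-cleared."""
    by_name = {g.name: g for g in groups}
    routing = {}
    for ch in matching_channels(alert, channels):
        for gname in sorted(ch.recipient_groups):
            g = by_name.get(gname)
            if g and tlp_permits(alert.tlp, g.max_tlp):
                routing.setdefault(gname, []).append(ch.name)
    return routing

# Constructed sample configuration (not taken from any real community).
GROUPS = [RecipientGroup("all-members", "GREEN"), RecipientGroup("ciso-council", "RED")]
CHANNELS = [Channel("vuln-feed", frozenset({"NVD"}), frozenset({"vulnerability"}),
                    frozenset({"all-members", "ciso-council"})),
            Channel("incident-feed", frozenset(), frozenset({"incident"}),
                    frozenset({"ciso-council"}))]
```

An AMBER alert from the NVD source therefore lands in the vuln-feed channel for the ciso-council group only, while the GREEN-cleared all-members group never sees it.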
Considerations for Building an Information Sharing Community
Before understanding how to set up your information sharing community using CSAP, it is important to know the key aspects that help in the sustained operation, enhanced collaboration, and continued participation of members in an information sharing community. Since this document describes the crucial steps that need to be performed in CSAP for setting up information sharing communities, it is important to define the key parameters for a successful information sharing community.
The goals and objectives of an information sharing community should be designed in a way that advances the overall security strategy of such communities, as well as enables more effective management of risk. Your organization should be able to combine the overall knowledge and experience of your own security teams with the member organizations that are part of your community. Additionally, this should enable you to share information with the community while operating in accordance with its security, privacy, regulatory, and legal compliance guidelines.
Additionally, the following key aspects play a major role in the success of the information sharing community: