Information Sharing and Analysis Centers (ISACs) are generally vertically focused, organized around the critical infrastructure sectors defined by the US Government.
Red Sky relies on a diverse group of participants and is not restricted by industry. In fact, Red Sky uses that diversity to create a rich, decentralized analysis forum.
In most ISACs, company submissions are completely anonymized. Because the sources of incident reports are unknown to the participants, companies cannot talk to each other about the incidents they incur. As a result, analysts at the ISAC have no way of asking the originator questions to clarify analysis before publishing to the broad membership. Red Sky relies on both its own team of analysts and those of participating members. Internal to Red Sky, participants know each other.
There could be hesitancy to communicate in a community forum where a CISO does not have 100% assurance (personal confirmation) of who is listening, particularly for incident issues and sensitive issues.
This is a mainstay of our business. We believe this to be one of our strongest value propositions. Confidentiality is as critical to trusted information sharing as good analysis!
Red Sky will never associate any company name(s) with intrusion activities or discussions in any Red Sky analytic forums. Companies may choose to do so, but Red Sky will not. We are happy to guarantee this in writing. In fact, our subscriber acceptable use document calls this out specifically.
My company (a bank) does not like to be first with a new vendor. Credibility on their part would be needed by having other large firms first.
Yours is not the first banking customer. We believe you will find value from our first banking members and from the value added by our first Red Sky analysts. Founding members have been hand-picked to ensure value-add to our community.
I like Red Sky’s idea of using a Social Networking interface. Looks promising. What is the specific vetting process for participants to have access to this service?
To ensure the value and integrity of new members, our board, the CISO Executive Network, and our Founding Members (our Advisory Board) will be used to vet new members. Initial members have strong ties with someone involved in the formation: our own contacts or trusted referrals from others like the CISO Executive Network. Our first two were both invited to participate.
Longer term, once the Founding Members are on board, new membership vetting will follow slightly modified FIRST membership processes. New members will require endorsements from two others (advisory board members or nominating members) to accompany their application and fee. The FIRST process is well seasoned and widely accepted.
Will access to the service require two-factor authentication?
Information that I would like to see on Red Sky that would be of value: Attack signatures (C2s, malware signatures, tools used, etc.), specific recommended detection and remediation methods as they are developed, information on APT attack origin assessments, and specific malware analysis specifications to ascertain if malware is targeting an organization or just a nuisance virus.
Red Sky will offer all of these services over time. Attribution, however, is the role of law enforcement and counter-intelligence. Red Sky analysts come from this space and envision authoring papers discussing attribution and the tactics, techniques and procedures used. Speculative attribution is easy. Backing it up with enough detail to point fingers is extraordinarily hard. Red Sky wants to protect your environment first, point fingers second.
Profiling tactics, techniques, and procedures (TTP) has become a useful tool for understanding indicator quality and forecasting attackers’ next moves. Indicators can quickly be compared to multiple open sources to understand how widely they are used. Red Sky analysts and others operate in the decentralized community of peer-reviewed practitioners.
I am curious as to how Red Sky can ensure the integrity and accuracy of the information posted by participants. Also, how much moderation would Red Sky provide for postings?
Red Sky participants and all of their comments, analysis, and discussions are subject to peer review. Each participant will earn a 1-5 Star rating based on instantaneous feedback provided by the reader. Every posting has two buttons available to readers: “This answer is correct” and “This answer is helpful”. Each participating analyst will be scored using a five star rating system that is built over time from the compilation of input scoring, participation, the number of ‘this is correct’ scores, and various other factors. High quality analysts will quickly rise to the top while others will have lower ratings.
The portal also offers both individualized groups and hidden groups. Individualized groups may be formed by anyone, with membership selected by the owner. Hidden groups only show up to the administrator and members. Hidden groups are not shown in search results.
Would Red Sky intelligence focus on cyber industrial espionage attacks, cyber crime attacks, or both?
Red Sky, while seemingly a security intelligence organization, is better described as an extension of your own cyber analytic organization. While ‘intel’ may be gleaned from Red Sky, intelligence is generally thought of as only predictive. We wish to be collaborative, in all activities from predictive to incident response to teaching and learning from each of our members.
Analysis provided by Red Sky and its participating membership can take any form needed. However, our focus is strictly in the following areas:
Other significant, cutting edge problems as they arise