Why Sophos joined the Cyber Threat Alliance
One of the most powerful cybersecurity weapons is collaboration.
Cybersecurity is asymmetric – to protect your organisation you need to win all day, every day, but your adversaries, the criminals trying to break into your network, only have to win once to succeed.
Bad actors are constantly fine-tuning their attacks: refining their social engineering, churning out new variants of malware and discovering and exploiting new vulnerabilities.
One of the most powerful weapons we can use to redress this asymmetry is collaboration.
That’s why we have always been a willing partner in collaborative computer security efforts, and it’s why joining the Cyber Threat Alliance (CTA), a collaborative effort that reaches beyond our industry, was a no-brainer.
More than the sum of its parts
The CTA was established in 2014 to connect government, business and security vendors and it’s now emerging as a powerful and substantive force. The alliance was founded by Cisco, Fortinet, McAfee, Palo Alto Networks and Symantec.
Members of the CTA are professional researchers with solid reputations, and the alliance is adding verification and service level agreements to what has previously been a “gentlemen’s agreement” amongst security researchers.
The alliance’s value is clear: it brings together some of the most established, innovative and successful cybersecurity operations in the industry. It provides a forum with defined service levels in which to put marketplace rivalries aside and to nurture meaningful collaboration between industry leaders in defense of the common good.
CTA’s focus is on exchanging rich contextual information on cyberattacks. Modern threats are complex and fast-moving and the CTA rewards the members who share fresh data on threat lifecycles and attributions.
We receive intelligence from the millions of devices and networks we protect around the world, and sharing that with CTA members benefits everyone by helping the industry to respond to threats more rapidly.
Our membership is already producing results from which our customers will benefit.
CTA’s year of expansion
Our entry into the CTA comes in a year where the organization has grown significantly. In February the CTA was formally incorporated as a non-profit entity and we are among three new members to have joined in the past four months.
The addition of a company based in the UK brings the benefits of the CTA platform to the UK and strengthens the alliance throughout Europe, Asia and across the globe, according to CTA president Michael Daniel.
SophosLabs’ top priority after joining the CTA was ensuring the richness and accuracy of the data we share. We started by exposing only malware samples that aren’t already known to the public, along with actionable context for each file such as command and control addresses and malware family names.
As well as malware samples, SophosLabs is contributing URLs it has found hosting malware, paired with information on the malicious files they’re harboring.
The combination of these two methods provides visibility into both malware attack vectors and post-infection behaviors and kill-chains.
Daniel said that, despite being the newest members of the alliance, this year’s entrants have already exceeded the minimum daily sharing threshold.
As the alliance has now grown to six affiliate members in good standing, the organization will be holding elections for three seats on the Board of Directors that are held for representatives of affiliate members. These representatives will be elected by their CTA member peers and will join the Founding Members’ CEOs on the Board of Directors for a term of one year.
Our push for more industry collaboration
It’s the second time this year we have joined an organization designed to combat modern security threats through collaboration.
Over the summer, we announced our new membership of the Global Cyber Alliance (GCA), where entities from the public and private sectors collaborate across borders to combat malicious cyber activities. That alliance was founded by a partnership of law enforcement and research organizations such as the City of London Police, Manhattan District Attorney and the Center for Internet Security.
Among other activities, GCA has launched an initiative to drive adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent email-based phishing.
At the time, Sophos chief strategist Anup Ghosh compared the company’s alliance with GCA to superheroes joining the Justice League:
Think of it as infosec’s Justice League or Avengers – an ensemble of heroes joining forces to fight evil.
By joining the CTA as well, we’ve shown that, unlike in the movies, real-world heroes don’t have to choose between the Avengers and the Justice League: they can be in both.