Field
The present disclosure relates to private collaborative analytics. More specifically, this disclosure relates to a method and system that facilitates optimal selection of collaborating partners for organizations.
Related Art
Organizations today are exposed to an increasingly large number of cyber threats, including malware and software vulnerabilities as well as botnet, zero-day, and denial-of-service attacks. In compliance with risk management frameworks, industry practices usually recommend implementation of standard security countermeasures, such as firewalls, antivirus software, patch management, and security/log audits.
Some security solutions go beyond passive defense mechanisms and offer proactive measures to predict attackers' next move. Prediction techniques rely on attack information—so-called “security data”—that companies retain: Internet Protocol (IP) addresses, domains, Uniform Resource Locators (URLs), hostnames, vulnerabilities, phishing emails, metadata (e.g., attack technique, malware, activity description), incident parameters, Threats Techniques and Procedures (TTPs), etc. The more security data a company has, the better its understanding of adversarial strategies and thus the greater the success of its prediction techniques.
Threat modeling requires as much information as possible about threats, but such information is usually scarce. In practice, companies have a limited view of malicious cyber activities and can only achieve limited prediction performance. Previous work showed that collaboration would curb this challenge, as companies are often hit by the same attacks (see, e.g., Zhang, J. and Porras, P. and Ulrich, J. Highly Predictive Blacklisting. Proceedings of USENIX Security, 2008). Therefore, companies can enhance the accuracy of security intelligence and analytics mitigation techniques if they share security data with each other, thereby increasing the availability of information about attacks.
Unfortunately, a number of problems often prevent companies from sharing security data. Companies may have different preferences regarding which partners they want to collaborate with, based on their expectations of benefiting from a collaborating relationship. For example, company X may want to share security data with company Y more than with company Z because company X may expect a greater benefit from sharing security data with company Y than with company Z. However, company Y might prefer to share data with company W more than with company X. Each company wants to benefit from its collaborative relationships, but it is difficult for companies to determine among themselves which other companies to collaborate with. In some cases, companies might not wish to follow recommendations from a central authority and might instead prefer to pick the collaborators that work best for them. Without an effective process for determining collaborating relationships to satisfy the companies' needs, the companies might not be able to benefit from collaborating and sharing security data.