

ISAOs: The benefits of sharing security information

ISAOs are a good way for organizations to share information about security threats. Expert Steven Weil explains what these organizations are and their attributes.

Cybersecurity can be lonely work. Wouldn't it be helpful if there was a place where you could share information with and get advice from fellow cybersecurity professionals? An ISAO might be exactly what you need.

An Information Sharing and Analysis Organization, or ISAO, is a group that, on a voluntary basis, gathers, analyzes and shares cyberthreat information among its member organizations. Information Sharing and Analysis Centers are types of ISAOs.

ISAOs are often formed around a specific industry or sector (e.g., legal services, medical devices). In such ISAOs, shared information is often about specific threats to an industry or sector, and can include data pertaining to information systems and applications frequently used by ISAO members. There are also ISAOs that focus on a specific geographic region, such as a city or state.

Some ISAOs are informal and offer their members a minimal set of services, while others are highly organized and offer a smorgasbord of services. The type of ISAO formed and the services it offers are decided by its members.

ISAO benefits

Organizations can benefit from joining an ISAO in several different ways. By sharing and receiving actionable cyberthreat information, organizations can gain an enhanced understanding of their threat environment and make better and more timely decisions about how to allocate cybersecurity resources to defend themselves.

By collecting and sharing information from multiple organizations, ISAOs can present their members with a detailed picture of malicious activity taking place within a specific sector or geographic region. Member organizations can then use this information to individually and collectively block attacks they may not have known about otherwise.

ISAOs in which members share non-incident information, such as cybersecurity best practices, training opportunities and unbiased product information, can help organizations develop more effective vulnerability mitigations and reduce the frequency and impact of security incidents.

What to look for

Being a member of an ISAO takes time and effort; plus, there's usually an annual fee, so organizations should be sure to carefully vet ISAOs and determine what they want to get from their membership. While it's possible to be a member of multiple ISAOs, many organizations choose to be members of just one.

An organization should first decide whether it wants to be a member of a sector- or industry-focused ISAO or one focused on a particular geographic area. Then, it should determine whether all members of an ISAO are considered equal or whether there are different membership levels.

Beyond the core set of information sharing services that almost all ISAOs offer, determine what additional services are important for your organization. Additional services can include, but are not limited to:

  • hosting a secure online discussion space for member-to-member collaboration;
  • collecting and disseminating mitigation information and resources;
  • developing and maintaining relationships with relevant government agencies;
  • hosting a secure online document repository;
  • providing cybersecurity training;
  • facilitating mutual aid among members; and
  • offering a test environment for malware analysis.

Next, decide whether you just want raw data from an ISAO, analysis of the data or both. If your organization has systems that consume threat data automatically, make sure the ISAO has an automated information sharing capability, such as Trusted Automated eXchange of Indicator Information (TAXII).

It's critical to understand what information an ISAO's members will be asked to share and whether or not attribution is required. Non-attribution can make members feel more comfortable sharing, but knowing who is sharing information can provide greater confidence in the data's quality and accuracy. Also, be sure to find out whether an ISAO shares information with state or federal governments, other ISAOs or other third parties.

It's important that your organization's data be protected, so check for formal data handling, protection and usage policies that clearly define types of shared information, appropriate sharing methods and safeguarding requirements. Mature ISAOs will typically use a data classification method such as the US-CERT Traffic Light Protocol.
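The attribution and data handling points above can be expressed as a release-control check that runs before a record leaves the ISAO. This is an added illustration, not code from the article or from any ISAO; the recipient scope names and the sample records are constructed for the example, while the TLP label meanings follow the US-CERT/FIRST TLP 1.0 definitions.

```python
"""Release control for threat records shared through an ISAO (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional

# Recipient scopes from narrowest to widest audience (hypothetical names).
SCOPES = ("named_recipient", "member_org", "sector_community", "public")

# Widest scope to which each TLP 1.0 label permits disclosure.
TLP_MAX_SCOPE = {
    "TLP:RED": "named_recipient",     # only the people it was handed to
    "TLP:AMBER": "member_org",        # receiving organization, need-to-know
    "TLP:GREEN": "sector_community",  # peers and partners in the community
    "TLP:WHITE": "public",            # unlimited disclosure
}

@dataclass
class ThreatRecord:
    indicator: str
    tlp: str
    submitter: Optional[str] = None   # attribution; dropped under non-attribution
    notes: str = ""

def release_for(record: ThreatRecord, scope: str, non_attribution: bool):
    """Return a copy cleared for `scope`, or None when the TLP label forbids it.

    A missing or unknown TLP label is treated as TLP:RED (fail closed): an
    unlabeled record is the one most likely to be over-shared by accident.
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown recipient scope: {scope}")
    label = record.tlp.upper() if record.tlp else ""
    max_scope = TLP_MAX_SCOPE.get(label, "named_recipient")
    if SCOPES.index(scope) > SCOPES.index(max_scope):
        return None
    cleared = replace(record)            # never mutate the stored record
    if non_attribution:
        cleared.submitter = None         # strip who reported it
    return cleared

def batch_release(records: List[ThreatRecord], scope: str, non_attribution=True):
    """Filter a batch and return only the records cleared for `scope`."""
    cleared = (release_for(r, scope, non_attribution) for r in records)
    return [r for r in cleared if r is not None]

# Constructed sample records; the indicators are placeholders, not real IoCs.
SAMPLES = [
    ThreatRecord("hxxp://example.invalid/login", "TLP:GREEN", submitter="Member A"),
    ThreatRecord("203.0.113.7", "TLP:AMBER", submitter="Member B"),
    ThreatRecord("sha256:placeholder", "", submitter="Member C"),  # unlabeled
]

if __name__ == "__main__":
    for rec in batch_release(SAMPLES, "sector_community"):
        print(rec)
```

Sharing to a partner ISAO or a government agency maps onto one of these scopes per the ISAO's own policy; the point is that the scope decision and the attribution decision are both made explicitly, per record.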

Finally, check that the ISAO has a formal governance model and a governing body that is authorized to make decisions and convey the ISAO's organizational policies. This matters when an ISAO has to reconcile competing priorities and conflicting approaches to reaching its objectives.

A properly vetted ISAO can enable you to become part of a deep and broad network of cybersecurity information sharing, plus help reduce your organization's risk. There are many ISAOs available, so check them out and see if they fit your organization's needs.


This was last published in May 2017
