Understanding collective defense as a path to better cybersecurity
Cybersecurity is in many ways characterized by very insular priorities. Organizations focused on protecting their own network perimeters, systems, and data rightly develop highly customized and personalized strategies. As a result, companies that outwardly appear very similar, competing in the same industry for the same customers, can have very different approaches to prevention, mitigation, and recovery.
Granted, the entire cybersecurity ecosystem is supported by a wide variety of vibrant communities where collaboration plays a fundamental role. However, the idea that organizations can work together at a deeper level to provide “collective defense” is less common.
In cybersecurity terms, collective defense means that organizations share the most useful resources, information, and processes to improve resilience between otherwise unconnected entities. For many, it will be more familiar as a geopolitical and military concept, with NATO’s Article Five, for example, stating that an attack on one member state is treated as an attack on all. This sends a clear and unifying message to potential adversaries and adds significantly to the resources available to each individual country.
Organizations that invoke collective defense to protect their IT and data assets typically focus on sharing threat intelligence and coordinating threat response actions to counter malicious threat actors. Success depends on defining and implementing a collaborative cybersecurity strategy where organizations, both internal and external, work together across sectors to defend against targeted cyberthreats. When done right, it can be extremely effective.
Vice President of Collective Defense at Cyware.
Building momentum
But how does this play out in the real world? There are a growing number of examples to draw from, including the joint legal action launched last year by Microsoft, Fortra LLC, and Health-ISAC. This alliance targeted actors deploying cracked versions of Cobalt Strike or actors openly violating Microsoft’s terms of service, specifically the malicious implementation of its proprietary APIs. As media analysis at the time noted, “this disruption won’t stop cybercriminal activity, but it will strain their resources.” The point is that organizations will collectively be better able to detect, challenge, and dismantle the infrastructures that support cybersecurity risks.
In its most recent Digital Defense Report, Microsoft also focused on the need for broader efforts to improve collective cyber resilience. For example, in the face of advanced cyberthreats, the report points out that collaboration and a united front are essential to building a more secure digital landscape. In this context, open-source and supply chain security vulnerabilities could be significantly ameliorated through the use of collective action.
Take, for example, the Open Source Security Foundation (OpenSSF), a cross-industry forum dedicated to addressing emerging security challenges. Its role includes developing frameworks to address challenges, such as improving understanding of supply chain threats and effective mitigation strategies.
Other organizations are also helping to support collective defense, such as the Open Cybersecurity Alliance (OCA), a non-profit coalition under the umbrella of OASIS Open. The OCA supports an open ecosystem where cybersecurity tools work together without the need for custom integrations, allowing cyber defenders to collaborate more effectively by reducing technical barriers to sharing.
At the government level, regulatory guidance such as the SEC’s cyber incident reporting regulations, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), and the EU Cybersecurity Act are another important part of the collective defense picture. What these different initiatives have in common is their emphasis on promoting a collaborative, community-centric approach to fortifying the digital ecosystem against ever-evolving cyber risks.
From theory to implementation
To put this into practice, organizations must commit to coordinating their cybersecurity strategies to identify, mitigate, and recover from threats and breaches. This should begin with a process that defines the stakeholders who will participate in the collective defense initiative. These can range from private companies and government agencies to nonprofits and Information Sharing and Analysis Centers (ISACs).
The approach will only work if it is based on mutual trust, so mechanisms such as confidentiality agreements, clearly defined roles and responsibilities, and a commitment to operational transparency play a key role. Operationally, secure, real-time communication channels are essential to ensure that threat and defense intelligence can be shared. Similarly, the community must establish processes to disseminate indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs), supported by best-practice information and incident reports.
Collective defense communities can also look to the Cyber Fusion Center model to bring together relevant security functions, including threat intelligence, security automation, threat response, security orchestration, and incident response, into a cohesive approach. A practical example of how this can work is when vulnerability management and incident response teams work together to more effectively deal with a bug exploitation incident than would be possible by working in silos.
Given the challenging array of cybersecurity risks we face today, collective defense not only represents a sound approach to improving protection, but it can also transform the security posture of organizations currently trying to go it alone. As such, it’s a model that fits perfectly with the idea that “the whole is greater than the sum of its parts.”
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.