Microsoft has announced a private preview of Interflow, a security and threat information exchange platform for professionals working in cybersecurity.
The project - which has been in development for around 18 months - uses industry specifications to create an automated, machine-readable feed of security and threat information.
The idea is that this data can be used by security professionals, giving them the ability to respond to threats in a timely manner.
The concept underlying Interflow is not new, as Sophos pioneered a virus information exchange in the early 1990s, with support from several other vendors, but the project fell away over time due to competitive issues.
In 2000, the IT security industry created AVIEN (anti virus information exchange network), with a sister group - AVIEWS (anti virus information and early warning system) - arriving two years later. Both groups were combined as the new AVIEN in 2008.
Interflow picks up on the data sharing idea by allowing analysts and researchers to share the data feed across industries and groups in real time. It supports open specifications such as STIX (structured threat information expression), TAXII (trusted automated exchange of indicator information) and CybOX (cyber observable expression), so that indicators can be collated automatically wherever feeds are published in those formats.
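To make the "automated collation" point concrete, here is an added example of what a consumer of STIX-formatted feeds does: parse indicators from two feeds, merge duplicates while keeping track of which source reported each one, and check the merged table against proxy logs. This is illustrative code written for this article, not Microsoft's Interflow code. The two feed documents, the source names (vendorA, certB), the indicator values and the log lines are all constructed; the XML uses the real STIX 1.1 and CybOX 2 namespace URIs but carries only the elements needed for an address and a domain-name indicator, so it is a simplified package rather than a schema-complete one.

```python
"""Collate STIX 1.x-style indicator feeds and match them against log lines.

Added example for this article, not Microsoft's Interflow code. The feeds,
source names, indicator values and log lines below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Real STIX 1.1 / CybOX 2 namespace URIs; only a handful of elements are used.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]


def feed(source, indicators):
    """Build a constructed, simplified STIX-style package from (title, kind, value) tuples."""
    body = []
    for i, (title, kind, value) in enumerate(indicators, 1):
        if kind == "ipv4-addr":
            props = ('<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">'
                     '<AddressObj:Address_Value>%s</AddressObj:Address_Value></cybox:Properties>' % value)
        else:
            props = ('<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">'
                     '<DomainNameObj:Value>%s</DomainNameObj:Value></cybox:Properties>' % value)
        body.append('<stix:Indicator xsi:type="indicator:IndicatorType" id="%s:indicator-%d">'
                    '<indicator:Title>%s</indicator:Title><indicator:Observable>'
                    '<cybox:Object>%s</cybox:Object></indicator:Observable></stix:Indicator>'
                    % (source, i, title, props))
    return ('<stix:STIX_Package xmlns:stix="%s" xmlns:indicator="%s" xmlns:cybox="%s" '
            'xmlns:AddressObj="%s" xmlns:DomainNameObj="%s" xmlns:xsi="%s" version="1.1">'
            '<stix:Indicators>%s</stix:Indicators></stix:STIX_Package>'
            % (NS["stix"], NS["indicator"], NS["cybox"], NS["AddressObj"],
               NS["DomainNameObj"], NS["xsi"], "".join(body)))


def parse_indicators(xml_text, source):
    """Yield (kind, value, title, source) for each indicator whose object type we understand."""
    root = ET.fromstring(xml_text)
    for ind in root.iterfind(".//stix:Indicator", NS):
        title_el = ind.find("indicator:Title", NS)
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        for props in ind.iterfind(".//cybox:Properties", NS):
            xsi_type = props.get(XSI_TYPE, "")
            if xsi_type.startswith("AddressObj:"):
                kind = props.get("category", "addr")
                value_el = props.find("AddressObj:Address_Value", NS)
            elif xsi_type.startswith("DomainNameObj:"):
                kind = "domain"
                value_el = props.find("DomainNameObj:Value", NS)
            else:
                continue  # unsupported CybOX object type: skip rather than guess
            if value_el is not None and value_el.text:
                yield kind, value_el.text.strip().lower(), title, source


def collate(feeds):
    """Merge (source, xml) feeds into one table keyed by (kind, value), recording every source."""
    table = defaultdict(lambda: {"sources": set(), "titles": set()})
    for source, xml_text in feeds:
        for kind, value, title, src in parse_indicators(xml_text, source):
            table[(kind, value)]["sources"].add(src)
            table[(kind, value)]["titles"].add(title)
    return dict(table)


# Dotted IPv4 addresses or dotted host names; the IP alternative is tried first.
TOKEN = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def match_logs(table, log_lines):
    """Return (line_no, kind, value, sorted sources) for every log line that contains a known indicator."""
    known = {value: (kind, sorted(entry["sources"])) for (kind, value), entry in table.items()}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN.findall(line):
            tok = tok.lower()
            if tok in known:
                kind, sources = known[tok]
                hits.append((n, kind, tok, sources))
    return hits


# Constructed sample feeds: both sources report the same address independently.
FEED_A = feed("vendorA", [
    ("C2 address seen in banking trojan campaign", "ipv4-addr", "198.51.100.7"),
    ("Dropper download host", "domain", "update.bad.example"),
])
FEED_B = feed("certB", [
    ("Beaconing destination", "ipv4-addr", "198.51.100.7"),
    ("Phishing landing page", "domain", "login.phish.example"),
])
# Constructed proxy log lines.
LOG_LINES = [
    "2014-06-24T10:01:02Z proxy allow src=10.0.0.5 dst=203.0.113.9 host=www.example.org",
    "2014-06-24T10:01:07Z proxy allow src=10.0.0.5 dst=198.51.100.7 host=update.bad.example",
    "2014-06-24T10:02:11Z proxy deny src=10.0.0.8 dst=192.0.2.44 host=Login.Phish.Example",
]

if __name__ == "__main__":
    merged = collate([("vendorA", FEED_A), ("certB", FEED_B)])
    for (kind, value), entry in sorted(merged.items()):
        print("%-10s %-22s sources=%s" % (kind, value, ",".join(sorted(entry["sources"]))))
    for hit in match_logs(merged, LOG_LINES):
        print("line %d: %s %s reported by %s" % hit)
```

The merge step is where a shared platform earns its keep: the same address reported by two organisations becomes one entry with two sources rather than two uncorrelated alerts, and the title set keeps each reporter's context. Matching is deliberately case-insensitive because host names in logs are not normalised.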
At the moment, Redmond is testing Interflow internally, but is inviting organisations with their own dedicated security team to enquire about a private preview.
Plans also call for Interflow to be available to all members of MAPP (Microsoft Active Protections Program), which was established in 2008 to provide security software providers with early access to software vulnerability information.
According to Tim Rains, director of Trustworthy Computing, supporting open specifications will allow Interflow to integrate with existing operational and analytical tools that many organisations use through a plug-in architecture.
It has the potential to help reduce the cost of defence by automating processes that are currently performed manually, he said.
Mark Graham, a malware analyst with Context Information Security, welcomed the news on Interflow, not only because it facilitates the exchange of machine-readable cyber security data but also because it can act as the glue that cements data sharing between incident responders and threat intelligence providers.
"With the pluggable architecture, the piecemeal data exchange that has held the community together until now has a real chance of becoming iron-clad, evolving from the level of shared trust between individual researchers into a collaborative agreement that spans entire organisations," he said.
"The adoption of STIX and TAXII - a comprehensive but still evolving set of schemas for data of this type - will likely not be without bumps along the way, but the use of an open standard is refreshing and the strong promotion towards a unified format is something the community desperately needs."
Graham said Interflow will allow cyber security researchers to delve deeper than before, widening the aperture of available datasets.
"Potentially this will enable security companies and researchers to respond more flexibly across a wider range of threats - for example, companies that are experts in cybercrime won't necessarily suffer should they respond to a state-sponsored attack (and vice versa) - and those who routinely deal with more targeted threats, i.e. the Snake Rootkits and Flames of this world, will not be at a disadvantage should they require access to data on Zeus botnets."
Interflow's success, according to Graham, depends on the willingness of companies to share with what may be potential competitors, but in his experience, many of these relationships already exist on an individual level.
"Now we will have a shared platform to support that mutual exchange."