
Palo Alto Networks working to share threat intelligence

Tim Greene | April 20, 2016
Goal is rapid discovery of attacks and creating defenses against them.

What else?

How do you measure the quality [of contributions]? Because right now with our current stipulation, that you have to share a thousand pieces every day, kind of eliminates the smaller players. So we are talking about how to solve that problem right now and we’re working on a proof of concept that should be done by the summertime.

Security vendors like us and Symantec and Intel, we all collect malicious code all the time. Collecting and sharing 1,000 pieces every day is not that big of a deal for us but there are niche intel players and one-person teams that are also doing pretty good intelligence but have no way to meet that high bar so we’re trying to figure out how to get those guys into the club.

Are you concerned that members will glean all the intelligence provided by others without contributing very much?

Yes. If you belong to the alliance, everybody has to contribute. We want to measure that with some accuracy and not all intelligence is of the same quality as others. I may come in with a piece of malicious code that everybody has seen already, so that’s not much value, but a smaller player might come in and give the one indicator that attributes the entire playbook to a specific adversary. We want to be able to measure that and take credit for that and give that person who shares it the credit that they deserve. What we’re talking about is building an intelligence marketplace, a way to evaluate all the intelligence that’s coming in, giving it a score, and therefore everybody in the marketplace knows who the good intelligence people are, who the bad ones are.

So, it’s not a one-way street where members gain the benefits but don’t contribute.

Right. We’re trying to protect against the not-so-great intelligence outfits that just come in and grab all the great intelligence and don’t ever give anything.

With the proof of concept, how do you overcome the problem?

We’re building it now and testing it now. We’ve got some ideas about how to build the thing. We’ll see what shakes out by the summertime.

And that should theoretically improve the effectiveness of the whole alliance?

I think so. It gives everybody a chance to play regardless of what size they are and regardless of the amount... No longer will we grade it on volume of intelligence shared. It will be on quality of intelligence shared.

