Trusted Security Circles and Threat Intelligence sharing guidelines

Adversaries continue to gain access to more sophisticated tools and techniques, which in turn has led to an increase in the frequency and, in some cases, effectiveness of cyber-attacks.

As threat actors have collaborated to increase the effectiveness of their attacks, there is increasing awareness of the need for collaboration among those defending against such attacks (see the NIST Guide to Cyber Threat Information Sharing).

ServiceNow® Trusted Security Circles provides ServiceNow customers with the ability to collaborate by facilitating the sharing of observables, their frequency, and context for sharing (collectively, “Threat Intelligence”) among peers and partners. By enabling these peers and partners to share Threat Intelligence instance-to-instance, ServiceNow customers benefit from relevant, timely, and actionable data.

These Trusted Security Circle Guidelines (“Guidelines”) are intended to assist members of the Trusted Security Circles community in deriving the greatest benefit while preventing the accidental or incidental disclosure or dissemination of information that, if improperly disclosed, may have adverse consequences for a member’s organization. These Guidelines are not exhaustive and are not intended to replace your information security practices or established threat information sharing program.

Guidelines specific to the Trusted Security Circles

Members of the Trusted Security Circles are encouraged to:

  • Create internal policies that define when members will share threat intelligence and what members will do with threat intelligence that a member receives from others. Members typically share observables, including their frequency in a member environment, name, and description.
  • Identify those individuals that can configure the Trusted Security Circle application (“Application”), including joining Trusted Security Circles. Make sure only those individuals have administrative rights to the Application.
  • Identify those individuals who will have access to the Threat Intelligence that has been shared with your organization.
  • Identify those individuals that will have the ability to send Threat Intelligence. Make sure that only those individuals have the appropriate roles.
  • Review all configuration relevant to sharing, including relevant system properties, security tags for filtering of Observables, Trusted Security Circle membership, and profile configuration. Understand that within certain configurations, automated sharing and automated responses are enabled.
  • Understand how the Application works with Sighting Search to provide all members of a Trusted Security Circle prevalence information for other members.

General guidelines for Threat Intelligence sharing

  • You are solely responsible for complying with all applicable legal, regulatory, and contractual requirements pertaining to information sharing, including without limitation, applicable data privacy laws and laws governing classified information.
  • You are encouraged to establish threat information sharing agreements and policies governing the protection and handling of personal data.
  • You should also implement safeguards to protect intellectual property, trade secrets, and other proprietary information from unauthorized disclosure.
  • To help ensure the protection of personal data, you should:
    • Perform, when possible, automated analyses and technical mitigations to delete personal data that is not directly related to a cyber threat.
    • Minimize the amount of data included in the shared threat intelligence to information that is directly related to a cyber threat.
    • Retain only information needed to address cyber threats.
    • Ensure any information collected is used only for network defense or limited law enforcement purposes.

Keys to successful Threat Intelligence sharing using Trusted Security Circles

A successful threat sharing community depends on trust. It is incumbent on the members of the Trusted Security Circles community to promote this trust by participating appropriately, including without limitation, by:
  • Joining Trusted Security Circles that are targeted at organizations like yours (e.g. focused on your vertical or a related vertical).
  • Sharing information that is accurate, relevant and timely to the members of the Trusted Security Circle.
  • Responding to information that is shared from other members of the Trusted Security Circle using the automatic Sighting Search and response feature.