Security Group Collaborates on Sharing Malware Data

A consortium of IT security companies, formed last year under the auspices of the IEEE Standards Association, is rolling out an XML malware metadata scheme to improve data sharing within the industry.

"We are dealing with a huge explosion of malware," said Jeff Green, senior vice president of McAfee Avert Labs and chairman of the Industry Connections Security Group (ICSG). While hackers and criminals have collaborated to create a sophisticated environment for the development of malware as a service, security companies have focused on silo solutions rather than cooperation, Green said. "Industry is behind the curve," he added.

The new scheme provides a standardized way to share data to speed analysis and prioritization, Green said.

ICSG is the first group to be formed under the Industry Connections program, which the Institute of Electrical and Electronics Engineers (IEEE) established to provide a safe harbor for industry collaboration. The program is something of an incubator to ease the development of new technical standards.

Initial ICSG members include AVG Technologies, McAfee Inc., Microsoft Corp., Sophos, Symantec Corp. and Trend Micro.

"This program is a way for companies that are of a like mind to begin cooperating in some way," said Jim Wendorf, a technology and standards consultant working with the IEEE. "We're trying to provide something in the very early stages of the standards lifecycle."

Industry standards for technology provide a way for companies to enable common features and functionality across a variety of interoperable products, which can spur innovation and benefit both vendors and customers. This typically is done within a formal working group overseen by a recognized standards body, such as the IEEE. But because standards development can require collaboration among competing companies, complex intellectual property and antitrust issues have to be worked out, and that can take a year or more before a working group can do substantive work.

The Industry Connections program provides a safe environment for industry collaboration before a formal standards working group is created, so that a consensus can be developed on needs and goals in addressing issues. The program has developed a legal framework for cooperation that spells out participants' requirements, with output copyrighted by IEEE. The framework is simpler and more flexible than that for a formal standards-making project.

"You can get up and running very quickly," Wendorf said.

Without that framework in which to work, "we would still be working out the legalities," rather than rolling out a data sharing tool, Green said.

A group of security professionals first met in October to discuss the challenges posed by the growth in the volume and types of malware they are facing. The rapid growth in malicious code illustrates the growing sophistication of the underground economy supported by it. The number of unique pieces of malware identified jumped from 125,000 in 2006 to 1.5 million in 2008. There have been 1.2 pieces identified in the first half of 2009, according to McAfee.

Security companies already share threat information among themselves and with some outside groups in government, academia and law enforcement, but in a largely unstructured way.

"We just passed huge .ZIP files to each other, which really didn't tell us much," Green said. Each group would have to do its own analysis of the data to understand and prioritize it.

The group chose the IEEE as the umbrella for its work creating a formal, rational method for sharing data. Some of the member companies have begun using the scheme, and the group would like to see it expanded to include partners such as government agencies and Internet service providers, Green said.

He said ICSG has other irons in the fire, as well. "The security group is definitely going to be broad-brush," he said. "We have a road map of other things we're working on."

IEEE hopes to see additional groups formed under the program, which could produce standards proposals, white papers, specialized tools, online databases and data feeds for their communities.

"Industry Connections is designed to streamline the incorporation and intellectual property logistics and free a group to instead focus on a common industry or business problem," said IEEE Managing Director Judy Gorman.

About the Author

William Jackson is the senior writer for Government Computer News (