Facebook Builds Rating System for Its 400-Partner Security Network

Everyone on Facebook knows how to “like” a story. Now a group of cybersecurity geeks on a special social network run by the tech giant will get to do something similar.

Starting this summer, Facebook is rolling out a rating system for “ThreatExchange,” a platform where engineers meet to share information about bot-nets, spam, and other nasty stuff attacking their networks. The program, which launched in early 2015 with partners like Dropbox and Pinterest, has grown to over 400 participants, including new members like Netflix (NFLX) and United Airlines.

Last week, Facebook’s (FB) security team shared details of the review system with Fortune, and explained what ThreatExchange can and can’t do to shut down cyber threats.

“A Set of Five Responses”

Facebook started ThreatExchange as an alternative to the messy system of emails and spreadsheets that companies used, both internally and with each other, to share information about cyber attacks.

The API-based system serves as a centralized repository to which members can contribute information, sharing it with the entire network or with just one or a handful of other ThreatExchange members. The platform’s rapid growth is a good thing overall, but it has also meant there can be a lot of noise on the system that risks drowning out important signals.

“The feedback was people saying we need a way to evaluate who is saying useful things about the data,” said Mark Hammell, who runs Facebook’s threat infrastructure team.

In response, the company decided to introduce a ratings system that will let members of ThreatExchange provide feedback on incoming information. Ordinary Facebook users, however, may be disappointed to learn the feedback options don’t include the familiar “Like” button or the newer icons like “Wow” or “Sad.”

“It’s less a comment thread, and more a hard-coded set of five responses,” said Hammell.

The responses will let ThreatExchange members flag whether a piece of information is useful or outdated or if it requires more data. A Facebook spokesperson said the other two responses are under wraps for now since the system is still in early beta, and will only roll out to everyone on the network weeks or months from now.

As for the nature of threats that members on the network identify, they include new types of malware, bot-nets and suspicious URLs. Hammell says ThreatExchange members are a diverse group ranging from Fortune 500 security teams to a 16-year-old in Michigan.

It’s Not About a “Dashboard With Blinky Lights”

While security exchanges are useful because they let good guys pool information, they also have limits. For instance, companies with valuable information, especially security vendors, may have a commercial imperative to keep it to themselves rather than tell their competitors about it. Also, security breaches are a sensitive matter and many firms are reluctant to reveal they’ve been hit.

Facebook is realistic about this, and doesn’t pretend ThreatExchange will ferret out every security threat lurking on the web. Nor does it expect every company on the platform to share everything, and so it allows firms to distribute their information to as many or as few people on the network as they see fit.

“The previous efforts have failed because they tried to be a giant circle of trust,” said Hammell. “It leads to conflict of interest between vendors and others.”

ThreatExchange does, however, take care about who is allowed on the platform, screening to ensure a would-be member is not an adversary looking to glean intelligence.

As for what Facebook itself gets out of ThreatExchange, the benefit includes valuable data that helps it better protect its own network. For now, though, the company says it has no plans to parlay this information into a means of selling security products.

Instead, Facebook is content to let companies like Carbon Black and RiskIQ draw on the ThreatExchange API to build interfaces for the security software already in place in offices around the country. For instance, a company might build a tool that takes data from ThreatExchange and plugs it into an integration for Splunk (SPLK).

Despite this growing collaboration in the security industry, however, Hammell says he doesn’t see a day when threats will be defeated and companies can rest easy. That’s significant coming from Facebook, whose security reputation is better than most.

“Anyone who tells you it’s under control and don’t worry is crazy. The threats change and the actors get more sophisticated,” he said. “The job is not about building a dashboard with blinky lights to warn about threats. Instead, it’s to build products well enough that attackers can’t get in.”