Going on the Offensive: Exchanging Intelligence using TruSTAR
Cyber security attacks can spread at an alarming rate: 75% of attacks move from victim 0 to victim 1 within 24 hours, and 40% within one hour. Attackers often use the same or similar methods to target multiple companies in quick succession. Consequently, it is impossible for individual security teams or vendors to defend against the vast number of threats out there.
The problem is made worse by the fact that attacks take on average 5 months to detect. According to the Mandiant trends report, half of such attacks are detected through external notification, a process that can take almost a year. This can seem like an eternity in a world where attacks are spreading quickly, getting more sophisticated and hackers are coordinating their efforts. The result is the scenario depicted below.
Early Herd Immunity
In this landscape, having access to relevant and timely threat intelligence is key to protecting businesses and establishing a herd immunity against malware. Sharing threat data is not a new concept, but recent events have further highlighted the need for effective sharing. The FBI Grizzly Steppe report, for example, emphasizes sharing of cyber threat indicators as a crucial threat mitigation strategy. New laws such as the Cybersecurity Information Sharing Act have also made it easier and less risky for businesses to share data.
It is important to note that there are existing mechanisms for sharing information, such as the ISACs and the Cyber Threat Alliance. Vendors also have sharing portals such as X-Force Exchange and the Advanced Threat Intelligence Plus platform. Unfortunately, current methods are manual, often not real time and require significant effort to automate. Furthermore, as businesses rush to deal with the damage of an attack and go through the cycle of detection, containment and analysis, they tend to underreport the scope of the breach, due to a limited understanding of the incident or concerns about privacy, liability and PR exposure. Consequently, shared information may end up being interesting but not actionable.
Smart, Simple and Secure Sharing
TruSTAR has developed a comprehensive intelligence exchange platform that allows the security community to share timely, context-rich intelligence while preserving privacy.
Context: TruSTAR monitors various data streams inside a company’s network, such as incident reports and open source feeds. It extracts a number of incident indicators from them and correlates the information with other incidents across the company’s network, its sector and all businesses in the system. The result is extremely personalized and actionable intelligence that can be filtered, searched and analyzed. TruSTAR also provides a graph-based visual interface that an analyst can use to study the incident and determine the right course of action. The analyst can also leave feedback and rate the severity of the attack to help other users.
Privacy: TruSTAR enables users to automatically scrub attributable or customer data from incident reports and share them without attribution. It does this while preserving the actionable indicators. Consequently, there is no legal or PR risk and the burden of participation is minimal.
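As an added illustration of the extract, scrub and correlate flow described in the two paragraphs above (example code written for this post, not TruSTAR's implementation): attributable data is replaced with placeholders before indicators are pulled out, and indicators seen in more than one company's report are surfaced. The indicator patterns, the `.corp.example` internal hostname convention and the two incident reports are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators worth sharing; matched only after scrubbing, so attributable data never leaves.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|xyz)\b", re.I),
}

# Attributable or customer data removed before sharing. The ".corp.example"
# internal hostname suffix is an assumption made for this example.
SCRUB_PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "INTERNAL_HOST": re.compile(r"\b[a-z0-9-]+\.corp\.example\b", re.I),
}

# Constructed incident reports from two fictional participating companies.
REPORTS = {
    "acme": ("Analyst jdoe@acme-bank.example opened ticket. Host fileserver01.corp.example "
             "beaconed to 203.0.113.45 and resolved update-cdn.evil-domain.xyz. "
             "Dropper sha256: " + "0123456789abcdef" * 4 + "."),
    "globex": ("Endpoint wks-17.corp.example contacted 203.0.113.45; payload hash "
               + "0123456789abcdef" * 4 + ". Escalated by soc@globex.example."),
}


def scrub(report: str) -> str:
    """Replace attributable data with labelled placeholders, leaving indicators intact."""
    for label, pattern in SCRUB_PATTERNS.items():
        report = pattern.sub(f"[{label}]", report)
    return report


def extract_indicators(report: str) -> set[tuple[str, str]]:
    """Return (kind, value) pairs found in an already-scrubbed report."""
    return {(kind, match.lower())
            for kind, pattern in IOC_PATTERNS.items()
            for match in pattern.findall(report)}


def correlate(reports: dict[str, str]) -> dict[tuple[str, str], set[str]]:
    """Map each indicator to the reports it appears in; keep those seen in more than one."""
    seen = defaultdict(set)
    for report_id, text in reports.items():
        for ioc in extract_indicators(scrub(text)):
            seen[ioc].add(report_id)
    return {ioc: ids for ioc, ids in seen.items() if len(ids) > 1}
```

Running `correlate(REPORTS)` reports the shared C2 address and dropper hash while the analyst e-mails and internal hostnames never appear in what is exchanged; the domain seen by only one company is kept out of the correlated set.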
Real-time: The incident data is shared in real time since the product integrates with existing security tools through a robust set of APIs. The privacy-preserving technology makes it easier to navigate the internal sharing approval process and companies can get insights within seconds of starting an investigation into a possible attack.
Access: The platform allows the user to carefully control who is part of the sharing network. An analyst can collaborate with peers in the entire industry or among various internal teams through private groups, a process that is surprisingly hard today.
Analyst Tools: To help the security operator act on intelligence data, the company has built a comprehensive toolkit including support for alerting, collaboration and analysis. For example, Project Balerion, which was recently open sourced, reduces the uncertainty in statistical cyber analysis.
Real Threats
Today, TruSTAR helps dozens of companies, including a number of Fortune 100 organizations, share information and go on the offensive against bad actors. The power of the platform has led to a 100-fold increase in the number of incidents being shared over the last year. The threats analysts are discovering and fighting against are substantial. One example is when fake or stolen credit cards are used to create accounts on cloud hosting providers. Simply exchanging this fraudulent account activity between two cloud hosting companies would have prevented over 2,000 days of fraudulent account activity for just the two companies over the course of 2016. The platform is extremely versatile and operators are using it in numerous ways, including threat triage, data enrichment, investigations and cyber hunting. The image above shows correlations across sectors for a Carbanak attack focused on the hospitality sector. TruSTAR can also help operationalize existing sharing initiatives such as the ISACs or create entirely new channels.
Any organization that believes a connected and collaborative approach is crucial to cyber defense would benefit from the TruSTAR platform.
The Team!
One of the most exciting aspects of TruSTAR is the quality of the team. Paul Kurtz, the CEO, served as a senior director for cyber security and special assistant to the president. He also worked to increase security information sharing as executive director of the Cyber Security Industry Alliance before leading a global security risk management organization. Patrick Coughlin was a senior security analyst in the United States, Afghanistan and the Middle East and has lived through the challenges that security operators face every day. The rest of the team also has deep domain expertise and is well positioned to achieve the TruSTAR mission.
We at Storm Ventures are thrilled to join TruSTAR on a journey to build a true sharing platform and help the industry get a leg up in the cyber security arms race.
You can learn more about the company on their website and their blog.