The behavior of crowds is a puzzle that has kept economists busy for centuries. The great Charles Mackay helped explain the potentially negative consequences that can occur when crowds go completely bonkers in his 1841 classic Extraordinary Popular Delusions and the Madness of Crowds. His chapter on the tulip bulb craze in seventeenth century Holland is required pre-reading for anyone pitching a VC with some new crowd-sourced start-up.
Wall Street has certainly noticed the cascading fear that can occur when an uncontrolled crowd gets itself worked up. In fact, a representative visual image of crowds for experienced financiers is that of the beloved Bernard Baruch standing at the base of Federal Hall amidst the wild insanity, waving his arms, trying to calm things down: “Two and two are still four,” he said. “Two and two are still four.” Crowds, when they go nuts, can be scary things.
Two years ago, I was seated at a bar in San Francisco during the RSA Conference, when I ran into an old friend from Washington, Paul Kurtz. I’d known Paul since his days as Special Assistant to President George W. Bush for Critical Infrastructure Protection. As a thought leader in our industry, Paul is always two chapters ahead of the rest of us, so it was no surprise to me that Paul was starting a new cyber security company to harness the positive power of crowds to share threat intelligence.
Since then, I’ve stayed close as Paul’s company TruSTAR built a threat intelligence platform, increased its customer base, and has since grown an impressive database of threat indicators so that companies can securely and anonymously exchange threat intelligence data and stay one step ahead of new attacks. To keep these exchanges marching in the right direction, TruSTAR has focused on creating trusted groups called Enclaves, which seems sensible to me. I suspect even Bernard Baruch would like the idea.
I caught up with my friend recently and asked for an update on the sharing of threat intelligence. Here’s a summary of my technical discussion with TruSTAR CEO, Paul Kurtz:
EA: Paul, what is the best way for enterprise security teams to share threat information?
PK: While most organizations want to share, they are not ready to do so. They tend to struggle with wrangling threat landscapes within their own organizations, which makes it difficult to decide what and how to share. Luckily, through trial and error, we’ve identified three requirements that will help companies share threat intelligence information in an exchange effectively: First, they must learn to seamlessly correlate events that occur inside their organization to reconcile current and past events into meaningful intelligence. Second, they must take time to operationalize any threat data that might already be coming in from outside parties, such as ISACs or proprietary threat feeds. And third, they must identify and highlight their return-on-investment for sharing. This will include the cyber risk reduction that comes from receiving early indicators of attack from a trusted threat intelligence exchange.
EA: Tell us a bit more about your specific threat intelligence platform and how it supports sharing objectives.
PK: TruSTAR is designed to operationalize threat intelligence feeds using automation, and to support the listservs in ISAC and ISAO groups. We’ve designed our platform to be analyst-centric so that it’s easy for users to see how events correlate and quickly share intelligence data with actionable context. Our exchange functionality helps trusted peers share threat intelligence easily and securely. We auto-redact sensitive information so that privacy can be preserved with minimal risk and our platform leverages insights from reporting of events by other customers occurring in other sectors and peer groups. For example, a customer in one sector can quickly determine whether an attack like WannaCry or NotPetya is beginning to impinge on their sector or infrastructure. This feature distinguishes us from more traditional TIPs which cannot leverage insights or sightings from across their customer base. Overall, we emphasize accuracy, speed, confidentiality, and flexibility for any company or group of companies that wish to benefit from threat information sharing. The platform also supports anonymity and the ability to redact information on the fly. Organizations like the Retail Cyber Intelligence Sharing Center (R-CISC) or Columbus Collaboratory use our platform to enable sharing while protecting the identities of their members. Through these steps, organizations are engaging, and receiving real-time threat insights from other companies. Some of our partners estimate that threat intelligence sharing has reduced fraud investigations by as much as 1,200 days.
EA: Is this type of automation required now for effective threat intelligence sharing?
PK: Great question! Of course, it depends on what you mean by automation. We are still a ways off from machine-to-machine event sharing, even though the STIX/TAXII standards are in place. The more important automation question is how threat intelligence platforms seamlessly fit into workflow. For example, companies need to merge threat data from email, SIEMs, orchestration platforms, and ticketing systems. In the absence of integrations, this becomes a manual process and the return on investment drops significantly. I believe we will see the day when protocols like STIX are widely used, but most companies are not close to that objective. TruSTAR recently rolled out an automated email ingest capability that has been getting a lot of engagement from users. We found that companies that pay for ISAC/ISAO memberships could not tap the value from their industry sharing groups because they received indicators via unstructured data formats like email. Once we added the email ingest capability, we could relieve security operators of the mundane task of manually inputting data from email into their threat intelligence platform. We also have customers that use Splunk and ServiceNow to engage in sharing. It is a powerful combination.
EA: How does an enterprise go about developing or joining a trusted sharing group?
PK: Many such groups already exist. If you are in the financial sector, for example, sharing groups like the FS-ISAC already exist – and our platform provides support to such organizations. Developing sharing relationships often occurs first, followed by technical support for threat exchange functions. If you have the opportunity, we recommend developing a sharing community in conjunction with the use of a platform like TruSTAR for optimal process definition. When joining sharing groups, TruSTAR recommends a crawl, walk, run approach. First, get your house in order. Enable company operators to understand how event data correlates internally and externally before exchanging data with others. Second, develop and nurture existing relationships. This can include operationalizing threat information feeds from information sharing groups like ISACs/ISAOs or sharing groups of your own making. Do not drive operators to run time-consuming queries of other sites hunting for data. Instead, enable seamless use of data from an Information Sharing and Analysis Center (ISAC) or an independent provider such as CrowdStrike. Third, scale the threat intelligence exchange into your SOC. That is, exchange data with other companies based on relevant correlation, and without relying on a third party for attribution protection.
EA: Can smaller companies benefit from threat intelligence sharing?
PK: There are no size or scope issues that might limit an organization’s ability to share and benefit from a threat intelligence exchange. For example, we find that larger companies are starting to fold their extensive supply chains into their sharing processes, which has the benefit of addressing the growing risk of third-party originated data breaches. Also, we find that MSSPs are adopting our platform to serve their smaller customers. This is a terrific use-case as some smaller companies don’t have in-house security staff and instead, rely on others to assist. MSSPs leverage TruSTAR to capitalize on the overall network effect of our exchange model, bringing greater insight to their customers than if they were to operate independently.
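The interview touches on three mechanics without showing them: pulling indicators out of unstructured email from an ISAC list, redacting the submitter's own identifiers before a report leaves the enclave, and emitting something machine-readable (STIX) so sharing can eventually become machine-to-machine. The script below is an added illustration of that pipeline, written for this page; it is not TruSTAR's code and makes no claim about how their platform implements ingest or redaction. The advisory text, the internal address ranges (`INTERNAL_NETS`) and the internal DNS suffix (`INTERNAL_SUFFIXES`) are constructed assumptions; standard library only, so it runs offline.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Assumed for illustration: the sharing organisation's own address space and DNS
# suffix. Anything matching these is the submitter's data, not intelligence, and
# must be stripped before the report is shared with the exchange.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed sample advisory, as it might arrive on an ISAC mailing list (not real data).
SAMPLE_EMAIL = """\
Subject: Phishing campaign targeting payroll staff

Members report lures hosted at hr-portal-login.example.net (resolving to 203.0.113.45).
Attachment SHA-256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
One victim host was 10.20.30.40 (ws-0412.corp.example), reported by jdoe@corp.example.
Second-stage C2 observed at 198.51.100.7.
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)   # last label alphabetic, so IPs never match
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
FILE_SUFFIXES = {"exe", "dll", "zip", "doc", "docx", "pdf", "txt"}  # "payload.exe" is a filename, not a domain


def is_internal_ip(ip: str) -> bool:
    """True for addresses inside our own ranges; malformed strings are treated as sensitive."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def is_internal_host(name: str) -> bool:
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in INTERNAL_SUFFIXES)


def extract_indicators(text: str) -> dict:
    """Pull IPv4s, domains and SHA-256 hashes from unstructured text (email ingest).
    Internal addresses and hostnames are dropped: they describe the victim, not the attacker."""
    no_emails = EMAIL_RE.sub(" ", text)          # keep mailbox domains out of the domain list
    ips = {m for m in IPV4_RE.findall(text) if not is_internal_ip(m)}
    domains = set()
    for d in (m.lower() for m in DOMAIN_RE.findall(no_emails)):
        if d.rsplit(".", 1)[-1] in FILE_SUFFIXES or is_internal_host(d):
            continue
        domains.add(d)
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    return {"ipv4": sorted(ips), "domain": sorted(domains), "sha256": sorted(hashes)}


def redact(text: str) -> str:
    """Remove identifiers that would attribute the report to the submitting organisation.
    Order matters: mailboxes first (they contain hostnames), then hostnames, then addresses."""
    out = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    out = DOMAIN_RE.sub(lambda m: "[REDACTED-HOST]" if is_internal_host(m.group(0)) else m.group(0), out)
    out = IPV4_RE.sub(lambda m: "[REDACTED-IP]" if is_internal_ip(m.group(0)) else m.group(0), out)
    return out


def build_stix_bundle(indicators: dict) -> dict:
    """Wrap the shareable indicators in a STIX 2.1 bundle, the form a TAXII server
    would serve. The bundle deliberately carries no created_by_ref, so the exchange
    sees the indicators but not who contributed them."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    patterns = (
        [f"[ipv4-addr:value = '{v}']" for v in indicators["ipv4"]]
        + [f"[domain-name:value = '{v}']" for v in indicators["domain"]]
        + [f"[file:hashes.'SHA-256' = '{v}']" for v in indicators["sha256"]]
    )
    objects = [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "indicator_types": ["malicious-activity"],
            "pattern": p,
            "pattern_type": "stix",
            "valid_from": now,
        }
        for p in patterns
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_EMAIL)
    print(redact(SAMPLE_EMAIL))                       # what a peer in the enclave would read
    print(json.dumps(build_stix_bundle(iocs), indent=2))
```

Two design points worth noting. Redaction is allow-list driven: the code knows which ranges and suffixes belong to the submitter and only strips those, because a generic "remove anything that looks private" rule would also drop the attacker infrastructure the exchange exists to share. And the internal/external split is configuration, not heuristics; a real deployment would load those ranges from the organisation's asset inventory rather than hard-coding them as done here.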