Late last week, Steve Zurier of Dark Reading published an insightful article covering the 6 Steps for Sharing Threat Intelligence in collaboration with TruSTAR CEO Paul Kurtz.
Below are four key principles for threat intelligence sharing, as detailed in the article.
- Information sharing is not altruistic. It’s not just about paying it forward, it’s about being an active participant in a collaborative environment that you can (and will) see many benefits from.
- Information sharing is also not about breach notification. By sharing earlier stage suspicions (not just post-breach data), you help keep others informed of things on your radar (and in return get the same insights from outside).
- Sharing data with other organizations about exploits and vulnerabilities is legal so long as you don't share personally identifiable information. There is a plethora of valuable information to share and receive that doesn’t involve PII, and legislation is in place to support this.
- The sharing system must be easy to use. If it isn’t in the same workflow your analysts are already working in, it’s very unlikely they are going to participate. We’ve built sharing right into the same UI and processes our customers interact with to ensure it’s as simple as possible.
At TruSTAR we strongly believe we're the only TIP on the market that addresses each one of these steps within a single platform. Mature security organizations must be able to incorporate threat intelligence exchange data into their own organizations and the wider community.
Here are six steps you can use to meet the above principles of information sharing.
- Understand threat events you are seeing in-house. By ingesting full security events into their private enclave, TruSTAR customers ensure that what their analysts have seen and worked on in the past is presented immediately. We also break down internal silos of information by allowing correlations to security events and data seen by other analysts, teams, departments, offices, etc., so your organization functions as a unified team when performing analysis.
- Make more efficient use of the intelligence you're already using. We allow users to ingest any source of information (OSINT, paid feeds, sharing groups, ISACs/ISAOs, etc.), but if your team is burdened by manual ingestion and correlation, they likely aren’t using it at all, let alone in a timely manner. We pool all intelligence sources into a single view, correlated by common IOCs (indicators of compromise), so your analysts can sift through the noise in real time and spend their time analyzing instead of aggregating.
- Start the information-sharing process. TruSTAR was built from the ground up for sharing. We enable both internal sharing between teams, offices, etc. and external sharing with organizations such as regional or sector-specific partner groups. With our customizable and self-learning redaction features, you can efficiently remove any sensitive information from your data prior to sharing, ensuring your legal team is on board.
- If possible, don't limit your sources of threat intelligence. Unlike simple bi-directional sharing solutions such as communities or trusted circles, TruSTAR enables complex organizations to engage with various partners and groups seamlessly within a single platform. This allows you to engage with as many sources of data as are relevant to your organization, and to understand which of these sources are actually providing valuable enrichment versus just adding noise.
- Select a system that can participate with the U.S. government. Our founders have roots within government, so we understand how crucial including government entities in the threat sharing process is to chase down the bad guys. We also know not all organizations want to, or are able to, share with the government, so any user of our technology can enable or disable government sharing and adjust their workflows as their constraints require.
- Small organizations: lean on your ISAC for help. By enabling such a range of data sources to enrich your analysis, we not only streamline processes for larger organizations, but also empower smaller organizations to take advantage of the communities of data seen by industry partners. A smaller team won’t have as much in-house knowledge or tooling to draw on, so pulling information from outside can have a huge, immediate impact.