TruSTAR’s CEO and co-founder Paul Kurtz recently appeared on Cloud Security Alliance’s podcast, CSA Security Update, and sat down with podcast host and CSA Assurance Investigatory Fellow John DiMaria to discuss the value that information sharing adds to threat intelligence.
Paul and John covered a wide range of topics about information sharing, discussing how SOCs can proactively defend their organizations by normalizing and sharing suspicious data. Below, we have edited and condensed part of the podcast. Click here to listen to the full podcast.
John DiMaria, Host of the CSA Security Update Podcast: Information sharing is something that we talk a lot about. It’s not only about what type of information we share, but also how secure that information is, so we’ll probably cover a lot of area today. Could you just give us a quick background on information sharing and TruSTAR to start with?
Paul Kurtz, CEO and Co-Founder of TruSTAR: There's a lot of support for information sharing, but the hardcore reality is that many companies are not in a position to share data with each other for a very simple reason: they don't have a firm understanding of what is happening inside their own networks.
In other words, you may have an enterprise that is running a SIEM, a case management system, and maybe an orchestration platform and endpoint detection. They have no means to correlate and enrich that data easily in real time. And if you can't do that, the opportunity to work with other companies becomes really, really hard. And so what TruSTAR does is we work from the inside out.
TruSTAR starts by making sure that we're aggregating all the internal feeds and tools you have inside of an enterprise first. That is exceptionally important. And once you do that, then you can start to leverage external data that may be coming from an existing sharing organization like the IT-ISAC, RH-ISAC, or CSA. It becomes a far more efficient process.
John DiMaria: Can you give us a basic use case regarding the information sharing process? What should be the ultimate objective that people should target?
Paul Kurtz: A lot of people think the focus of information sharing should be, "I've been attacked. I've figured out how I've been attacked and I need to share that with others." The problem with that scenario is that by the time you've figured out you've been attacked and have waded through the data, everyone in the office has moved on using the same technique, time and time again.
It really comes down to sharing suspicious data. Let's say you're a member of a retail company and you're a part of the RH-ISAC. You see something that just doesn't look right; it's suspicious and you want to verify whether there's information about it. You can send that data into the RH-ISAC, and they'll validate that data against any other data they have on hand so you can expedite your investigation.
It's really about not waiting until you know you've been had, but looking at suspicious data and making the sharing process a part of your investigatory process. Not waiting until after the fact.
John DiMaria: How do organizations avoid siloed environments to get the most out of their threat intelligence efforts and really fuse multiple data sources together, while at the same time avoiding overwhelming their security analysts?
Paul Kurtz: When you talk to CISOs, you'll find many of them have a level of anxiety about whether they're taking advantage of whatever threat intelligence platforms or threat intelligence feeds are out there. They still don't feel that they have that synoptic understanding of what's going on inside the enterprise, and they feel that intel is being left on the floor, so to speak.
Whether it's intel from their own internal systems or it's super hot intel that's come from a very reputable provider out there, how do you merge and assimilate those things? And that, John, is the big challenge that people or enterprises have been grappling with for the past 20 years.
When you bring your internal and external intelligence sources together, your security team's competence level goes up significantly. CISOs know that they're not leaving intel on the floor. With this visibility, they know what's going on, they can work with other parties, and they can share the data that is most germane. We're enabling an enterprise to aggregate their own data easily and begin that exchange with other parties.