Over the past few months, the world of information sharing has started to come together with security integration and automation. First, the Cyberspace Solarium Commission’s report proposed the creation of a “Joint Collaborative Environment”, a common and interoperable environment for sharing and fusing cyber intelligence for the public and private sectors. Second, Catherine Stupp’s article in the Wall Street Journal put a finger on a significant security problem inside companies: integration and automation. Her article focuses on the downward pressure inside companies to reduce costs through more integration and automation of security tools in our new COVID world. In a non-COVID world, both these developments could remain unconnected and pass without action, however, as companies rethink their security strategies and accelerate changes, there is a chance the pandemic may help transform security operations and collaboration.
As background, since President Clinton signed PDD-63 over twenty years ago, we have scratched our heads on how to enable the seamless exchange of cybersecurity data between companies. The Federal Government funded information-sharing programs and Congress has passed laws to facilitate and protect the exchange of data, still, there has been little action.
There are several reasons why this has not happened:
-Companies don't want to admit they have had a problem.
-Protection of personally identifiable information.
-Impeding law enforcement investigations or fear of law enforcement investigation.
Each reason is largely predicated on the repercussions of disclosing information about breaches, but given the speed of attacks in cyberspace, information about breaches loses value very quickly. From the technical perspective of defending networks, a focus on breaches is a red herring. What is more valuable is the exchange of suspicious technical information, which, if exchanged, can improve defenses in near real-time.
This is where integration and automation meet information sharing. As it turns out, in discussions with CISO's over the past several years, they did not have the means to integrate data from their internal security tools, as Catherine Stupp’s article notes. If they can't integrate data and automate labor-intensive activities, their ability to protect their own enterprise, let alone exchange data with other parties is inherently limited.
There are two reasons why CISO's could not integrate their data.
First, they operate several security tools - endpoint detection response (Rapid7, Cisco ThreatGrid), security information and event management (Splunk, QRadar), case management (ServiceNow, Jira), and orchestration (Phantom, Demisto) - tools that produce data in different formats and protocols. The data from these systems must be transformed and normalized so that it can be correlated and enriched with external threat data.
Second, operators need the means to update tools with enriched data bidirectionally. In other words, the enriched output must be uploaded automatically into security tools, case management systems, and orchestration platforms.
Once these problems are addressed, a company has a far more precise picture of what is happening inside their enterprise. Relevant contextual data associated with suspicious events can be exchanged with others, such as another team within the same company, supply chain, partners, or a sharing organization.
TruSTAR has worked over the past four years to address these problems. Today we manage cyber intelligence for Fortune 500 companies as well as several sharing organizations. We have seen a more seamless exchange of data occur now in the private sector since there is a focus on the technical information. Many companies and sharing organizations use TruSTAR via API only. API usage is a massive win as now defense systems are updated automatically.
Technologies such as TruSTAR’s open the door to the creation of a Joint Collaborative Environment, as envisioned by the Solarium Commission, as well as other sharing initiatives. TruSTAR is host to an exchange of COVID-19-related threat intel in partnership with IBM, BAE, AT&T, and the Cyber Threat League. This enclave is tapped by companies and sharing organizations alike to receive the latest technical information on COVID-19 related exploits.
In the absence of solving normalization, transformation, integration, and automation challenges, there would be little hope of defending ourselves against increasingly sophisticated adversaries. As private sector defenses improve, the government can help by targeting the most sophisticated hackers as integrated and automated defense systems within and between companies can handle the most problems. Now is not the time to be timid about changing your security strategy to a more effective and cost-efficient model.
If you want to learn more about how TruSTAR is is tackling COVID-related cyber crime through our OSINT Community Enclave, click here.