Can Information Sharing Deliver Real Value?
Information sharing has often been regarded as a reactive, one-directional effort of laudable, but limited, value. Despite some ad hoc success, sharing programs have been consistently held back by their inability to provide participants with information that is both timely and actionable. In my last blog, we discussed how TruSTAR’s unique anonymization technology can encourage timely sharing of data. Today, we’ll discuss how we are tackling making the data actionable by focusing our efforts in three key ways: Incidents, Correlation and Collaboration.
Incidents
While automated threat intelligence and big data solutions continue to come of age and most certainly have their place, there is also a distinct need to focus on the “small” data. Rather than searching for the needle in a haystack, TruSTAR actually aims to make the whole haystack smaller. Our platform is designed to help incident response teams share actual incidents of concern. By focusing less on raw data streams and more on incident reports developed by security analysts, we aim to help members make sense of the data they are already seeing and provide valuable external context and decision support.
Correlation
It is not enough to share the right data at the right time. You also have to share the right data at the right time with the right people. Our newly released correlation engine is focused on doing just that.
Once an incident report is shared, TruSTAR’s algorithms provide near real-time correlation with other reported incidents and open source feeds. If similarities are found with other recent or ongoing attacks, the “sharer” receives immediate insight from related reports on things like indicators of compromise, malware hashes, and possibly even mitigation techniques. In this way, our new correlation engine provides immediate support to the “sharer’s” incident response efforts as they work to resolve a newly discovered attack.
Further, our planned alert functionality will allow users to be warned of relevant attacks discovered via the correlation engine, based on their own preferences. For example, a member will be able to set filters that trigger a push notification for all DDoS attacks in North America rated as severe. In this way, the correlation engine will very quickly alert members if other incident response teams at companies similar to theirs are experiencing the same problem.
While the alert functionality is still under development, today our interface already allows members — whether sharing or receiving — to easily surf related reports to find those of greatest value. Reports are automatically grouped by sector, region, type of attack, severity, and whether mitigation is available.
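The correlation and alert-filter behaviour described in this section, as an added example that is not TruSTAR's code: a newly shared report is correlated against a pool of prior reports on shared indicators, mitigation notes from the matches are surfaced to the sharer, and member alert filters (such as the severe-DDoS-in-North-America case above) are evaluated. All report fields, indicator values and subscription names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added illustration; field names, sample reports and the subscription
# format are constructed for this example, not TruSTAR's data model.

@dataclass(frozen=True)
class Report:
    id: str
    sector: str
    region: str
    attack_type: str
    severity: str
    mitigation: Optional[str]        # None when no mitigation has been reported
    indicators: FrozenSet[str]       # IoCs: hashes, IPs, domains (constructed)

# Constructed prior reports already in the sharing pool. 203.0.113.0/24 is a
# documentation range and the hashes are placeholders, not real samples.
PRIOR = [
    Report("R-1", "finance", "north-america", "ddos", "severe", "rate-limit at edge",
           frozenset({"ip:203.0.113.7", "ip:203.0.113.9"})),
    Report("R-2", "retail", "europe", "phishing", "medium", None,
           frozenset({"sha256:PLACEHOLDER-AAAA", "domain:login-example.invalid"})),
    Report("R-3", "energy", "north-america", "ddos", "high", None,
           frozenset({"ip:203.0.113.9"})),
]

# Constructed newly shared incident from a member.
NEW = Report("R-4", "finance", "north-america", "ddos", "severe", None,
             frozenset({"ip:203.0.113.7", "ip:203.0.113.9", "ip:203.0.113.50"}))

def correlate(new, pool):
    """Prior reports sharing at least one indicator with `new`, strongest overlap first."""
    hits = [(old, new.indicators & old.indicators) for old in pool if old.id != new.id]
    hits = [(old, shared) for old, shared in hits if shared]
    hits.sort(key=lambda h: (-len(h[1]), h[0].id))
    return hits

def mitigations(new, pool):
    """Mitigation notes the sharer can act on, pulled from correlated reports."""
    return [old.mitigation for old, _ in correlate(new, pool) if old.mitigation]

def alerts(new, subscriptions):
    """Names of member subscriptions whose filter fields all match the new report."""
    return [name for name, want in subscriptions.items()
            if all(getattr(new, k) == v for k, v in want.items())]

# Constructed subscriptions; the first mirrors the text's severe-DDoS example.
SUBSCRIPTIONS = {
    "severe-ddos-na": {"attack_type": "ddos", "region": "north-america", "severity": "severe"},
    "eu-phishing": {"attack_type": "phishing", "region": "europe"},
}
```

Running `correlate(NEW, PRIOR)` ranks R-1 (two shared IPs) above R-3 (one), `mitigations` returns R-1's note, and `alerts` fires only the severe-DDoS subscription for the new report.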
Collaboration
Once an incident impacting multiple members is discovered via the correlation engine, TruSTAR members can rapidly form a team of responders from across the industry to review what is being seen and work on defensive strategies together, rather than trying to sort out the threat alone. They will also be supported by TruSTAR’s Responder team, composed of incident response experts monitoring TruSTAR Station activity. For many of our members, this virtual expansion of their in-house security analyst expertise is a key benefit of using the platform.
When operating in the collaboration portal, members can remain anonymous or operate under their company identity. Members may also form private groups to address issues requiring more sensitive coordination procedures.
In short, TruSTAR does more than simply encourage our members to share information after an incident is resolved as a service to others. Rather, TruSTAR drives real value for members by delivering timely and actionable information that supports their incident response efforts in a concrete way and speeds their time to mitigation.
And now for the sales pitch… if you’d like to learn more and see TruSTAR in action, consider signing up for a 30-day trial of the platform at no cost to you. We’d love to get your feedback on the platform as we work to continually improve TruSTAR’s ability to provide real-time support to our members when dealing with an incident of concern.
-Posted by Chris Roblee, Director of Engineering