Streamlining the Incident Exchange Process

Shimon Modi, published in TruSTAR Blog, Nov 18, 2016

As enterprises look to keep up with a faster tempo of cyber attacks, they are increasing the amount of information they consume, analyze and exchange about adversaries on an ongoing basis. The reuse of attack tactics to target enterprises in the same sector and across sectors is driving the need to share and exchange incident data. The role of community-driven organizations like ISACs or ISAOs, and of partnerships with peers, is taking on increased importance in enterprise security strategy. But there are some key challenges that enterprises need to address to effectively operationalize their incident exchange process and partnerships.

First, incidents being exchanged need to be sanitized of attributable information and verified to contain no inadvertently disclosed confidential information. Today this requires manual processes and human examination, which doesn't scale. Second, community and sector based intelligence is available in a number of different formats, including human readable emails and machine readable feeds. It can be difficult to make proactive decisions while consuming shared intelligence from multiple sources. Also, scaling the number of exchange and sharing partnerships risks increasing operational complexity and further overwhelming security operators.

TruSTAR understands these fundamental challenges and has developed a platform to help enterprises streamline the incident exchange process. TruSTAR's anonymous authentication and redaction tools provide enterprises with a single point of distribution to send sanitized incident data in standardized formats (CybOX/STIX) to email listservs and peers. TruSTAR also provides users multiple channels to submit data to the platform, including directly from SIEM and ticketing systems, through a fully public REST API or even by email. This significantly reduces the overhead of participating in various sharing organizations and partnerships. TruSTAR's advanced correlation and visualization engine allows operators to surface and prioritize internal events and incidents by enriching them with incidents and indicators received from third parties via emails and feeds like Hail-A-TAXII. Operators can then focus on the most relevant indicators and feed them into their response and mitigation process. Our real-time chat and collaboration capabilities enable active exchange of incidents within the network of sharing partners, facilitating a community based defense posture.
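As an added illustration of the sanitization and verification step discussed above (example code written for this post, not TruSTAR's tooling): it redacts internal e-mail addresses, hostnames and RFC 1918 addresses from a constructed incident write-up while leaving the shareable indicators (external address, hash) intact, then re-checks the output for anything attributable that survived. The domain `corp.example`, the address ranges and the sample report are assumptions.

```python
import ipaddress
import re

# Constructed sample write-up (not a real incident): the domain, hosts and hash
# are made up and 203.0.113.77 is a documentation-range address.
SAMPLE_REPORT = ("Phishing mail to alice@corp.example from billing@mail-invoice.test; "
                 "payload beaconed from fileserver01.corp.example (10.20.30.40) to "
                 "203.0.113.77 over port 443. Dropper sha256: " + "0123456789abcdef" * 4)
# Assumed enterprise-specific policy: which domains and address ranges are attributable.
INTERNAL_DOMAINS = ("corp.example",)
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")

def _is_internal_ip(token, nets):
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
        return False
    return any(addr in net for net in nets)

def sanitize_incident(text, domains, nets):
    """Return (sanitized_text, counts): internal e-mails, hosts and IPs become
    placeholders, external indicators (C2 address, hash) are left untouched."""
    counts = {"email": 0, "host": 0, "internal_ip": 0}
    def email_sub(m):
        if m.group(1).lower().endswith(tuple(d.lower() for d in domains)):
            counts["email"] += 1
            return "[REDACTED_EMAIL]"
        return m.group(0)
    text = EMAIL_RE.sub(email_sub, text)  # e-mails first, so domains are not half-redacted
    for domain in domains:  # any host under an internal domain, including the bare domain
        host_re = re.compile(r"\b(?:[\w-]+\.)*" + re.escape(domain) + r"\b", re.I)
        text, n = host_re.subn("[REDACTED_HOST]", text)
        counts["host"] += n
    def ip_sub(m):
        if _is_internal_ip(m.group(0), nets):
            counts["internal_ip"] += 1
            return "[REDACTED_INTERNAL_IP]"
        return m.group(0)
    return IPV4_RE.sub(ip_sub, text), counts

def residual_leaks(text, domains, nets):
    """Verification pass before release: list anything attributable still present."""
    leaks = [d for d in domains if d.lower() in text.lower()]
    return leaks + [m.group(0) for m in IPV4_RE.finditer(text)
                    if _is_internal_ip(m.group(0), nets)]
```

The second pass matters because the redaction rules are a policy that each enterprise has to maintain; a release gate that refuses output with a non-empty `residual_leaks` list is what replaces the manual examination the post describes.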

Active incident exchange should serve as a force multiplier for enterprise security teams and help them get a better return on security investment. By focusing on streamlining the incident exchange process, enterprises can look beyond their four walls and access a collective perspective on incidents.
