Without a Cyber Intelligence Exchange, The Private Sector is “Flying Blind”

TruSTAR Technology, TruSTAR Blog
Published Jan 26, 2017

There is a growing consensus among companies today about the urgency of understanding the cyber incidents going on around them. Not having a contextualized awareness of your surroundings is “flying blind,” leaving your company vulnerable to costly attacks — like ransomware — that are avoidable.

The Blind Spots of Monitoring & Automation

Our first inclination is to automate everything in cybersecurity. We trust that algorithms, SIEMs, and firewalls will flag suspicious events and that orchestration software will sort out anomalies and incidents. While automation is necessary to improve cybersecurity monitoring and reduce labor costs, adversaries will ultimately game these systems in order to defeat them. In addition, these monitoring services are driving up costs while adversaries appear to remain in the lead. IDC recently predicted that security spending will increase another 38 percent by 2020, eclipsing $101 billion in annual spend.

Monitoring threats without context is similar to a pilot turning off the radar and being unaware of weather and aircraft in the immediate vicinity. The scenario is reckless and scary.

Much like pilots, cyber operators need the ability to quickly understand what is going on around them and take corrective action. What has been missing for operators is the ability to access, visualize and understand real external events germane to the security of their network.

How Correlation and Visualization Unlock Insight

Cyber attacks don’t exist in a vacuum; they exist in complex and constantly evolving environments. We need tools that are just as adaptive and responsive as the threats they are trying to protect against.

Companies now have the means to gain immediate, contextualized awareness of the cyber events infiltrating companies through intelligence exchange programs. TruSTAR has developed Private Enclaves, intelligence exchange ecosystems visible only to one company or user group, which allow a company to see all of its incident-related data in a broader, actionable context without exposing its identity to others. Users can easily establish a Private Enclave that presents their events as they relate to other users in the TruSTAR exchange.

The system scales easily as data is stored in our graph database (Neo4j). Every time a new threat indicator is ingested, users have the option to share information in their Private Enclave with the wider, vetted TruSTAR community without attribution. When new event correlations are established, operators can immediately see the context visualized on a graph and explore it to act more decisively on next steps.

For example, a recent joint analysis between a couple of our customers using TruSTAR reveals how the exchange of data can prevent fraudulent activity. Below, in Figure A, a fraudulent actor opens an account with Cloud Provider 1, who closes the account, and then one week later the same fraudulent actor opens an account at Cloud Provider 2 using the same credentials. A few days later we observe a customer in the financial sector dealing with a security case from that very same actor. In this case, we see that indicators reported by the cloud service providers and the financial services company also correlated with a Darktrack RAT command and control server.
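The kind of cross-organization correlation described above, as an added illustration that is not TruSTAR’s code: anonymised incident reports are linked through the indicators they share, so an operator at one submitter can see that their account-fraud case connects to another provider’s case and to a financial-sector incident. The reports, indicator values and submitter labels are constructed, and an in-memory adjacency graph stands in for the graph database.

```python
from collections import defaultdict

# Constructed sample reports (not real data). Each anonymised submitter
# contributes the indicators it observed in one incident; values use
# documentation IP space and the reserved .test TLD.
REPORTS = {
    "cloud-provider-1/account-fraud": {"email:signup@example.test", "ip:203.0.113.7"},
    "cloud-provider-2/account-fraud": {"email:signup@example.test", "ip:203.0.113.7",
                                       "domain:c2.example.test"},
    "financial-sector/case-42": {"ip:203.0.113.7", "domain:c2.example.test"},
    "retailer/phishing-wave": {"domain:phish.example.test"},
    "shared-feed/rat-c2-list": {"domain:c2.example.test"},
}

def build_graph(reports):
    """Bipartite graph of report <-> indicator edges, stored as adjacency sets."""
    adj = defaultdict(set)
    for report, indicators in reports.items():
        for ioc in indicators:
            adj[report].add(ioc)
            adj[ioc].add(report)
    return adj

def correlated_reports(adj, report):
    """Other reports that share at least one indicator with `report`,
    mapped to the indicators they share (what an operator would see on the graph)."""
    links = defaultdict(set)
    for ioc in adj.get(report, ()):
        for other in adj[ioc]:
            if other != report:
                links[other].add(ioc)
    return dict(links)

def clusters(adj, reports):
    """Connected components over reports: incidents that form one shared context."""
    seen, out = set(), []
    for start in reports:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if node in reports:
                comp.add(node)
            stack.extend(adj[node] - seen)
        out.append(frozenset(comp))
    return out
```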

Figure A:

With access to the TruSTAR exchange, Cloud Provider 2 could prevent the establishment of a fraudulent account on their system and disrupt the expansion of a fraudulent activity across a larger network, as shown below in Figure B.

Figure B:

We have found TruSTAR users gain the most actionable value from threat indicators when they see correlations mapped into larger intelligence exchanges, as shown above. This supports the notion that one company’s fraud problem often becomes another company’s security problem.

When security operators “fly blind,” they’re only seeing their own data, which makes it impossible to see trouble coming. When security operators use anonymous incident exchanges like TruSTAR, that’s when you know they are in the pilot’s seat with a clear 360-degree view of the ever-changing threats around them.

Sign up for a Private Enclave demo today.
