‹#› September 2015 Cloud-CISC Cloud Cyber Incident Information Sharing Center

‹#› -Albert Einstein

‹#› Agenda Review the Problem Cloud-CISC & TruSTAR Product Demo Questions and Open Discussion

‹#› Review the problem

TruSTAR Sensitive & Proprietary ‹#› TruSTAR Sensitive & Proprietary The problem 75% of enterprise attacks spread from the first company to the next within 24 hours Verizon DBIR Median number of days threats are present on a victims network prior to detection is 205 days Verizon DBIR

‹#› The problem The bad guys collaborate in real-time and share exploit intelligence on a global scale Countries Affected Major Attacks * The good guys report incidents internally, but rarely share information. Steady Growth of Incident Reports * *Cisco 2014 Security Report, **Verizon 2014 DBIR Report The bad guys collaborate and share information… …and the bad guys are winning. TruSTAR Sensitive & Proprietary

‹#› But, why don’t the good guys coordinate? Legal Concerns over disclosing Personally Identifiable Information, IP and discovery. Market Concerns over brand reputation and financial implications of disclosing a breach. Government Concerns over being seen as in bed with government and/or anti-trust violations. “Legislation removes legal excuses and puts pressure on companies to share, but legal concerns pale in comparison to market risk of sharing cyber incident information.” -Bryan Cunningham, Former NSC Legal Counsel, Data Security Attorney, May 2015 TruSTAR Sensitive & Proprietary

‹#› Where has sharing gone wrong in the past? We have learned from the benefits and challenges faced by current and past sharing groups. We have also learned from our own experience with Cloud-CERT. Without protection from market / reputation risk and incentive to share early in the incident cycle, sharing is limited to: Recycled threat data Ad-hoc/’out-of-band’ personal relationships Stale incident data TruSTAR Sensitive & Proprietary

‹#› Cloud-CISC built for valuable sharing.

‹#› Cloud-CISC changes the paradigm to “Connective Defense” With Cloud-CISC companies can collaborate and decrease their dependence on their own security providers to discover and mitigate attacks. TruSTAR Sensitive & Proprietary ● Anonymity enables security operators to share real incident data by protecting them from market and reputation risk. ● Correlation incentivizes operators to share early in an incident to gain immediate insight from correlated data. ●Mobile Alerting enables operators to learn about incidents based on their user preferences. ●Automated Extraction of indicators of compromise accelerates risk identification and mitigation. ●End-to-End Encrypted Collaboration enables secure, real- time chat to drive toward collective mitigation.

‹#› With Cloud-CISC the sharer gains immediate insight and the community gains early warning. Share + Correlate + Collaborate = Mitigate Powered by TruSTAR - A Technology pioneered by the leadership of CSA. TruSTAR Sensitive & Proprietary

‹#› Product Demo

‹#› We have a simple sharing script that utilizes our anonymity tools... You can compare redacted and original text from the terminal and submit. You can then export indicators with an export script and report ID. All of this can be easily automated and integrated with your workflow! The UI is helpful for some, but we also have an API and command line tools for automation and integration... TruSTAR Sensitive & Proprietary $ python import-trustar.py AnonymizerTemplate.json $ export-trustar.sh

‹#› Next Steps?

‹#› How do I get involved? TruSTAR Sensitive & Proprietary Getting Involved? Elite enterprise cyber security teams have already begun on-boarding and sharing is happening. Early adopters are rewarded with free access for the first year of the Cloud-CISC. Send to to join Co-Chairs Dave Cullinane - Chairman, CSA Brian Kelly - CSO, Rackspace Still open to nominations for steering committee leaders and members! Contact for leadership

‹#› Questions ? THANK YOU.