This week I spoke to Paul Kurtz, the cofounder and CEO of TruSTAR Technology. Paul was previously the CISO of CyberPoint and worked at the National Security Council earlier in his career.
Threat sharing has become a hot topic of discussion in the security world and threat information sharing platforms such as TruSTAR have arrived to meet the demand. In the space of just a month, TruSTAR and threat sharing platforms ThreatConnect and ThreatQuotient all raised funding. TruSTAR allows companies to share threat information in a truly anonymous way, and it provides them incentives to do so. In the interview below, Paul and I discuss what "truly anonymous" means and how TruSTAR's solution is different than that of his competitors.
How important is threat information sharing? If it was more prevalent, would it have prevented some of these huge hacks?
It’s critical. Congress just passed the Cybersecurity Act of 2015, which removes some of the liability risk associated with sharing threat information. Industry and government understand that we need to work together against hackers.
If you look back 15 years or more, you’d see that we’ve been fighting the bad guys individually. If we’re really going to bend the curve, we need to work together. There are a few issues however. One is liability, and another, which is more important right now, is market and reputational risk. Target, United, and others were very reluctant to talk about their breaches because of the market risk. We need to put the incentives in place for companies to share real information when there is a problem.
You shared your opinion on the Cybersecurity Act of 2015 before it was passed; what are your thoughts on the final bill that was passed a few weeks ago?
I think the debate was interesting. What it came down to in the end was privacy, in particular concerns over personal information being shared with other Federal government agencies. The main question was about what information would be shared and what would be done with it. Detractors from the bill didn’t understand that if you’re sharing incident data, things like personally identifiable information (PII) are not relevant. PII doesn’t help to protect against threats and the idea that PII will be shared is simply not the case.
The law does allow companies to share data with each other, which is more important than companies sharing information with the federal government. [BTW, it is more important that the private sector share with each other, as they own and operate the vast majority of the infrastructure in the United States and government has real challenges in sharing information it may possess.] Because of this, I think we’ve landed in the right place with this law.
What will change as a result of it?
A lot. In the case of a breach or disruption, general counsels tend to lock things down to avoid any liability. This law will make them more willing to share information. The law isn’t a panacea, however, because it doesn’t prevent market and reputational risk when sharing information relating to a breach. That’s where TruSTAR comes in. We allow vetted companies to share data with other enterprises anonymously and with PII removed.
In the past month or so, your company TruSTAR, ThreatConnect and ThreatQuotient all raised funding. What are the key features that all threat exchanges have and what are the points of differentiation between your individual solutions?
The problem with other threat sharing platforms is that they aren’t entirely anonymous. The reality is, when a CISO has a problem, they’re very reluctant to share this problem with anyone besides their close buddies. [To expand a little: other platforms share information that is not necessarily actionable or timely.] Our platform provides anonymity for vetted enterprises, meaning that no one, not even TruSTAR, knows who shared it.
With our platform, security workers have an incentive to share threat information because if they share something, we can give them information right away about the threat that they shared and whether other organizations are experiencing something similar.
Over and above that, we give people the ability to collaborate with each other anonymously. Within the product, you can initiate an end-to-end encrypted discussion with people who have dealt with a problem similar to yours. Thus the three keys to our platform are the complete anonymity when sharing threat information, correlating the information that you’ve shared with information that others have shared, and the capability to collaborate anonymously.
In relation to our competitors, no one else provides complete anonymity. Some of the other services tell companies to send them the data, which they scrub and then send out to everyone else. The Department of Homeland Security does that for instance, but then sharing with them means that Uncle Sam knows who you are.
If you’re a CISO, you’re putting a lot of trust in whatever security providers you are using. The burnout rate among security operators is incredibly high, in part because they can’t join forces with others. If we look at every major problem with society--whether it be AIDS, polio, terrorism--what do the good guys do? We work together. We need to do the same in cyber security.
Is the anonymization process very difficult technologically?
It’s based on Andrew Lindell’s “Anonymous Authentication” paper released at Black Hat in 2007. I was previously a CISO at CyberPoint and I asked some of the researchers within CyberPoint Labs to create an algorithm that would allow people to share data anonymously. After reviewing Andrew’s paper they designed and built an anonymous authentication software protocol. We used it to build a SaaS platform which included the new protocol plus correlation and encrypted chat. This company was ultimately called TruSTAR, which is short for True Security Through Anonymous Reporting.
Cybersecurity Startup QuadMetrics Calculates Odds a Company Will be Breached
- The company claims that it can predict within 90% accuracy whether a company will be breached in the next year. To build its prediction engine, the company examined the characteristics of companies that were breached, before the breach occurred.
Distil Networks Acquires ScrapeSentry
- ScrapeSentry is an MSSP that specializes in protecting websites against scraping.
Cyber security company Appthority raises $10 million
- The money comes from Venrock, USVP, and Blue Coat. Appthority provides mobile application risk management for enterprises and won "most innovative" at RSA in 2012.
The Hottest Cybersecurity Startups Of 2015
- Forbes defines "hottest" as biggest growth in valuation. Forbes also reports on the most recent valuations for each of the companies mentioned. Apparently Cylance was most recently valued at $290 million and AlienVault was valued at $430 million.
Ron Gula's 2016 Predictions: Cloud Security
- Tenable CEO Ron Gula predicts that we'll see a lot more exploits on cloud assets in 2016; this includes attacks on SaaS providers and cloud infrastructure providers like AWS and RackSpace.
Shape Security Raises $25 Million to Expand "Botwall" Technology
- Shape Security's Botwall product can be deployed on premise or in the cloud and protects against automated attacks. The round was led by Baseline Ventures.
Prevalent Receives $8 Million in Series B Financing
- Prevalent provides third party vendor risk management solutions.
Raytheon Websense rebrands as Forcepoint, acquires Intel Security's Stonesoft
- Intel acquired Stonesoft 3 years ago for $389 million in cash. Stonesoft makes next-gen firewall products.
RSA president outlines cloud security strategy, IDaaS plans
- RSA will be focusing on building IDaaS products and avoiding cryptography and DLP products.
Thoughts on Media Reports Around Check Point acquisition of CyberArk
- Check Point has $1.5 billion in dry powder and the acquisition makes strategic sense.