Box Automates Intelligence and Workflows While Reducing Manual Work Hours with TruSTAR

Box is the market leader for Cloud Content Management. Their mission is to power how the world works together. Box partners with enterprise organizations to accelerate their digital transformation by creating a single platform for secure content management, collaboration and workflow. Today, Box powers over 97,000 businesses, including 70% of the Fortune 500 who trust Box to manage their content in the cloud.  

Read on for more in this Q&A with Box's Kyle Bailey, Manager, Threat Operations.

“The fact that we can easily integrate with all of our data sources that we were pulling in externally by using TruSTAR, as well as any internal data feeds that our incident response team was coming across, is a really big deal for us.”
— Kyle Bailey, Manager, Threat Operations, Box

What were the challenges that you were trying to solve when you were looking to acquire TruSTAR?
We were previously on an open source platform [CRITS] that we had deployed internally, and it had worked well when our scale was much, much smaller. We started to run into issues with maintaining the backend platforms, struggling with system ownership and support of the platform. Those types of things are common struggles with on-prem solutions. We also started to struggle with integrations with other applications — being able to pull in external feeds, threat feeds, as well as pushing data between our ticketing platform and our SIEM. As we tried to integrate all of the pieces of our security operations tool set, it wasn't scaling and it wasn't working.

The fact that we can easily integrate with all of our data sources that we were pulling in externally by using TruSTAR, as well as any internal data feeds that our incident response team was coming across, is a really big deal for us. We could easily build workflows to push data to TruSTAR, and also get those great correlation graphs and context within the console itself.

When you talk about your open source tools and feeds, can you give us a sense of what those are so we know what you're referencing?
We were using an open source platform called CRITs, but the pieces that we were struggling with integrating and being able to expand on were being able to integrate feeds like VirusTotal and PassiveTotal that we paid for. We weren't getting the full use of those feeds because we weren't actively pulling the data into that CRITs platform and didn't have the people in place to go build that out for us. CRITs has some functionality there, but it's not plug and play like TruSTAR is. So not having to find someone who could go research the platform and build that out for us and having it all right there in front of us was a huge advantage.

How is Box currently organized from a security perspective, and what is your role in relation to the rest of your team?
I manage our threat operations group, which is a composition of our detection engineering and threat intel teams, and then our red team. That's embedded within our larger security operations organization, which includes our incident response team and our security automation team. Our detection and threat intel team is four people right now, and the red team is another three people. The entire security operations team is about 35 individuals spread across the US and London for our MES cert function.

How much time do you think your team dedicated to maintain and support CRITs before you deployed TruSTAR?
At the end of the CRITs lifecycle, it became this thing that we didn't support. We just weren't getting what we needed out of it. But I would say, when we were actively supporting it, it was a good 10 hours a week of maintenance that one of our security engineers would maintain.

One of the things that we leveraged in the past was pushing out indicators that we had marked as bad or malicious. We would push them out to our different security control solutions, and we had the maintenance of the scripts that would pull the data out and then push to the security solution.

There was a lot of break fix type work that had to be done around those and monitoring that had to be built to make sure that things were functioning as we intended. This function had become siloed to one person and, once that one individual left, we were stuck with legacy tools that we couldn't maintain anymore.

Is there a specific use case and workflow that you use TruSTAR for now?
One of the biggest wins that we've had is our ability to automate and push indicators out of tickets that our incident response team was actively working and identifying threats relevant to our organization as malicious. We've built a workflow where we're able to push those indicators from our ticketing system, Jira ServiceDesk, back into a TruSTAR Enclave and marked as malicious, and from there we have a flow back into Splunk that then tells the team if they see these indicators again.

One of the challenges that we had in the past was when we found things that were bad, we didn't have automated processes to tell us if we saw them on the network again, or if, say, another host was infected and exhibiting similar indicators. It was on the analyst to go manually put these known bad indicators into a Splunk search and figure out where else on the network these things were happening.

Besides your case management ticketing tool and your SIEM, are there any other tools that benefit from either contexts or enrichment from TruSTAR? Any EDR, network or other security tools?
There's definitely an enrichment piece to this, but in our setup we do it all in the ticketing system. In the ticketing platform, as indicators are being populated and new events or new tickets, we have automated processes to go out to TruSTAR that pull data about these indicators. These enrichment functionalities have been really helpful to the incident response team for context.

Were you ever able to get this type of workflow using CRITs?
It existed in a much more archaic form. We had enrichment happening and we did have a little bit of intel feeding back into our SIEM, but it took a lot of manual code and a lot of hours to build that out. Then, like I said earlier, we ran into a problem where that function got siloed and we didn't know how to maintain these things any longer. We weren't getting the enrichment functionality as deeply as we are from TruSTAR, just because of the ability to integrate.

Do you track ROI with your security tools today and how do you justify or track ROI working with TruSTAR?
Time saved through manual functions that we've been able to automate is a big piece of it — how much time can an analyst save by having all of this enrichment and manual feedback into the SIEM happening for them without needing to take all of the manual steps that existed previously. I would venture to say that at least 10 hour of manual work per week was shaved off once we started using TruSTAR.

We have been able to reduce our MTTR metric by about 20% over the last year and we have seen a reduction in MTTD as well. TruSTAR’s ability to enrich and correlate all of our data sources into each ticket for the analyst has played a significant role in the reduction of these metrics.

There's also the countless hours of analyst’s time saved in terms of hunting and pecking for enrichment existing in the tickets that they don't have to go discover manually, as well as being able to mark indicators, like I mentioned.

When you were ready to procure TruSTAR, how did you build a business case to justify the procurement piece with the powers to be at Box?
Consistency in the platform and not needing an individual to maintain software backend, that's huge just in time saved and also allocating that time to other more important projects. The other piece would be fully integrating all of our data feeds and getting the most out of the data feeds that we're already paying for. We were paying for some things and not actively leveraging them because the platform didn't fully support it. So, being able to get more or full value out of tools and threat feeds that we were already paying for.

Also time saved behind the scene, not needing to manage this on-prem platform, and appealing to a functionality side, giving the incident responders much more context on the events that they were actioning.

Does Box currently share or contribute to any ISACs? Do you use any of the data that you get from their feeds?
We are a member of the IT-ISAC, which we do use as a correlation point in TruSTAR. That is a big piece of what we want to be doing to contribute back to the community in the future. We do pull their feed down and push it into Splunk and leverage that from an alerting standpoint.

Strategically with your security program, what are you looking to do next with TruSTAR and any use cases that you have?
One of the big things that we're trying to do is get more of our internal IOCs into TruSTAR. When those IOCs match up we can correlate things together much more easily than we could in the past. 

We're trying to take that to the next level by trying to get things like low-level attacks, firewall blocks, email filter blocks, etc. and those IOCs into TruSTAR. That way when, say, a threat actor is feeling out our email filter, feeling out our firewall, and eventually gets through and generates an alert, we can have correlation and backstory to see what was happening previously and things that they were trying and have that all correlated in a single pane of glass in TruSTAR. That kind of context is a piece that we're missing at the moment.

The second thing we want to do is, for us, we're interested in producing more targeted intel products that our incident response team or our security teams can leverage internally. I think TruSTAR is going to play a big part in that, and being able to tie indicators together, tie threat actors together, and get a full picture of either what we're seeing, what we have seen, or what others are seeing through IT-ISAC will give us more context to produce a more holistic product for our incident response team and leadership as well.

Outcomes

• Operationalizing Internal Intelligence: By consolidating all of its data into a single intelligence management platform, Box is able to open previous investigations and see context for future enrichment in detection and response tools. 
• Aggregating and normalizing external intelligence: Box is able to use TruSTAR to automate the process of ingesting, normalizing, and correlating threat intelligence from premium sources and ISAC data.
• Time Saved for Engineers and Analysts: Box removed the operational burden of building and maintaining open source CRITs solutions and reduced analyst time 'wrangling data' for enrichment by utilizing the TruSTAR platform.
• Seamless Dissemination of intelligence to other tools, teams and partners: By utilizing a bi-directional data flow and a uniform tagging system, Box has improved visibility across teams and tools.