Partner Spotlight: IT-ISAC Members Automate and Simplify Intelligence Sharing with TruSTAR


Established in 2000, IT-ISAC members include over 120 technology companies from the IT, Food and Agriculture, and Election industries. TruSTAR has been the intelligence management platform for IT-ISAC users since 2018, and 83% of members have used the TruSTAR platform to improve their security operations.
We recently interviewed IT-ISAC Executive Director Scott Algeier to discuss why the organization chose to partner with TruSTAR, and the benefits its members are experiencing using TruSTAR to simplify integrations, automate data flows and make intel more actionable.
“Regardless of tool sets members are using, it’s easy for them to pull indicators from TruSTAR, add them to their security tools, and leverage the information that the IT-ISAC provides.”
— Scott Algeier, IT-ISAC Executive Director
At what point did you realize the need for a platform to share intelligence?
Information sharing, like everything, goes through transitions. It's not always easy to get companies to share information, but we were building great momentum within the IT-ISAC and getting organizations and member companies to share with us. It got to the point where it was very time-consuming to be copying and pasting indicators from Excel sheets and PDF documents, compiling them, sharing them out to the members, and then having the members copy and paste them into their tool sets. The need for automation is what drove us to explore platform options for sharing intelligence.
What were the driving factors for selecting TruSTAR as your intelligence management platform?
TruSTAR has the ability to share indicators at scale and the ability to leverage STIX-TAXII. With TruSTAR, it is very easy to work with the different tools used by our members. Regardless of tool sets members are using, it’s easy for them to pull indicators from TruSTAR, add them to their security tools, and leverage the information that IT-ISAC provides. The other value add that we see with TruSTAR is the ability to correlate indicators from different cases and from different submissions.
How does TruSTAR solve your challenges?
One challenge, which also is a strength, is the diversity within our membership. We have large companies with very mature capabilities and smaller companies with less mature capabilities. TruSTAR enables us to service both. Large companies who want to pull indicators directly into their security tools can. Member companies can do analysis around the indicators within the platform, and members can look at what they see in their security tools versus what’s in the TruSTAR platform and do the correlations.
Additionally, TruSTAR enables us to have special interest groups for the various member industries we serve so that they can share indicators of interest specific to their industry. This allows us to provide targeted sharing and intelligence and helps avoid sharing irrelevant indicators that could be seen as noise to members in other industries.
For ease of sharing, TruSTAR helps us to automate indicators using STIX-TAXII and API, making it easier for members to share with the IT-ISAC team and other member organizations. It’s also very easy for members to share without attribution with the TruSTAR redaction feature. They can scrub things in their private enclave and review before they push it over.
Another challenge is that we don't want to overload our members with information. With TruSTAR, they can set up keyword searches to pick and choose what they want. If members are interested in certain types of indicators, APT groups, or strains of malware, they can search for what they need.
TruSTAR also helps our security team. The efficiencies created by automated indicator sharing, leveraging the technology platform that TruSTAR provides, have freed up a lot of time for our team to do additional analysis, find additional incidents, find under-reported vulnerabilities, and share that information with our members. It enables us to provide indicators for those companies who are interested in indicators, but it also enables us to turn those indicators into intelligence, which is valuable across all our member sets.
Can you tell us more about how the IT-ISAC security team uses the platform?
We use the indicators we find for further investigation; we can take indicators from open source or that our members have shared and use TruSTAR to correlate and add context. We also use the platform when we get member requests for information. We can quickly plug those requests into TruSTAR and usually get some hits, which is helpful to quickly provide the member with more information.
Another favorite feature of TruSTAR is the dashboard integration. We can check out any trending malware or CVEs that threat actors may be targeting, and by referencing those CVEs and trending malware, we’re able to do additional research.
We also use the TruSTAR integrations for Chrome and Slack. With the Chrome integration, you can highlight the indicators and add them into TruSTAR with a right click. Similarly in Slack, if someone shares something in one of our channels, we can easily add it to TruSTAR.
IT-ISAC members get a TruSTAR Community Plus plan as part of their membership. How does that benefit your members?
Having the ability to correlate and search indicators within their own private Community Plus version of the platform is a big benefit. It provides members with the ability to do some vetting of the indicators themselves and identify which information they want to pull into their SIEM tools. TruSTAR makes it easy to copy and move reports into different enclaves so members seem more willing to share information. Whitelisting and redaction features for scrubbing things like internal IPs and company names make it easy for members to share information without attribution.
Can you describe the support that you get from TruSTAR and how that helps members?
The support we get from TruSTAR is awesome. The TruSTAR team provides individual onboarding sessions for each of our member companies as they join. This is incredibly helpful so everybody understands how to use the platform and maximize the value of their membership. Once onboarding is complete, members receive ongoing support through access to product training webinars and additional one-on-one demo refreshes. Additionally, TruSTAR's support email is a great and efficient resource when members have questions or need assistance.
Outcomes:
- Automation to share indicators at scale: IT-ISAC eliminated the need for manual copying and pasting of indicators by leveraging TruSTAR’s intelligence management platform, which seamlessly integrates with member security tools.
- Time saved allowing additional internal analysis: Efficiencies created through sharing automation provide the IT-ISAC team more time for analysis and reporting to benefit its members.
- Ease of sharing for members: TruSTAR’s Unified Intel API provides a single point of integration through TruSTAR’s fully RESTful API, TAXII infrastructure and Python SDK, making it easy for members to share information with IT-ISAC.
----------------------------------------------------
Thanks!
Mikala Vidal