Fighting fire with fire: Anonymous security net targets enterprises
Paul Kurtz believes US enterprises have a fundamental disadvantage in fighting cyber attacks: The bad guys are cooperating with each other while the good guys work alone.
Concerns about government regulation, bad publicity and intellectual property theft prevent organizations from telling anyone outside their four walls about security threats they face, said Kurtz, former cybersecurity advisor to the White House under Presidents Clinton and Bush and director of counterterrorism for the National Security Council. The result: victims fight attackers with one hand tied behind their backs. “The paradigm of each of us trying to defend ourselves must change,” he said.
Kurtz is trying to do something about it. He’s teamed up with former eBay, Inc. Chief Information Security Officer Dave Cullinane to launch TruSTAR Technology, LLC, a SaaS platform which they describe as the industry’s first global anonymous cyber incident-sharing platform.
Kurtz, who left the government in 2003 after nearly 20 years working with weaponry, counterterrorism and cyber security, said he’s long been both fascinated and frustrated by the fact that cybercriminals freely share their techniques with each other, reasoning that opportunity is virtually limitless and more information benefits everyone.
Not so within corporations, however. Government-regulated entities like banks and securities firms, in particular, “say publicly they’re sharing security information, but privately they’ll tell you it’s really a mess,” he said. “That’s because if you’re a regulated entity, you don’t want the government to regulate you more.” So you stay quiet and cover your losses. The result is that the same exploits are targeted again and again by criminals, with predictable success.
Corporate behavior is unlikely to change, so TruSTAR provides the guaranteed anonymity that Kurtz believes is essential to getting businesses to crank open the lid on information.
Assuring anonymity without undermining credibility is a tricky task. The company is using a patent-pending anonymous authentication algorithm in which members share just enough information about themselves with the community to validate that they belong there while TruSTAR shares just enough information with them to verify that they aren’t an imposter.
Prospective members must provide a Dun & Bradstreet number and go through a credit check and approval process. Vetting is an ongoing process.
When a member shares information about a new attack, it’s immediately checked against an incident database. “We can find others who have experienced the same pain and correlate with ongoing attacks,” Kurtz said. Once members begin collaborating with each other, they can choose to reveal their identities or stay anonymous. However, every new incident report is filed anonymously.
TruSTAR is strictly for corporate customers. “We are not a sharing mechanism for white hat hackers. We are for enterprises,” Kurtz said. About a dozen Fortune 500 companies have joined so far.
The service carries a membership fee, but Kurtz described it as “affordable. Won’t want to charge people for giving up their secrets,” he added.