TruSTAR Enclave: Not Your Grandpa’s 'Trusted Circle'

In the early 2010s, ‘Trusted Circles’ were the primary way to share intelligence with other people and parties in cybersecurity. They were exclusively a group permissions capability: data shared to a ‘trusted circle’ was shared with whoever had permissions to access data in that ‘trusted circle’ at that time.

Since creating the cyber intelligence Enclave in 2016 for intelligence management, TruSTAR has consistently expanded the capability and use-cases for Enclaves beyond the ‘trusted circle’ concept. Today, TruSTAR’s Enclave technology is the most advanced cloud-based governance engine for enterprise cyber intelligence. On this, the five-year anniversary of Enclaves, we wanted to take stock of how the feature has evolved to meet the needs of integration, automation and intelligence sharing. 

  • Integrated Event Storage - The most valuable information in enterprise cybersecurity is information about historical events and incidents. Too often enterprises prioritize external threat intelligence and enrichment before they even know whether an event has been recently investigated and what valuable historical context may already exist. This leads to redundant investigative cycles and time wasted reinvestigating. Cloud-based Enclaves provide a low-cost, integrated storage solution for events. Now, instead of searching endpoint, firewall, email, SIEM and multiple ticketing systems, the alerts and events can persist in your Enclaves, providing you and your tools an easy API/UI search mechanism to answer the age-old analyst question ‘have I seen this before?’. See for yourself how one customer, LogMeIn, is using Enclaves to harvest the value of internal events and external intelligence sources here.
  • Permissions & Secure Intel Sharing - Enclaves go beyond the binary permission capabilities of Trusted Circles to include granular, full-spectrum data access control from create → view → edit/delete. Enclaves are the perfect construct for inter-company intelligence sharing communities that require multiple companies’ access to a single repository and can also help power intra-company intelligence sharing across different teams and tools for security, fraud and risk.
  • Observable Extraction - Not every observable is relevant in every source, workflow and/or use-case. By default, the typical cyber observables are all utilized, but Enclaves allow users to define extracted observables for more nuanced use-cases. For example, you may want to extract phone numbers from one source that collects voice-enabled fraud data and not from another that tracks suspicious emails, where the phone numbers in signature blocks from their own employees are not relevant. Enclaves are the only way to manage this seamlessly.
  • Event, Campaign-based Enclaves - In 2020, Enclaves served a unique purpose for many customers, beginning with Covid-related fraud observables. Intel partners from IBM, Intel471, AT&T/AlienVault, the CTI League and others published proprietary indicators from known Covid-related phishing and fraud schemes to an open community on TruSTAR. With the industry scramble from the FireEye and SolarWinds hack announcement, enterprises used TruSTAR Enclaves to create vetted repositories of related indicators from various sources to automatically sync with their core detection and response tools.

2021 & Beyond

In the last five years, TruSTAR Enclaves have come a long way from their initial conception as a way to “stage” your data in the cloud before you shared it with others. Here are some capabilities currently in the works for the future of Enclaves.

  • Intel Workflows - As every observable, event and intelligence report belongs to an Enclave in your TruSTAR environment, Enclaves become the way to set up your Intel Workflows in 2021. Unlike process orchestration playbooks that mimic human action, Intel Workflows will provide automated data-centric outcomes where data is the input and data is the output. You may want to cross-validate suspicious IPs in your ISAC enclave with your commercial intelligence provider before you ingest them into your SIEM for detection. 
  • Performance Analytics - When it comes to the ROI on intelligence, many enterprise security teams are flying blind. There is no easy way to tell which intel sources provided unique enrichment, which ones provided false positives and which ones are redundant. In the next phase of Enclave innovation, TruSTAR will make it easy for enterprise security teams to see exactly how their sources are performing by giving Enclave-level analytics on Coverage, MTTD and MTTR. 
  • Data Residency - R&D efforts are underway to empower Enclaves with a new set of capabilities to enforce data residency for compliance or performance reasons. As regulatory regimes to govern data residency like GDPR gain traction globally and with the rise of edge computing, Enclaves will soon determine ‘where’ mission critical intelligence is stored for the enterprise. 
  • Machine Learning - As Enclaves are the leading solution for storing your historical event intelligence in a tool-agnostic repository for future enrichment, they will become the de facto “Cyber Memory” for the enterprise. The Cloud Security Alliance’s research paper on Cloud-based Intelligent Ecosystems says:
“Rather than responding to a stream of cyber events ‘playing whack-a-mole’, we need to recall events gathered from security systems seamlessly. Creating a virtual ‘memory’ to absorb events will enable Machine Learning (ML) to identify patterns more effectively and efficiently address malicious activity.”

As TruSTAR continues to build on machine learning infrastructure across the platform, we will also provide tools for the enterprise to conduct their own machine learning on their own historical events in their Enclaves to move from the reactive to the predictive. 

The Enclave has evolved from an initial edge case, a place for an enterprise to stage test data on TruSTAR before it is released to other teams and tools, into the de facto way enterprises manage intelligence in the cloud. It has become the foundational architectural element for data-centric security leaders who are beginning to see their data sets as the permanent and primary asset for their program while tools and applications will change and evolve. And, while it has come a long way, the Enclave will continue to grow and change as new use-cases in integration, automation and intel sharing become increasingly top of mind to keep pace with the ever-evolving security landscape.

For more on how Enclaves can help accelerate automation and efficiency in your security program, check out our white paper on Data-Centric Security Automation.

Patrick Coughlin is VP, Global Technical Sales at Splunk. He was the Co-founder and CEO of TruSTAR, a cyber intelligence management platform that was acquired by Splunk. Prior to TruSTAR, Patrick led cybersecurity and counterterrorism analyst teams for the US government and private sector clients in the US and EMEA.
