Written Testimony of Mr. Mark G. Clancy, Chief Executive Officer, Soltra
Before the Committee on Homeland Security
United States House of Representatives
“Oversight of the Cybersecurity Act of 2015”
June 15, 2016
Chairman Ratcliffe, Ranking Member Richmond and members of the Committee, thank you for
scheduling today’s hearing on industry perspectives on the Cybersecurity Act of 2015 (CISA).
My name is Mark Clancy, and I am the Chief Executive Officer of Soltra. Soltra’s mission is to design and deliver solutions that shorten the time from awareness to decision to action in addressing cyber threats.
First, thank you for all of your efforts and dedication to addressing key cybersecurity concerns and for successfully passing cybersecurity information sharing legislation. As our nation continues to confront serious cybersecurity threats to our critical infrastructure, cybersecurity information sharing is one critical way to address these challenges.
CYBERSECURITY INFORMATION SHARING
By 2008, a new sharing model was needed as the Financial Services Information Sharing and Analysis Center (FS-ISAC) started to grow significantly. This second generation trust model had widened to a larger number of institutions and individuals who still met face to face on occasion, but now had moved to using electronic mail lists as the primary method of exchanging information between face-to-face meetings.
By 2010, when I was the Chief Information Security Officer at The Depository Trust and Clearing Corporation (DTCC), we realized that the scale of the community and the volume of information being shared had grown to the point where we could not make use of all of it, and that a third generation approach to sharing, built on standardization and automation, was required. This led us to explore standards that described a cyber threat in such a way that a human could understand it but a machine could process it.
SOLTRA CREATION: DTCC AND THE FS-ISAC COLLABORATION
Soltra is the financial industry’s answer to the third generation information sharing model. Soltra is a joint venture created by DTCC and the FS-ISAC that leverages the unique expertise of both entities, bringing together the best and brightest of the industry.
DTCC is a participant-owned and governed cooperative that serves as the critical infrastructure for the U.S. capital markets as well as financial markets globally. At its core, it develops and harnesses technology to provide a variety of risk management and data services to the financial services industry. More than 40 years ago the firm was created largely out of the need to leverage technology and automation in order to ensure securities transactions were more efficiently settled, thereby reducing risk of loss in the event of a counterparty default. In this respect, DTCC presently is among the most sophisticated financial technology or “FinTech” companies.
Today, DTCC continues to deploy evolving and improving technology in service to its mission as the primary financial market infrastructure for the securities industry. DTCC simplifies the complexities of clearing, settlement, asset servicing, data management and information services across multiple asset classes. In 2015, DTCC’s subsidiaries processed securities transactions valued at approximately US$1.5 quadrillion.
The FS-ISAC is a 501(c)(6) nonprofit organization and is funded entirely by its nearly 7,000 member firms and sponsors. It was formed in 1999 in response to 1998 Presidential Decision Directive 63 (PDD 63), which called for the public and private sectors to work together to address cyber threats to the nation’s critical infrastructures. The FS-ISAC expanded its role to encompass physical threats after the attacks on 9/11, and in response to Homeland Security Presidential Directive (HSPD) 7 (and its 2013 successor, Presidential Policy Directive (PPD) 21) and the Homeland Security Act.
The FS-ISAC has grown rapidly in recent years. In 2004, there were only 68 members, mostly large financial services firms. Today, FS-ISAC has nearly 7,000 member organizations, including commercial banks and credit unions of all sizes; markets and equities firms; brokerage firms; insurance companies; payments processors; and 40 trade associations representing all of the U.S. financial services sector. Because today’s cyber-criminal activities transcend country borders, the FS-ISAC has expanded globally and has active members in over 37 countries.
SOLTRA
Soltra advances cybersecurity capabilities and increases resilience of critical infrastructure organizations by collecting and distilling cybersecurity threat intelligence from a myriad of sources to help safeguard against cyber attacks and deliver automated services at “computer speed,” cutting down the hundreds of human hours that are currently needed to distill cyber threat information.
Soltra began as a true cross-industry initiative that included a live prototype involving over 125 security practitioners, among them FS-ISAC members, private sector representatives from other critical sectors, and government entities, to refine the requirements, architecture and design of Soltra’s automation software, which is known as Soltra Edge™. Soltra Edge provides a free platform that users can access, and after less than a year and a half, Soltra Edge has been downloaded by over 2,600 organizations in 75 countries spanning 25 industries to consume, utilize, and share cyber threat intelligence using open standards.
The Soltra Edge platform sends, receives, and stores messages of Cyber Threat Intelligence (CTI) in a standardized way. It hides the complexity of the underlying technical specification so that end users can set up and start receiving threat information in under 15 minutes in most cases, changing the paradigm where it could take months or millions of dollars to change internal systems if companies wanted to do it on their own. The information that is received can be used to push instructions to other security tools to perform detection and mitigation of those threats. To support the widest possible adoption, we also made a highly functional version of the platform available at no cost to end user organizations to defend themselves. We also offer a low-cost or no-cost solution to ISAC and ISAO community organizations to act as the community hub for machine-to-machine threat sharing if they lack an existing operational capability. For organizations with additional needs, we also offer a paid membership which includes system integrations for platforms that have not adopted standards, enterprise grade operational features, and technical support.
SOLTRA CREATES THE FIRST EVER INTEROPERABLE INFORMATION SHARING PLATFORM: PROVIDES CROSS-SECTOR SHARING TO BETTER COMBAT THREATS
Soltra has built a threat sharing ecosystem using three open standards first developed by DHS and MITRE: the Structured Threat Information eXpression (STIX), the Trusted Automated eXchange of Indicator Information (TAXII), and the Cyber Observable eXpression (CybOX). STIX, TAXII, and CybOX have been transitioned into an international standards body, OASIS. These open standards are foundational for the interoperability and machine processing that are key to addressing complexity and acting on information quickly. The OASIS CTI Technical Committee, which maintains these standards, has the largest number of corporate and individual members of any technical committee in the standards body.
Soltra utilizes these open standards and has the unique ability to be the “glue” between different sectors and to provide connectivity for those who do not have the time or infrastructure to manage the transition to STIX/TAXII. This common standard also allows a defender of networks to use CTI from community sources like ISACs and ISAOs; government sources such as the U.S. Departments of Homeland Security (DHS) and Treasury, along with the Federal Bureau of Investigation (FBI); and utilize that information in a variety of commercial and open source security tools. It also addresses the problems companies currently have when using multiple vendors whose bundling of CTIs may only work with that same vendor’s tools. Soltra fixes this problem and allows for the use and scalability of information from multiple sources to be utilized in multiple tools that detect or defend the network.
Soltra also helps break down barriers between and amongst key sectors of the economy, providing the bridge from financial services to key sectors like health, energy, retail, as well as state, local, tribal and territorial (SLTT) governments. Historically, sectors only shared information within that sector. While that is important and effective, it also ignores the fact that attackers use the same Tactics, Techniques and Procedures (TTPs) against all sectors, which allows them to reuse the same tooling against every sector. Soltra breaks down the barriers to sharing by ultimately providing the “utility platform” and enabling interchange of information already in the STIX/TAXII format. We see this today with firms that are members of multiple ISAC/ISAO organizations and with ISACs that have sharing relationships with each other. Both of these act as cross-sector bridges since it is simple to share information. Friction is greatly reduced when using Soltra to connect organizations – the same standard format, communications method, and access controls are used to respond to the data-handling instructions driven by the Traffic Light Protocol markings of the content.
SOLTRA AND INFORMATION SHARING BRING GREATER SECURITY
Sharing information about threats remains essential, as Mandiant reports [1] that for 2015 the median number of days from compromise to discovery was 146 days. This improved from a median of 229 days in the 2014 Mandiant report [2], but is still an extensive window. The 47% of firms that detected a breach themselves took 56 days to discover the breach, but the 53% of firms notified by an external party had a median of 320 days from compromise to detection.
This is directly relevant to information sharing in two ways. First, the delta between the time of an internal and an external notification is likely a symptom of poor access to information about threats, or of a limited ability to act on that information. Second, information shared about threats may represent intrusion sets recently identified that had been in situ for a long time. We need to both increase the percentage of internally discovered breaches and shorten the time to detect them.
Sharing CTI data is one such way these discoveries are made and timely sharing leads to timely discovery. Soltra is working to solve this problem by widening the access to CTI data and shortening the time to act on it over manual methods. It is hard to know with certainty why the industry improved the lag in compromise to discovery, but it is highly likely information sharing tipping defenders on what to look for was a part of the improvement.
[1] https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
[2] http://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
Third, there are some important lessons learned about the benefits of sharing information that, quite simply, will vary based upon the maturity of the institution participating in the program.
However, a few things are universal:
First, when a company initially receives CTI data, it is purely a consumer of that information. It might find that it has limited technical or operational capabilities to utilize some or all of the information in an effective way. For example, it may receive indicator information about malware on endpoints, but not have a capability to scan endpoints for such files. At that juncture, the company will begin to realize that it needs to better understand what is in the data to actually be able to utilize it. For example, understanding how to use information when the temporal context is of an intrusion 300 days ago is important. If it only looks for that activity from the moment the CTI is received, it could miss the event that precipitated the intrusion several hundred days earlier. If the information was just recently reported, the original victim may have only just identified it, and that data, even if it is a year old, might be the clue needed to ascertain whether the same incident had occurred in the company’s own infrastructure. As a company moves up the maturity curve, it also moves from primarily utilizing the telemetry represented by the CTI and starts to utilize insights and contextual information to anticipate hazards down the road. Even in mature sectors, the bulk of the activity is around the telemetry CTI data.
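The temporal-context point above, as an added illustration that is not Soltra Edge code: two constructed indicators, one observed by the producer about 300 days before it was shared, are matched against a constructed DNS resolver log, first watching only from the moment of receipt and then searching back to the producer’s observation time. The indicator records are a simplified shape chosen for this example, not the STIX schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample indicators (simplified records, not the STIX schema).
# ind-1 was seen by the producer in 2015 but only shared ~300 days later.
INDICATORS = [
    {"id": "ind-1", "type": "domain", "value": "update-check.invalid",
     "observed": "2015-08-01T00:00:00Z", "received": "2016-05-28T12:00:00Z"},
    {"id": "ind-2", "type": "domain", "value": "cdn-sync.invalid",
     "observed": "2016-05-27T09:00:00Z", "received": "2016-05-28T12:00:00Z"},
]

# Constructed DNS resolver log: "<timestamp> <host> <queried-name>".
DNS_LOG = """\
2015-08-03T14:22:10Z ws-0412 update-check.invalid
2015-08-03T14:22:11Z ws-0412 mail.example.org
2016-05-28T13:05:41Z ws-0097 cdn-sync.invalid
2016-06-02T08:11:02Z ws-0412 intranet.example.org
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def forward_window(ind):
    """Naive approach: watch only from the moment the CTI arrived."""
    return parse_ts(ind["received"]), datetime.max.replace(tzinfo=timezone.utc)

def lookback_window(ind, margin_days=30):
    """Search historical telemetry from before the producer's observation."""
    start = parse_ts(ind["observed"]) - timedelta(days=margin_days)
    return start, datetime.max.replace(tzinfo=timezone.utc)

def match_dns(ind, log_text, window):
    """Return (timestamp, host) pairs whose query equals the indicator value
    and whose timestamp falls inside the window."""
    start, end = window
    hits = []
    for line in log_text.splitlines():
        ts, host, name = line.split()
        if name == ind["value"] and start <= parse_ts(ts) <= end:
            hits.append((ts, host))
    return hits

def triage(indicators, log_text):
    """Report, per indicator, what each search strategy would have found."""
    return {i["id"]: {"forward": match_dns(i, log_text, forward_window(i)),
                      "lookback": match_dns(i, log_text, lookback_window(i))}
            for i in indicators}

if __name__ == "__main__":
    for ind_id, r in triage(INDICATORS, DNS_LOG).items():
        print(ind_id, "forward-only:", r["forward"], "lookback:", r["lookback"])
```

For ind-1 the forward-only search finds nothing, while the lookback search surfaces the 2015 query from ws-0412; a fresh indicator such as ind-2 is found either way.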
As a company matures into using CTI data that was shared, it starts to realize that some data lacks sufficient context and may appear to be a false positive. This arises from the very natural tension of sharing quickly, when information is fresh but may still be incomplete.
This also arises from the very nature of the investigative process, which produces information and observations of activity that may have occurred during an attack but could be unrelated to the attacker’s actions and simply an artifact of normal IT system behavior. In order to address this, a company will want to have a method to ask the producing source to confirm details, or perhaps after its own research it will understand that the context was lost or the CTI data is, in fact, inaccurate. A company will need to have a mechanism to share these results back to the producing source so it can adjust the content and send out a revision to the community.