Security information sitting within silos does little good, particularly in the early phases of a malware attack. So when President Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in 2013, it created new public/private information sharing pathways. The early results were very interesting, said John Cassidy, CEO and co-founder of King & Union, but lacked necessary context.
“I started to uncover lots of things going on,” Cassidy said. “I was raising my eyebrows, saying ‘What the heck?’” What he and others saw was correlated data without any analysis to guide the next step.
Cassidy is one of the developers behind EINSTEIN 3 Accelerated, a DHS-sponsored information sharing program within the United States intelligence community, designed to protect U.S. critical infrastructure. According to the DHS website, EINSTEIN 1 analyzes network flow records; EINSTEIN 2 detects and alerts on known or suspected cyber threats using Intrusion Detection System (IDS) technology; and EINSTEIN 3 Accelerated monitors only select Internet traffic either destined to, or originating from, federal civilian Executive Branch departments and agencies in the “.gov” domain.
A second Obama-era executive order, 13691, Promoting Private Sector Cybersecurity Information Sharing, extended the previous order to include the private sector. “I’ve been with that program and built it up since its inception,” said Cassidy. “I was bewildered by the inability for people to start using that system and the willingness to protect them and participate in the program. It was interesting to watch [the private sector participate]. They were more spooked about putting their email traffic into a system that was monitored by the government. There are a lot of trust issues.”
Financial services is a big part of U.S. critical infrastructure, and Cassidy said an information sharing program was attempted by the Financial Services Information Sharing and Analysis Center (FS-ISAC), a public/private organization through DHS, but the effort at data sharing was not successful. “They’ve got what I’d call a giant bit bucket,” Cassidy said. “Everything goes in, gets correlated, and this big thing comes out. And most people that are using it — except for JPMorgan, Wells, and a few other big guys — have no earthly idea what to do with the information.”
Cassidy said that the new Financial Systemic Analysis & Resilience Center (FSARC) is an attempt by the financial services industry to solve what FS-ISAC couldn’t. “There’s an initiative that we’re getting ready to respond to under DHS that was started with a group of banks to try to come up with a research project around collaboration. We’ll be building on this.”
“So you have the [U.S.] government effectively communicating within its security operations centers,” Cassidy said. “That leaves banks to do their own security, and generally not really talking with each other. Or ISACs that were created with the goal of sharing information, but basically building giant spreadsheets of more threat data.” He quickly realized that information sharing without analysis isn’t good enough.
After observing this for several years, Cassidy got together with a friend, Brent Wrisley, and they started thinking about how to make all this work even better. “Brent was supporting me from the cyber analysis side when I was running this massive Einstein program, so I realized I needed analysis guys like him that could dig into APTs and everything. So after I brought Brent and his team onto the Einstein program and we both started seeing all this stuff going on, we decided to build a platform to try and fix some of this stuff.”
In April 2016 Cassidy raised seed capital and created a new company, King & Union, to demonstrate the benefits of public/private information sharing combined with analysis.
Avalon, the flagship product from King & Union, is a secure approach to information collaboration, Cassidy said. It pulls data into one workspace so investigations can be conducted more efficiently, and it aggregates information so that analysts can visualize the data. There is also a collaboration element: trusted groups can be spun up within an organization and with partners to discuss specific events, so new threats can be analyzed in real time. It also has a repository of past security events, allowing for easy comparison.
A free edition allows for the use of proprietary data, interactive threat visualization, the creation of trusted collaboration groups with real-time chat, backups of investigations, and a limit of 100 searches per day. A paid Enterprise edition adds third-party data integration, custom intelligence indicators, custom exports, and unlimited searches.
So far, King & Union has been piloting systems that allow organizations to start communicating without having to worry about liability, Cassidy said. Avalon has been collecting IP addresses, freezing malware samples, and SSL certificates — things that are of interest. “We’re running [everything] through our system along with tons of data that we already have, and are able to present a visual representation model within seconds instead of you having to build one yourself.”
In a private demo at Black Hat USA 2018, Cassidy displayed information within Avalon on a new malware sample. The system associated the new sample with other known malware, suggesting it was a variant. It also surfaced the relevant analysis of those other malware samples, speeding further analysis of the new variant.