A new bank-backed software program promises to let financial institutions react to security threats in milliseconds.
When the system, called Soltra Edge, goes live Dec. 2, banks nationwide will share information about security incidents, which the software will reformat and send back out to banks in a way that machines can read. This means, according to Soltra Edge's creators, that it will be able to directly tell banks' security systems what to do: for instance, tell firewall software to block malicious URLs and instruct antivirus software to find and disable new strains of malware.
Sixteen banks provided the funding for Soltra Edge, including JPMorgan Chase, Citigroup, U.S. Bancorp and BB&T. About 150 members of the Financial Services-Information Sharing and Analysis Center in Washington contributed to the requirements and design of the service, and 45 banks are pilot-testing it.
"Last year we had two [banks piloting the software], and only a few weeks ago we had 45," said Bill Nelson, president of Soltra and president and chief executive of the FS-ISAC. "The interest has gone way up. It's come at the right time because there's so much need for it by financial institutions and other sectors."
"The discussion of cyber security has moved out of the server room and into the board room," Kelly King, the chairman and CEO of BB&T, said in a press release. "Defending against today's cyber threats and attacks often takes more than any one organization; it takes an industry working together."
Behind Soltra Edge is Soltra, a joint venture of the FS-ISAC and the Depository Trust & Clearing Corp., an industry-owned organization that provides post-trade clearing and settlement.
"At its simplest, Soltra Edge is an engine that allows us to deliver threat information from people who discover threats to the places where it needs to be defended against," said Mark Clancy, CEO of Soltra and chief information security officer of the DTCC.
Suspicious website addresses, malicious email addresses, malware definitions, and descriptions of phishing campaigns can be sent to the system in plain English. The software restructures the messages using a format called STIX (Structured Threat Information eXpression) so they can be read by security software.
Such information is already shared manually by bank members of the FS-ISAC. Hours can pass from the time a bank's security department receives the threat information to when it does something about it. Threat information sharing has also suffered a problem of scale. The FS-ISAC's threat database already contains 12 million records. In some cases, banks have begun getting so much information about security breaches that it's impossible to use it all, and some has fallen through the cracks.
"My team gets 40 emails a day from various people around the globe about suspicious emails and websites they've seen," Clancy said. "We take that information and cut and paste it from the email system into the dozens of security modules we have."
Soltra Edge will automatically route the information to security solutions including threat intelligence feeds, security information and event management systems, firewalls, intrusion detection and prevention devices, and antivirus software. It does so using a routing mechanism called TAXII (Trusted Automated eXchange of Indicator Information) that was developed by the Department of Homeland Security and Mitre Corp.
The kind of straight-through processing Soltra Edge promises would push information out to the security tools in milliseconds, Clancy said.
It almost sounds too good to be true: the idea that messages written any old way could be turned into clear instructions security software can automatically act upon. Clancy acknowledged that work remains to be done.
"There's a lot of complexity and hard work and some unfinished business in that space," he said. Soltra is building adaptors that will help commercial security software communicate with Soltra Edge.
But as more security tools adopt the STIX and TAXII specifications, the adaptors won't be needed, he said. A security event management tool called Splunk already uses the standards and integrates with Soltra Edge. IBM and HP are working on building support for STIX and TAXII into their security software.
In addition to collecting and distributing threat information, Soltra Edge will also report on "sightings" of security problems, which, in a bit of geeky humor, are referred to as UFO sightings and represented with a UFO icon.
"This tells you that this thing didn't specifically target me, it went to everybody," Clancy said. Security threats that target only one institution might warrant a different level of attention than those blanketing everyone.
"Even with just sighting data, you start to get more context on what you're up against," Clancy said.
Soltra is the name of a fortress that in medieval times was at the end of a line of fires that warned when invaders were coming.
"We adopted that name in the digital metaphor, but it's the same premise: we want to know when the bad guys are coming so we can be ready for them," Clancy said.
The technology itself originated as a joint project of the DTCC and the FS-ISAC called Avalanche, as in avalanche of data. "That's what happens when engineers name stuff," Clancy noted. Funding from member banks enabled the group to speed up the software, which each bank runs in a virtual machine in its infrastructure.
"We intentionally didn't make this an uber-cloud in the center, because security professionals wanted to have operational control over this stuff and keep it in their own shop," Clancy said.
The free version of Soltra Edge provides the high-speed threat updates. A premium version will come with the adaptors to widely used security modules, as well as maintenance and support.
The biggest overall benefit of Soltra Edge is its speed, Nelson said. Large banks will be able to react more quickly to threats. Small institutions with one or two people devoted to information security should also benefit, he said.
"This allows you to free them up to do more people work, rather than cutting and pasting stuff from an email or PDF and moving it into your security systems," he said.
The U.S. banking industry has come a long way with security threat information sharing, Nelson said.
"Five years ago we were trying to get people to share information," he said. In Europe, that conversation is happening today. But in the U.S., now that banks are sharing, "that created a new problem of 'how do I consume it? How do I act on it?'" he said.