Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:40 PM
Connect Directly

Ex-eBay CISO's Startup Aims To Beef Up Attack Information-Sharing

SecurityStarfish offers commercial service for victim companies to anonymously share breach war stories, intelligence, mitigations

The former chief information security officer at eBay has launched a new startup that offers a subscription-based service for companies hit by cyberattacks to anonymously share their war stories and obtain inside information on new attack campaigns and deflection methods.

SecurityStarfish, co-founded by David Cullinane, who served as CISO at eBay for five years, and Gordon Shevlin, former executive vice president at FishNet, emerged from stealth this week offering a commercial platform that analyzes its members' shared attack intelligence, remedies for defense, and offers heads-up attack information.

Talk of victims teaming to fight back against cyberattackers rather than going it alone began in earnest in the wake of the game-changing targeted hacks of Google, Intel, Adobe, and others in early 2010. While numerous ad-hoc and industry-specific mechanisms and groups exist for companies to swap their attack stories and intelligence, the majority of these efforts by nature are voluntary and informal. SecurityStarfish is taking that strategy to a more commercial level -- something that Cullinane, who spent years working with other companies to share their attack experiences and intelligence informally, says is key to successfully converting that information into action that helps protect those organizations from falling victim to other attacks.

[ Major global corporations call for more collaboration among organizations hit by cyberattacks, but the devil's in the details. See Victim Businesses Teaming Up To Fight Cybercriminals. ]

SecurityStarfish CEO Cullinane says during his tenure at eBay, he worked with other CSOs to share attack information on an ad-hoc basis, but in many cases, the process hit a dead end. "By the time we explained to each other what had happened, and PR, and legal" got involved, things didn't go much further, he says. "One of the problems with this is it's based on volunteer [activity]. People get busy with things, priorities shift, and [follow-up] doesn't always work."

So he spoke with some CSOs at the RSA Conference earlier this year and cemented the idea of making this attack info-sharing process a paid enterprise so it becomes a more official and regular process -- with follow-up. "We are trying to change the picture from the adversary making money ... to changing the balance of power, so to speak, by getting things done more effectively in collaboration and stop them from being able to monetize" their attacks, Cullinane says.

SecurityStarfish provides a portal to its members, which currently span Fortune companies in the financial services, manufacturing, retail, and energy industries, where they anonymously submit information and intelligence about attacks they've experienced. The company then analyzes all of the data using various tools, including Hadoop, and provides frequent reports that analyze the latest threats and provide guidance on how to remediate and protect against them.

"We give them feedback on what's happening in their vertical and cross-vertically," Cullinane says. "It's not just intelligence-gathering, aggregation, and doing the sophisticated analysis of what's happening out there." SecurityStarfish also will host working forums several times a year where member companies can share what they are doing that works in preventing attacks or mitigating threats, he says, as well as collaborate on mitigation and defense strategies.

So what does this new commercial entity mean for the ad-hoc, regional, and industry-specific attack information-sharing groups out there, including the ISACs, InfraGuards, and others?

These groups will remain key go-to places for many companies and organizations, experts say. But it's unclear in the future how organizations will select which one to go to in the aftermath of an attack if they join up with a commercial enterprise like SecurityStarfish.

"The predominant way of sharing war stories and information is to get a bunch of peers together, close the doors, and talk about it," says Wade Baker, director of risk intelligence at Verizon. "I think it's useful and serves its purposes. But when you're talking at sharing tactical-level information, you can't have a session to share that information fast enough."

Baker concurs that one of the big hurdles with ad-hoc efforts is the corporate legal department. "I think there's more recognition of the value this kind of information has, so therefore there's a greater willingness at least to look at methods of sharing this kind of intelligence responsibly," he says.

If a company shares a malware hash it found on one of itssystems that its antivirus didn't catch, that could help the rest of the community, he says. "If legal can understand what they're doing there ... and that next time [AV] will be able recognize it as badware because other organizations" shared their samples, then it could smooth the way for more sharing, he says.

Jacques Francoeur, founder and executive director of the Union of Concerned Cybersecurity Leaders (UCCL) and a former officer with the Bay Area CSO Council, says the key difference with SecurityStarfish's approach is that it formalizes a breach-information exchange. And that's a two-edged sword: "When you formalize it, you have to put in place disclosure agreements, and the formalization process, in many cases, is a path to killing the exchange [of information]. Legal does not yet appreciate the upside of sharing," he says.

Meanwhile, the informal, ad-hoc method in use today is not scalable, he says.

SecurityStarfish costs $60,000 per year, and Cullinane says his company's collaboration model is ultimately cheaper than going it alone. "The cost of doing this as an individual company that has to figure out a solution to every single attack or type of attack becomes an incredibly expensive proposition," he says. Teaming in the fight is the only way to beat the bad guys, who already collaborate among themselves, he says.

UCCL's Francoeur says the value of SecurityStarfish would come from the "actionable information" it offers its members. The catch, he says, will be what level and quality of intelligence the members provide. "And they'll have to get a critical mass so there's sufficient value to other members," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...