On December 3rd, the Texas Bankers Association (TBA), Independent Bankers Association of Texas (IBAT), and SWACHA hosted a cybersecurity event for banking executives, board members, and senior management called “Executive Leadership of Cybersecurity (ELOC)”. At the conference, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced the availability of a free threat information sharing appliance that financial institutions can use to enter, store, and share threat information. The appliance is called Soltra Edge, and the website says it “takes large amounts of complex threat information across communities, people and devices and analyzes, prioritizes, and routes it to users in real-time.”
Here is some initial information:
- The appliance is a free download that is distributed as a virtual machine. It runs CentOS and is accessed via a web interface. Setup appears fairly simple, especially for a customer that is already running VMware. The database stores information using Structured Threat Information eXpression (STIX) and information can be shared by setting up feeds using the Trusted Automated eXchange of Indicator Information (TAXII) protocol.
- Making use of the appliance is not as easy as the setup. It is a brand new product that is trying to gain acceptance, so it is still under development and does not have all the features that they eventually want it to have.
- The appliance is distributed with an empty database. The financial institution can load threat information using the web interface (manual data entry), import from a CSV file, import from a STIX file, or import from a TAXII feed.
- Initially, most community financial institutions will likely want to receive threat information from a TAXII feed rather than enter and store/share their own threat information. Each TAXII feed must be set up individually. Here are the ones we know about so far:
  - FS-ISAC has one available with a couple of caveats – 1) the financial institution will probably need to join FS-ISAC (for pricing information, visit https://www.fsisac.com/join) and 2) the last post on the Soltra forum indicated that this feed needs to be upgraded in order to work with Edge v.2.
  - There is a free feed at hailataxii.com, but it is not yet clear who is providing the information or how useful it is.
- So far, reporting seems VERY basic. Queries can be manually entered into the web interface, but that was the only reporting feature shown during a Soltra webinar. The Soltra forums have some discussion about integrating the appliance with some security information and event management (SIEM) systems such as Splunk, but that is still in development. Also, many community financial institutions do not currently have a SIEM system installed.
- There are plans to import threat data directly from firewalls, IPS/IDS, etc., but that is also under development and reporting on that information would still be an issue.
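The list above notes that Edge stores indicators as STIX and that reporting beyond manually entered queries (for example, checking indicators against firewall or proxy logs in a SIEM) is still in development. As an added illustration that is not part of the original post and not Soltra's own code, the following Python script parses a constructed STIX 1.1 package with the standard library, pulls out the domain and IPv4 observables, and checks a few constructed log lines against them; the package contents, the log lines, and the function names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces used by STIX 1.x / CybOX 2.x, the XML formats Soltra Edge stores and exchanges.
NS = {"stix": "http://stix.mitre.org/stix-1", "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}

# Constructed STIX 1.1 package; the domain and address are placeholders, not real indicators.
SAMPLE_STIX = """<stix:STIX_Package version="1.1" id="example:Package-1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>Phishing domain</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
    <DomainNameObj:Value>login-update.example</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Title>C2 address</indicator:Title>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

# Constructed proxy/firewall log lines (not from any real system).
LOG_LINES = ["2014-12-04 09:12:01 proxy allow user=alice dst=login-update.example",
             "2014-12-04 09:12:05 fw deny src=10.0.0.7 dst=203.0.113.10 port=443",
             "2014-12-04 09:13:10 proxy allow user=bob dst=intranet.local"]

def extract_indicators(stix_xml):
    """Return {observable_value: indicator_title} for the domain and IPv4 observables."""
    root = ET.fromstring(stix_xml)
    found = {}
    for ind in root.iterfind(".//stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for path in (".//DomainNameObj:Value", ".//AddressObj:Address_Value"):
            for node in ind.iterfind(path, NS):
                found[node.text.strip()] = title
    return found

def match_log_lines(indicators, lines):
    """Return (observable, title, line) for each log line containing a known observable (plain substring match)."""
    return [(v, t, ln) for ln in lines for v, t in indicators.items() if v in ln]
```

A real feed would carry far more indicator types and the substring match would need to be replaced by field-aware parsing, but the shape is the same: parse the STIX package into a lookup table, then join it against the logs your SIEM already collects.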