Cybersecurity Market
Cybercrime has been called a pandemic [14] and criminal cyber operations have evolved into global industries. The leading example is the ransomware underground which collected more than $20 Billion USD globally in 2020 alone [15] and ransomware demands increased by 144% in 2021 [20]. Billions of dollars in ransomware payments have led to advancements in the development and distribution of ransomware binaries resulting in a growth of young, malicious, yet entrepreneurial, mindsets. Furthermore, because of the potential for large payoffs, more competition is entering the field. Business Email Compromise (BEC) is considered to be the next malicious cyber-attack vector. Reports [1] show an uptick of nearly 84% in BEC attacks with the costs for a compromise totaling more than $7 Billion USD in potential losses [10]. The criminal underground is a big business supported by a robust client base and large underground marketplaces. It is clear that cyber attacks have become serious pandemic threats to our modern society.
Security vendors are endeavoring to prevent and disrupt criminal cyber operations. They are working to develop detection and prevention mechanisms to ensure that organizations are protected from the worst of these cyber attacks. This has resulted in big business. The security industry is a $119 Billion dollar industry [17], has an expected growth rate of 8%, and employs more than 3.5 million people [4]. Every year cutting-edge technologies are showcased at trade shows and conferences, highlighting technologies designed to detect and prevent the latest attack techniques. Security experts are also seeing record-setting growth with an expected 31% growth between 2019 and 2029 [23]. Additionally, there are estimated to be 4.6 million total cybersecurity workers worldwide [24]. The battle between attackers and defenders has never looked quite as intense as it does today.
While the use of Artificial Intelligence (AI) holds promise for combating cyber attacks, it is only one of many responses that will be required to fight the pandemic. Reports show that a fully deployed AI learning model is only able to reduce the total dwell time of an attacker, post-breach, by 28 days [3]. AI thus reduces detection and remediation timing but at a much higher cost of operation.
Security vendors are endeavoring to prevent and disrupt criminal cyber operations. They are working to develop detection and prevention mechanisms to ensure that organizations are protected from the worst of these cyber attacks. This has resulted in big business. The security industry is a $119 Billion dollar industry [17], has an expected growth rate of 8%, and employs more than 3.5 million people [4]. Every year cutting-edge technologies are showcased at trade shows and conferences, highlighting technologies designed to detect and prevent the latest attack techniques. Security experts are also seeing record-setting growth with an expected 31% growth between 2019 and 2029 [23]. Additionally, there are estimated to be 4.6 million total cybersecurity workers worldwide [24]. The battle between attackers and defenders has never looked quite as intense as it does today.
While the use of Artificial Intelligence (AI) holds promise for combating cyber attacks, it is only one of many responses that will be required to fight the pandemic. Reports show that a fully deployed AI learning model is only able to reduce the total dwell time of an attacker, post-breach, by 28 days [3]. AI thus reduces detection and remediation timing but at a much higher cost of operation.
Market Failure
The medium-sized business market is struggling to build and maintain a security perimeter due the lack of resources, the inability to pay for capable security tooling or services, and the lack of trained personnel who are able to properly maintain security tools and provide services. As a result, most businesses are left with security tools that are running on default configurations and are rarely updated with meaningful and actionable detection, alerting, or reporting capabilities. Organization leadership is left hoping it has enough protection to survive the next attack.
To make ends meet, these organizations are forced to lean upon limited professional service time from their security vendors or they are forced to pay a Managed Security Service Provider (MSSP) to continually maintain their security tools. Organizations that have been compromised rely on security vendors to remediate the security incident, which adds an additional financial burden. As with all aspects in our modern economic culture, you get what you pay for, and most organizations are not able to afford the best MSSP, skilled security researcher, or the most comprehensive threat intelligence datasets.
The sharing of threat information is the lifeblood of the cybersecurity defense ecosystem, it allows for individual organizations to properly configure their security operation center tooling and allows for highly skilled threat analysts to accurately communicate threat information. This type of information is called Cyber Threat Intelligence (CTI). Threat intelligence is any information related to a threat that might help an organization proactively protect itself against a perceived threat or to detect the activities of a threat actor. Major types of threat intelligence include indicators, tactics, techniques, and procedures (TTPs), security alerts, threat intelligence reports, and tool configurations. Security operations rely on accurate and timely threat information to facilitate the monitoring of threats and to improve their defenses.
There are three requirements that must be met by security platforms to allow security operations to effectively respond to incidents.
To make ends meet, these organizations are forced to lean upon limited professional service time from their security vendors or they are forced to pay a Managed Security Service Provider (MSSP) to continually maintain their security tools. Organizations that have been compromised rely on security vendors to remediate the security incident, which adds an additional financial burden. As with all aspects in our modern economic culture, you get what you pay for, and most organizations are not able to afford the best MSSP, skilled security researcher, or the most comprehensive threat intelligence datasets.
The sharing of threat information is the lifeblood of the cybersecurity defense ecosystem, it allows for individual organizations to properly configure their security operation center tooling and allows for highly skilled threat analysts to accurately communicate threat information. This type of information is called Cyber Threat Intelligence (CTI). Threat intelligence is any information related to a threat that might help an organization proactively protect itself against a perceived threat or to detect the activities of a threat actor. Major types of threat intelligence include indicators, tactics, techniques, and procedures (TTPs), security alerts, threat intelligence reports, and tool configurations. Security operations rely on accurate and timely threat information to facilitate the monitoring of threats and to improve their defenses.
There are three requirements that must be met by security platforms to allow security operations to effectively respond to incidents.
- Security platforms must maintain relevant threat intelligence to remain secure. Relevant threat information is information that is both timely, trusted, and actionable.. In addition, organizations must rely on trusted threat data to avoid wasting resources tracking false indicators. There are many threat intelligence services that claim to be legitimate. Organizations should only use threat intelligence that has been reviewed and verified by trusted security professionals prior to their integration into security platforms.
- Security data must be simple. Organizations must be able to easily identify viral indicators and implement straightforward security measures in response to active cyber attacks. Maintaining a security tool that continually updates its rulesets to detect the latest attacks can dramatically improve an organization’s ability to survive that cyber attack. These rulesets often take a significant amount of work to implement and maintain. Oftentimes, too much for a medium-sized business to perform.
- Security products must be economical. Budget constraints affect every organization and only through the reduction of production costs can organizations afford to bring in the latest security technology to protect their environments. Medium-sized businesses directly feel this constraint as their entire yearly budget for security may only allow them to purchase the lowest tier of a dedicated threat intelligence platform or employ a security worker with limited practical security experience.
Figure 1. The Trilemma: Security data must be relevant, simple, and economical.
Unfortunately, 83% of global organizations experienced more than one data breach in 2022 [9], 61% within the small and medium-sized business category alone [25], with the average cost of a data breach reaching $4.35M USD [3]. Small and medium-sized businesses simply cannot be expected to survive even one data breach. Now more than ever medium-sized businesses need security solutions that allow them to access relevant, simple, and economical security products. There are three scenarios that accurately demonstrate this dilemma:
There is a significant demand for threat intelligence that supports the global mid-sized organization. This business demographic’s security needs are not being met by today's cybersecurity defense providers. As noted above there are traditionally two types of suppliers for security products: centralized commercial security providers and decentralized open source security researchers. The security products from centralized providers are high quality and easy to integrate, but they are oftentimes expensive and inaccessible to most organizations. The security products from decentralized security researchers are basically free, but they come from unverified sources, suffer from variable quality, and can be complex to integrate [16].
- Scenario #1 - Commercial security vendors can provide relevant, timely, and actionable threat information directly within their respective security operation tool that is simple to understand and implement. However, this oftentimes only comes with the purchase of premier security offerings, making these services too expensive for their security budget.
- Scenario #2 - Open source products such as MISP, OpenCTI, and many security GitHub repository tools can provide timely and actionable threat information that will assist security operations. Since they are free, they are also very economical to implement. However, these tools can be difficult to use, time-consuming to maintain.This requires a dedicated team member with advanced skills to properly implement them. Most mid-level organizations cannot provide this level of skilled work.
- Scenario #3 - Free threat intelligence lists can be simple to integrate into most security tools, reducing the burden on security personnel. But, many of the free threat intelligence lists contain old and irrelevant data, which may or may not have been verified by reputable sources. This security data thus delivers a false sense of security and leaves the medium-sized business slightly better off, but no where near sufficient in securing their environments
There is a significant demand for threat intelligence that supports the global mid-sized organization. This business demographic’s security needs are not being met by today's cybersecurity defense providers. As noted above there are traditionally two types of suppliers for security products: centralized commercial security providers and decentralized open source security researchers. The security products from centralized providers are high quality and easy to integrate, but they are oftentimes expensive and inaccessible to most organizations. The security products from decentralized security researchers are basically free, but they come from unverified sources, suffer from variable quality, and can be complex to integrate [16].
Humans have adapted to survive in nearly every inhospitable climate on this planet, including those that harbor some of the most deadly diseases and bacteria. In recent history, medical advancements like immunization and proper sanitation have increased human longevity. We owe our continued survival to one of the most intriguing and significant advancements in evolutionary biology: the immune system.
The immune system is nature's way of dealing with infections and diseases that enter the human body. It grows and adapts as we are exposed to foreign bodies like fungi, toxins, viruses, and bacteria, also called pathogens. The immune system maintains a network of sensors that sound the alarm when a pathogen is detected and in response creates antigens that our bodies remember forever to ensure they can quickly fight the infection should it return. Remarkably, instead of combatting the infection locally, the immune system provides the antigens to the entire body. This sharing of remediation information prevents a systemic infection from taking place within the body.
Today's modern and interconnected world is not all that dissimilar from a biological system. There are independent and diverse organizations and networks working in unison with the larger global society to maintain, support, and develop not only our modern lifestyle but the very ability to move forward and evolve. Arguably our society is still a nation-centric one, but we have begun to build global defense agencies such as Interpol and the World Health Organization which are capable of spreading information internationally regarding terrorism and pandemic-level events. However, today, there is a plague that is wreaking havoc across our interconnected world. A global pandemic that we have not been able to successfully combat or even significantly hamper. This pandemic is the Cyber Attack.
In a world where we can livestream any event to billions of users around the world, why do we still find ourselves in a situation where a cyber campaign can use the same type of attack to compromise hundreds of organizations over the course of several months and not be stopped? Is it not possible to build a global antibody armored against an attack's indicators of compromise (IOC) and deliver this to all organizations immediately? This type of global network immune system would undoubtedly protect potential victims, prevent criminal organizations from making large sums of money, and reduce the global threat of cyber attack pandemics.
Similar to how the immune system is able to globally deploy antigens to protect the whole body from a pathogen, the security industry needs to build a global network immune system to ensure that security infections taking place in one enterprise are rapidly disseminated to protect the global ecosystem. We should not live in a world where a single ransomware variant, or pandemic, is only fought locally and allowed to persist successfully for several months around the globe. Nor should we live in a world where 53% of all security breaches are not detected [11], or where the average dwell time of an attacker (the time from the initial breach until detection) is 207 days [7] plus another 70 days to contain the breach.
What is needed is a new, faster system for detecting, transporting, and deploying security-focused antigens to all global defenses to ensure they have correct and timely information to fight the infection. This system must not only respond to a singular infection but must also build the immunity response antigens to combat cyber infections on a global scale.
By pulling from nature, we are presented with a method to prevent wide-scale infections. Imagine, instead of a pathogen like a virus or bacteria, we are presented with a threat actor who has compromised a network. Imagine also, similar to how the immune system responds to a virus, the cyber immune system responds to the threat by deploying cyber antigens throughout the global network of interconnected organizations thus preventing infections in those networks. With the advancement of blockchain technology, it is now possible to achieve this imagined scenario: the creation of a global Decentralized Security (DeSec) cyber immune system.
The immune system is nature's way of dealing with infections and diseases that enter the human body. It grows and adapts as we are exposed to foreign bodies like fungi, toxins, viruses, and bacteria, also called pathogens. The immune system maintains a network of sensors that sound the alarm when a pathogen is detected and in response creates antigens that our bodies remember forever to ensure they can quickly fight the infection should it return. Remarkably, instead of combatting the infection locally, the immune system provides the antigens to the entire body. This sharing of remediation information prevents a systemic infection from taking place within the body.
Today's modern and interconnected world is not all that dissimilar from a biological system. There are independent and diverse organizations and networks working in unison with the larger global society to maintain, support, and develop not only our modern lifestyle but the very ability to move forward and evolve. Arguably our society is still a nation-centric one, but we have begun to build global defense agencies such as Interpol and the World Health Organization which are capable of spreading information internationally regarding terrorism and pandemic-level events. However, today, there is a plague that is wreaking havoc across our interconnected world. A global pandemic that we have not been able to successfully combat or even significantly hamper. This pandemic is the Cyber Attack.
In a world where we can livestream any event to billions of users around the world, why do we still find ourselves in a situation where a cyber campaign can use the same type of attack to compromise hundreds of organizations over the course of several months and not be stopped? Is it not possible to build a global antibody armored against an attack's indicators of compromise (IOC) and deliver this to all organizations immediately? This type of global network immune system would undoubtedly protect potential victims, prevent criminal organizations from making large sums of money, and reduce the global threat of cyber attack pandemics.
Similar to how the immune system is able to globally deploy antigens to protect the whole body from a pathogen, the security industry needs to build a global network immune system to ensure that security infections taking place in one enterprise are rapidly disseminated to protect the global ecosystem. We should not live in a world where a single ransomware variant, or pandemic, is only fought locally and allowed to persist successfully for several months around the globe. Nor should we live in a world where 53% of all security breaches are not detected [11], or where the average dwell time of an attacker (the time from the initial breach until detection) is 207 days [7] plus another 70 days to contain the breach.
What is needed is a new, faster system for detecting, transporting, and deploying security-focused antigens to all global defenses to ensure they have correct and timely information to fight the infection. This system must not only respond to a singular infection but must also build the immunity response antigens to combat cyber infections on a global scale.
By pulling from nature, we are presented with a method to prevent wide-scale infections. Imagine, instead of a pathogen like a virus or bacteria, we are presented with a threat actor who has compromised a network. Imagine also, similar to how the immune system responds to a virus, the cyber immune system responds to the threat by deploying cyber antigens throughout the global network of interconnected organizations thus preventing infections in those networks. With the advancement of blockchain technology, it is now possible to achieve this imagined scenario: the creation of a global Decentralized Security (DeSec) cyber immune system.
Truss Ecosystem
Truss is a platform that facilitates the development of a global Decentralized Security (DeSec) cyber immune system. Figure 2 shows the three main components of the Truss ecosystem:
- On the right are the organizations that are the front line of attack and are often the first to recognize new attacks.
- On the left are the researchers who analyze organizational attack data and create the products that enable defenses against cyber attacks
- In the middle is the marketplace which serves as the hub for sharing data, creating security responses, and incentivizing participation from the community of researchers and organizations.
Figure 2. Truss ecosystem
The image illustrates how independent organizations can connect with security researchers through a marketplace to transfer security-related information. The marketplace provides an avenue for researchers to post their research in a method that enables a wider reach to a larger audience. In addition, interested organizations are able to connect to the marketplace to find security research information allowing them to better protect their own organizations.
.
Truss Organizations
At the heart of the global cyber immune system is a distributed network of independent security organizations or individuals (hereby referred to as Truss entities). Within this network, each Truss entity can use the security information generated from the environments of other Truss entities to better secure their own environments and build security mitigations in response to global cyber pandemics automatically and in real-time.
As illustrated in Figure 3, an organization records the security events taking place within its cloud environment. Should malware within a given container be identified, a list of the malware's IOCs is shared across the Truss network.
As illustrated in Figure 3, an organization records the security events taking place within its cloud environment. Should malware within a given container be identified, a list of the malware's IOCs is shared across the Truss network.
Figure 3. Interconnected Security Blockchain Flow
A Truss network provides the foundation for automating the detection and dissemination of a security event that occurs in a single environment. It does so by sharing this event with the global network in real time. By using a public and transparent blockchain to maintain the cryptologic proof that a security event took place within a given environment, each entity in the Truss network maintains a communication pathway with all other entities in the network to facilitate the sharing of security incident information. Each subsequent investigation of an incident can result in the creation, distribution, and implementation of tailored security products that can be used to detect any number of cyber attacks across any number of networks. Identified attack data can then be shared instantly. This results in the faster transfer of security-related events and information which creates a more secure global ecosystem.
Truss Researchers
Truss security analysts are the second pillar of the Truss ecosystem. Analysts create threat intelligence by collecting, analyzing, and interpreting data related to potential or existing cyber threats. Independent security analysts spend a considerable amount of time contributing CTI to shared systems. In addition, security analysts working for centralized organizations produce large amounts of high-quality CTI for their customers. But, it is evident that the cyber security data needs of millions of organizations are not being met. What is needed is a way to tap into the expertise and effort of a large number of independent security analysts who are not currently contributing to the broader cyber-defense ecosystem and deliver their threat knowledge directly into a vulnerable organization’s security operation center tools.
The Truss platform provides an avenue that enables independent security analysts to get compensated for sharing CTI. Analysts who uncover cyber threats and publish their findings are able to cryptographically sign their CTI and post it to the blockchain. Organizations subscribing to receive CTI each pay a fee to access the data and a portion of the fee goes back to the analyst. By enabling this point-to-point connection between independent analysts and organizations, the Truss ecosystem promotes a positive feedback loop that encourages more analysts to contribute, which then encourages more organizations to participate. The ultimate goal is to untether security data production from centralized organizations and unleash the potential of the decentralized community of analysts.
In addition to sharing security event information directly, the Truss platform also provides an avenue for security practitioners to investigate and hunt for security events across the global Truss network, effectively removing enterprise-focused security vendors as the sole proprietors of large-scale security-related information. As Figure 4 illustrates, analysts will have the opportunity to request query capabilities into select organizations in order to review the security logs from that organization.
The Truss platform provides an avenue that enables independent security analysts to get compensated for sharing CTI. Analysts who uncover cyber threats and publish their findings are able to cryptographically sign their CTI and post it to the blockchain. Organizations subscribing to receive CTI each pay a fee to access the data and a portion of the fee goes back to the analyst. By enabling this point-to-point connection between independent analysts and organizations, the Truss ecosystem promotes a positive feedback loop that encourages more analysts to contribute, which then encourages more organizations to participate. The ultimate goal is to untether security data production from centralized organizations and unleash the potential of the decentralized community of analysts.
In addition to sharing security event information directly, the Truss platform also provides an avenue for security practitioners to investigate and hunt for security events across the global Truss network, effectively removing enterprise-focused security vendors as the sole proprietors of large-scale security-related information. As Figure 4 illustrates, analysts will have the opportunity to request query capabilities into select organizations in order to review the security logs from that organization.
Figure 4. Researchers' investigation into third-party events
Organizations will be incentivized to allow analysts to review their security logs through a tokenomic-based exchange model. The more data an organization allows an analyst to view, the more likely that the analyst will produce a security product from the organization's data. When the analyst makes their work available for purchase on the Truss Marketplace a portion of the sale of each product sold will return to the organization the security analyst used to build their product.
The tokenomics of the Truss ecosystem actively works to incentivize all participants within the ecosystem to work together to produce high-quality and high-fidelity products that benefit each participant within the ecosystem. The more trustworthy the analyst, the more likely organizations will be incentivized to allow them access to their data. The more an organization opens its data to analysts, the more opportunities the organization has to help protect the larger ecosystem as well as the more opportunities they have to economically benefit from their data.
The tokenomics of the Truss ecosystem actively works to incentivize all participants within the ecosystem to work together to produce high-quality and high-fidelity products that benefit each participant within the ecosystem. The more trustworthy the analyst, the more likely organizations will be incentivized to allow them access to their data. The more an organization opens its data to analysts, the more opportunities the organization has to help protect the larger ecosystem as well as the more opportunities they have to economically benefit from their data.
Truss Marketplace
Truss provides a platform for secure data-sharing, research, and investigation, encouraging organizations and individuals to maintain and share a record of their security incidents. The use of a public blockchain allows every Truss entity to seamlessly integrate the protections developed by analysts across the Truss ecosystem. Truss entities of any size can subsequently download and implement the protections designed from anywhere in the Truss ecosystem directly into their security infrastructure.
In addition to providing the infrastructure for collecting and disseminating attack data, there must also be incentives for security practitioners and organizations to contribute their time and data. Subsequently, the Truss ecosystem provides an avenue for analysts to sell their protection products to a global audience through the development of security marketplaces. Using a public blockchain to share security events, and allowing analysts to scan and build protections based on data from the blockchain fosters the creation of a self-sufficient ecosystem of security knowledge, skills, resources, and protections. Organizations and individuals alike will be free to integrate and sell purpose-built collections of security detections directly to end-users reducing the cost of security protections while simultaneously encouraging advanced research.
Any Truss entity can be a consumer, seller, and creator within the Truss ecosystem. The Truss ecosystem will assist Truss entities to buy and sell their security products through a Truss Marketplace. The Truss Marketplace will be designed to facilitate access and searchability to enable users to quickly find, access, and implement the security products they need to protect their environment. The Truss Marketplace will provide sellers with virtual counter space to present their products in a user-friendly and easily navigable method.
Truss entities can earn proceeds by providing research, detections, and remediations for the latest security risks facing global networks and computational endpoints to the Truss Marketplace. These security products can then be purchased by any other Truss entity.
In addition to providing the infrastructure for collecting and disseminating attack data, there must also be incentives for security practitioners and organizations to contribute their time and data. Subsequently, the Truss ecosystem provides an avenue for analysts to sell their protection products to a global audience through the development of security marketplaces. Using a public blockchain to share security events, and allowing analysts to scan and build protections based on data from the blockchain fosters the creation of a self-sufficient ecosystem of security knowledge, skills, resources, and protections. Organizations and individuals alike will be free to integrate and sell purpose-built collections of security detections directly to end-users reducing the cost of security protections while simultaneously encouraging advanced research.
Any Truss entity can be a consumer, seller, and creator within the Truss ecosystem. The Truss ecosystem will assist Truss entities to buy and sell their security products through a Truss Marketplace. The Truss Marketplace will be designed to facilitate access and searchability to enable users to quickly find, access, and implement the security products they need to protect their environment. The Truss Marketplace will provide sellers with virtual counter space to present their products in a user-friendly and easily navigable method.
Truss entities can earn proceeds by providing research, detections, and remediations for the latest security risks facing global networks and computational endpoints to the Truss Marketplace. These security products can then be purchased by any other Truss entity.
Figure 5. Truss Marketplace life-cycle
Truss entities of any size and industry can purchase and implement the security products from any individual or organization providing those protections. This model removes third parties from the buying and selling of security products allowing all Truss entities to implement the latest and most accurate security measures to protect their environments. For example, a small one-person operation can implement the same security protections as a multi-billion security enterprise by buying directly from the security analyst who discovered the threat. Similarly, this allows freelance security analysts to sell their critical security wares to a global audience instead of to a single organization that can afford their unique skill set.
A Truss Marketplace should be designed with ease of use in mind. Each security product will be tagged with common security industry identifiers allowing consumers to quickly identify the specific type of product they are interested in buying. See Figure 6, for an example of how sellers and buyers will use the marketplace's organization.
A Truss Marketplace should be designed with ease of use in mind. Each security product will be tagged with common security industry identifiers allowing consumers to quickly identify the specific type of product they are interested in buying. See Figure 6, for an example of how sellers and buyers will use the marketplace's organization.
Figure 6. Truss Marketplace
As the number and scope of cyber threats increase, so will the demand for security data and other security products. The Truss Marketplace will be presented with the ability to crowdsource the best security products based on the consumer's feedback. The consumer of a purchased query smart contract will be able to rate the effectiveness of that particular security product. The consumer base within the Truss ecosystem will influence the popularity and sophistication of query smart contracts and all other security products sold on the Truss Marketplace.
Through the marketplace, any Truss entity can buy security products directly from the creators of that product. This direct approach should reduce the cost and increase the availability of security solutions. The Truss ecosystem also provides an avenue toward profitability for a large enterprise-level Truss entity's security team. By allowing these security teams to sell their security knowledge and expertise, the enterprise security team can transition into a profitable investment, instead of the ever-necessary and ever-rising cost of doing business.
Through the marketplace, any Truss entity can buy security products directly from the creators of that product. This direct approach should reduce the cost and increase the availability of security solutions. The Truss ecosystem also provides an avenue toward profitability for a large enterprise-level Truss entity's security team. By allowing these security teams to sell their security knowledge and expertise, the enterprise security team can transition into a profitable investment, instead of the ever-necessary and ever-rising cost of doing business.
Figure 7. Security information supply chain
Figure 7 shows the Truss information supply chain. Each Truss entity will store security events in its own centralized and unique blockchain, recording the security events gathered from their computational environments. These security events can then be shared, or sold, with the larger Truss ecosystem. Any Truss entity can send and receive fully authenticated and integrally sound security data to and from any other global Truss entity within the network. The larger Truss ecosystem relies on communication between Truss entities to harness the ability to investigate, build, sell, and buy the security knowledge of other Truss entities through the sharing of data across individual blockchains. The Truss ecosystem enhances the security and flexibility of all Truss entities through increased visibility and marketing awareness of global or viral security events. Resulting in organizations having access to enterprise-level security solutions, regardless of their size or industry.
On-Chain Innovation
The primary goal of Truss is to provide a platform that promotes innovation around the creation and dissemination of security products to support the creation of a global cyber immune system. This includes technical innovation wherein a diversity of security analysts are given complete freedom to define their security products. This may include offerings such as threat intelligence products containing information about emerging threats, IOCs, and known malicious entity reporting. It could also lead to the development and sale of script-based intelligence tools, Infrastructure as Code (IaC) templates, configuration and security design guides used for compliance guidelines, or even formalized security information and event management (SIEM) add-ons that facilitate the collection and analysis of security event logs from various sources within an organization's formalized security products.
The Truss platform also promotes economic innovation wherein security analysts and organizations are able to explore different models for packaging and selling threat data and products. For example, one analyst may want to charge a premium for their product because it addresses a complex attack. Another analyst may want to charge a minimal amount and try to sell on volume. Some analysts may want to include a fee that creates an automated "marketing bounty" to use on a specific product. Some analysts may want to allocate a minimal amount to pay for community sales reps while others may want to give away much more of their margin to encourage the sales team.
One of the key characteristics of the Truss platform is its openness and accessibility. It allows anyone to participate, create their own security products and tools, and engage in transactions with other participants. This openness promotes transparency, inclusivity, and equal opportunity for all users, fostering a dynamic Truss ecosystem. In turn, this empowers security analysts and organizations to create and execute programmable agreements, automate processes, and build decentralized applications that can disrupt the traditional threat intelligence supply chain and enable new forms of digital interactions to combat cyber attacks.
There are three components to the Truss architecture (Figure 8): the Truss marketplace, the Truss chain, and the Truss agent. The marketplace was described earlier in the whitepaper. The remainder of this section explores the Truss Blockchain and Truss Agent.
The Truss platform also promotes economic innovation wherein security analysts and organizations are able to explore different models for packaging and selling threat data and products. For example, one analyst may want to charge a premium for their product because it addresses a complex attack. Another analyst may want to charge a minimal amount and try to sell on volume. Some analysts may want to include a fee that creates an automated "marketing bounty" to use on a specific product. Some analysts may want to allocate a minimal amount to pay for community sales reps while others may want to give away much more of their margin to encourage the sales team.
One of the key characteristics of the Truss platform is its openness and accessibility. It allows anyone to participate, create their own security products and tools, and engage in transactions with other participants. This openness promotes transparency, inclusivity, and equal opportunity for all users, fostering a dynamic Truss ecosystem. In turn, this empowers security analysts and organizations to create and execute programmable agreements, automate processes, and build decentralized applications that can disrupt the traditional threat intelligence supply chain and enable new forms of digital interactions to combat cyber attacks.
There are three components to the Truss architecture (Figure 8): the Truss marketplace, the Truss chain, and the Truss agent. The marketplace was described earlier in the whitepaper. The remainder of this section explores the Truss Blockchain and Truss Agent.
Figure 8. The Truss Marketplace, Chain, and Security Agent
Truss Blockchain
A Truss security ecosystem has several requirements that dictate the use of a decentralized architecture. First, there is a global need for cybersecurity and threat intelligence as cyber attacks span national boundaries and affect all industries. To be effective for downstream consumers, threat intelligence surrounding these cyber attacks must be relevant and timely. In addition, due to the limited security budgets of mid-sized organizations, any security offerings must also be cost-effective. The security products developed by analysts also must be secure and trusted. Finally, there must be an incentive for each entity within the ecosystem to participate.
A decentralized public ledger architecture has several benefits that make it an effective solution for meeting the requirements of a DeSec system:
A decentralized public ledger architecture has several benefits that make it an effective solution for meeting the requirements of a DeSec system:
- Global reach: Blockchains operate on a decentralized network, which means there is no central authority controlling or managing the data. This decentralized nature eliminates the need for intermediaries and allows for direct peer-to-peer transactions. This feature is particularly advantageous for organizations and analysts who may not have access to commercial security SaaS platforms.
- Relevant and timely intelligence: While centralized security organizations have shown that they can create relevant and timely threat intelligence data, their ability to scale is dependent upon the number of security analysts that have been hired by the organization. An open blockchain platform is able to scale to any number of security analysts. In addition, as soon as a threat is discovered and threat intelligence is posted and validated on the blockchain, mitigation data for that threat is immediately available to every organization and security consultant. This enables the near-instantaneous transfer of threat intelligence and eliminates delays associated with corporate bureaucracies or limits on political cross-border transactions.
- Cost-effective: Centralized security providers expend resources to collect, store, and analyze security data. These providers are incentivized to collect as much security data from their customers as possible in order to build protections. However, with an ever-expanding set of resources, they are forced to acquire new customers to help keep costs low for their customer base and the resource cost versus return cycle continues to spiral. [18]. By using a blockchain and eliminating the need for intermediaries, the suppliers and consumers of threat intelligence can directly transact with one another, reducing time and costs.
- Security: Blockchain technology provides a high level of security and trust in transactions. The data stored on the blockchain is encrypted and distributed across multiple nodes in the network, making it highly resistant to tampering and fraud. This feature is crucial when dealing with global customers as it helps establish trust in the transactions and ensures the integrity of the information being shared.
- Transparency and trust: Blockchain offers transparency by maintaining an immutable and auditable record of all transactions. Every participant in the blockchain network can access the same information, creating a transparent and shared ledger. In the context of the creation and transfer of threat intelligence, this transparency is beneficial for global customers as it allows them to verify the provenance of the data used to develop the CTI making it easier to establish trust in the CTI.
- Incentivization: A blockchain token presents a straightforward way to offer incentives to developers, organizations, and analysts who contribute to the Truss ecosystem. These incentives can come from fees paid into the ecosystem by other participants, or they can be more direct in the form of token grants, bounties, funding for building applications, or providing other valuable services.
Public Chain
The public chain is key to the success of the Truss ecosystem as it provides transparency and visibility into global security events. The public chain must be reachable by security analysts and organizations around the world. In addition, it must be able to support a large number of low-cost transactions, so chain transaction fees must be relatively low. The Truss blockchain can be conceptualized as consisting of three primary layers: the infrastructure layer, the protocol layer, and the application layer (Figure 9).
Figure 9. Truss Blockchain Architecture
The application layer is where the business logic and applications reside. This layer represents the user-facing side of the blockchain, where developers create decentralized applications (dApps) that interact with the blockchain network. In the Truss ecosystem, the application layer includes the Truss decentralized marketplace and other blockchain-based applications such as cryptocurrency wallets and voting platforms. Developers leverage the underlying infrastructure and protocol layers to build applications that utilize the trust, transparency, and decentralized nature of the blockchain. These applications interact with the blockchain through an application programming interface (API) to access and modify data and execute smart contracts.
The protocol layer of a blockchain encompasses the rules, algorithms, and protocols that govern the operation and behavior of the blockchain network. It includes elements such as the consensus algorithm, block creation and validation rules, cryptographic algorithms, and transaction validation protocols. The protocol layer also holds the smart contracts that define the rules, terms, and conditions of interactions between Truss entities.
The infrastructure layer forms the foundation of the blockchain network. It includes the underlying hardware and network components that enable the functioning of the blockchain. This layer encompasses the physical infrastructure, such as servers, nodes, and data centers, as well as the networking infrastructure that facilitates communication and data transmission between the nodes in the network.
At the infrastructure layer, blockchain nodes are deployed, which are responsible for maintaining a copy of the blockchain's distributed ledger, participating in the consensus mechanism, and validating transactions. The infrastructure layer ensures the availability, reliability, and scalability of the blockchain network.
While it is possible to imagine Truss use cases, such as highly specific requirements or unique consensus mechanisms, that would require building a domain-optimized layer 1 infrastructure, deploying contracts to an existing layer 1 blockchain offers significant advantages in terms of security, reliability, network effects, interoperability, developer support, cost efficiency, and user trust.
The protocol layer of a blockchain encompasses the rules, algorithms, and protocols that govern the operation and behavior of the blockchain network. It includes elements such as the consensus algorithm, block creation and validation rules, cryptographic algorithms, and transaction validation protocols. The protocol layer also holds the smart contracts that define the rules, terms, and conditions of interactions between Truss entities.
The infrastructure layer forms the foundation of the blockchain network. It includes the underlying hardware and network components that enable the functioning of the blockchain. This layer encompasses the physical infrastructure, such as servers, nodes, and data centers, as well as the networking infrastructure that facilitates communication and data transmission between the nodes in the network.
At the infrastructure layer, blockchain nodes are deployed, which are responsible for maintaining a copy of the blockchain's distributed ledger, participating in the consensus mechanism, and validating transactions. The infrastructure layer ensures the availability, reliability, and scalability of the blockchain network.
While it is possible to imagine Truss use cases, such as highly specific requirements or unique consensus mechanisms, that would require building a domain-optimized layer 1 infrastructure, deploying contracts to an existing layer 1 blockchain offers significant advantages in terms of security, reliability, network effects, interoperability, developer support, cost efficiency, and user trust.
The Truss API
For the Truss chain, having all of the security event data stored within an irrefutable chain of events enables security analysts to determine with 100% accuracy that a given event took place within a specific environment under specific conditions. Through a chain request, a security analyst can query the blockchain for any series of indicators or patterns of events that may have occurred within an organization's computational environment.
The Truss blockchain API will support organizations and security analysts wanting to access security event information and security products. The API exposes a variety of endpoints or methods that developers can use to interact with the blockchain network. These endpoints include functions such as submitting transactions, validating threat intelligence information, and querying account balances.
Similarly, the Truss marketplace API is available for peer-to-peer interaction with marketplace functionality. Threat intelligence feeds, access to the latest security product information, and the purchasing of products and tools is all available via the marketplace API. It is expected that agent applications running within an organization’s network will communicate directly with the chain and marketplace APIs allowing organizations to customize where security information is sent to.
The Truss blockchain API will support organizations and security analysts wanting to access security event information and security products. The API exposes a variety of endpoints or methods that developers can use to interact with the blockchain network. These endpoints include functions such as submitting transactions, validating threat intelligence information, and querying account balances.
Similarly, the Truss marketplace API is available for peer-to-peer interaction with marketplace functionality. Threat intelligence feeds, access to the latest security product information, and the purchasing of products and tools is all available via the marketplace API. It is expected that agent applications running within an organization’s network will communicate directly with the chain and marketplace APIs allowing organizations to customize where security information is sent to.
The Truss Agent
The Truss Security Agent (TSA) is a pivotal component of the Truss platform. It acts as an intermediary, linking the organization's SOC to a wide array of security information and products available on the Truss Marketplace. Through the software agent, organizations can download security threat intelligence and threat alerts, sourced from trusted entities and experts worldwide. This marketplace of security products ensures that organizations can access tailored and up-to-date information, specific to their industry, geography, and operational context.
The TSA enhances the capabilities of the organization's cybersecurity infrastructure by complementing existing Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) tools. By incorporating blockchain-based threat intelligence, the TSA enriches the data available to these tools, providing a more comprehensive view of the threat landscape. This augmentation bolsters the organization's ability to identify, mitigate, and respond to threats more effectively and efficiently.
The Truss Security Agent (TSA) is a pivotal component of the Truss platform. It acts as an intermediary, linking the organization's SOC to a wide array of security information and products available on the Truss Marketplace. Through the software agent, organizations can download security threat intelligence and threat alerts, sourced from trusted entities and experts worldwide. This marketplace of security products ensures that organizations can access tailored and up-to-date information, specific to their industry, geography, and operational context.
The TSA enhances the capabilities of the organization's cybersecurity infrastructure by complementing existing Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) tools. By incorporating blockchain-based threat intelligence, the TSA enriches the data available to these tools, providing a more comprehensive view of the threat landscape. This augmentation bolsters the organization's ability to identify, mitigate, and respond to threats more effectively and efficiently.
A principal requirement of the Truss platform is that it must support the distribution of CTI data. This information must be shareable and easily accessed by all organizations participating in the ecosystem. As such, there is a public component of the Truss ecosystem that provides the current state of security events and transparent and auditable security data products.
As the Truss ecosystem evolves, it can also support the sharing of anonymized organizational log data that can be used by security analysts to support the creation of threat intelligence. In this case, there would also be a private component of the Truss ecosystem that provides for secure storage of organizational security data. This necessitates the creation of a hybrid blockchain, where private organizations will maintain a private blockchain of their own internal security events, but simultaneously allow the organization to share parts of their private data on a public blockchain that is available to all users of the Truss ecosystem.
This section explores the introduction of private blockchains into the Truss ecosystem with the goal of enabling real-time sharing of organizational event logs to the community of Truss analysts.
As the Truss ecosystem evolves, it can also support the sharing of anonymized organizational log data that can be used by security analysts to support the creation of threat intelligence. In this case, there would also be a private component of the Truss ecosystem that provides for secure storage of organizational security data. This necessitates the creation of a hybrid blockchain, where private organizations will maintain a private blockchain of their own internal security events, but simultaneously allow the organization to share parts of their private data on a public blockchain that is available to all users of the Truss ecosystem.
This section explores the introduction of private blockchains into the Truss ecosystem with the goal of enabling real-time sharing of organizational event logs to the community of Truss analysts.
Hybrid Blockchain
Hybrid blockchains combine elements from both public and private blockchains, aiming to leverage the benefits of both models. They provide a middle ground between the fully decentralized nature of public blockchains and the controlled access and permissions of private blockchains. The first layer consists of a permissionless or public blockchain that maintains the decentralization, transparency, and immutability features. The second layer is a permission-based, or private, blockchain that adds controlled access and additional functionalities.
Organizations generally must manage large quantities of text-heavy security log data. This is in sharp contrast to the small and lightweight transactional data that is traditionally stored in public blockchains. In this situation, a hybrid blockchain can offer cost advantages compared to a fully public blockchain. By utilizing a private blockchain layer for internal or sensitive operations, organizations can reduce the computational and storage costs associated with public blockchain networks. A hybrid chain ecosystem supports the coexistence of internal private permissioned chains alongside a public permissionless chain. An organization implementing full Truss infrastructure might maintain two or more internal private blockchain nodes for log collection and threat intelligence ingestion. It would also interact with the public blockchain for reporting and disseminating threat data. In total, the three types of blockchains include the public Truss blockchain, a private blockchain, and finally a master blockchain (Figure 10).
Organizations generally must manage large quantities of text-heavy security log data. This is in sharp contrast to the small and lightweight transactional data that is traditionally stored in public blockchains. In this situation, a hybrid blockchain can offer cost advantages compared to a fully public blockchain. By utilizing a private blockchain layer for internal or sensitive operations, organizations can reduce the computational and storage costs associated with public blockchain networks. A hybrid chain ecosystem supports the coexistence of internal private permissioned chains alongside a public permissionless chain. An organization implementing full Truss infrastructure might maintain two or more internal private blockchain nodes for log collection and threat intelligence ingestion. It would also interact with the public blockchain for reporting and disseminating threat data. In total, the three types of blockchains include the public Truss blockchain, a private blockchain, and finally a master blockchain (Figure 10).
Figure 10. The Truss Blockchain Triad
Public Blockchain
The public chain is external to the organization. Data from the private chain is shared with the public chain via a customizable smart contract that can redact some or all of the internal or sensitive information contained within the private blockchain. This can allow Truss entities to share as much or as little data about a particular event as they feel comfortable. For example, a DAO may wish all information within their network to be fully transparent as this is a cornerstone of their operational philosophy, whereas a Fortune 100 enterprise may wish to share very little information as this could jeopardize their shareholder's confidence in protecting their intellectual property.
Private Blockchain
The private blockchain is used by the Truss entity as the production-ready security operations hub for monitoring and detecting all security events generated from the Truss entity's computational environment. The private nodes are hosted internally within the Truss entity's production environment and is not exposed to the internet. It is possible to maintain several unique nodes to assist with large log volumes and investigation requirements. The private blockchain could also replace a Security Information and Event Management (SIEM) appliance as the two share similar functionality.
Master Blockchain Nodes
The master blockchain is optional and is only used as an integrity check and a core source of truth for the Truss entity's security events recorded within the private blockchain nodes. The master node would be hosted under an additional layer of security from the production environment and from the private node. User access to the master node would be strictly controlled and external network access would be prohibited. Only isolated and heavily regulated service accounts would be allowed to interact with the master blockchain to ensure that the data contained within is uncompromised (Figure 11).
Figure 11. The Internal Blockchain Triad
A hybrid blockchain architecture can facilitate interoperability between Truss entities. By bridging public and private components, hybrid chains enable the exchange of assets, data, or transactions between different blockchain ecosystems or traditional databases. The Truss ecosystem will utilize an inter-chain communication mechanism where threat information and other data can pass between the public chain and the private chains, as well as other Truss entities or the Truss marketplaces. Each Truss entity will maintain its own unique security information and can store or transfer data that would be pertinent to the security of other Truss entities. Each entity will be free to initiate connections with one or more Truss entities to share its data. This will allow for the safe and secure transfer of potential malicious incidents.
Private Chains
A private blockchain is an application environment that enables the decentralized storage of security events and the execution of smart contracts and smart functions. A private node is used by the Truss entity as the production-ready security operations hub for monitoring and detecting all security events generated from the Truss entity's computational environment. It also allows for the collection and analysis of internal security log data. The use of a private node within each organization allows for faster operation and ingestion of the security data they will be storing. In addition, the number of private nodes can be nearly unlimited within the Truss entity's internal network architecture. This architectural design allows the Truss entity to create an internal network of nodes that allows for faster data processing and ensures the integrity of its internal security data. An organization participating in the Truss ecosystem would optionally host a private node and a master node. This private node could be hosted internally or outsourced to a service provider. Specific security data would be ingested from the public chain to the private node. Similarly, select organizational log data or the results of log analysis could be shared with members of the ecosystem (Figure 12).
Figure 12. The Internal Blockchain Triad
This architecture also allows Truss entities to scale rapidly and securely while ensuring their security data is available to security analysts and security operations regardless of the processing demands of their security tools at any given moment.
Sharing Cyber Threat Data
To participate in the Truss ecosystem, an organization would expose data from its private blockchain allowing analysts to investigate or hunt for malicious activity. An organization would technically still be allowed to participate in the Truss ecosystem without sharing security data, and this would effectively prevent analysts from investigating any security events occurring within that Truss entity. However, if an attack were to occur in that particular Truss entity's environment, only that entity would be able to know and respond to the incident. Any intelligence collected from the incident would not be immediately shared with the wider ecosystem. Philosophically, all Truss entities become stronger the more they share and there are incentives to be had, both monetarily and philosophically, by participating fully within the Truss ecosystem. Figure 13 shows the technical flow of how an organization might share a security incident it discovers. On the left of the figure, the organization has discovered and collected the incident details. These details are then used to create an NFT security product in the marketplace. This product is publicized and other organizations are notified either manually or via their own scanning applications. Organizations that deem the security incident relevant then can ingest the threat response details into their systems.
Figure 13. Technical Flow of sharing a security incident
Truss organizations that do wish to share some or all of their security blockchain data will register their chain with a distribution list to be shared across all blockchains within the Truss ecosystem. Each participating Truss entity can supply as little or as much information about themselves or their business as they deem necessary. The more accurate the shared information, the more accurate defenses can be made for the Truss ecosystem in general and for each entity. The shared distribution list will be available to registered security analysts who can freely query any public blockchain during their hunting and investigative work.
Selling Cyber Threat Data
Truss enables organizations to sell their security knowledge and data. This enables them to not only increase their return on investment (ROI) for security operations, which is traditionally a zero-sum investment (until a compromise occurs), but also enables them to share their security expertise with the larger ecosystem, raising the global security awareness and ultimately the security hygiene of all who participate in the ecosystem.
Fueled by a growing number of security practitioners vying for the selling of the latest defensive measures, more knowledge will be shared within the ecosystem, resulting in a natural reduction in the number of sustainable malicious actors and the elimination of their offensive capabilities. Furthermore, the more exposed and unsanitized a Truss entity chooses to make its public blockchain, the more visibility analysts can achieve, resulting in more sophisticated detection and defensive measures being made available to the public.
Fueled by a growing number of security practitioners vying for the selling of the latest defensive measures, more knowledge will be shared within the ecosystem, resulting in a natural reduction in the number of sustainable malicious actors and the elimination of their offensive capabilities. Furthermore, the more exposed and unsanitized a Truss entity chooses to make its public blockchain, the more visibility analysts can achieve, resulting in more sophisticated detection and defensive measures being made available to the public.