Trusted Security Circles overview

With the Trusted Security Circles application, your security team can identify suspicious network activity and ask the other members of a circle whether they have observed it. An anonymous query goes to the other members of the circle, and a sightings search is performed using the suspicious observables.

With these tools, your team can immediately determine if a security incident they are investigating is affecting your peers, suppliers, or partners. This detection capability, in turn, not only protects the IT assets of other Trusted Security Circle members, but also guards your supply chain.

Trusted Security Circles are communication channels that connect sets of Trusted Security Circles customers who have some kind of underlying relationship, such as:
  • Trusted Security Circles (all users)
  • Financial Services
  • Healthcare
  • Chicago area
  • Suppliers for ACME corp.

A Trusted Security Circle can consist of groups of organizations within the same line of business, divisions of the same corporation or corporate hierarchy, or groups of organizations that want to share threat intelligence. The only requirement for an organization to belong to a circle is that it has a valid organizational profile.

When messages or observables are shared between members of the Trusted Security Circle, notifications are sent to each member.

Trusted Security Circles profiles

Members of a circle are called profiles. A profile identifies a customer or, if domain separation is used, a customer domain. Profiles define how you, or more precisely your Trusted Security Circles instance, are identified to the other members of the circle. By default, a profile labeled "anonymous" is created automatically when either the basic or the advanced Trusted Security Circles plugin is first installed. This profile is also automatically enrolled as a member of the global Trusted Security Circle, referred to as the central instance.

Trusted Security Circles central instance

The Trusted Security Circles central instance is a ServiceNow-hosted, scoped application that protects the identities of the participants and manages the behavior of Trusted Security Circles profiles. It is responsible for managing such processes as:
  • Registering a Trusted Security Circles Client profile
  • Updating and deactivating a profile
  • Creating a circle
  • Listing circles

The central instance authenticates any requests to ensure that only valid ServiceNow customer profiles can access it. All access to the central instance is restricted. You can access the central instance only through the application and modules installed by the Trusted Security Circles Client plugin.

Note: Sub-production Trusted Security Circles Client instances register with a separate, sub-production central instance. You cannot register a sub-production Trusted Security Circles Client profile with the production central instance. You also cannot register instances that are not registered with ServiceNow support, so local development instances cannot be registered.

Threat information shared through the circles is routed through the central instance and the messages are distributed to all the intended participants. The central instance also tracks the circles to which each profile belongs, and queues up messages that the profiles retrieve when they poll for them.

The following diagram illustrates the manual and automatic steps involved in sharing observable information from a sender to a recipient via the central instance.

Figure 1. Trusted Circles ecosystem

Trusted Security Circles messages

Messages destined for Trusted Security Circles are sent to the central instance, where they are queued for each recipient profile. Each customer instance with a Trusted Security Circles plugin installed requests its messages every 30 seconds. Messages not picked up within the specified time limit (currently 48 hours) are removed from the message table.
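The following is an added illustration of the flow this page describes (an anonymous query fanned out to per-profile queues on the central instance, members polling for it, a local sightings search, and removal of messages that are not picked up within 48 hours). It is not ServiceNow's code; the class, function and profile names, the circle, and the indicator values are all constructed for the example.

```javascript
const MESSAGE_TTL_MS = 48 * 60 * 60 * 1000; // 48-hour retention stated on the page
class CentralInstance {
  constructor() {
    this.circles = new Map(); // circle name -> Set of member profile ids
    this.queues = new Map();  // profile id -> messages queued until that profile polls
  }
  registerProfile(id) { if (!this.queues.has(id)) this.queues.set(id, []); }
  createCircle(name, members) { this.circles.set(name, new Set(members)); }
  // Fan an anonymous query out to every other member of the circle. The sender id is
  // used only for the membership check and is never written into the queued message.
  submitQuery(senderId, circleName, observables, now) {
    const members = this.circles.get(circleName);
    if (!members || !members.has(senderId)) throw new Error("not a member of " + circleName);
    let delivered = 0;
    for (const m of members) {
      if (m === senderId) continue;
      this.queues.get(m).push({ circle: circleName, observables: [...observables], queuedAt: now });
      delivered++;
    }
    return delivered;
  }
  // Serve a client poll (every 30 seconds per the page): hand over messages still inside
  // the retention window, drop anything older, and clear the queue.
  poll(id, now) {
    const fresh = (this.queues.get(id) || []).filter(m => now - m.queuedAt < MESSAGE_TTL_MS);
    this.queues.set(id, []);
    return fresh;
  }
}

// A member's local sightings search: count queried observables seen in its own data.
function sightingsSearch(localObservations, observables) {
  const seen = new Set(localObservations.map(o => o.type + ":" + o.value));
  return observables.filter(o => seen.has(o.type + ":" + o.value)).length;
}

// End-to-end walk-through with constructed profiles, circle and indicator values.
function runDemo() {
  const central = new CentralInstance();
  const banks = ["bank-a", "bank-b", "bank-c"];
  banks.forEach(p => central.registerProfile(p));
  central.createCircle("Financial Services", banks);
  const t0 = Date.parse("2024-01-01T00:00:00Z");
  const hash = { type: "md5", value: "d41d8cd98f00b204e9800998ecf8427e" }; // sample value
  const delivered = central.submitQuery("bank-a", "Financial Services", [hash, { type: "domain", value: "bad.example" }], t0);
  const bMessages = central.poll("bank-b", t0 + 30 * 1000);             // polls on schedule
  const bSightings = sightingsSearch([hash], bMessages[0].observables); // bank-b has seen the hash
  const cMessages = central.poll("bank-c", t0 + MESSAGE_TTL_MS + 1);    // polls too late: removed
  return { delivered, bMessages: bMessages.length, bSightings, cMessages: cMessages.length };
}
```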

Trusted Security Circles terminology

The following terms are used in Trusted Security Circles.
  • Observable: A suspicious change to your computers or network. An observable can be a change to a stateful property (such as the MD5 hash of a file or the value of a registry key), or a measurable event (such as the creation of a registry key or the deletion of a file).
  • Registration: The process of enrolling a basic or advanced client with the Trusted Security Circles central instance. Registration happens automatically after you install a basic or advanced Trusted Security Circles plugin.
  • Sighting: The detection of an observable.
  • Sightings search: A computer search to find instances of observables. Sightings searches can be conducted automatically as part of a workflow, or manually from an observable.
  • Trusted Security Circle: A channel that facilitates the sharing of observable data between member profiles.
  • Trusted Security Circle messages: The packets of information exchanged by Trusted Security Circles that describe suspected malicious observables.
  • Trusted Security Circle profile: An entity that identifies a customer instance that has joined a Trusted Security Circle.
  • Trusted Security Circles advanced client: The plugin that provides complete access to Trusted Security Circles. It gives customers the ability to join any public or private circle and share an unlimited number of observables. The license for this plugin must be purchased separately.
  • Trusted Security Circles basic client: The plugin that provides limited access to Trusted Security Circles. Five observables can be shared per day, and customers can join only the default global Trusted Security Circle. This plugin is included in any purchase of the Threat Intelligence application but must be installed separately.