Next week, on 10/02 and 10/03, Johns Hopkins University Applied Physics Lab (JHU-APL) will be hosting the next Integrated Cyber conference. I invite you to attend this important cybersecurity conference. The conference is free; however, you should preregister. Go to https://www.iacdautomate.org/october-2018-integrated-cyber/ for more information. There will be several panel discussions and many interesting technical talks focused on Integrated Adaptive Cyber Defense (IACD). The keynote speakers include Neal Ziring, NSA Capabilities Directorate, Sherri Ramsay, former Director of the NSA/CSS Threat Operations Center, and Rick Howard, Chief Security Officer for Palo Alto Networks.
I am honored to participate in the Integrated Cyber conference once again. I will be among the panelists for the Actionable Information Sharing panel on day one of the conference. I will also be presenting a technical talk entitled Addressing Both Sides of the Equation: Security Automation and Deception. This discussion looks at the concepts underlying my current doctoral research. Here is a brief description of the presentation:
Security automation and intelligence sharing seek to speed the detection of and response to cyberattacks. Meanwhile, deception and moving target defenses can slow the attacker by disrupting the attacker’s situational awareness. By addressing both sides of the equation, speeding the response and slowing the attack, we can narrow the gap between attackers’ time to compromise and our time to detect and respond. Security automation allows defenders to accelerate their observe-orient-decide-act (OODA) loop through continuous situational awareness and rapid response. Additionally, defenders can operate within the attacker’s OODA loop by using deception to disrupt the attacker’s situational awareness. This discussion will present the conceptual framework underlying research into the use of security automation and adaptive cyber defense in the financial services industry.
I have spoken about IACD in past posts. For those unfamiliar with IACD, here is a brief description. The Department of Homeland Security (DHS), the National Security Agency (NSA), and JHU-APL jointly developed the IACD framework in collaboration with private industry leaders. The DHS and the NSA started the effort in 2014 to help address the continued malicious cyber-attacks on government and private industry. JHU-APL recognized that current human-centered cyber defense practices could not keep up with the increasing volume and speed of cyber threats. The IACD framework seeks to close this gap by automating cyberdefense tasks and increasing information sharing between enterprises. The IACD approach is to use integration, automation, and synchronization of security solutions to drive increased cybersecurity effectiveness and efficiency. The goal of IACD is to create an environment in which all connected technologies play a vital role in protecting themselves and each other. The IACD model suggests an approach like an immune system in biology. The auto-immune functions will combat most incidents. Humans will be freed to address the more complex issues that cannot be addressed by the automated detection and response capabilities.
The IACD redefines the OODA loop as sensing, sense-making, decision making, and acting. Shared situational awareness is achieved through the sharing of information with other entities across the OODA loop. Orchestration services provide the automation and integration of the defense and response activities. Conceptually, the IACD framework is a set of orchestration services. The orchestration services provide the ability to integrate disparate sources of security information and tools, use automation to assess risk and decide whether and how to respond, synchronize the response actions across an organization’s systems based on playbooks, and inform others within the community to enable quicker response by other IACD-capable organizations.
This year, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and JHU-APL partnered with three financial institutions to pilot the IACD framework. I was fortunate to be involved with this pilot. The financial sector IACD pilot was designed to demonstrate the deployment of the framework to foster adoption within the financial sector. The integrated pilot sought to understand how intelligence enrichment could assist different organizations with varying policies and risk tolerances to determine what action to take. The pilot focused on the ingestion of threat intelligence from the FS-ISAC at the participating financial institutions. By the way, members of the JHU-APL team will discuss the lessons learned from this pilot in a technical talk at the Integrated Cyber conference.
If you are in the Baltimore/Washington, D.C. area, or can be, on 10/02 and 10/03, please join me at the Integrated Cyber conference!
About the author: Donnie Wendt is an information security professional focused on designing and engineering security controls and monitoring solutions. Also, Donnie is an adjunct professor of cybersecurity at Utica College. Donnie is currently pursuing a Doctorate of Science in Computer Science with a research focus on security automation and orchestration.