Blog

Playbook Best Practices & Local Policies: Guides to Better Implementation

Published on July 24, 2017
Alexander Lee
Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory

Playbook Best Practices & Local Policies: IACD’s Assertions

This is the third in a five-part series of articles that describe content to be incorporated in an IACD playbook. This article discusses the inclusion of best practices and local policies.

Playbook Process Steps: Establishing the Stepping Stones

Published on July 10, 2017
Alexander Lee
Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory

Playbook Process Steps: IACD’s Assertions

This is the second in a five-part series of articles to discuss what types and amount of content should be contained within a playbook to be considered an IACD implementation.

2017 Information Assurance Symposium (IAS) – Trust in Automated Indicator Sharing

Published on July 5, 2017
Michael Vermilye
AIS Adoption Lead

Integrated Adaptive Cyber Defense (IACD) presented an introduction to the DHS Automated Indicator Sharing (AIS) initiative, which provides a trusted sharing infrastructure that allows for national-level sharing of indicators and defensive measures. Trust is a key component of information and action sharing between communities. Trust can be enforced in a technical sense, but it also has to encompass the brokering between existing and emerging trusted communities, where the constraints and concerns of those communities are respected throughout the set of exchanges. The session summarized efforts to enable automated sharing between government, commercial, and information brokers.

What's on YOUR Playbook Wishlist

Published on June 22, 2017
Kimberly Watson
Technical Director for Integrated Cyber Defense Operations, JHU/APL

I recently presented on IACD playbooks at the Information Assurance Symposium in Baltimore. What became clear during the discussion was that while a majority of attendees were interested in developing playbooks, different sets of people believed that different types of playbooks were the most important to create first.

We are developing playbooks in parallel with authoring the playbook specification. We are currently looking for input on Initiating Conditions. We also want to know what initiating conditions are a high priority for you. I made a list from the comments I received during and after my IAS session. What is missing? What playbooks do you need now?

Playbook Initiating Conditions: Where’s the Starting Line?

Published on June 22, 2017
Alexander Lee
Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory

Playbook Initiating Conditions: IACD’s Assertions

This is the first in a five-part series of articles to discuss what types and amount of content should be contained within a playbook to be considered an IACD implementation.

Can You Smell What Playbooks Are Cooking?

Published on June 20, 2017
Alexander Lee
Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory

Just a pinch of this and a dash of that, or is it the other way around…?

Whether cooking is an art or a science has been hotly debated between those who value the experience and freedom of creation and those who strive for consistency. Give two different chefs the same set of ingredients and a general set of instructions that does not specify how much of each ingredient to use, and they will produce two wildly different results. One would expect that getting two chefs to agree on an “optimal” mixture would be a challenge – then expand the number of potential contributors to tens more chefs and reaching consensus becomes that much more difficult.

If you want to "buy in" to SAO, you need to buy differently...

Published on June 18, 2017
Kimberly Watson
Technical Director for Integrated Cyber Defense Operations, JHU/APL

“Automation and orchestration are the trend in cybersecurity operations, but different integration models leave organizations choosing between speed, scale, and time to value.”

Security automation and orchestration (SAO) has the potential to significantly improve the efficiency and effectiveness of your cybersecurity operations - but only if your products and services were/are designed and purchased with integration in mind.

Find Your Cyber Alamo

Published on June 15, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

I am preparing to speak at the International Association of Certified ISAOs (IACI) Thought Leadership Forum. IACI challenged those invited to speak to be ‘compelling’ – to talk about how to drive us to step up to be a leader in cybersecurity today.

Gulp. I need a good hook. Yeah. I say it is time for all of us to Find our Alamo.

How Do You Know if There is an Elephant in the Room?

Published on June 13, 2017
Kimberly Watson
Technical Director for Integrated Cyber Defense Operations, JHU/APL

Is your couch broken? Do you smell peanuts on their breath? Maybe there are a few blind men in the room each touching something large and gray…

According to Wikipedia, an Elephant in the room is an obvious problem or risk no one wants to discuss, or a condition of groupthink no one wants to challenge. But what if the problem isn’t that obvious? How do you know that there is a risk to discuss or a condition to challenge?

Security orchestration platforms, products, and services are designed (and marketed) to significantly improve the efficiency and effectiveness of cyber defense personnel and processes. Efficiencies come from automating manual tasks and processes, and the effectiveness of operations improves because more events or incidents are detected and mitigated in a more timely manner. But increasing the effectiveness of your cybersecurity program is more than that. It involves preventing more attacks or incidents from occurring and limiting the impact of any event by employing timely response and recovery actions. Enter the current unnoticed elephant in the room:

Spider 2 Y Banana

Published on June 8, 2017
Kimberly Watson
Technical Director for Integrated Cyber Defense Operations, JHU/APL

If you are a fan of Monday Night Football, then you know exactly what I am talking about…and if you have played football, you can read the diagram to the left and you know exactly what play is being described.

So what does a play from the infamous West Coast Offense have to do with cybersecurity? Probably nothing. But the idea of a defined set of content and consistent notation for documenting plays so they can be shared quickly and easily with new team members? That is the impetus behind Integrated Adaptive Cyber Defense (IACD) playbook specification efforts.

Using Playbooks to Unlock Security Automation

Published on June 6, 2017
Alexander Lee
Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory

To successfully open a cylinder lock, the following three components must all align: the key, the cylinder (where the key goes in), and the set of pins. The lock will remain closed if even one of these components does not fit with the other pieces.

Security automation is a complex and multi-faceted problem that the industry is working hard to solve. IACD believes that, like the cylinder lock, there are three key components that must show clear traceability between them for successful implementation:

Unpack Your Adjectives - IACD Style

Published on June 6, 2017
Kimberly Watson
Technical Director for Integrated Cyber Defense Operations, JHU/APL

Security automation and orchestration is definitely trending. The reasons why organizations are moving to automation are pretty well known: too few resources, too much malware, too many shared threat indicators, too many alerts, and too many repetitive tasks. The reasons why organizations are choosing orchestration platforms to implement automation are also well documented: manual processes waste analyst and operator resources, custom integration between product suites is hard to maintain, and critical alerts end up on the ops center floor instead of being processed and acted upon. What does not seem to be discussed or understood is that the ability to integrate, automate, and orchestrate can be severely limited by a lack of interoperability support in the security products you already have or intend to purchase.

Cybersecurity and the Wisdom of Tom Izzo

Published on June 5, 2017
Kimberly Watson
Technical Director for Integrated Cyber Defense Operations, JHU/APL

“Do we just have a program, or do we have a team? Ever since I've been in this game, people have told me that a program is bigger than one person, one player, one coach. We're about to find that out.”
-Tom Izzo, Michigan State University men’s basketball coach, Oct 1999

In the fall of 1999, Mateen Cleaves, point guard and the only returning All-American on the MSU team, fractured his foot. MSU was ranked #3 in the preseason AP poll, and the previous year they had made the Final Four for the first time in 20 years. Then Mateen goes down, taking with him the hopes of many Spartan fans. Enter Tom Izzo, the calm voice of reason (at least during this press conference), and he starts talking about the program. About leadership. About work ethic and no excuses. And he was right – the Spartans won it all that year, and the MSU basketball program has become one of the best in the nation over the last two decades.

So I ask you – Do you have a cybersecurity program? Or a team?

Cyber Winter: More Than a Night's Watch - We're Going to Need Dragons!

Published on May 24, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

We are losing the war in cyberspace. Nation states, criminals, rogue nations, anarchists, and in the not-too-distant future, terrorists, act with impunity. This loss of our personal identities, intellectual property, and financial resources, and the potential loss of access to critical infrastructure, has a direct and indirect cost to our nation of billions of dollars annually. Despite the billions of dollars invested in “best in class” cybersecurity solutions by American businesses and government departments and agencies, our defense still depends on human defenders. With over 800,000 open cybersecurity positions in the US alone, and only a small fraction of that number entering the workforce each year, our cyber warriors are like the Night’s Watch: manning the wall with far too few trained warriors to withstand the unending waves of attacks. Our human cyber warriors simply can’t match the speed and scale achieved by an adversary that long ago adopted automation to enable attacks that occur in numbers and succeed in penetrating cyber defenses with a speed that humans can’t match. Simply put, our human cyber warriors are fighting robotic adversaries.

Integrated Adaptive Cyber Defense Framework

Published on March 21, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

As part of the ongoing activities supporting IACD, we have been building out key portions of the IACD Framework. This framework - including reference architectures, use cases, draft specifications, and implementation examples – provides a structure to adopt this extensible, adaptive approach to cybersecurity operations.

You (Don't) Just Gotta Have Faith!

Published on March 20, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

IACD dial-able automation and whatever it takes to 'see the light'

The single most common comment we receive when discussing Integrated Adaptive Cyber Defense (IACD) is "my [people/SOC/managers etc.] are never going to let us automate that." The perception is that it is all-or-nothing (or the rise of Skynet).

IACD is - by design - focused on Bring Your Own Enterprise - which means you bring not only the tools you already have deployed, but your business rules, risk tolerance, and, yes, your faith in automation.

Elementary My Dear: Partnerships & Integrators Multiplying Cyber Defense

Published on March 12, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

Integrated Adaptive Cyber Defense (IACD) was formed around the idea that we could 'operationalize the cyber OODA (Observe-Orient-Decide-Act) loop' and dramatically improve the timeliness and effectiveness of cyber defenses by:

  • Addressing speed and scale via automation and integration
  • Providing dial-able levels of automation to support operational priorities and gradual development of trust in automation
  • Ensuring trusted, secure control driven by network owner rules
  • Enabling flexible, affordable solutions via commercial products that leverage interoperability standards

"Do Not Adjust Your Set - We Control The Vertical": Robust, Open APIs

Published on March 8, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

With all due respect to The Outer Limits, let's agree that none of us want to go back to the days of rabbit ears and tin foil, needle-nose pliers to change the channel, smacking the side of the television, or adjusting the vertical hold.

And yet 'vertical hold' - vertical integration, proprietary interfaces, limited access partner agreements - continues to limit our ability to fully access and take advantage of the security tools that we've already bought and paid for.

What's the LEAST I Can Say About Orchestration?

Published on March 3, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

By all accounts, absolutely everyone in the cybersecurity community is talking about orchestration. Or orchestrators. Or Incident Response Automation. Or SOAR (which gets you a much cooler acronym and the opportunity for a logo on a coffee mug, even though no one seems to agree what it definitively stands for - see Gartner versus Business Wire, etc.).

Integrated Adaptive Cyber Defense (IACD) Playbooks and the Cybersecurity Framework

Published on March 2, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

The Framework for Improving Critical Infrastructure Cybersecurity, published and maintained by the National Institute of Standards and Technology (NIST), enables organizations to apply ‘business drivers to guide cybersecurity activities’, ‘consider cybersecurity risks as part of the organization’s risk management processes’, and ‘align cybersecurity activities with business requirements, risk tolerances, and resources.’ By applying the Cybersecurity Framework (CSF), an organization can profile current cybersecurity risk and define a target state that best aligns with its unique risk tolerance.

What Will Tip the Scales for Cyber Information Sharing?

Published on February 27, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

We've too often suggested that information sharing provides some sort of panacea in the realm of cybersecurity. But many of our colleagues will argue that they are more than adequately 'shared with' - be it through Government, commercial, or home-grown sources. They wonder what they are supposed to do with 10, 100, or 1000 times more information than they can currently handle, particularly when every news article heralds the overwhelming cyber workforce shortages we face.

What Is Integrated Adaptive Cyber Defense (IACD)?

Published on February 23, 2017
Wende Peters
Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL

Integrated Adaptive Cyber Defense (IACD)™ is a strategy for increasing the speed and scale of cyber defenses by leveraging automation to enhance the effectiveness of human defenders, moving them outside the response loop into a response planning and approval role “on the loop” of cyber defense. The rapid detection and mitigation of cyber threats requires the integration, synchronization, and automation of sensing, sense-making, decision-making, and acting capabilities across network layers, and relies upon the rapid ingestion and processing of shared threat and response intelligence among trusted partners. IACD defines a framework – including reference architectures, use cases, draft specifications, and implementation examples – to adopt this extensible, adaptive approach to cybersecurity operations.
