As networks become increasingly complex, adding such things as wireless connectivity, cloud services, BYOD, and the Internet of Things, they present increasing opportunities for compromise. Most organizations have deployed a variety of security devices across their network as part of their overall security infrastructure, usually from different vendors. These devices often operate in isolation and are unable to talk to one another. Such interoperability challenges can hamper efforts to share cyber threat information across and between networks, and frustrate attempts to respond to threats in a timely manner.
At the same time, cyberattacks are increasing in frequency and government agencies are under constant attack. Driven by the needs to standardize threat intelligence communications across various business applications on the network, implement open architectures, and automate security tasks, security requirements for federal and local governments are in a state of flux. In order to remain responsive, resilient, and agile, government organizations must adopt open, integrated, and automated security architectures that enable the collection and sharing of threat intelligence and the ability to coordinate a response to detected threats.
The first step in sharing threat information is to standardize the structure and format of threat data so that it is interoperable and consumable across various networks and platforms. The federal government and private sector agree on the need for a common language to enable the rapid exchange of intelligence.
That effort is already well under way, with the United States Computer Emergency Readiness Team (US-CERT) strongly encouraging the use of the Trusted Automated eXchange of Indicator Information (TAXII™), the Structured Threat Information eXpression (STIX™), and the Cyber Observable eXpression (CybOX™) standards. TAXII, STIX and CybOX are free, community-driven technical specifications that represent cyber threat information in a standardized format. They enable automated information sharing, and thus foster cybersecurity situational awareness, real-time network defense, and sophisticated threat analysis. The National Cybersecurity and Communications Integration Center (part of the Department of Homeland Security’s (DHS) Office of Cybersecurity and Communications) and US-CERT support the global adoption of these standards so that nations can share information in the battle against cybercrime.
Standardized threat intelligence formats enable interoperability between security tools. This interoperability, in turn, supports the implementation of an open architecture. By using an open API architecture, products and systems from different vendors can connect, share information, and work as a unified security framework. Such an approach also supports end-to-end visibility across all components of a security architecture. This advantage is a force multiplier, and the reason why government acquisition requirements specify open architectures and connectivity.
An open architecture also enables easier enforcement of government standards, such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations." This publication defines everything government agencies, and organizations working with government agencies, must have in place to secure their systems as well as what is often extremely sensitive data.
Documents like SP 800-53 are often lengthy and complex. Determining whether a particular product is consistent with the guidance they provide is often a time-consuming manual task. An open architecture gives government acquisition organizations the ability to use a centralized, automated compliance mechanism to rapidly evaluate offerings from different vendors against standards and regulations.
Perhaps the greatest advantage to government offered by adopting standard threat information formats is orchestration and automation. It’s no secret that there is a cybersecurity talent shortage. In order to manage a growing volume of increasingly sophisticated threats, it is critical to have infrastructure and security tools that enable quick, automated, and synchronized responses without human intervention.
Organizations such as OpenC2 educate and advocate for the development of orchestration software and standardized command and control languages. Central to the OpenC2 movement’s platform is the idea that standardizing language between machines enables rapid response to shared threat intelligence. As the OpenC2 forum states: “Future defenses will require the sharing of indicators, the coordination of responses between domains, synchronization of cyber defense mechanisms, and automated actions at machine speed against current and pending attacks.”
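As an added illustration (not code from the article, US-CERT, or the OpenC2 project), the following Python sketch shows how the standardized threat format and the standardized command language described above fit together: it parses a constructed STIX 2.1 indicator bundle, checks the indicator's required properties, and translates each single-address indicator into an OpenC2 "deny" command. The sample values, the `valid_indicator` and `indicators_to_openc2` names, and the STIX-to-OpenC2 mapping are assumptions made for this example, not a mapping defined by either specification.

```python
import json
import re

# Constructed sample: a minimal STIX 2.1 bundle with one indicator. The ids and
# the address (from the RFC 5737 documentation range) are made up, not real IoCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0c7f4b9e-2e33-4f1a-9a4c-1b2e3d4f5a6b",
    "objects": [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--8e2f0f4a-5b6c-4d7e-8f90-a1b2c3d4e5f6",
        "created": "2017-01-15T10:00:00.000Z",
        "modified": "2017-01-15T10:00:00.000Z",
        "name": "Constructed example of a hostile address",
        "pattern": "[ipv4-addr:value = '192.0.2.44']",
        "pattern_type": "stix",
        "valid_from": "2017-01-15T10:00:00Z",
    }],
})

# Properties STIX 2.1 requires on every indicator object, plus the id shape (type--UUID).
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")
STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Only the simplest pattern form is handled here: equality on a single IPv4 address.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '([0-9.]+)'\]$")

def valid_indicator(obj):
    """True only for an indicator carrying every required property and a well-formed id."""
    return (obj.get("type") == "indicator"
            and all(k in obj for k in REQUIRED)
            and obj["id"].startswith("indicator--")
            and STIX_ID.match(obj["id"]) is not None)

def indicators_to_openc2(bundle_json):
    """Map each single-address indicator to an OpenC2 'deny' command (illustrative mapping)."""
    commands = []
    for obj in json.loads(bundle_json).get("objects", []):
        if not valid_indicator(obj):
            continue  # malformed or non-indicator objects are never acted upon
        match = IPV4_PATTERN.match(obj["pattern"])
        if match is None:
            continue  # compound or non-IPv4 patterns need a real pattern evaluator
        commands.append({
            "action": "deny",
            "target": {"ipv4_net": match.group(1) + "/32"},  # CIDR form, one host
            "args": {"response_requested": "complete"},
            "command_id": obj["id"],  # reuse the indicator id so the action is traceable
        })
    return commands
```

Objects that fail validation are skipped rather than blocked, so a malformed feed entry cannot by itself trigger a network-wide deny.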
Standardized command and control languages and interfaces also simplify integration. With standards in place, there’s no need to train staff on every new technology in order to support enterprise adaptation and integration.
Imagine an integrated approach to cybersecurity that automates the processing and analysis of threat information from many different sources, one that can not only quickly identify network security threats, but also react to them in a synchronized manner. When done manually, these are labor-intensive and time-consuming tasks. Once automated, an effective security response is almost instantaneous.
Such a vision of global cooperation is only possible through an open architecture and the standardization of threat information and command and control language. Such an integrated architecture would improve network security, help organizations avoid costly, damaging breaches, and do so without increasing costs associated with personnel. This solution is achievable. Moreover, it is the solution that must be pursued in order to keep up with increasingly sophisticated and intelligent cyberattacks.
Originally published in the Winter 2017 issue of United States Cybersecurity Magazine.