Using an automated threat response framework to protect government infrastructure
Unfortunately, none of us has any trouble imagining a security breach. Breaches are so frequent these days, so fast and so clever, that seemingly out of nowhere we could find critical infrastructure threatened, networks at risk, markets in danger.
Whether the mark is a government agency, a key part of the energy or communications infrastructure, or a too-big-to-fail financial institution, fear of security breaches keeps government security officers up at night. Every sizable institution is at risk, from retail chains to the Pentagon. While attackers will target any organization that stores valuable data—or even any entity that digitally connects to such organizations—there’s no richer or more resonant target than the government. Whether it’s for bragging rights or to make an ideological statement, taking down a piece of the essential infrastructure that keeps the country running has value beyond money for many cyber criminals.
In 2013, there were a stunning 47,479 confirmed attacks on public administration organizations—a segment that spans embassies, economic programs, the military, and other support organizations—and at least 175 of those attacks resulted in confirmed data compromise, according to Verizon’s 2014 Data Breach Investigations Report. Not unexpectedly, the public sector also leads the field in cyber-espionage, with 133 confirmed incidents, more than half of which occurred in the United States. Clearly, the government sector is a major target for hackers of all affiliations, both inside and outside the U.S.
An ever-evolving enemy demands a well-armed (and automated) response
As technology changes and evolves, cyber attacks change and evolve too. Attacks often come in looking like one piece of software code only to rapidly mutate and adapt to the target environment, proliferating at machine speed to expose weaknesses. In such an environment, new vulnerabilities and attack vectors are being identified and exploited, and security teams can’t keep pace with the number and sophistication of attacks. With a real shortage of security-literate professionals—as well as an economic environment full of unfunded mandates and continuing resolutions—it’s become increasingly difficult to keep up in the face of such relentless attacks.
The escalating frequency and complexity of attacks are making real-time cyber-security management more complicated and challenging for public and private organizations alike. But the gap between risk mitigation and attack sophistication is most critical in the government space, where cyber threats challenge the nation’s security infrastructure. So how can government security officers ensure the rapid response and decisive take-down these attacks demand? They need to arm their people with intelligent and holistic security analytics and automation solutions that enable an agile and immediate response to some very devious enemies.
Instant action: closing the gap with automated threat response
During an attack, every second counts. While an attack can happen in an instant, it can take months to remove it from the infrastructure—while the damage continues to spread. Should skilled security professionals get bogged down in an endless loop of repeatable manual processes, or rely on smart automation to speed the response? Should team members spend critical attack time trying to integrate disparate tools and legacy systems, or use pre-integrated playbooks built on well-orchestrated actions? The answer is obvious.
Today’s state-of-the-art security operations center (SOC) requires well-honed protocols, advanced data gathering and analysis tools, and a modern threat-identity infrastructure. But integrating multiple point security tools is expensive and does not scale when the tools are supported by manual processes. Teams need a way to tie their security tools together with proven processes and protocols, with a dose of automation to make everything work at machine speed, to allow them to perform more sophisticated threat analysis and remediation.
After all, many highly specialized SOC analysts spend significant amounts of time dealing with the manual aspects of the many advanced tools at their disposal. Countless personnel resources are expended on updating helpdesk tickets, uploading malware protections, testing hyperlink safety, and gathering information from infected machines. In fact, many organizations spend more time on repeatable manual tasks than they do on analyzing actual incidents or supporting more advanced security measures. With new automation and orchestration technologies, agencies can layer defense protocols throughout the organization—and reallocate valuable analyst time to support resilient operations and rigorous uptime requirements.
Calling the plays in an attack scenario: using proven protocols to orchestrate a response
An automated threat-response framework helps to bridge the gap between the security systems agencies have and the readiness levels they need. By unifying security tools and data feeds, security teams can integrate threat data from across the SOC, fine-tune systems to respond immediately to threat information, and orchestrate action in real time across multiple systems.
Instead of analyzing and reacting to specific attacks as they happen, forward-looking agencies are cataloging active responses built from proven protocols they use on a regular basis. Building a smart, automated threat-response system begins with looking at discrete threat types and identifying the appropriate workflows, tools, and processes required for a successful response in each instance. Assembling these courses of action into a playbook that can be orchestrated to execute specific threat-response scenarios allows organizations to reuse proven automations and workflows and connect them to larger response strategies. Over time, such playbooks can become digital libraries of approved actions that can be linked together to create active defense environments. Playbooks can continually collect organizational wisdom around security measures and provide SOC analysts with tested and adaptable sets of responses to multiple attack scenarios.
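As an added illustration (not code from the article or from CSG Invotas), here is a minimal version of the playbook library the paragraph describes: each discrete threat type maps to an ordered list of pre-approved actions, each action is a thin adapter around one tool, and the engine keeps an audit trail and hands off to an analyst when it meets a threat type with no playbook or a step that fails. Tool calls are stubbed as dictionary writes so it runs offline; the alert fields and sample values are assumptions.

```python
# Added illustration of a playbook library keyed by threat type; not code from the article or CSG Invotas.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Alert:
    """An alert as a SIEM or threat feed might emit it (field names are assumptions)."""
    threat_type: str
    host: str
    indicator: str

Step = Callable[[Alert, dict], None]
# Each step is a thin adapter around one tool. These only record what the tool would
# be told to do so the engine runs offline; real adapters would call ticketing, EDR and proxy APIs.
def open_ticket(alert: Alert, ctx: dict) -> None:
    ctx["ticket"] = f"TICKET-{alert.host}-{alert.threat_type}"

def collect_host_artifacts(alert: Alert, ctx: dict) -> None:
    ctx["artifacts"] = {"host": alert.host, "items": ["process list", "network connections"]}

def block_indicator(alert: Alert, ctx: dict) -> None:
    ctx.setdefault("blocked", []).append(alert.indicator)

def isolate_host(alert: Alert, ctx: dict) -> None:
    ctx["isolated"] = alert.host

# The playbook library: one ordered, pre-approved course of action per discrete threat type.
LIBRARY: Dict[str, List[Step]] = {
    "phishing_url": [open_ticket, block_indicator],
    "malware_beacon": [open_ticket, collect_host_artifacts, block_indicator, isolate_host],
}

def run_playbook(alert: Alert, library: Dict[str, List[Step]] = LIBRARY) -> dict:
    """Run the playbook for the alert's threat type and return an audit record. Unknown threat
    types and failing steps stop the automation and flag the alert for a human analyst."""
    ctx: dict = {"actions": [], "escalate": False}
    steps = library.get(alert.threat_type)
    if steps is None:
        ctx["escalate"] = True
        return ctx
    for step in steps:
        try:
            step(alert, ctx)
        except Exception as exc:  # a tool adapter failed: record it and hand off
            ctx["escalate"] = True
            ctx["error"] = f"{step.__name__}: {exc}"
            break
        ctx["actions"].append(step.__name__)
    return ctx
```

The returned record is the audit trail an analyst reviews: which steps ran, in what order, and why the automation stopped if it did.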
Playbooks and other tools in the threat-response framework combine an agency’s best personnel, processes, tools, and workflows and organize them into a dynamic, flexible, real-time security-response engine, forming the cornerstone of a more resilient overall security strategy. And in a world where agencies are fending off millions of attacks every year—each aimed at bringing down a critical piece of the government—that speed and agility matters.
Peter Clay is chief information security officer at CSG Invotas.