Automated cyberthreat intelligence pilot reduced states’ response times to minutes

States that participated in the pilot cut the time needed to block malicious domains from three days to three minutes.
Top view of the hands of a programmer on his laptop
(Getty Images)

A pilot project testing an automated data feed of potential network compromises cut down the time needed to take defensive measures from days to a few minutes in the state and local governments that participated in the program.

Through the Indicators of Compromise Automation Pilot — conducted by the Multi-State Information Sharing and Analysis Center and a Johns Hopkins University research lab, with the backing of the Cybersecurity and Infrastructure Security Agency — participating agencies saw their response times following the detection of potential malicious activity drop from several days to just a few minutes, according to the Center for Internet Security, the nonprofit that operates the MS-ISAC.

The project, which began last year, initially involved the statewide IT agencies in Arizona, Louisiana, Massachusetts and Texas, along with Maricopa County, Arizona. Those agencies implemented tools developed by the Johns Hopkins Applied Physics Laboratory that act on cyberthreat intelligence, such as lists of untrustworthy domains or malicious IP addresses, by automatically blocking them rather than waiting for a human operator to manually enter them into firewalls or other protective systems.

The tools are known as Security Orchestration, Automation and Response, or SOAR, a system designed to extract indicators of activity from network monitoring devices — such as the Albert sensors sold by CIS — assigning them a score relative to the threat they pose and then distributing that information to participating agencies along an automated feed.


“To automate the scoring, that’s the game changer,” said James Globe, the MS-ISAC’s vice president for security operations.

In agencies where malicious domains and IP addresses are blocked manually, the process from initial detection to action can often take as long as three days, according to CIS. When fully automated, the pilot found, the time from detection to remediation was often about three minutes. In a partially automated environment where human operators still approve the automation functions, the response time dropped to about eight hours, still accounting for an 88% reduction in total processing time.

The intent, Globe said, is to help agencies quickly reduce their risk of exposure to novel cyberattacks.

“Let’s say a threat actor creates a new variant of some ransomware,” he said. “If they’re successful in attacking a [state, local, tribal or territorial] government, we still collect information. We extract IOCs, vet it and score it. We pass those indicators and the confidence score in under two minutes.”

One participating state was able to block nearly 500,000 attacks from indicators that appeared in the automated feed during the pilot, with 56% of them being prevented the same day those indicators were first detected.


SOAR tools, though, are typically only found in larger, more mature cybersecurity organizations. The tools used during the MS-ISAC and Johns Hopkins pilot were developed in accordance with a 2017 framework issued by the Department of Homeland Security and National Security Agency, and previously implemented by large financial institutions.

Still, Globe said, the MS-ISAC is planning to start marketing the system to its more than 10,000 members during the first quarter of 2021. For smaller agencies more likely to rely on managed service providers, CIS plans to offer the tools to those vendors.

“We target members where they’re currently at,” he said. “We’re going to the mature organization with policy templates, sample playbooks.”

While the pilot began with the four states and Maricopa County, Globe said participation grew over the course of the year to 16 states, cities and large counties.

Latest Podcasts