Four state governments and one county are currently participating in a pilot project led by a Johns Hopkins University research lab to automate some of their cybersecurity processes as officials strive to make their information-security defenses more nimble.
The IT agencies in Arizona, Louisiana, Massachusetts and Texas — along with Maricopa County, Arizona — are implementing tools developed by the Johns Hopkins Applied Physics Laboratory that automatically act on cyberthreat intelligence, such as lists of untrustworthy domains or malicious IP addresses, rather than wait for changes to be entered manually. The Security Orchestration, Automation and Response, or SOAR, tools are part of APL’s Integrated Adaptive Cyber Defense framework, a set of guidelines aimed at automating the more repetitive tasks of cybersecurity so human workers can be freed up to think and act more strategically.
One of the big reasons governments should consider automating some of their cybersecurity practices is the sheer fact that human workers can’t keep pace with the growing number of threats their organizations face, said Charlie Frick, an APL researcher and the pilot project’s lead investigator.
“It’s a scalability issue,” he said. “The massive amount of attacks and the rate at which they’re increasing, it’s just not a human-tenable problem. Currently, we’re bringing people to a software fight.”
The framework’s development was sponsored by the Department of Homeland Security and National Security Agency, and it was endorsed in 2017 by the Financial Services Information Sharing and Analysis Center, which supplies banks with cybersecurity intelligence and alerts. In a pilot program the following year, corporations including Mastercard and Huntington Bank used APL’s tools to automatically implement the FS-ISAC’s latest recommendations.
Frick said the participating financial institutions were able to cut down the average time it took to act on an FS-ISAC alert, like blocking a range of IP addresses, from 14 hours — a span that would include waiting for someone to read the alert, meetings and discussions about the alert and manual data entry — to about nine minutes.
The states participating in the current pilot, which Frick said is scheduled to wrap up in late September, are aiming for a similar experience. The APL framework is being applied to speed up how those governments respond to the latest indicators from the Multi-State Information Sharing and Analysis Center. Both the Center for Internet Security, the nonprofit group that operates the MS-ISAC, and DHS’s Cybersecurity and Infrastructure Security Agency are backing the Johns Hopkins pilot.
But, Frick said, governments need to have reached a certain level of maturity in their cybersecurity operations to start adopting the IACD framework, including already having an orchestration capability, like Splunk’s Phantom Security platform, to integrate the various software products used in IT security operations.
State IT agencies are increasingly turning to automating administrative tasks in the wake of the COVID-19 pandemic, as the health crisis’ economic fallout drains government budgets and forces furloughs and layoffs. But Frick said the automation encouraged by his framework is meant to free cybersecurity workers from mundane tasks, not replace them.
“I have not seen security automation be a staff-reduction tool,” he said. “I’ve seen a lot of refocusing. You do still need the human to make the decisions. We just want to get to that point, orders of magnitude faster so they’re doing what they’re good at and the machines can do the repetitive tasks. You don’t need to manually type in a ‘Whois’ or VirusTotal search 10,000 times by hand.”
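As an added illustration of the indicator-handling step the article describes (this is example code, not APL's IACD framework or any tool used in the pilot), here is a Python sketch of one SOAR-style playbook stage: it parses a constructed indicator feed, leaves the repetitive work (validation, normalisation, de-duplication) to the machine, and keeps the decision with a human by auto-blocking only high-confidence entries while routing everything else, and anything that touches the organisation's own address space, to an analyst queue. The feed format, confidence labels and protected ranges are assumptions, not MS-ISAC's.

```python
import ipaddress
import re
# Constructed sample feed (not a real MS-ISAC format): "type,value,confidence" per line.
SAMPLE_FEED = """\
ip,203.0.113.7,high
ip,198.51.100.0/24,high
domain,Bad.Example,medium
ip,not-an-ip,high
ip,192.168.1.5,high
ip,198.51.100.0/24,high
"""

# Constructed stand-in for the organisation's own address space: a feed entry that
# overlaps these is never turned into a block rule without a human looking at it.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DOMAIN_RE = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def parse_indicator(line):
    """Return (kind, normalised_value, confidence), or None if the line is unusable."""
    parts = [p.strip().lower() for p in line.split(",")]
    if len(parts) != 3 or parts[2] not in ("high", "medium", "low"):
        return None
    kind, value, confidence = parts
    if kind == "ip":
        try:
            net = ipaddress.ip_network(value, strict=True)  # single host or CIDR
        except ValueError:
            return None
        if any(net.overlaps(p) for p in PROTECTED_NETS):
            return None
        value = str(net)
    elif kind != "domain" or not DOMAIN_RE.match(value):
        return None
    return (kind, value, confidence)

def triage(feed_text, auto_block=("high",)):
    """Split a feed into auto-block rules, an analyst review queue and rejected lines."""
    block, review, rejected, seen = [], [], [], set()
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        ind = parse_indicator(line)
        if ind is None:
            rejected.append(line)
        elif ind not in seen:  # duplicate feed entries must not become duplicate rules
            seen.add(ind)
            (block if ind[2] in auto_block else review).append(ind[1])
    return {"block": block, "review": review, "rejected": rejected}
```

The `block` list is what an orchestration platform would push to a firewall or DNS sinkhole without waiting for a ticket; `review` and `rejected` are the items that still get the "Whois or VirusTotal" look from an analyst.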