Aug 21 2020

States Join Automated Security Pilot with MS-ISAC, Johns Hopkins

Four states and a county government are taking part in an effort to deploy security orchestration, automation and response tools.

The promise of artificial intelligence for cybersecurity is that it will free security professionals at government agencies from menial tasks and allow them to focus on threat hunting and higher-level work. Another benefit that might get lost in the shuffle, but is no less important, is that automation in cybersecurity can actually lead to enhanced security for agencies.

Five governments are testing that proposition. Last month, the states of Arizona, Louisiana, Massachusetts and Texas, along with Maricopa County, Ariz., announced a partnership with the Multi-State Information Sharing and Analysis Center and the Johns Hopkins Applied Physics Laboratory (APL) to pilot a cybersecurity automation program.

The agencies will be using security orchestration, automation and response (SOAR) tools, which “enable organizations to collect security-threat data through multiple sources and perform triage response actions significantly faster than with manual processes,” according to a Johns Hopkins press release. The hope is that it will enable the agencies to “quickly and broadly share information — in near real time — and leverage automation to prevent or respond to cyberattacks,” the release states.

Pilot Will Focus on Automating Response to Indicators of Compromise

According to the MS-ISAC, the pilot will “focus on the curation of the feed and the processes used by the participants to triage, prioritize and act upon” the resulting indicators of compromise.

The states and the county will use automation and orchestration to gain “efficiencies in tasks, processes and resultant actions for the producer and consumers” of the indicators of compromise, according to a statement from the MS-ISAC.

Specifically, the pilot will help the states identify ways to cut down on manual tasks and promote the sharing of actionable threat information. Another key goal of the initiative is to identify the orchestration services needed to integrate cybersecurity responses, such as sensing, understanding, decision-making and acting.

“The effort stems from recent APL research and pilot programs with critical infrastructure industries that showed how automated information sharing can shore up cyber defenses by reducing response time,” according to the MS-ISAC.

SOAR tools use the Integrated Adaptive Cyber Defense framework, which was developed by the APL for cybersecurity automation, orchestration and information sharing. That framework was established under an effort sponsored by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Security Agency.

According to the APL, for those using the framework, cybersecurity response times have dropped from 11 hours to 10 minutes, and in some instances, preapproved responses were implemented in one second.

Automation should be something government agencies consider for cybersecurity simply because human workers often cannot keep up with the growing number and changing nature of threats out there, according to Charlie Frick, an APL researcher and the pilot project’s lead investigator.

“It’s a scalability issue,” Frick tells StateScoop. “The massive amount of attacks and the rate at which they’re increasing, it’s just not a human-tenable problem. Currently, we’re bringing people to a software fight.”

The results of the pilot, which is expected to finish this fall, will be “technology agnostic and could serve as a model for other states and local governments to quickly and easily augment their cyber defense capabilities,” according to the MS-ISAC.
