Pilot Will Focus on Automating Response to Indicators of Compromise
According to the MS-ISAC, the pilot will “focus on the curation of the feed and the processes used by the participants to triage, prioritize and act upon” the resulting indicators of compromise.
The states and the county will use automation and orchestration to gain “efficiencies in tasks, processes and resultant actions for the producer and consumers” of the indicators of compromise, according to a statement from the MS-ISAC.
Specifically, the pilot will help the states identify ways to cut down on manual tasks and promote the sharing of actionable threat information. Another key goal of the initiative is to identify the orchestration services needed to integrate cybersecurity responses, such as sensing, understanding, decision-making and acting.
“The effort stems from recent APL research and pilot programs with critical infrastructure industries that showed how automated information sharing can shore up cyber defenses by reducing response time,” according to the MS-ISAC.
SOAR tools use the Integrated Adaptive Cyber Defense framework, which was developed by the APL for cybersecurity automation, orchestration and information sharing. That framework was established under an effort sponsored by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Security Agency.
According to the APL, for those using the framework, cybersecurity response times have dropped from 11 hours to 10 minutes, and in some instances, preapproved responses were implemented in one second.
Automation should be something government agencies consider for cybersecurity simply because human workers often cannot keep up with the growing number and changing nature of threats out there, according to Charlie Frick, an APL researcher and the pilot project’s lead investigator.
“It’s a scalability issue,” Frick tells StateScoop. “The massive amount of attacks and the rate at which they’re increasing, it’s just not a human-tenable problem. Currently, we’re bringing people to a software fight.”
The results of the pilot, which is expected to finish this fall, will be “technology agnostic and could serve as a model for other states and local governments to quickly and easily augment their cyber defense capabilities,” according to the MS-ISAC.