Installing multiple layers of security controls to protect information systems and data from attack has been industry best practice for several decades. The logic is simple enough – implementing security layers with overlapping and redundant capabilities provides greater security control while identifying more risks.
The challenge as networks become more complex, workload migrates to cloud service providers and threats become more advanced is to manage the growing complexity of modern security technologies and the huge amount of data each generates.
Whether you call it defense-in-depth or multi-layer security, a major consequence of this approach is technology sprawl, as enterprises implement arrays of stand-alone solutions that never quite work together. Your anti-virus, advanced malware protection clients, firewalls, forensics clients, endpoint protection, network access control protections and native operating system controls are all related but work autonomously and generate their own alert streams and log their own data.
Security information and event management (SIEM) systems enable cybersecurity teams to centrally collect and correlate security alerts, but such solutions are inherently reactive. The next generation of capabilities must focus on empowering security teams to coordinate and reduce the number of manual security response actions necessary across the enterprise.
Integrated Adaptive Cyber Defense (IACD) provides a framework for addressing these challenges. The goal is to enhance cyber defenses by coordinating threat intelligence across a wide ecosystem, integrating security systems using common protocols, and automating response activities using pre-defined response actions.
IACD is the result of a joint effort of the Department of Homeland Security (DHS), the National Security Agency (NSA), the Johns Hopkins University Applied Physics Laboratory (JHU/APL) and industry – including GDIT in a leading role.
In practical terms, putting IACD to work means ensuring component pieces of your defense collaborate effectively through standard protocols; increasing the efficacy of your cyber defenses using commercial defenses and community-derived playbooks; and reducing the time and manual level of effort necessary to prevent and respond to potential incidents.
GDIT’s Cyber Center of Excellence has built our cybersecurity reference architecture on this IACD framework. Our reference architecture brings together our service catalog of security capabilities, our knowledge base of playbooks from our security operations engagements, and best-of-breed technology partners to implement a proactive, integrated security architecture that is extensible and flexible enough to fit any enterprise.
Orchestration and automation are the critical pieces of this puzzle, providing a force-multiplier effect to security teams by consolidating the data from each piece of the security stack and enabling automated decision making and response based on the organization’s risk management framework. With orchestration, instead of simply generating alerts, your systems can resolve incidents themselves: identifying malware and setting off a chain of responses to remove the errant code and block its source, as appropriate.
Automation ensures a consistent and auditable response to known threats. It also empowers CISOs and security teams, freeing them from administrative chores to more appropriately apply their skills and expertise. If we can achieve the goal of automating the 80 percent of attacks that are routine in nature – spam, phishing emails with malware attached or known bad URLs and IP addresses – our security teams can focus their considerable skills on the unique sophisticated threats that pose the greatest danger.
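The orchestration loop described in the two paragraphs above, as an added illustration that is not GDIT's, IACD's or any product's code: alerts from stand-alone tools (an email gateway, a firewall and an EDR agent, each with its own field names) are normalized onto one common schema, routine categories (phishing, known-bad IP, known malware) are handled by pre-defined playbooks that record every action in an audit log, and anything without a playbook is escalated to an analyst rather than acted on. The tool names, field names, indicators and playbook steps are all constructed for the example; the response actions only record what they would do instead of calling real APIs.

```python
"""Minimal security-orchestration loop: normalize, apply playbooks, escalate the rest.
Added illustration only; tools, field names and indicators are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Raw alert streams, each in its own tool's native format (constructed samples).
RAW_ALERTS = [
    {"tool": "email-gateway", "verdict": "phish",
     "url": "http://login.example.invalid/", "recipient_host": "ws-101"},
    {"tool": "firewall", "rule": "threat-feed-blocklist",
     "src_ip": "203.0.113.7", "dst_host": "ws-102"},
    {"tool": "edr", "event": "malware_detected", "hostname": "ws-103", "sha256": "a" * 64},
    {"tool": "edr", "event": "lateral_movement_suspected", "hostname": "srv-07", "sha256": None},
]


@dataclass(frozen=True)
class Alert:
    """Common schema every tool's alert is mapped onto."""
    source: str
    category: str
    indicator: Optional[str]
    host: str


# Per-tool normalizers: the "common protocol" layer between stand-alone products.
def _from_email_gateway(raw: dict) -> Alert:
    return Alert(raw["tool"], "phishing", raw["url"], raw["recipient_host"])


def _from_firewall(raw: dict) -> Alert:
    return Alert(raw["tool"], "known_bad_ip", raw["src_ip"], raw["dst_host"])


def _from_edr(raw: dict) -> Alert:
    category = "malware" if raw["event"] == "malware_detected" else raw["event"]
    return Alert(raw["tool"], category, raw["sha256"], raw["hostname"])


NORMALIZERS: Dict[str, Callable[[dict], Alert]] = {
    "email-gateway": _from_email_gateway,
    "firewall": _from_firewall,
    "edr": _from_edr,
}


def normalize(raw_alerts: List[dict]) -> List[Alert]:
    return [NORMALIZERS[raw["tool"]](raw) for raw in raw_alerts]


# Response actions: each returns (action, target) and stands in for a real API call.
def block_indicator(a: Alert) -> Tuple[str, str]:
    return ("block_indicator", a.indicator)


def quarantine_host(a: Alert) -> Tuple[str, str]:
    return ("quarantine_host", a.host)


def purge_message(a: Alert) -> Tuple[str, str]:
    return ("purge_message", a.host)


# Playbooks for the routine categories; any other category goes to a human.
PLAYBOOKS: Dict[str, List[Callable[[Alert], Tuple[str, str]]]] = {
    "phishing": [block_indicator, purge_message],
    "known_bad_ip": [block_indicator],
    "malware": [quarantine_host, block_indicator],
}


def run_playbooks(alerts: List[Alert], playbooks=PLAYBOOKS):
    """Return (audit_log, escalations). Every automated step is logged so the
    response is consistent and auditable; unknown categories are never auto-actioned."""
    audit_log, escalations = [], []
    for alert in alerts:
        steps = playbooks.get(alert.category)
        if steps is None:
            escalations.append(alert)
            audit_log.append({"category": alert.category, "host": alert.host,
                              "action": "escalate_to_analyst", "target": alert.host})
            continue
        for step in steps:
            action, target = step(alert)
            audit_log.append({"category": alert.category, "host": alert.host,
                              "action": action, "target": target})
    return audit_log, escalations


def automation_ratio(alerts: List[Alert], playbooks=PLAYBOOKS) -> float:
    """Share of alerts a playbook handled without an analyst."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a.category in playbooks) / len(alerts)


if __name__ == "__main__":
    alerts = normalize(RAW_ALERTS)
    log, queue = run_playbooks(alerts)
    for entry in log:
        print(entry)
    print(f"automated: {automation_ratio(alerts):.0%}, escalated: {len(queue)}")
```

The design point is the split between the normalizer layer and the playbook layer: adding a new product means writing one normalizer, not touching any playbook, and adding a new routine category means adding one playbook entry while everything unrecognized keeps defaulting to escalation.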
Today’s threat landscape is increasingly sophisticated, and the volume of cyber attacks is growing exponentially. Cybersecurity teams must redefine their battlespace with a modern, integrated, active cyber defense.
Integrating security capabilities using common protocols and collaborative techniques will maximize the effectiveness of cybersecurity investment. By embracing automation we can increase organizations’ cyber defense resources, convert the defense landscape to be proactive in nature and empower security teams to eliminate threats – before they cause a breach.