IACD Articles

The IACD team is currently updating posts to reflect our current thoughts on the framework and how it is employed. Join our LinkedIn Group to get new updates.

 

October 9, 2017

Remember Red, hope is a good thing

I have been accused of wearing rose-colored glasses my entire 30+ year career in security and information assurance. There has never been a problem that can’t be framed in some way that allows an 80% solution to emerge…every challenge is just an opportunity for a great advancement.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense


October 5, 2017

Feed me, Seymour!

In Little Shop of Horrors, it was all about quantity...but when it comes to threat feeds, we need to find a way to make it about quality. We need to get past sharing just indicators and be willing to create and share actionable knowledge.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense


October 2, 2017

Our Lady of Blessed Acceleration, don’t fail me now

We may not be on a mission from God, but we are absolutely committed to empowering organizations to employ mission-driven actions at speed and scale to maintain critical operations. While the current Security Automation and Orchestration (SAO) market is greatly improving the efficiency of security operations, we are striving to advance those same operations to become more effective.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense


September 28, 2017

Thank You Sir, May I Have Another

Before Kevin Bacon went all Footloose, he was just another student at Faber College...and as I read the articles about breaches and the state of cybersecurity, I wonder how many CISOs feel like one of the nameless Omega Theta Pi pledges standing in line waiting for their turn with the paddle. It seems like a foregone conclusion that your company will be attacked and your information compromised.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense


September 25, 2017

Survival of the Fittest

Natural selection may be mainly about genetics and adaptation in response to environmental stressors, but like all analogies that distract me during a bad sports weekend, there is also some loose tie to cyber defense. Adaptation is the key to survival in nature, and I think the ability to adapt is the key to “survival” in the cyber world.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense


August 21, 2017

Playbook Relationship with Governance or Regulatory Requirements: Why We Have Playbooks in the First Place

This is the last in a five-part series of articles that describe content to be incorporated in an IACD playbook. This article discusses the need to include the relationship with governance or regulatory requirements.

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


August 7, 2017

Playbook End State: The Finish Line is in Sight

This is the fourth in a five-part series of articles that describe content to be incorporated in an IACD playbook. This article discusses the need to include an end state.

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


July 24, 2017

Playbook Best Practices & Local Policies: Guides to Better Implementation

This is the third in a five-part series of articles that describe content to be incorporated in an IACD playbook. This article discusses the inclusion of best practices and local policies.

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


July 10, 2017

Playbook Process Steps: Establishing the Stepping Stones

This is the second in a five-part series of articles to discuss what types and amount of content should be contained within a playbook to be considered an IACD implementation.

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


July 5, 2017

2017 Information Assurance Symposium (IAS) – Trust in Automated Indicator Sharing

Integrated Adaptive Cyber Defense (IACD) presented an introduction to the DHS Automated Indicator Sharing (AIS) initiative, which provides a trusted sharing infrastructure that allows for the national-level sharing of indicators and defensive measures. Trust is a key component for information and action sharing between communities. Trust can be enforced in a technical sense, but it also has to encompass the brokering between existing and emerging trusted communities, where the constraints and concerns of communities are respected throughout the set of exchanges. The session summarized efforts to enable automated sharing between government, commercial, and information brokers.

Written by Michael Vermilye, AIS Adoption Lead


June 22, 2017

What’s on YOUR Playbook Wishlist

I recently presented on IACD playbooks at the Information Assurance Symposium in Baltimore. What became clear during the discussion was that while a majority of attendees were interested in developing playbooks, different sets of people believed that different types of playbooks were the most important to create first.

We are developing playbooks in parallel with authoring the playbook specification. We are currently looking for input on Initiating Conditions. We also want to know what initiating conditions are a high priority for you. I made a list from the comments I received during and after my IAS session. What is missing? What playbooks do you need now?

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense Operations, JHU/APL


June 22, 2017

Playbook Initiating Conditions: Where’s the Starting Line?

This is the first in a five-part series of articles to discuss what types and amount of content should be contained within a playbook to be considered an IACD implementation.

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


June 20, 2017

Can You Smell What Playbooks Are Cooking?

Whether cooking is an art or a science has been hotly debated between those who value the experience and freedom of creation and those who strive for consistency. Give two different chefs the same set of ingredients and a general set of instructions that does not specify how much of each ingredient to use, and they will produce two wildly different results. One would expect that getting two chefs to agree on an “optimal” mixture would be a challenge – then expand the number of potential contributors to tens more chefs and reaching consensus becomes that much more difficult.

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


June 18, 2017

If you want to “buy in” to SAO, you need to buy differently....

“Automation and orchestration are the trend in cybersecurity operations, but different integration models leave organizations choosing between speed, scale, and time to value.”

Security automation and orchestration (SAO) has the potential to significantly improve the efficiency and effectiveness of your cybersecurity operations – but only if your products and services were/are designed and purchased with integration in mind.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense Operations, JHU/APL


June 15, 2017

Find Your Cyber Alamo

I am preparing to speak at the International Association of Certified ISAOs (IACI) Thought Leadership Forum. IACI challenged those invited to speak to be ‘compelling’ – to talk about how to drive us to step up to be a leader in cybersecurity today.

Gulp. I need a good hook. Yeah. I say it is time for all of us to Find our Alamo.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


June 13, 2017

How Do You Know if There is an Elephant in the Room?

Is your couch broken? Do you smell peanuts on their breath? Maybe there are a few blind men in the room each touching something large and gray…

According to Wikipedia, an elephant in the room is an obvious problem or risk no one wants to discuss, or a condition of groupthink no one wants to challenge. But what if the problem isn’t that obvious? How do you know that there is a risk to discuss or a condition to challenge?

Security orchestration platforms, products, and services are designed (and marketed) to significantly improve the efficiency and effectiveness of cyber defense personnel and processes. Efficiencies come from automating manual tasks and processes, and the effectiveness of operations improves because more events or incidents are detected and mitigated in a more timely manner. But increasing the effectiveness of your cybersecurity program is more than that. It involves preventing more attacks or incidents from occurring and limiting the impact of any event by employing timely response and recovery actions. Enter the current unnoticed elephant in the room:

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense Operations, JHU/APL


June 8, 2017

Spider 2 Y Banana

If you are a fan of Monday Night Football, then you know exactly what I am talking about…and if you have played football, you can read the diagram to the left and you know exactly what play is being described.

So what does a play from the infamous West Coast Offense have to do with cybersecurity? Probably nothing. But the idea of a defined set of content and consistent notation for documenting plays so they can be shared quickly and easily with new team members? That is the impetus behind Integrated Adaptive Cyber Defense (IACD) playbook specification efforts.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense Operations, JHU/APL


June 6, 2017

Using Playbooks to Unlock Security Automation

To successfully open a cylinder lock, the following three components must all align: the key, the cylinder (where the key goes in), and the set of pins. The lock will remain closed if even one of these components does not fit with the other pieces.

Security automation is a complex and multi-faceted problem that the industry is working hard to solve. IACD believes that, like the cylinder lock, there are three key components that must show clear traceability between them for successful implementation:

Written by Alexander Lee, Senior Staff Professional at The Johns Hopkins University Applied Physics Laboratory


June 6, 2017

Unpack Your Adjectives – IACD Style

Security automation and orchestration is definitely trending. The reasons why organizations are moving to automation are pretty well known: too few resources, too much malware, too many shared threat indicators, too many alerts, and too many repetitive tasks. The reasons why organizations are choosing orchestration platforms to implement automation are also well documented: manual processes waste analyst and operator resources, custom integration between product suites is hard to maintain, and critical alerts end up on the ops center floor instead of being processed and acted upon. What does not seem to be discussed or understood is that the ability to integrate, automate, and orchestrate can be severely limited by a lack of interoperability support in the security products you already have or intend to purchase.

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense Operations, JHU/APL


June 5, 2017

Cybersecurity and the Wisdom of Tom Izzo

“Do we just have a program, or do we have a team? Ever since I’ve been in this game, people have told me that a program is bigger than one person, one player, one coach. We’re about to find that out.”
– Tom Izzo, Michigan State University men’s basketball coach, Oct 1999

In fall of 1999, Mateen Cleaves, point guard and only returning All-American on the MSU team, fractured his foot. MSU was ranked #3 in the preseason AP poll and the previous year, they made the Final Four for the first time in 20 years. Then Mateen goes down, taking with him the hopes of many Spartan fans. Enter Tom Izzo, the calm voice of reason (at least during this press conference), and he starts talking about the program. About leadership. About work ethic and no excuses. And he was right – the Spartans won it all that year and the MSU basketball program has become one of the best in the nation over the last 2 decades.

So I ask you – Do you have a cybersecurity program? Or a team?

Written by Kimberly Watson, Technical Director for Integrated Cyber Defense Operations, JHU/APL


May 24, 2017

Cyber Winter: More Than a Night’s Watch – We’re Going to Need Dragons!

We are losing the war in cyberspace. Nation states, criminals, rogue nations, anarchists, and in the not-too-distant future, terrorists, act with impunity. This loss of our personal identities, intellectual property, financial resources, and potential loss of access to critical infrastructure has a direct and indirect cost to our nation of billions of dollars annually. Despite the billions of dollars invested in “best in class” cybersecurity solutions by American businesses and government departments and agencies, our defense still depends on human defenders. With over 800,000 open cybersecurity positions in the US alone, and only a small fraction of that number entering the workforce each year, our cyber warriors are like the Night’s Watch: manning the wall with far too few trained warriors to withstand the unending waves of attacks. Our human cyber warriors simply can’t match the speed and scale achieved by an adversary that long ago adopted automation to enable attacks that occur in numbers and succeed in penetrating cyber defenses with a speed that humans can’t match. Simply put, our human cyber warriors are fighting robotic adversaries.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Mar 21, 2017

Integrated Adaptive Cyber Defense Framework

As part of the ongoing activities supporting IACD, we have been building out key portions of the IACD Framework. This framework – including reference architectures, use cases, draft specifications, and implementation examples – provides a structure to adopt this extensible, adaptive approach to cybersecurity operations.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Mar 20, 2017

You (Don’t) Just Gotta Have Faith!

IACD dial-able automation and whatever it takes to ‘see the light’

The single most common comment we receive when discussing Integrated Adaptive Cyber Defense (IACD) is “my [people/SOC/managers etc.] are never going to let us automate that.” The perception is that it is all-or-nothing (or the rise of Skynet).

IACD is – by design – focused on Bring Your Own Enterprise – which means you bring not only the tools you already have deployed, but your business rules, risk tolerance, and, yes, your faith in automation.

Published on March 20, 2017
Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Mar 12, 2017

Elementary My Dear: Partnerships & Integrators Multiplying Cyber Defense

Integrated Adaptive Cyber Defense (IACD) was formed around the idea that we could 'operationalize the cyber OODA (Observe-Orient-Decide-Act) loop' and dramatically improve the timeliness and effectiveness of cyber defenses by:

  • Addressing speed and scale via automation and integration
  • Providing dial-able levels of automation to support operational priorities and gradual development of trust in automation
  • Ensuring trusted, secure control driven by network owner rules
  • Enabling flexible, affordable solutions via commercial products that leverage interoperability standards

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Mar 8, 2017

“Do Not Adjust Your Set – We Control The Vertical”: Robust, Open APIs

With all due respect to The Outer Limits, let's agree that none of us want to go back to the days of rabbit ears and tin foil, needle-nose pliers to change the channel, smacking the side of the television, or adjusting the vertical hold.

And yet 'vertical hold' – vertical integration, proprietary interfaces, limited access partner agreements – continues to limit our ability to fully access and take advantage of the security tools that we've already bought and paid for.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Mar 3, 2017

What’s the LEAST I Can Say About Orchestration?

By all accounts, absolutely everyone in the cybersecurity community is talking about orchestration. Or orchestrators. Or Incident Response Automation. Or SOAR (which gets you a much cooler acronym and the opportunity for a logo on a coffee mug, even though no one seems to agree what it definitively stands for – see Gartner versus Business Wire etc.)

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Mar 2, 2017

Integrated Adaptive Cyber Defense (IACD) Playbooks and the Cybersecurity Framework

The Framework for Improving Critical Infrastructure Cybersecurity, published and maintained by the National Institute of Standards and Technology (NIST), enables organizations to apply 'business drivers to guide cybersecurity activities', 'consider cybersecurity risks as part of the organization's risk management processes', and 'align cybersecurity activities with business requirements, risk tolerances, and resources.' By applying the Cybersecurity Framework (CSF), an organization can profile current cybersecurity risk and define a target state that best aligns with its unique risk tolerance.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Feb 27, 2017

What Will Tip the Scales for Cyber Information Sharing?

We've too often suggested that information sharing provides some sort of panacea in the realm of cybersecurity. But many of our colleagues will argue that they are more than adequately 'shared with' – be it through Government, commercial, or home-grown sources. They wonder what they are supposed to do with 10, 100, or 1000 times more information than they can currently handle, particularly when every news article heralds the overwhelming cyber workforce shortages we face.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL


Feb 23

What Is Integrated Adaptive Cyber Defense (IACD)?

Integrated Adaptive Cyber Defense (IACD)™ is a strategy for increasing the speed and scale of cyber defenses by leveraging automation to enhance the effectiveness of human defenders, moving them outside the response loop into a response planning and approval role “on the loop” of cyber defense. The rapid detection and mitigation of cyber threats requires the integration, synchronization, and automation of sensing, sense-making, decision-making, and acting capabilities across network layers, and relies upon the rapid ingestion and processing of shared threat and response intelligence among trusted partners. IACD defines a framework – including reference architectures, use cases, draft specifications, and implementation examples – to adopt this extensible, adaptive approach to cybersecurity operations.

Written by Wende Peters, Principal Technical Lead for Integrated Cyber Defense Operations, JHU/APL