Integrated Cyber
May 1-2, 2018

Integrated Cyber is the premier cyber event bringing together the Integrated Adaptive Cyber Defense (IACD), Automated Indicator Sharing (AIS), and cyber information-sharing communities.

This two-day event provides a forum for collaboration and technical exchange to support the adoption of integrated, automated cyber defenses across the cyber ecosystem. Expanded from the IACD Community Day, Integrated Cyber showcases government, industry, critical infrastructure, operations, and research perspectives.

Integrated Cyber is hosted by the Johns Hopkins University Applied Physics Laboratory (JHU/APL), in collaboration with the National Security Agency (NSA) and the Department of Homeland Security (DHS). Our goal is to dramatically change the timeline and effectiveness of cyber defense via integration, automation, and information sharing.



*Please note: more presentations are being added; please check back if you cannot find the talk you are looking for. Thank you for your patience!*

Day 1


Keynote - Mr. Rick Driggers, Deputy Assistant Secretary, Office of Cybersecurity and Communications, DHS

Rick Driggers serves as the Deputy Assistant Secretary of the Office of Cybersecurity and Communications (CS&C) at the Department of Homeland Security. The CS&C is responsible for enhancing the security, resiliency, and reliability of the nation’s cyber and communications infrastructure. CS&C actively engages the public and private sectors as well as international partners to prepare for, prevent, and respond to catastrophic incidents that could degrade or overwhelm strategic assets. Prior to the CS&C, Mr. Driggers served at the National Cybersecurity and Communications Information Center (NCCIC), the National Protection and Programs Directorate, the National Security Council, the Office of Infrastructure Protection, and the Office of Intelligence and Analysis. He was a Special Tactics Combat Controller in the U.S. Air Force and is a graduate of the Executive Fellows Program at the Harvard University Kennedy School of Government.

View Slides (Coming Soon)


Integrated Cyber: Operationalization and the Future Ecosystem - Wende Peters, JHU/APL

Wende Peters is a dynamic leader who readily bridges technology, business, and C-Suite lanes. She is a thought-leader on multiple large-scale cyber solutions in both the private and public sectors. Ms. Peters is an accomplished speaker and communicator, with demonstrated effectiveness in crafting the big picture, while making realistic, pragmatic progress.

"The best challenges are the ones that no one thinks we can pull off! Give me a hill to take and I'm there!"

Ms. Peters has had foundational roles in designing private/public cyber security solutions, spanning technology, policy, marketing, and management. She is a leader of multi-agency architectures for net-speed exchange of cybersecurity information and network/enterprise operations.

View Slides


Featured Speaker - Alan Paller, President, SANS Technology Institute, Director of Research, SANS Institute

Alan Paller is president of the SANS Technology Institute and director of research for the SANS Institute, responsible for projects ranging from the Internet Storm Center (the Internet’s early warning system, with 500,000 sensors around the world) to the Top Ten Security Menaces of the coming year. He also edits NewsBites, the twice-weekly summary of the most important news stories in security. But he says his most satisfying responsibility is finding people who have solved important security problems and helping SANS’ 85,000 alumni in 60 countries learn about those people and their discoveries. Alan earned degrees in computer science and engineering from Cornell University and MIT. He has written hundreds of articles on computer graphics, EIS, and computer security, and has authored two books, The EIS Book: Information Systems for Top Managers and How to Give the Best Presentation of Your Life. He has testified before the House and Senate, and in 2001, the president named Alan as one of the original members of the National Infrastructure Assurance Council. In 2005, the Federal CIO Council chose him as its annual Azimuth Award winner, recognizing his singular vision and outstanding service to government information technology. He earned his bachelor of science in engineering from Cornell University and a master of engineering from MIT.

View Slides



Breakout Session 1

The partnership with the Financial Sector was a perfect opportunity for an integrated pilot – one which includes both the generation and distribution of the information to be acted upon as well as the actions taken by the organizations receiving this information. An integrated pilot provides the opportunity to identify capability gaps and best practices for information sharing that drives automated defense. This talk will present the motivation and accomplishments to date of the FS-ISAC portion of our financial sector integrated pilot, as well as highlight key insights and what they imply for information sharing organizations. We will also identify some characteristics of the future ecosystem derived from lessons learned during the design phase of the pilot.

View Slides


This session will discuss the current threat against Industrial Control Systems (ICS) and will provide an overview of the DoD’s proposed MOSAICS concept demonstration. MOSAICS will leverage and integrate existing and developmental technologies from government labs, academia, and industry to provide robust situational awareness and defense of critical infrastructure. By extending advanced sensing and visualization solutions into ICS networks and even to some embedded systems, MOSAICS will provide the data feeds and situational awareness necessary to enable automated analysis, course of action development, and response actions required for timely defense of these critical systems.

View Slides


Using T&C co-simulation to explore automated cyber threat detection and response strategies at scale, under various cybersecurity scenarios, to avoid or mitigate undesirable grid effects.

View Slides (Coming Soon)


This talk will provide an overview of the knowledge engineering and science-of-security scientific knowledge management needed to support advanced decision-making augmentation and automation in a future integrated cyber defense ecosystem with AI-driven cyber defenses. We’ll explore a cyber effects matrix visualization to discuss cybersecurity decision patterns centered on adversary TTPs (problems) and the effect or effects (solutions) the defender can have on the adversary’s activity (TTPs) across the cyber attack life-cycle, along with the context from IACD sense-making needed for advanced decision-making support, augmentation, and automation in the future ecosystem.

View Slides


Organizations often move too quickly to pilot an SA&O product without considering and planning for all the essential steps that need to happen first. And as a result, they may not achieve the success they were expecting, will quickly grow frustrated, and give up on the idea of implementing IACD altogether! But there’s no need for that to happen!

This session introduces the Draft IACD Readiness Framework and identifies the key areas that your organization should address for long-term success. The Framework progresses through the readiness stages of Adoption, Piloting, Initial Deployment, Improvement, and Long-term Sustainment.

View Slides



Breakout Session 2

There are many new products on the market that have automation at their core, and their goal is to increase the speed and scale of cyber defense. They reflect IACD principles and tenets, and yet, if you buy them and try to integrate with the current IACD framework using existing security orchestration methodologies, you may find it hard to realize their full value. This should not be the case. How does security orchestration need to evolve to optimally support the inclusion of an advancing market in automated defenses, analysis, decision-making, and information integration?

View Slides


Pilot efforts foster adoption by demonstrating how to deploy the IACD framework and strategy on actual production networks. The financial sector is an ideal candidate due to the sophistication of its security teams and processes. An integrated pilot helps identify gaps and best practices for information sharing to drive automated defense. This presentation will cover the completed Discovery and Design phases and the plans for the Execution phase. Hear how differences in organizations, structures, policies, environments, and tolerances translate into different solutions able to utilize the common IACD framework. See a demonstration of the process, hear insights into technical and overall implementations, and discuss a list of metrics of success.

View Slides


Threat detection and information sharing in ICD are two components essential to improving a network’s security posture. Mark will identify detection methodologies through threat-based analytics (TBAs) in ICS networks where anomaly detections are not practical. Real case studies will then be leveraged to demonstrate information-sharing programs both internal and external to an organization.

View Slides


What are key focus areas for AIS in the near future?

• Making indicators more operationally relevant by increasing context and confidence scoring

• Properly measuring indicator timeliness, quality, and value

• Continuing to be seen as a technology leader in CTI sharing standards

View Slides (Coming Soon)


The Department of Energy implemented a number of automation workflows on their network. Many lessons were learned through the actual application of tools to a live system.

View Slides



Day 2

Welcome


Featured Spotlight: From Concept to Implementation: Automated Cyber Defense Use Cases - Scott Jasper, Naval Postgraduate School - Natalio Pincever, Palo Alto Networks - Shawn Fitzgerald, Palo Alto Networks

Scott Jasper is a Faculty member in the National Security Affairs Department at the Naval Postgraduate School in Monterey, California. He teaches courses on Internet, Society and Cyberconflict (NS4910), Cyberspace Operations Fundamentals (CY3200), Defense Capability Development (NS3021) and Hybrid Warfare (NS4260). His research interests focus on the technical capability and legal viability of active cyber defense. His fourth book is titled Strategic Cyber Deterrence: The Active Cyber Defense Option published by Rowman & Littlefield (July 2017). Scott has published chapters in various Handbooks and articles in International Journal of Intelligence and CounterIntelligence, Strategic Studies Quarterly, The National Interest, Small Wars Journal, Journal of International Peacekeeping, the Diplomat, and Defense News. He has a PhD from the University of Reading, in the United Kingdom.

Natalio Pincever is currently the Director, Advanced Programs at Palo Alto Networks. In this role, Mr. Pincever works across Federal market customers to identify opportunities to insert Palo Alto Networks products and capabilities into their mission space, as well as to deliver new capabilities to support their mission. His goal is to evolve Palo Alto Networks’ relationship with their customers from that of a product vendor to being a trusted mission partner.

Previously, Mr. Pincever was at McAfee, where he built and ran an organization dedicated to supporting the unique Intelligence needs of McAfee’s largest customers. His team provided mission-focused intelligence products leveraging McAfee’s threat collections as well as their own sources and methods, answering the deeper “who-what-when-where-why-how” needs of their customers. Prior to that position, he was McAfee’s senior Technical Executive for Intel and Advanced Technologies working across the Intelligence Community; he was the Chief Engineer for Cyber at Raytheon’s Intelligence and Information Systems; as well as having served in several positions in the Defense Intelligence Senior Executive Service (DISES) at the US Department of Defense.

Shawn Fitzgerald joined Palo Alto Networks Federal team in April 2014 as a Systems Engineer focused on the US DoD. Shawn has been in the networking industry since 1991, holding individual contributor and management positions in Systems Engineering and Technical Marketing for industry leaders such as FORE Systems, Cisco Systems, and QLogic.



Breakout Session 3

IT O&A research has been applied to ICS cyber research and adapted to a utility SOC environment. Today’s research topic areas and the current data science toolbox are relevant to future ICS research.

View Slides (Coming Soon)


The FS-ISAC North American Insider Threat Working Group developed a framework to support efforts to manage insider threat to systems, assets, data, and capabilities. IACD partnered with this working group to provide playbooks to support implementation of certain processes identified in the framework. This partnership brought to light the value of automation to support insider threat program processes and activities. In this talk we will describe the framework, highlight the IACD playbooks and their relationship to the framework, and discuss the issues and opportunities related to the inclusion of security automation and orchestration.

View Slides


With the release of STIX 2.0 last year and the new features being added in STIX 2.1, the security community now has a simple and powerful means of expressing potentially complex but actionable cyber threat intelligence. This presentation will present an overview of STIX 2.0/2.1 with an emphasis on how these new capabilities can be employed in sharing ecosystems to achieve operational goals.

View Slides


Whenever an organization creates a workflow that enacts actions that can negatively impact their environment, they must think about how to monitor for such impacts, and how to reverse the action or mitigate the impact. In this session, we present some thoughts on different shades of reversibility in the context of security automation and orchestration, as well as some generic ways to achieve reversibility. Finally, we report some initial observations from experimental implementations of selected, fully automated, reversible workflows.

View Slides


Organizations often move too quickly to pilot an SA&O product without considering and planning for all the essential steps that need to happen first. And as a result, they may not achieve the success they were expecting, will quickly grow frustrated, and give up on the idea of implementing IACD altogether! But there’s no need for that to happen!

This session introduces the Draft IACD Readiness Framework and identifies the key areas that your organization should address for long-term success. The Framework progresses through the readiness stages of Adoption, Piloting, Initial Deployment, Improvement, and Long-term Sustainment.

View Slides



Breakout Session 4

How do metrics and measures aid organizations in recognizing SAO benefits, value, and effects?

View Slides


This session gives an overview of the challenges a financial institution faces in vetting, applying, and responding to threat intelligence. The volume of threat indicators puts a strain on resources to filter through the noise and discover credible, actionable threat indicators in a timely fashion. Security analysts are spending too much time enriching indicators and responding to alerts. After the current-state process is examined, a future-state process leveraging security automation is presented.

View Slides


Lessons learned from IACD pilots, and the operational realities they provide, have evolved our understanding of the ecosystem. During this same time, the OpenC2 community has been working on its own pilots and reference implementations in an effort to understand and demonstrate the role of OpenC2 in the ecosystem, as well as to highlight gaps. Come and find out what IACD has been doing to refine our architectural perspective and thinking, and understand how OpenC2 and other standards can fit within the evolving ICD Reference Architecture. Also hear about the great work happening in the OpenC2 community and where it is heading.

View Slides


This session will be the third quarterly meeting of the IACD Integrator’s Community of Interest (COI). The focus of the COI is to facilitate discussions around how we can advance the “adoption” of IACD concepts across a broad range of customer operational environments. The meeting’s agenda will consist of an overview of the COI purpose and goals, a presentation on IBM Resilient’s use of automation for incident response, lessons learned from an orchestration pilot with U.S. Bank, and the future focus of the COI.

View Slides


Automated remediation is a key technology for CES-21 research. New Context has led the research for the indicator remediation language using STIX. Standards like STIX, TAXII, and OpenC2 are examples that provide a foundation for infrastructure to perform machine speed threat detection, sharing, and response.

Due to the sensitivity of the content, this presentation cannot be posted.



Breakout Session 5

The acceptance of security orchestration and a wide variety of interoperable information-sharing products based on standards such as STIX/TAXII has started to create an ecosystem where automation rapidly responds to security indicators. In the near future, wide deployment of these tools and techniques based on shared workflows and recipes will address a number of problems from workforce shortages to automated malware propagation. But this is just an incremental step in the art of the possible. What are the next challenges and our envisioned future where these challenges are addressed by as-yet-uninvented solutions? A battle royal between autonomous attackers and defenders? This panel brings together futurists, policy makers, scientists, vendors, and critical infrastructures to discuss their view of the next set of grand challenges in automated cyber and how we will interact with these technologies.

View Slides


The term “middlebox” includes any device between user end points other than a transparent switch. Middleboxes are essential to the operation of all telecommunication and ICT networks today, and large infrastructures will typically have thousands of ubiquitously deployed middleboxes. The current standards effort in ETSI is to specify protocols to enable trusted, secure communication sessions between network end points and one or more middleboxes using encryption. The specification is intended to facilitate implementation profiles for a wide array of implementations and applications. This talk will describe current efforts and how you can get involved.

View Slides (Coming Soon)


In an effort to advance the sharing of orchestration workflows, JHU/APL identified a level of detail that seemed appropriate for cross-organizational sharing and created a reference implementation. The reference implementation uses BPMN with data objects representing variables and OpenC2-like commands. Cybersponse, a key supporter of the extended cyber defense community and associated standards, partnered with APL to refine the reference implementation. This refinement is based on the perspective of how an orchestrator could ingest and represent the imported workflow in a manner that simplifies tailoring for a specific environment, adding in automation as desired. This session provides a demonstration of the reference implementation and discusses how it can be ingested and used within Cybersponse.

View Slides


As organizations invest in security automation and orchestration (SAO), how can they make the most of what they have to get the largest immediate return on that investment? How can organizations that have a limited investment in products and services use automation effectively? This talk will present insights into how to use your base infrastructure to improve your security posture in real time.

View Slides (Coming Soon)


Quantum key distribution is a new tool for generating shared random keys that can be securely distributed between devices for simplified authentication and encryption. When used with the new Secure SCADA Protocol for the 21st Century (SSP-21) protocol, this new technology is being integrated into industrial control systems associated with the electrical power industry. This joint presentation will describe the technology, the protocol, and its most recent applications.

View Slides


A recommendation on how to get to where the sector needs to be related to information sharing.

View Slides