Cybersecurity Communities: Defending IT Collaboratively (Contributed)

In response to numerous challenges, state and local governments should explore how sharing public-private resources, talent and knowledge can strengthen cyberdefenses while simplifying the overall process.

by Cody Cornell / February 19, 2019

Hiring the best and brightest cybersecurity talent will always be difficult for state and local governments. They have to compete with private-sector firms that can offer significantly greater compensation. Many government agencies also must meet rigorous certification standards for new hires, including exceptional requirements that make them eligible for in-depth background investigations. 

Making matters worse, there are not enough people in the cybertalent pipeline. Cybersecurity Ventures, a research firm, estimates there will be a global shortage of 3.5 million cybersecurity workers by 2021. Moreover, the Cisco 2018 Annual Cybersecurity Report found that these staff shortages contribute to organizations failing to design and build secure information systems as well as maintain basic security controls.

Some states are tackling the problem through training programs and have built and staffed their own cybersecurity centers. Others have offered grants to establish cybersecurity courses to train new talent. The SANS Institute, an information security and cybersecurity research and training company, has started the CyberStart program, a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cybersecurity by completing various challenges. At a more strategic level, many state and local governments are considering a collaborative, “community” approach to solving their cybersecurity challenges.

Collaboration: Strength in Numbers

Security communities are groups of cybersecurity professionals who concluded that working together to solve our country’s security challenges better serves their organization and the broader community when compared to working in a silo alone. In general, the more people there are working on a problem, collaboratively, with a broader data set and context, the better the outcome for everyone.

From threat detection to incident response, the tactics that bad actors use — and methods to thwart and resolve them — are constantly evolving. Drawing from the lessons learned and best practices of more than just a single organization enables security professionals to be more efficient with their time, reach maturity more quickly and to identify and leverage innovation earlier.

Efforts are underway. The state of Ohio, under the direction of former Gov. John Kasich, has formed a committee to foster collaborative partnerships to strengthen cyberinfrastructure and resources. InfraGard is a partnership between the FBI and members of the private sector. The program provides a vehicle for public-private collaboration that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of critical infrastructure. While one of the hardest parts of building a community is getting people to join, participate and ultimately share, the government sector offers the opportunity for top-down mandates around collaboration.

MITRE’s Knowledge Base of Cybertactics

A collaborative community project that has had a huge impact on the practical side of cybersecurity is the MITRE ATT&CK™ framework. Founded in 1958, MITRE is a nonprofit organization that manages federally funded research. The organization works on projects for a variety of agencies, including the IRS, Department of Defense (DOD), Federal Aviation Administration (FAA) and National Institute of Standards and Technology (NIST). 

Based on real-world observations, the ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques. It serves as a foundation for developing specific threat models and methodologies in the private sector, the security vendor community and a variety of government organizations.

The ATT&CK knowledge base has given rise to several projects, mappings and supplemental resources, allowing the supporting communities to keep growing. The platform and data sources sections are especially valuable because they tell practitioners which systems they need to be monitoring and what they need to be collecting from them to mitigate and/or detect abuse of each technique. Putting the knowledge provided by the framework to use can almost immediately raise the maturity of a government security organization.
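As an added illustration of using the data sources section the way the paragraph describes, the following Python script (not from the article or from MITRE) checks which techniques a SOC's current log collection can cover and ranks the data sources it is missing. The technique-to-data-source table is a constructed excerpt for demonstration, not MITRE's authoritative dataset.

```python
# Added example: data-source coverage check over an ATT&CK-style mapping.
# The TECHNIQUES table is a constructed illustrative excerpt, not MITRE's
# authoritative data; consult the ATT&CK knowledge base for current mappings.
from collections import Counter

# Constructed excerpt: technique ID -> (name, data sources ATT&CK lists for it)
TECHNIQUES = {
    "T1059": ("Command and Scripting Interpreter", {"Process", "Command", "Script"}),
    "T1003": ("OS Credential Dumping", {"Process", "Command", "File", "Windows Registry"}),
    "T1078": ("Valid Accounts", {"Logon Session", "User Account"}),
    "T1566": ("Phishing", {"Application Log", "Network Traffic", "File"}),
}


def coverage(collected: set[str]) -> dict:
    """Classify each technique by how many of its data sources the SOC collects."""
    full, partial, none = [], [], []
    for tid, (_name, sources) in TECHNIQUES.items():
        have = sources & collected
        if have == sources:
            full.append(tid)        # every listed source is collected
        elif have:
            partial.append(tid)     # some visibility, detection likely incomplete
        else:
            none.append(tid)        # blind spot: nothing collected for this technique
    return {"full": sorted(full), "partial": sorted(partial), "none": sorted(none)}


def top_gaps(collected: set[str], n: int = 3) -> list[tuple[str, int]]:
    """Uncollected data sources ranked by how many techniques they would help cover."""
    missing = Counter()
    for _name, sources in TECHNIQUES.values():
        for source in sources - collected:
            missing[source] += 1
    return missing.most_common(n)


if __name__ == "__main__":
    # Constructed sample: a SOC that only collects process, command line and logon data
    soc_sources = {"Process", "Command", "Logon Session"}
    print(coverage(soc_sources))
    print(top_gaps(soc_sources))
```

The ranked gaps give a concrete, prioritized collection roadmap: the source that appears in the most uncovered techniques is the first one worth onboarding.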

By classifying attacks into discrete tactics, it’s easier for researchers to see common patterns, determine the author of different campaigns and track how a threat has evolved over the years as the author adds new features and attack methods. The framework recognizes that real-world threats are constantly advancing, and maps events to give analysts the context needed to identify advanced persistent threats (APTs). The term APT is commonly thrown around, but for federal, state and local governments, as well as the organizations supporting them, APTs are a genuine concern.

Simplifying the Cyberdefense Process

With the impending security skills shortage, government organizations will have to find new ways to make better use of the talent and resources they currently have. Security operations centers (SOCs) are overwhelmed by thousands of daily alerts, and manually responding to each one — legitimate or not — is a time-consuming and arduous task. 

By combining comprehensive data gathering; standardization; workflow analysis and analytics; and security orchestration, automation and response (SOAR), technology companies are working to provide organizations the ability to easily implement sophisticated defense-in-depth capabilities based on internal and external data sources like the ATT&CK framework. As a result, government agencies are beginning to adopt SOAR, seeking to quickly and effectively resolve a significant portion of the thousands of alerts they receive each day while also ensuring that processes and standards are enforced through automation. This will free up their security experts to spend more time on complex investigations, creating innovative processes, and proactive threat hunting.

From optimal productivity and performance to the ability to respond to incidents faster, collaboration delivers invaluable benefits to security operations in the public sector. Because the private sector controls the vast majority of the world’s critical infrastructure systems, government security will depend on effective, global collaboration with industry security professionals using resources like the MITRE ATT&CK framework. 

Cody Cornell

Cody Cornell is CEO and co-founder of Swimlane. He is a respected authority on cybersecurity and is responsible for the strategic direction of Swimlane and the development of its security automation and orchestration solution. He has collaborated with industry-leading technology vendors and is known for his work to identify opportunities to streamline and automate security activities that speed cyber response and enable security orchestration. In 2011, Cornell co-founded Phoenix Data Security Inc., a cybersecurity professional services organization. After beginning his career in the U.S. Coast Guard, he spent 15 years in IT and security, including roles with the U.S. Defense Information Systems Agency, Department of Homeland Security, American Express and IBM Global Business Services. Cornell is a frequent presenter on information security at forums such as the Secret Service Electronic Crimes Task Force, the DHS Security Subcommittee on Privacy and National Public Radio (NPR).
