The Johns Hopkins Applied Physics Lab’s Integrated Adaptive Cyber Defense (IACD) project is maturing and moving into high gear as playbook automation begins to take hold across multiple government and industry sectors. Standards and tools are emerging that will become the bulwark for active cyber defenses for the next generation. Learn from the Technical Leader of JHU APL IACD project, Wende Peters, as she takes us through the journey that is IACD in this interview with ActiveCyber.
A couple of years back I heard about a workshop sponsored by NSA and DHS on “integrated active cyber defense.” Naturally, I was interested and so I signed up to attend. I was very excited to learn about the IACD project and reported about it here. I also introduced myself to several folks including Wende Peters, who is the Technical Lead of the project. I was pleasantly surprised to learn she had heard of the ActiveCyber web site, but I was not able to schedule an interview with her at the time. So when I ran into Wende recently at another conference I was very happy when she agreed to do this interview. Read the interview below to learn more about how active cyber defenses have been accelerated forward through the efforts of Wende’s team at JHU APL and through partnerships with industry and government that have been formed under the IACD project umbrella. Also, register now for the upcoming Integrated Cyber conference where you can learn all about security automation and orchestration over two days and multiple tracks – I will see you there!
Spotlight on Wende Peters, Johns Hopkins Applied Physics Lab
October 9, 2017
Chris Daly, ActiveCyber: What is the definition of “integrated adaptive cyber defense” and why is it an important concept for cybersecurity professionals and mission owners?
Wende Peters, JHU APL IACD: Integrated Adaptive Cyber Defense (IACD) is an approach and strategy focused on applying speed and scale to cyber defense operations via interoperability, orchestration, and information sharing. At its core, IACD is about being able to combine – and recombine – security tools and operations as needed. Cybersecurity professionals should reasonably expect that the shelf life of the tools and procedures they create is longer than that of a gallon of milk – a threat-by-threat, vulnerability-by-vulnerability approach with a custom solution for every item just should not be acceptable. Mission owners should equally expect that cybersecurity is a mission enabler, not an obstacle. IACD seeks to address those expectations by putting flexibility and extensibility into the mix.
ActiveCyber: How and when did this program get started, who are the sponsors, and what goals were presented to you when you started?
Peters: Officially, IACD was stood up as an initiative in 2014 under combined sponsorship of the Department of Homeland Security and the National Security Agency. Its roots, however, reach back far longer. Combined communities of like-minded people have been focusing on security automation and interoperability for years, in both the public and private sectors. IACD describes a targeted ecosystem for cybersecurity that embodies the goals from those efforts. Our sponsors both sought an approach that looked at things differently than many traditional programs of record. They elected to combine their resources, focus, and investments to pursue this vision, and asked JHU/APL to be the trusted technical arm to their partnership. In July 2014, JHU/APL established our FIIRE lab (Federated Innovation and Integration Research Environment) and started the first IACD spiral – a rapid, agile demonstration of automated cyber defense activities. There have been 10 more spirals since then – each helping to elicit or define the common functions for an automation framework, identify gaps in commercial technology, and scope the mission needs.
ActiveCyber: What are some of the components or features of an IACD environment? What does the architecture look like?
Peters: The IACD architecture is not your typical Systems Engineering 101 architecture – it is very much based on the idea that we should only ‘specify’ those things that absolutely must be commonly understood to enable the desired functionality. It includes the following:
– Orchestration services,
– Trust services,
– Infrastructures to support information exchange and control messaging,
– ‘Sensors’ and ‘actuators’ that can trigger and be triggered during operations.
To date, most IACD implementations follow a more ‘literal’ instantiation of the architecture services – they typically have an orchestration product installed that is signaled by discrete tools (IDS, host agents, etc.) and communicates direction to other tools. These are valid and impactful instantiations right out of the blocks – we’ve demonstrated 95%+ improvements in timelines for typical security operator and incident response workflows. Some of the most dedicated partners in evolving IACD have been orchestration product vendors. We’ve worked hands on with more than half a dozen, and have seen sincere and considered technical input to the IACD framework from many others.
Future options, though, are even more diverse. Orchestration services (vice a specific ‘orchestration product’) could be implemented many ways – as a separate cloud-based service, as self-forming control mechanisms in your environment, maybe even as block chain-enabled command modules. What’s key is that they are able to:
- commonly understand cyber events,
- process those events to filter and make sense of input,
- determine a need to act,
- select actions based on operational and business priorities, and
- express the chosen action in a sequence of response actions that are machine ingestible.
ActiveCyber: What type of vendor and user outreach has been conducted and what have been the responses from these communities?
Peters: From the beginning, IACD has been about establishing trusted relationships with the commercial vendor space – we sought to learn what was already out there, demonstrate what could be accomplished immediately, and feed back openly and widely the capabilities that we weren’t able to bridge. We promise vendors that we will protect any and all proprietary information that we are given, but that our goal is to understand the common things that aren’t just one company’s secret sauce. You can have an amazing product that provides IACD functionality top-to-bottom in a proprietary stack – and many users may ultimately choose that route, especially if they are already heavily invested in that vendor. But to be included in an IACD spiral, demonstration, and pilot that we support, you need to be willing to share lessons learned, seek interoperability with other tools outside your product line, and contribute to the community.
We’ve had over 50 products, feeds, and programs that have been successfully integrated into IACD implementations. Some are merely aware that we used their APIs to integrate with other tools. Others have committed whole business units to working out IACD concepts, reviewing and contributing to the IACD architecture, and adjusting their internal road maps and architectures. From the user perspective, we started with very small relationships of trust and limited pilots. Increasingly, as the architecture solidified and the market moved towards the needed interoperability, IACD has needed to shift towards supporting user adoption. We’ve continually brought those two parts of our IACD community together at ‘community days’ – venues where vendors, researchers, integrators, service providers, users, and acquisition deciders converge with the common focus on what it will take to make IACD functionality real, sustainable, and beneficial to all. We’ve grown to a multi-day, multi-track event with hundreds of participants: Integrated Cyber. Our individual spiral findings, as well as the IACD framework of reference architecture, orchestration services, and playbook specifications are housed on the IACD website for anyone to access. We also have a growing community on LinkedIn and are opening up more collaborative channels for community interaction soon.
ActiveCyber: What are the limiting factors when it comes to achieving maximum security automation and orchestration? How do you see these factors being addressed through the IACD project?
Peters: Most people ask that question and tend to expect a computational, technology, or research-based answer. While we’re the technical agents for IACD, we are absolutely not technology-centric. Shifting the culture and constructs of cybersecurity is a central focus of IACD. Resistance to adoption is far more of a limiting factor than any technology right now. People seem to envision a ‘SkyNet’ scenario – and either fear it and reject all automation, or dismiss as failure anything that falls short of full autonomy. I think the key is to shift the focus from “maximum” to “optimal.” The reality is that the way we perform cybersecurity operations is simply unsustainable. We could convert every college student in the country to a cyber security field and still not have enough people to keep pace with the expanding Internet of Things. We will end up either automating operations or abandoning them – let’s figure out how to enable today’s adoption, but anticipate that what seems impossible today will be business as usual next year, and so on. We evolved the construct of IACD Playbooks to support that gradual movement to adoption. The purpose of a playbook is to represent operational processes in a manner that:
1. Most organizations can associate with processes they are performing
2. Can be mapped to governance or regulatory requirements (e.g., NIST 800-53)
3. Demonstrates a path to process automation over time
4. Identifies industry best practices for the process steps.
Bottom line – technology will continue to evolve to support more advanced input (machine learning, advanced analytics); however, if you’re not equipped to take advantage of even the more elemental advances, advanced predictive capabilities aren’t going to help.
ActiveCyber: What is next for IACD? How do you see the project evolving?
Peters: We’re incredibly excited to be shifting towards adoption and scaling of IACD through partnerships. This week we were able to announce that we will be working directly with the Financial Sector to support operationalization of IACD at several financial institutions. In addition, the FS-ISAC will be facilitating an interconnected pilot among those institutions, applying orchestration and automation to their threat intelligence sharing operations. Within FY18, we expect to see multiple large-scale financial SOCs leveraging IACD. These kinds of public-private partnerships are what our sponsors had in mind – enabling the community and industry to advance the state-of-the-art and drive evolution of capabilities. As this model evolves, we expect to provide support to other critical infrastructure sectors. Our community of collaboration continues to expand as well. Our next major in-person event – Integrated Cyber – is October 16-17 at the JHU/APL Kossiakoff Center. More information is available at www.cvent.com/d/d5q5pz
Wende, it sounds like IACD is really moving the needle when it comes to identifying the benefits from security automation and orchestration. Your IACD Team’s efforts exemplify the type of industry-government interactions that are needed to really accelerate the progress in defending our cyber assets across all sectors. I believe your Team’s efforts have measurably impacted the growth of this industry and I look forward to seeing all the great things that are being done and inspired by your efforts at the Integrated Cyber event.
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
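Editor's addendum: the five capabilities Peters lists for an orchestration service (commonly understand events, process and filter them, determine a need to act, select actions on operational and business priority, express the result as a machine-ingestible sequence) and the playbook properties she describes (a familiar process, mapped to a governance reference, with a visible path to automation) can be made concrete in a few dozen lines. The toy orchestration loop below is an added example written for this page; it is not IACD, JHU/APL or vendor code. The two sensor event shapes, the asset inventory, the action names, the `mode` field and the control mapping to NIST SP 800-53 IR-4 are all constructed for illustration and do not follow any IACD playbook or OpenC2 specification.

```python
"""Toy orchestration service: sensor events -> common event -> filter -> decide -> action plan.

Added illustration; the event shapes, asset inventory, action names and the
playbook/control mapping are all constructed for this example and are not an
IACD, vendor or OpenC2 specification.
"""
import json
from dataclasses import dataclass

# Constructed inputs in two different (made-up) sensor shapes: a network IDS
# alert and a host-agent detection, both about the same asset.
IDS_ALERT = {"src": "10.0.0.5", "dst": "10.0.0.9", "sig": "Possible C2 beacon", "sev": 2}
HOST_EVENT = {"hostname": "ws-17", "ip": "10.0.0.9", "event": "malware_detected", "severity": "high"}

# Constructed asset inventory used to weigh business priority when selecting a response.
ASSET_CRITICALITY = {"10.0.0.9": "workstation", "10.0.0.42": "crown-jewel"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# A playbook in the sense the interview describes: a process most SOCs already
# perform, mapped to a governance reference, with each step marked as automated
# or still needing a human (the "path to automation over time").
PLAYBOOK = {
    "name": "endpoint-malware-response",
    "control": "NIST SP 800-53 IR-4 (Incident Handling)",  # illustrative mapping
}


@dataclass
class CyberEvent:
    """The commonly understood event every sensor is normalized into."""
    source: str
    asset_ip: str
    description: str
    severity: str  # one of low / medium / high


def normalize(raw: dict) -> CyberEvent:
    """1. Commonly understand cyber events: map each sensor's shape to CyberEvent."""
    if "sig" in raw:  # IDS shape: numeric priority, 1 = most severe
        sev = {1: "high", 2: "medium", 3: "low"}.get(raw["sev"], "low")
        return CyberEvent("ids", raw["dst"], raw["sig"], sev)
    if "event" in raw:  # host-agent shape: textual severity
        return CyberEvent("host-agent", raw["ip"], raw["event"], raw["severity"])
    raise ValueError("unknown sensor format")


def process(events) -> list:
    """2. Filter and make sense of input: collapse to the worst event per asset."""
    worst = {}
    for e in events:
        cur = worst.get(e.asset_ip)
        if cur is None or SEVERITY_RANK[e.severity] > SEVERITY_RANK[cur.severity]:
            worst[e.asset_ip] = e
    return list(worst.values())


def needs_action(e: CyberEvent, threshold: str = "medium") -> bool:
    """3. Determine a need to act: only events at or above the operating threshold."""
    return SEVERITY_RANK[e.severity] >= SEVERITY_RANK[threshold]


def select_actions(e: CyberEvent) -> list:
    """4. Select actions on operational and business priority: a business-critical
    asset gets a human approval step instead of automatic isolation."""
    criticality = ASSET_CRITICALITY.get(e.asset_ip, "unknown")
    steps = [{"action": "create_ticket", "target": e.asset_ip,
              "summary": e.description, "mode": "auto"}]
    if criticality == "crown-jewel":
        steps.append({"action": "request_approval", "target": e.asset_ip,
                      "reason": "business-critical asset", "mode": "manual"})
    else:
        steps.append({"action": "isolate_host", "target": e.asset_ip, "mode": "auto"})
    steps.append({"action": "collect_artifacts", "target": e.asset_ip,
                  "artifact": "process_list", "mode": "auto"})
    return steps


def orchestrate(raw_events, threshold: str = "medium") -> list:
    """5. Express the chosen response as a machine-ingestible sequence.
    Returns a list of plan entries; json.dumps(plan) is what a tool would receive."""
    plan = []
    for e in process(normalize(r) for r in raw_events):
        if needs_action(e, threshold):
            plan.append({"playbook": PLAYBOOK["name"], "control": PLAYBOOK["control"],
                         "asset": e.asset_ip, "trigger": e.source, "steps": select_actions(e)})
    return plan


if __name__ == "__main__":
    print(json.dumps(orchestrate([IDS_ALERT, HOST_EVENT]), indent=2))
```

Two design points follow the interview rather than the code. First, the only thing the tools have to agree on is the `CyberEvent` shape and the action vocabulary; everything vendor-specific stays inside `normalize` and in whatever consumes the plan, which is what lets products be combined and recombined. Second, the `mode` field is where adoption is governed: an organization that is not ready to auto-isolate can ship the same playbook with `isolate_host` marked `manual` today and flip it to `auto` once the step has earned trust, without rewriting the process.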
About Wende Peters
Wende Peters is a member of the Principal Staff at the Johns Hopkins University Applied Physics Laboratory and is the Principal Technical Lead for Integrated Cyber Defense. That role includes serving as the DHS and NSA trusted agent on Integrated Adaptive Cyber Defense and Automated Indicator Sharing. Ms. Peters previously served on behalf of the Government as the Lead Systems Engineer for Active Cyber Defense and Lead Systems Engineer for CNCI-5. She was the Director for the National Information Assurance Engagement Center, a joint assessment and demonstration effort between NSA and DOD. Prior to transitioning to cyber, Ms. Peters was supervisor of APL’s Ship Systems Engineering and Integration group and served as the US Navy’s Chief Engineer for the Tactical Tomahawk Weapons Control System. Ms. Peters has a Bachelor’s degree in Mathematics and a Master’s degree in Applied Computer Systems.