Ramping up Your Security Operations Center

You just found out that your network is permeated with malware, and has been for months. What do you do now? You can’t just bring the whole network down. And it has affected at least 5 different organizational units. Getting approvals to remediate those systems will take forever. How can you be sure it won’t keep spreading to more organizations while you go through the tedious process of manually patching and remediating machine after machine? May as well declare a disaster and move things to the back-up site. Oh yeah, the back-ups are probably infected with the malware too.

Believe me, you are not alone in your misery. Many attacks go undetected for months because they’re part of APT targeted campaigns that are not as noisy as most attacks are, and can slip by traditional defenses. Sometimes you only find out about them through a third party such as law enforcement. However, even once a compromise is discovered, it currently takes many organizations days or even weeks to deploy actions to mitigate it. This is because incident managers generally must orchestrate responses across a myriad of roles, locations, and meetings among multiple organizational units. This coordination effort often occurs in different change control boards, which can slow the ability of the enterprise to respond quickly to attacks. Then, you have to go through the often manually intensive process of patching and remediation.

Automate Your Cyber OODA Loop

What if you could automate much of this workflow – from breach detection through planning and coordination to remediation? What if autonomous agents distributed in your network could detect compromises or vulnerabilities, and mitigate in place? What if you could automate even contextual rules and decision-making for mitigation and remediation actions – needing only to specify outlier conditions when a human-in-the-loop was needed? Each of these scenarios is already feasible, or soon will be, through on-going research and development of security orchestration tools and autonomous – “self-healing” and “self-protecting” security capabilities.

The current generation of security orchestration tools provides the ability to automate a variety of security tasks within an organization, including aspects of incident response, vulnerability management, attack detection and breach mitigation, and identity and access management. The effectiveness of orchestration capabilities is highly dependent on the availability of open APIs to allow seamless integration of the many analytic tools, data management tools and repositories, data transport and workflow tools, decision engines and controllers, and sensors that are involved in a security task. Through automation of these workflows, security orchestration tools are instrumental in accelerating the orient-decide-act portions of the OODA loop.

The effectiveness of orchestration tools can also benefit from the use of standards to help identify the software that needs to be patched or remediated. NIST and industry partners have been developing a data format called the software identification (SWID) tag to address this need. A SWID tag uses an XML-based data format containing a collection of information describing a unit of software. A SWID tag enables categorization, identification and hashing of software components, references to related software and dependencies, and other data points. SWID tags can be associated with software installation media, installed software, and software updates (e.g., service packs, patches, hotfixes).

Orchestration tools also include cutouts for manual approvals of workflow tasks. Manual approvals are important since any COA could have significant impact on critical, on-going operations. Therefore, COAs must at least be authorized at certain checkpoints by designated personnel who are knowledgeable about ongoing operations and the subtle relationships between different organizations and mission processes.

Some examples of current generation orchestration tools and solutions include CSGI Invotas’ Security Orchestrator, NetCitadel, Thundercat’s Cyber One, Vernier’s Adaptive Security Platform, Fidelis XPS, and Juniper’s Secure Analytics. Partnerships between different vendors are also beginning to emerge in the security orchestration market as well. For example, network providers, firewall vendors, and cloud providers are teaming to create large-scale orchestrations that leverage VM orchestrators such as OpenStack, SDN for network choreography, and next-generation, virtualized firewalls for agile defenses.

Security information and event management (SIEM), repository, network access control (NAC), and log management tools play a key role in security orchestration. Cisco’s Platform Exchange Grid (PXGrid), Trusted Computing Group’s Trusted Network Connect (TNC) and Metadata Access Point (MAP) server, Splunk, AlienVault, ArcSight, QRadar, ForeScout’s CounterACT are examples of tools which offer repositories that collect, parse, store and analyze a variety of security event and asset state data. Several of these tools also leverage this data to support automated workflows for network access control, insider threat detection, incident response, vulnerability management, and other security use cases.

Adaptive Security Orchestration Is On Your Horizon

There are many diverse approaches employed for automating security tasks, depending on the environment and the task at hand. For example, orchestration tools will use scripts to automate large-scale patching of vulnerabilities for endpoints, such as those required for Patch Tuesday. Process-oriented tools are often used to design the workflow and provision new users and their entitlements. In cloud environments, VM orchestrators will spin up newly minted gold images and migrate workloads to replace outdated or unpatched VMs. However, when it comes to breach detection and mitigation, several new adaptive approaches are being explored and developed. In general, these new approaches use semi-autonomous agents that can monitor for attacks, changes in endpoint state, or vulnerabilities and mitigate in place.

A variety of sensing and decision-making models are used by these different adaptive approaches for breach detection and in-place mitigation. One approach being used by many mobile device providers is to containerize the protected application together with pattern recognition elements and an encoding for mitigating actions. By this approach, when a pattern recognition element detects attack behavior, the encoded action is invoked. Such condition-action rules are user-specified and require the construction of a potentially large rule base in order to be effective. This approach is also limited to the context of that specific application or system and doesn’t account for external variables such as other system dependencies or the criticality of the application to mission requirements.

Another approach focuses on what is normal behavior and state of an endpoint, and then provides alerts and mitigation actions when deviations beyond some threshold occur. Therefore, what constitutes normal and secure states must be known. Current tools using this approach, such as Triumfant, often will combine empirical measurements of state along with statistical observations of “normal” to produce profiles for each endpoint. Then, an agent on an endpoint will keep track of changes to “normal” and perform mitigation actions when the threshold is met, or when directed by a remote controller.

Two additional research efforts that appear promising to me and highlighted here include 1) Lockheed Martin’s framework for Adaptive Immune Response (AIR); and, 2) a tool to engineer adaptive security capabilities called SecurITAS.

The AIR framework combines behavior-based sensing, adaptive pattern recognition, immunological memory, and control synthesis to achieve a system that learns to respond quickly and adapt its response to evolving cyber threats. Its data-driven approach is able to learn the appropriate mitigating action and eliminates the need for a large rule-base, enabling it to scale to complex networks. See www.atl.lmco.com/papers/2021.pdf for more information on AIR.

SecuriTAS is a novel tool, especially appealing to security architects, and is designed to support adaptive security from requirements modeling to system execution. SecuriTAS uses an economic valuation approach and a set of models (security goals/controls, assets, threats) to represent and analyze security concerns for an application or an entire network. SecuriTAS can also be used at runtime to identify an optimal set of security controls necessary to protect the system based on changes to conditions. Find out more about SecuriTAS here.

My quick survey of automated orchestration tools reflects a wide diversity in methods and utility, and I know I am barely scratching the surface. Please let me know if any of these tools suit your fancy or if there are other tools and approaches you like better and why.

Thanks for reading and stay proactive.