JHUAPL Brings SOAR Technology to Universities As Part of Educational Outreach and Adoption Strategy

Adopting a new technology can be fun but also challenging, especially if the technology is new to the market and there isn’t a lot of veteran users around who can help teach. An emerging technology such as SOAR, which aims to converge security orchestration and automation, security incident response, and threat intelligence capabilities into single solutions can be particularly difficult to learn due to its rules complexity and different integrations. SOAR solutions are not “plug-and-play,” often requiring multi-week professional services engagements to deploy as every organization’s processes and technologies are different.

Enter JHUAPL. Through the auspices of NSA and DHS, JHUAPL has been shepherding the IACD program for the last several years, which showcases the technical concepts and business value of SOAR technology. JHUAPL has been taking SOAR to the DoD and commercial users with many developed artifacts including tested integrations, playbooks, lessons learned, and much more. Recently, I learned in a discussion with Michael Herring of NSA, who has been the NSA liaison for the IACD program, about how JHUAPL is going even further to educate users by developing college level course materials to share with universities. Now students can get acquainted with the technology and concepts even before joining the work force. So read the interview below with Mr. Michael Vermilye – the JHUAPL IACD adoption lead – on how this SOAR education program is rolling out.

Spotlight on Mr. Michael Vermilye

» Title: ICD Adoption Lead, Johns Hopkins University Applied Physics Lab (JHUAPL)

» Website: https://www.iacdautomate.org/

» LinkedIn: linkedin.com/in/michael-vermilye-6745551

Read his bio below.

Chris Daly, Active Cyber™: Please give us some background on IACD and your role at JHUAPL with SOAR (Security Orchestration, Automation, and Response) technology.

Mr. Michael Vermilye, ICD Adoption Lead, Johns Hopkins University Applied Physics Lab: Integrated Adaptive Cyber Defense (IACD) is an effort that has spanned five years and is jointly supported by DHS and NSA. At its beginning there was no SOAR marketplace and a number of current SOAR vendors have credited IACD with laying the technical foundation for SOAR as well as providing a neutral place for vendors to discuss the challenges with a non-competitor.

IACD focuses on demonstrating the art of the possible using commercial products to demonstrate the power of automating defensive cybersecurity operations across the enterprise. Beyond demonstrations using products available in the rapidly developing SOAR marketplace IACD has also developed and made available references, capability descriptions for products (“thin specs”), and supporting materials for adopters.

I am the IACD lead for adoption engagement and have worked with multiple ISACs/ISAOs, state/local governments, and Federal civilian departments and agencies. The goal is to make the audiences more familiar with the SOAR concepts and advantages as well as give them materials that would ease the effort needed to implement SOAR technologies.

Active Cyber™: What was the catalyst for developing the educational modules for SOAR? How did you go about the development of the course materials and the outreach process?

Vermilye: From the inception of IACD there was a realization that a major part of shaping the marketplace and making people more aware of the advantages of SOAR was education. Education would need to span the existing workforce, SOC personnel, IT/OT maintenance staff, risk management officers, and senior C-suite officers. For that audience we have produced a number of white papers and set of materials to assist them in their decision making and implementation. The other portion of the education puzzle is the prospective workforce. This audience was the target for the newly developed set of college level course modules.

The modules were developed using existing IACD materials and contain a business case modeled after the Harvard Business Review format. We reviewed the modules internally at APL and did some sanity checks with APL staff that instruct at the graduate level.

Active Cyber™: What has been the reaction by educational institutions? What level of educational provider are you targeting? Who are some of the early adopters? How do educational providers sign up for the course modules? Do instructors receive training as well? Are instructor materials also provided?

Vermilye: The reaction by the educational institutions has been uniformly positive. The best indication that we hit the mark was the number of institutions that wanted the materials prior to final release so they could incorporate them into their Fall courses.

To this point the distribution of the modules has been based on contacts made during the trips to preview the modules. There are plans to distribute them formally through the National Centers of Academic Excellence so there is a sustainable distribution model. Instructors do not receive training but I will note that none have requested training. Instructor materials are part of the packages.

Active Cyber™: What types of outcomes are you hoping to achieve through this education outreach program? What types of secondary or tertiary effects do you believe the program will stimulate?

Vermilye: We want other members of the community to develop and provide course content and supporting products to the educational institutions that are training the next generation of cybersecurity professionals. Further effects we desire is a more informed SOAR user community that can provide the feedback and use cases that incentivize the product providers to continue to develop and enhance the capabilities and compatibility of the marketplace.

Active Cyber™: How is the course structured and what types of educational modules are available? Is this a full course or part of a larger course of instruction? What type of degree / level of education curriculum are you targeting to support? Is hands-on lab instruction part of the delivery of the course? When did you first make the materials available?

Vermilye: We developed two module packages and an optional lab exercise. This is not a full course but developed to be incorporated into existing courses. The level of education is upper undergraduate and graduate level. Module A could be incorporated into a business/MBA curriculum and Module B and optional lab module are technical and would be in a Computer Science curriculum. The lab module is part of the distribution.

Active Cyber™: Can you provide a short synopsis of what subjects are covered in the course?

Vermilye: Module A is a business case that covers an intrusion and response use case and prompts students to review the intrusion in terms of what things could have been better, on both the cybersecurity and business process side, and how SOAR technologies could have contributed to a better outcome. Module B is more technical and walks through the steps needed to develop process playbooks and derived workflows. The lab module has exercises where the students would develop and execute workflows in the educational institution’s lab environment.

Active Cyber™: What has been the reaction by SOAR vendors? What roles can vendors play in developing and/or providing SOAR education as part of this program? Is their participation enlisted through JHUAPL or directly by the educational provider involved? Is a vendor product certification achieved by students upon successful completion of the course? Are there vendor tools and licensing involved?

Vermilye: The reaction from vendors has been uniformly positive. They see the benefit of familiarizing students with SOAR technologies and the benefits in an enterprise setting. A number of vendors have stated that they are in the process of developing educational materials of their own for distribution to the wider community. In the distributed materials, there are points of contact with a number of vendors that have agreed to educational licensing so the institutions can reach out directly. Any vendor certifications would be arranged and supported by the individual vendors.

Active Cyber™: SOAR technology often requires the participation of multiple tools and playbooks to execute a course of action. Do you provide recommendation of the types of tools and/or templates of playbooks that might be needed to support the course or lab?

Vermilye: We have example templates in the course material as well as on www.iacdautomate.org . We do not provide recommendations as to products or lab configuration.

Active Cyber™: What are the longer term course curriculum development goals? How will you sustain the course and keep the materials up-to-date? Are there opportunities for internships to support the education program?

Vermilye: Currently we cannot commit to updating the materials long-term. This is based on the current task that the materials were developed under. Individual institutions may develop their own internship programs to revise and support the modules.

Active Cyber™: Have your received any feedback yet on the course materials or the actual course instruction?

Vermilye: Initial feedback was very positive. Educational staff wanted to incorporate the draft versions prior to release. Based on the timing we do not expect detailed feedback until after the Spring semester classes end and student feedback is submitted.  

Thank you Michael for this insightful look at the way JHUAPL is helping to promote the adoption of SOAR technology across multiple industries while also helping students gain valuable knowledge and experience in the use of this important technology. I look forward to seeing how the roll-out of the SOAR education modules will improve the adoption of SOAR technology in the coming years, while also laying the foundation for the skills needed to improve our nation’s overall cyber posture. I am sure with assistance from JHUAPL and the universities in the program, that students will also find promising opportunities in the workplace armed with this new knowledge and skills in applying SOAR technology. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other emerging technology topics such as augmented reality and spatial web. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.