As government and critical infrastructure sectors prepare to confront a rapidly evolving threat landscape, coordinating security across organizations has become a critical imperative.
Key steps toward closer international collaboration include NATO’s Madrid Summit Declaration announcing plans to stand up a rapid response cyber force as well as recent statements indicating an increased focus on building greater shared situational awareness with the European Union. Initiatives such as the Joint Cyber Defense Collaborative focus on collaboratively gathering, analyzing and sharing information across organizations and between the public and private sector to better defend against cyber threats.
At the most basic level, security for an enterprise entails two functions: developing and sharing a common operating picture of threat activity, and driving response. The two are interrelated but can be addressed separately. Building strong cyber defenses within a single organization is a complex task, especially for an organization with a broad operating footprint, complex networks, and multiple missions or core functions.
It is a difficult task to accomplish within a government agency or a well-resourced corporation, harder still for a small business or a local government department, and exponentially harder when security must be federated across organizations.
Organizations working together on shared or federated security often differ markedly in capabilities and resources. Their internal processes and standards may not align, they may use different tools and technology, and their leaders, analysts and security operations center (SOC) operators may have uneven skills and experience that lead them to read and interpret the same data differently.
Different types of threat information and the human element
Cyber threat information exists in multiple types that differ in volume and in relative importance to understanding and acting on threats. Tactical information is largely technical data, such as malware signatures or file hashes that identify a specific piece of malicious software; operational information is generally derived from technical and tactical data to deduce patterns such as the tactics, techniques and procedures (TTPs) used by malicious cyber actors. Production and use of tactical data are largely automated and done by security devices, while operational-level information is mostly produced and used by humans.
Situational awareness is a human issue; security devices do not need a threat board or map in order to take action. Cyber situational awareness is often built from operational level information, showing patterns of activity. Response actions, on the other hand, tend to be driven by tactical information.
Developing shared situational awareness and a common operating picture of network health and of threat activity is a cognitive challenge. While the task of gathering data can be automated and some elements of the analytic process can leverage AI and machine learning, at its heart both generating and using situational awareness is a human problem.
Individual threat analysts and SOC operators do the cognitive work of gathering data and making sense of it, and over time they get better at it. They develop mental shortcuts and gain valuable experience, which is what distinguishes the speed and work quality of a seasoned analyst or SOC operator from that of a novice. Since SOCs typically contain multiple teams of varied skill and experience, agencies often try to level-set between individuals through practices such as standard operating procedures, templates and common lexicons for threat reporting. Many government agencies also provide or leverage formal analytic training and tradecraft standards to establish a high-level common denominator across individuals.
These tools are less likely to be available when federating security across SOCs, even within the federal government. As a result, efforts to establish top-down situational awareness and have a common operating picture of threat are most likely to succeed when they are limited in scope to a single department or agency.
Why situational awareness fails us when we need it most
Critically, the challenges around developing and maintaining situational awareness become most acute under cognitive duress, information overload and operator fatigue, in other words, during a major cyber incident. Further, sharing situational awareness across organizations with different protocols, and across teams of varying skill and experience that may not be used to working together, becomes commensurately harder under pressure.
Consider the 2021 Locked Shields exercise run by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE): a coordinated international defense of a hypothetical nation against a cyberattack. Analysis of the exercise found that, in a mock crisis scenario, Blue Teams composed of CCDCOE member nations consistently struggled with the same roadblocks that inhibit collaboration at the best of times. CCDCOE’s annual report cited protecting unfamiliar specialized systems, writing good situation reports under serious time pressure, detecting and mitigating attacks in large and complex IT environments, and coordinating teamwork effectively as key areas for improvement.
But even under optimal, non-crisis conditions, generating shared situational awareness and figuring out how to use it tends to consume the bulk of the available time and resources in a SOC. Simple arithmetic suggests that if 55 or more minutes of every hour are spent on generating situational awareness and figuring out how to respond to threats, the remaining time available for response should be spent as efficiently as possible.
Approaches for enabling integrated response
Fortunately, response actions are typically driven by tactical information, data that machines can generate and consume automatically and at scale. There are several ways to enable efficient, automated cyber response in a federated operating environment.
One focuses on building response actions from cyber threat data expressed in a common format such as STIX and exchanged over a common transport protocol such as TAXII. This allows outcomes customized to the organizations being defended, but such solutions are typically custom-built, costly and slow to produce.
Another approach is to leverage key cybersecurity functions, especially Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools. These widely available off-the-shelf products are typically designed to accept diverse inputs and to generate output compatible with a wide range of vendors and tools.
A third approach is to leverage architectural overlap between the organizations being integrated, such as shared public cloud services and providers, or multivendor cybersecurity mesh architectures built for interoperability.
Both the off-the-shelf tooling and the shared-platform approaches to federated response let organizations leverage integration work done by others rather than building solutions from scratch. All three approaches benefit from common response playbooks and standard operating procedures shared across organizations.
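To make the first approach and the "common playbook" idea concrete, here is an added example that is not code from the article, from Fortinet or from any product. It reads a STIX 2.1 bundle, drops indicators that should not drive automated action (revoked, expired, not yet valid, or compound patterns whose parts must co-occur), and maps each remaining observable to a vendor-neutral playbook action that every partner organization can translate into its own tooling. The bundle, the playbook table, the action names and the reference time are all constructed for illustration.

```python
"""Turn STIX 2.1 indicators into vendor-neutral response actions.

Added example; the bundle, playbook mapping, action names and reference
time are constructed for illustration and are not real threat intelligence.
"""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle with deliberately mixed indicator states.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "spec_version": "2.1",          # expired
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "valid_until": "2024-02-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1",          # withdrawn by producer
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "revoked": True,
         "pattern": "[domain-name:value = 'c2.example.net' OR ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "spec_version": "2.1",          # AND: parts must co-occur
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'login.example.org' AND url:value = 'http://login.example.org/a']"},
        {"type": "indicator", "spec_version": "2.1",          # OR: each part actionable alone
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'drop.example.com' OR url:value = 'http://drop.example.com/p']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "cd" * 32 + "']"},
        {"type": "malware", "spec_version": "2.1",            # not an indicator, ignored
         "id": "malware--00000000-0000-4000-8000-000000000007",
         "name": "sample", "is_family": False},
    ]
})

# Hypothetical shared playbook: observable type -> action every partner can run.
# The action names are assumptions; a SOAR would map them to vendor-specific calls.
PLAYBOOK = {
    "ipv4-addr:value": "block_ip",
    "domain-name:value": "sinkhole_domain",
    "file:hashes.'SHA-256'": "quarantine_hash",
}

# Constructed reference time used when evaluating validity windows.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# One "<object>:<property> = '<value>'" comparison inside a STIX pattern.
_COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']+)'")
_COMPOUND = re.compile(r"\b(AND|FOLLOWEDBY)\b")


def _parse_time(value):
    """STIX timestamps are RFC 3339 with a trailing Z; make them tz-aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_actions(bundle_json, playbook, now):
    """Return (actions, skipped) for a STIX bundle.

    actions: list of {"action", "target", "indicator"} dicts in bundle order.
    skipped: list of (indicator id, reason) explaining why no action was taken,
             so an analyst can review what automation deliberately left alone.
    """
    actions, skipped = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        ind_id = obj["id"]
        if obj.get("revoked"):
            skipped.append((ind_id, "revoked"))
            continue
        if obj.get("pattern_type", "stix") != "stix":
            skipped.append((ind_id, "unsupported pattern_type"))
            continue
        if now < _parse_time(obj["valid_from"]):
            skipped.append((ind_id, "not yet valid"))
            continue
        if "valid_until" in obj and now >= _parse_time(obj["valid_until"]):
            skipped.append((ind_id, "expired"))
            continue
        pattern = obj["pattern"]
        if _COMPOUND.search(pattern):
            # Blocking one part of a co-occurrence pattern would over-block.
            skipped.append((ind_id, "compound pattern needs analyst review"))
            continue
        comparisons = _COMPARISON.findall(pattern)
        if not comparisons:
            skipped.append((ind_id, "no parsable comparison"))
            continue
        for key, value in comparisons:
            action = playbook.get(key)
            if action is None:
                skipped.append((ind_id, "no playbook entry for " + key))
                continue
            actions.append({"action": action, "target": value, "indicator": ind_id})
    return actions, skipped


if __name__ == "__main__":
    acts, skips = build_actions(SAMPLE_BUNDLE, PLAYBOOK, NOW)
    for a in acts:
        print(a["action"], a["target"])
    for ind_id, reason in skips:
        print("skipped", ind_id, reason)
```

The skipped list is as important as the action list: in a federated setting, each partner should be able to see not only what the shared feed made their tools do, but also what it deliberately did not do and why, so that the same bundle yields the same actions and the same review queue in every SOC.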
Some organizations have tried to take a more time-balanced approach to federating security, spending less time and effort on developing situational awareness and more on response. They are willing to accept working from an admittedly incomplete picture of threats and problems to ensure that they are maximizing their collective response. In other words, they may not understand the full magnitude of a threat, but they want to ensure that they are doing all that they can to respond to it.
Despite the challenges of working together to combat global cyber threats, better collaboration is the only way to get ahead of threat actors who grow increasingly sophisticated and emboldened with every successful attack.
As agencies and governments pivot towards a long-term heightened security posture, establishing a consistent cyber response based on best practices can minimize risk and enable cyber defenders to better work together. A robust federated cybersecurity plan should allow the diverse constellation of U.S. agencies and external partners — including allied governments and critical infrastructure providers — to act together quickly and effectively.
Jim Richberg is public sector field CISO at Fortinet.