13 July 2020 | International, C4ISR, Security

Making DoD Security Operations Centers More Effective: Security Automation

Security orchestration, automation, and response (SOAR) software frees DoD analysts to apply cognitive skills to actually fixing problems.

By SPLUNK on July 10, 2020 at 6:39 PM

The Defense Department's most recent National Defense Strategy (NDS) describes a complex military environment characterized by increased global disorder, a decline in the long-standing rules-based international order, myriad threats from rogue states like Iran and North Korea, great power peers like China and Russia, malicious hackers, and terrorists in places like Yemen. One of the military domains where this dynamic is most evident is cyberspace, where bad actors arguably have cyber capabilities comparable to or better than our own.

“This increasingly complex security environment is defined by rapid technological change, challenges from adversaries in every operating domain, and the impact on current readiness from the longest continuous stretch of armed conflict in our nation's history,” the NDS states. “In this environment, there can be no complacency—we must make difficult choices and prioritize what is most important...”

More cybersecurity threats mean more cyberattacks on DoD networks. Essye Miller, former principal deputy for the DoD CIO, said recently that attacks on department networks are surging and that the attack surface is expanding as adversaries target DoD employees working from home during the coronavirus pandemic.

This surge in cyberattacks means that analysts working in DoD information security operations centers (SOCs) are being bombarded with security alerts. With so many events, it's hard for them to differentiate true alerts from false ones, and to determine which events are priorities to address immediately. Through no fault of their own, they end up chasing their tails when their time could be better spent on mission-critical activities that directly support warfighters.

The solution for this domain is automation. While popular in commercial software segments for years—including sales force automation, marketing automation, human resources automation, and IT automation—DoD security teams are just beginning to realize the benefits of what's known as security orchestration, automation, and response.

The Value of Security Automation

“Automation is nothing new to the military. The Defense Department is making great inroads into DevSecOps, for example,” explained Drew Church, senior security advisor at Splunk, referring to an agile software development process where software is quickly developed, tested, and improved over weeks and months rather than years. “A key, fundamental concept of DevSecOps is automation. The point of automation in DevSecOps is to bring together different technologies, tools, people, and processes to develop code and get it out to the war fighter more rapidly.

“Automation provides that same capability inside IT operations procedures, security operations procedures, and other business processes,” said Church. “It does this in a reliable and repeatable fashion every time, and at speed and scale.”

Splunk's SOAR solution is called Phantom. It helps security teams identify, analyze, and mitigate threats facing their organizations. It can be used to improve efficiency, shorten incident response times, and reduce the growing backlog of security incidents, even when there's a shortfall of DoD security personnel to analyze the volume of daily security alerts.

Phantom does so by integrating teams, processes, and tools, and by automating tasks, orchestrating workflows, and supporting a range of SOC functions to include event and case management, collaboration, and reporting.

In essence, it frees SOC analysts of the usual Tier I-type activities of gathering data from the security information and event management (SIEM) platform, prioritizing these alerts, performing triage to determine if an alert is real or a false alarm, configuring and managing security monitoring tools, and generating trouble tickets.

Instead, Splunk Phantom lets them spend more time on the value-added work of Tier II SOC analysts. This includes actually investigating the trouble tickets, responding to incidents, and leveraging threat intelligence to better understand the threat and be proactive rather than reactive.

“Focusing on the bureaucracy of security rather than the actual doing of security limits the effectiveness of security analysts,” said Church. “Better to free them of the tasks that can be easily automated like reviewing IP addresses, domain names, and URLs so that they can be force multipliers in conducting the thoughtful work needed to protect DoD networks.

“That automation is done for them in Phantom. It lets analysts focus on investigating and taking remediation or mitigation steps as appropriate. Where humans excel is in actually thinking through a problem. Copying and pasting from websites, emails, and reports is not the most effective use of a highly paid, resource-limited talent pool.”
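The Tier I work described above (pulling alerts from the SIEM, deduplicating them, checking IP addresses, domain names and URLs against threat intelligence, and prioritizing what reaches a Tier II analyst) is what a SOAR playbook encodes. The following is an added illustration written for this article, not Splunk Phantom code; the alert queue, the threat-intel feed and every indicator value in it are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed threat-intel feed standing in for the enrichment sources a
# playbook would query. Hypothetical values only, not real indicators.
THREAT_INTEL = {
    "ip": {"203.0.113.7": "known C2 (constructed)"},
    "domain": {"bad.example": "phishing (constructed)"},
}

# Constructed Tier I alert queue, as a SIEM might hand it to the playbook.
ALERTS = [
    {"id": 1, "rule": "dns-beacon", "indicator": "http://bad.example/login"},
    {"id": 2, "rule": "outbound-conn", "indicator": "203.0.113.7"},
    {"id": 3, "rule": "outbound-conn", "indicator": "198.51.100.20"},
    {"id": 4, "rule": "dns-beacon", "indicator": "http://bad.example/login"},  # duplicate of 1
]

def classify(indicator):
    """Normalize an IP, hostname or URL to ('ip'|'domain', value)."""
    host = (urlparse(indicator).hostname if "://" in indicator else indicator) or ""
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        return "domain", host.lower()

def enrich(indicator):
    """Tier I lookup: the intel verdict for an indicator, or None if unknown."""
    kind, value = classify(indicator)
    return THREAT_INTEL[kind].get(value)

def triage(alerts):
    """Deduplicate, enrich and prioritize. Returns (escalate, low_priority)."""
    seen, escalate, low_priority = set(), [], []
    for a in alerts:
        key = (a["rule"], a["indicator"])
        if key in seen:  # same rule fired on the same indicator: one ticket, not two
            continue
        seen.add(key)
        verdict = enrich(a["indicator"])
        if verdict:
            escalate.append({**a, "verdict": verdict, "priority": "high"})
        else:  # no intel match is not proof of benign traffic; hold for batch review
            low_priority.append({**a, "verdict": "no intel match", "priority": "low"})
    return escalate, low_priority

if __name__ == "__main__":
    esc, low = triage(ALERTS)
    for t in esc:
        print("TICKET", t["id"], t["rule"], t["priority"], t["verdict"])
    print(len(low), "alert(s) held in the low-priority queue")
```

The analyst receives only the two enriched tickets and the count of held alerts, which is the hand-off from Tier I to Tier II that the article describes.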

Integration With Existing SOC Tools

SOC analysts make their decisions by gathering information. They sometimes review classified military intelligence, but usually they look at a lot of open-source information and data from commercial off-the-shelf products from myriad providers of cybersecurity threat intelligence products.

Some of the common ones that are relevant to the Defense Department include: McAfee's ePolicy Orchestrator, which the DoD refers to as Host Based Security Systems (HBSS); and Tenable's Security Center, which is known inside the DoD as Assured Compliance Assessment Solution (ACAS).

Splunk Phantom has more than 300 out-of-the-box integrations with products like HBSS and ACAS.

“Being integrated with each of those products permits the analyst to get the information they need without having to go to another browser window, or another tab, or a different computer,” said Church. “Phantom automatically brings all that data to the analyst. That takes somebody who spends most of their time copying information from page A into system B and lets them make more rapid and accurate determinations about the threat.”

Through the use of APIs (application programming interfaces), that same integration is also available for government off-the-shelf (GOTS) solutions that haven't before been integrated with Splunk Phantom because there was never a request to do so. The same goes for a custom app created by a DevSecOps shop like the Air Force's Kessel Run project in Boston, for example.

Automating these vital but tedious processes also pays dividends during both staffing shortfalls and times of surge, and brings consistency to SOC activities. Military service members are constantly rotating and changing duty stations; senior leadership turns over regularly. Contractors have to be relied upon to provide continuity from tour to tour.

That means that SOC processes that were well oiled on a Monday may no longer be operating smoothly on Friday because of a change of command. Or maybe there is a compelling event that grabs everyone's attention. Or possibly there are legal or policy requirements that need to be addressed, and though they don't add mission value they still must be completed.

Automation by Splunk Phantom smooths out the bumps associated with those all-too-common scenarios by keeping the flow of vital data moving to where it can be acted upon best.

“The computer's running the marathon for you so that you are free to sprint and swarm on the problems that need the most resources at any particular time,” said Church.

The Takeaway

For security analysts, incident handlers/responders, IT operations managers, security operations managers, and forward-leaning business process experts, Splunk Phantom is all about removing barriers so people can get back to accomplishing the mission, maximizing productivity of skilled personnel and organizations.

“For anybody that has a business process, a mission process, an IT operations process, or a security process and wants to free those skilled workers to get back to what you brought them onboard to do, we can help you with that,” said Church. “We do that through orchestration, we do that through automation. We bring in collaboration, and we're able to do that at scale because of the value that a company like Splunk brings to the table. By being able to have a rich ecosystem of partners and support across the board, we're able to do that even with differences from organization to organization.”

Splunk Phantom addresses technology-based processes, and orchestrates and automates those processes to get people back to doing what they do best.

https://breakingdefense.com/2020/07/making-dod-security-operations-centers-more-effective-security-automation/
