An airman from the 707th Communications Squadron reads through incoming user issues and creates work order tickets at Fort George G. Meade, MD. (U.S. Air Force photo)

Earlier this year, Breaking Defense conducted an hour-long webcast with Robert Kimball, Senior Research Scientist for Cybersecurity at the C5ISR Center at US Army Combat Capabilities Development Command, where we discussed network automation, software-defined networking, Zero Trust, and identity and access management as it relates to the Army and greater Defense Department.

The following are some of the highlights of that webcast related to network automation and SOAR (security orchestration, automation and response) software tools.

Breaking Defense: Describe the military’s motivation for using SOAR software.

Kimball: It has to do with how overwhelming and busy cyberspace is these days. The number of alerts that we have to deal with can range from hundreds of alerts up to thousands. A lot of that is not critical, but every one of them has to be checked.

One of the things that is very evident — if you go back and do forensic analysis of not just the malware we have seen, but of the process by which we detected intrusions or malicious activities or cyber events — it almost always comes down to an analyst or a set of analysts who are able to run down the thread of leads, build a picture of what is going on, pull that thread, and find the malicious act.

Given that a high number of alerts are benign, what we really want to do — and what any organization that has to operate in cyberspace has to do — is to have your trained analysts focus on the most important thing, the critical alerts. You need to give them room to maneuver so they can apply their training and critical-thinking skills to find what is important. The best way to do that is to take a tool like SOAR that will allow the mundane parts of an analyst’s job to be taken over by a machine.

The other thing that is important as attacks get much more sophisticated is that data becomes a huge component to defend ourselves. Think about all of the possible data that is available and the tremendous rate that it comes, which can potentially overwhelm a human. Certainly, for the critical things, analysts find out what is going on by streaming all of the facts together to build a picture that they can use to mitigate the cyber event.

But for everything else, that means a vast number of potential alerts just get washed into the bucket. We don’t want analysts checking the low-level alerts and clearing logs. What we really want them to do is apply their training and their critical thinking to solve the hard problems, and let machines solve the easy ones.

Having a machine able to do that fusion and look at every single alert, no matter how benign, allows the analysts to pull bigger threats and makes them more effective.

As we head toward the future, having AI and ML solutions driving our cyber operations is definitely where the future is going. Having these automation tools in place is a good way to introduce these solutions into the cyber world.

Breaking Defense: Looking at all the cybersecurity tools and strategies — automation software, AI, Zero Trust, and identity and access management — how do they work together, especially for legacy systems?

Kimball: So part of it is extraordinarily easy, right? Zero Trust is a framework for protecting data and closely controlling access, so the need for robust identity solutions for the user and device is a critical part of Zero Trust. The other element of Zero Trust is you don’t want to give the user access to the entire enterprise. They don’t need it. They need a portion of the network resources and enterprise resources to get their job done, and they need to get access to those resources, but no more. Automation and orchestration are key elements of Zero Trust, because they enable you to dynamically configure networks to support that.

The AI system will allow us to look at this huge amount of data that is coming in and generate the correlations that we need and that we can feed to an analyst so they can do something with it. It is super critical.

As we gain more trust in AI systems, we are going to see more AI-driven automation and that will feed into Zero Trust, as well. We will be able to make our Zero Trust systems that much more robust when we add AI into the various policy and decision points on whether I give access or don’t give access. This will also have a positive effect on user experience. One of the worst things you can do for someone who legitimately is supposed to have access to the data is deny that access. (AI-driven automation) will add nuance, and look at more variables and constraints to get to a more robust and more resilient solution.

Breaking Defense: What should organizations look for in a SOAR tool or solution?

Kimball: The first thing you need to do when you’re looking for a SOAR solution is to understand your own processes. It is very hard to automate what you can’t define. How well do you know yourself and how well do you know what your processes are?

There are a varying number of features in different tools; some are better at some things than others, so you need to look at the features. You need to ask yourself the question about the training level of your staff. Are you going to be able to write your own playbooks or do you need help? Some services have robust service organizations that can help you with the playbook development. Other organizations don’t need that help because they have the staff on hand that can develop the playbooks.

Some of these companies have rich, robust integrations with other tools. Other companies have less so.

Another thing to consider is, how are you going to integrate this? Is your plan going forward to integrate this within an AI/ML system? If so, there are some available solutions that have walked down that road pretty far already, others not so much. Those are some things that you want to consider.
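To make concrete the triage pattern Kimball describes (every alert gets checked by the machine, benign ones are closed with an audit record, and only the ones that need judgment reach an analyst), here is a minimal SOAR-style playbook runner. This is an example added by the editor; it is not code from the webcast, from Kimball, or from any particular SOAR product. The alerts, the allowlist, the threat-intel entries and the asset list are all constructed, and every function and rule name is an assumption chosen for illustration.

```python
"""Minimal SOAR-style alert triage playbook (constructed example, not from the interview)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    alert_id: str
    source: str                                    # producing sensor, e.g. "edr", "proxy", "ids"
    severity: str                                  # "low", "medium", "high" or "critical"
    indicator: str                                 # file hash, IP or hostname the alert is about
    asset: str                                     # host the alert fired on
    tags: List[str] = field(default_factory=list)  # filled in by the enrichment step


# Constructed lookup tables standing in for an allowlist, a threat-intel feed and an asset inventory.
APPROVED_HASHES: Dict[str, str] = {"sha256:11aa": "patch-agent.exe", "sha256:22bb": "backup-client.exe"}
BAD_INDICATORS: Dict[str, str] = {"198.51.100.23": "constructed C2 listing", "sha256:dead": "constructed sample"}
CRITICAL_ASSETS = {"dc-01", "fileserver-01"}


def enrich(alert: Alert) -> Alert:
    """Machine fusion step: attach what the lookup tables know about this alert."""
    if alert.indicator in APPROVED_HASHES:
        alert.tags.append("approved-software")
    if alert.indicator in BAD_INDICATORS:
        alert.tags.append("known-bad")
    if alert.asset in CRITICAL_ASSETS:
        alert.tags.append("critical-asset")
    return alert


# A playbook step returns a disposition string, or None to let the next step decide.
PlaybookStep = Callable[[Alert], Optional[str]]


def step_known_bad(alert: Alert) -> Optional[str]:
    return "escalate:known-bad-indicator" if "known-bad" in alert.tags else None


def step_critical_asset(alert: Alert) -> Optional[str]:
    # Anything touching a crown-jewel host goes to a human, however low the sensor rated it.
    return "escalate:critical-asset" if "critical-asset" in alert.tags else None


def step_approved_software(alert: Alert) -> Optional[str]:
    # The allowlist only auto-closes low/medium noise; a high-severity hit on approved software still gets eyes.
    if "approved-software" in alert.tags and alert.severity in ("low", "medium"):
        return "close:approved-software"
    return None


def step_low_severity_noise(alert: Alert) -> Optional[str]:
    return "close:low-severity" if alert.severity == "low" else None


# Order matters: escalation rules run before any auto-close rule can fire.
PLAYBOOK: List[PlaybookStep] = [step_known_bad, step_critical_asset, step_approved_software, step_low_severity_noise]


def triage(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Run every alert through the playbook; return closed ids, analyst-queue ids and an audit trail."""
    outcome: Dict[str, List[str]] = {"closed": [], "analyst_queue": [], "audit": []}
    for alert in alerts:
        enrich(alert)
        # First step that returns a disposition wins; unmatched alerts default to a human, never to silence.
        disposition = next((d for d in (step(alert) for step in PLAYBOOK) if d), "escalate:no-rule-matched")
        bucket = "closed" if disposition.startswith("close:") else "analyst_queue"
        outcome[bucket].append(alert.alert_id)
        outcome["audit"].append(
            f"{alert.alert_id} {alert.source} sev={alert.severity} tags={','.join(alert.tags) or '-'} -> {disposition}"
        )
    return outcome


# Constructed sample alerts covering the cases the rules are meant to separate.
SAMPLE_ALERTS = [
    Alert("A1", "edr", "low", "sha256:11aa", "ws-07"),         # approved updater, low severity -> closed
    Alert("A2", "proxy", "medium", "198.51.100.23", "ws-12"),  # known-bad destination -> analyst
    Alert("A3", "ids", "low", "203.0.113.5", "dc-01"),         # low severity but on a critical asset -> analyst
    Alert("A4", "edr", "low", "sha256:99ff", "ws-03"),         # unknown low-severity noise -> closed
    Alert("A5", "edr", "high", "sha256:33cc", "ws-05"),        # high severity, no rule -> analyst by default
    Alert("A6", "edr", "high", "sha256:22bb", "ws-09"),        # approved software but high severity -> analyst
]

if __name__ == "__main__":
    for line in triage(SAMPLE_ALERTS)["audit"]:
        print(line)
```

The design choice worth noting is the default: an alert no rule recognizes is escalated, not dropped, so automation only ever removes work the playbook has explicitly reasoned about, and the audit list gives the analyst a record of every closure the machine made on their behalf.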