To understand the Integrated Adaptive Cyber Defense system that U.S. banks and other financial institutions agreed to adopt this week, you have to think about plumbing.
“When you go to the hardware store to buy plumbing supplies, you don’t have to wonder ‘Will this fit with the plumbing I already have in my home?’ because there are universal standards,” said Tony Sager, senior vice president and chief evangelist for the Center for Internet Security.
The idea of the Integrated Adaptive Cyber Defense (IACD) system is to bring that approach to cybersecurity, explained Sager, who was a senior executive at the National Security Agency for many years. Government entities like the Pentagon and industries like banking “spend millions on these tools … and then they can’t work together,” he said, because of completely different architectures or proprietary interfaces.
Many of the latest tools come equipped with an application programming interface (API) — essentially a software portal that allows other tools to integrate. But Sager dismissed that as a jury-rigged solution.
“That’s like, I’m a builder and I publish specs: Here’s the kind of pipes you need to connect to the plumbing in the houses I build. No. Not good enough,” he said.
IACD, developed by scientists at the Johns Hopkins University — Advanced Physics Laboratory (JHU-APL), is an attempt to fix that problem at a deeper level. This week, the Financial Services Information Sharing and Analysis Council (FS-ISAC) said it was adopting the system, which is basically a collection of best practices, community-consensus driven standards, and open-source software projects.
By ensuring that software performing different automated security tasks was integrated, the IACD framework “helped reduce investigation and response time from 11 hours to 10 minutes,” the council said in a statement. In some cases, automated systems were able to respond in as little as one second. IACD also enabled a security operations team handling 65 events per day to automatically process up to 95 events at the same time.
One element of IACD is the Department of Homeland Security’s Automated Indicator Sharing program — which pumps threat and attack indicators out at machine speed to participating organizations. Another is OpenC2 — an open-source programming language that lets the different elements of a cyber-defense system communicate in real time. A third is SCAP — Security Content Automation Protocol — a set of specifications that helps integrate and automate configuration, vulnerability and patch management systems.
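As an added illustration of the kind of machine-speed exchange OpenC2 standardizes (example code written for this page, not from IACD, JHU-APL or FS-ISAC), an orchestrator builds a command and a tool-side consumer validates it and acts on a constructed blocklist. The message shape follows the OASIS OpenC2 Language Specification v1.0; the blocklist actuator, the supported action/target pairs and the sample IP range are assumptions.

```python
"""Minimal OpenC2-style command/response exchange (added example, not IACD code).

Per the OASIS OpenC2 Language Specification v1.0, a Command carries "action",
"target" and optional "args"; a Response carries an integer "status", optional
"status_text" and "results". The blocklist below is a constructed stand-in for a
real firewall or endpoint actuator.
"""
import json

# Assumed capability of our constructed actuator: which (action, target) pairs it accepts.
SUPPORTED = {("deny", "ipv4_net"), ("allow", "ipv4_net"), ("query", "features")}


def make_command(action, target_type, target_value, command_id=None):
    """Producer (orchestrator) side: serialize an OpenC2 Command to JSON."""
    cmd = {"action": action, "target": {target_type: target_value},
           "args": {"response_requested": "complete"}}
    if command_id:
        cmd["command_id"] = command_id
    return json.dumps(cmd)


def handle_command(raw, blocklist):
    """Consumer (tool) side: validate the Command, act on the blocklist, return a Response."""
    try:
        cmd = json.loads(raw)
    except ValueError:
        return {"status": 400, "status_text": "malformed JSON"}
    if not isinstance(cmd, dict):
        return {"status": 400, "status_text": "command must be a JSON object"}
    action, target = cmd.get("action"), cmd.get("target")
    if not isinstance(action, str) or not isinstance(target, dict) or len(target) != 1:
        return {"status": 400, "status_text": "command requires one action and one target"}
    (ttype, tval), = target.items()
    if (action, ttype) not in SUPPORTED:
        return {"status": 501, "status_text": f"{action}/{ttype} not implemented"}
    if action == "query":  # capability discovery: which pairs this actuator accepts
        pairs = {"deny": ["ipv4_net"], "allow": ["ipv4_net"], "query": ["features"]}
        return {"status": 200, "results": {"versions": ["1.0"], "pairs": pairs}}
    if action == "deny":
        blocklist.add(tval)
    else:  # allow: remove a previously denied range
        blocklist.discard(tval)
    return {"status": 200, "results": {"blocked": sorted(blocklist)}}


if __name__ == "__main__":
    bl = set()  # constructed actuator state
    print(handle_command(make_command("deny", "ipv4_net", "203.0.113.0/24", "cmd-1"), bl))
```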
“We are pleased to support the IACD framework,” said Jason Witty, US Bank chief information security officer and FS-ISAC board of directors vice chair. “It represents the best of public-private partnership … to make the financial critical infrastructure more secure. Rather than reinventing the wheel each time, IACD builds on lessons and investments DHS made, adding tools and innovations.”
“We absolutely believe that we can change the game on cyberdefense,” IACD lead Wende Peters told a conference at JHU-APL last month. But she added, the game-change wouldn’t be wrought through amazing technological breakthroughs. “It starts with non-exciting, not-going-to-change-the-world [or] split-the-atom kinds of technologies … It is about leveraging what we already have … through integration.”
By ensuring an organization’s different cyber tools — endpoint solutions, network monitoring and perimeter defenses — all work together seamlessly, in real time and at machine speed, IACD can transform the defensive posture of any organization, she said.
But there have historically been few incentives for vendors to make their products work nicely together, Sager pointed out. In fact, the incentives have generally pointed in the other direction, if anything. “Every vendor wants to lock you in,” he said, to make sure that you have to keep buying their products and services.
“For many years the integration engine was human beings” — either through cutting and pasting or retyping, added Sager.
Given the wide variety of approaches and different kinds of technologies that cybersecurity vendors employ, Sager said, network managers and system administrators wanted and needed to be able to buy a variety of solutions from different companies.
“I want to use multiple vendors, but I want their products to talk to each other,” he said.
Peters echoed that sentiment: “I don’t want a new solution out of the box that has to be integrated with all my other tools. We need to pull things that work together,” she said.