Integrated Cyber Defense Working Group (ICD WG) Introduction
Cory Huyssoon, Allison Cline
October 16, 2017
© 2017 by The Johns Hopkins Applied Physics Laboratory. Material is made available under the Creative Commons Attribution 4.0 International License.
Agenda
Today's Goals
What is Integrated Cyber Defense (ICD)?
Background
Overview
Information Sharing and Automation
ICD WG Purpose and Goals
Strategy
Overall Plan
Next Steps
Community Actions
Next ICD WG
Today's Goals
To kick off the ICD WG
To define the group's purpose and plan
To communicate about the effort to the larger community
Background
National Security Presidential Directive 54/Homeland Security Presidential Directive 23 established the Comprehensive National Cybersecurity Initiative (CNCI), with 12 sub-initiatives.
CNCI Initiative #5 (CNCI-5) called for increased connections between Federal Cyber Centers to create cyber shared situational awareness.
In 2012, CNCI-5 was recast by the Administration as the Enhance Shared Situational Awareness (ESSA) Initiative; machine-speed sharing became an increased focus.
ESSA provided one of the cyber community's only mechanisms for future-looking, operational collaboration; it has facilitated:
  Development and implementation of requirements-based community-wide capabilities
  Development and adoption of processes and standards across DHS, DOD, DOJ, the IC, and the DOE
National Roles and Responsibilities (bubble chart)
Background: Information Sharing Architecture (ISA)
Developed by the Enhance Shared Situational Awareness (ESSA) participants as a framework to guide investments in shared and organizational capability
The ISA Framework was designed to establish a construct for multi-partner sharing and delineated the capability and information needs for collaboration across multiple domains
It defined seven cybersecurity functions that encompass the cybersecurity activities performed by a particular organization
It also defined seven categories of information, called Enduring Functional Exchanges (EFEs), which are exchanged on an ongoing basis to enhance SSA and enable integrated operational response
The ISA Framework defined a list of technical needs that established the baseline for developing the capabilities being implemented today, which enable real-time cyber information sharing
(U) Former ESSA Coordination Forums
(U) Inter-organizational Coordination Group (ICG)
  (U) Strategic management and policy-level coordination across the ISA
  (U) Establishes IPTs, WGs, and coordinating policies among the members
(U) Implementation Working Group (IWG)
  (U) An interagency and inter-organizational body that will develop and coordinate the execution of the plan for the realization of the ISA
(U) Policy Working Group (PWG)
  (U) Will identify and solve functional policy requirements necessary to resolve policy issues that impede net-speed cybersecurity information sharing among ISA participants and their partners
ESSA: Producing the Foundation
December 2010: Published and delivered to the community and ODNI the Information Sharing Architecture (ISA): Framework
April 2011: As-Is Definition and Assessment of current information sharing activities among Centers
October 2013: ISA: Shared Situational Awareness Requirements Document v2.1 (Mission, Technology, and Information) released
2012-2015: ESSA funds initial STIX/TAXII development
February 2014: ISA: Access Control Specification (ACS) version 1.1 released
April 2014: ISA: Technical Implementation Plan v2.0 released
September 2016: ESSA stands down; full transition to DHS, Shared Capability Providers (SCPs), and community
ICD Overview
Integrated Cyber Defense Overview
Integrated Cyber Defense: extensible and flexible integration of cyber defense capabilities across all levels (platform, service, system, enterprise, multi-enterprise) that:
  Enables rapid insertion of emerging solutions
  Measurably reduces the timeline for cyber defense operations
  Measurably increases the effectiveness of cyber defense operations
  Endures in capability while allowing changes in hardware, software, and services
  Extends across both traditional and emerging environments
Relationship Between Cyber Threat Information Sharing and Active Cyber Defense Automation (diagram)
Diagram labels, in reading order: Increased Cyber Threat Information Sharing; Sightings Intelligence; Industry-driven Automated Sharing; Automated Indicator Sharing (AIS); ESSA; Malware Storefront; STIX; Advanced Autoimmunity; Threat Intelligence Platforms (TIP); Increase in Shared Information; Increased Active Cyber Defense Automation; Deduplication; Security Orchestration Products; SOC Automation; Increased Automation; Indicator Sightings; Automated Indicator Generation; Analytics-based IT Automation; Refined Information Sharing to Further Advance Automated Capabilities; IACD
An increase in the volume and types of Cyber Threat Information Sharing both enables and requires Active Cyber Defense Automation.
ICD Working Group
ICD WG Purpose and Goals
Definition: A common forum to discuss, question, and strategize cross-cutting technical evolution and migration
Purpose:
  To create and communicate a single, cohesive vision of common technology and information needs
  To work with Departments/Agencies to further advance AIS and IACD, and potentially other associated federal infrastructure
Goals: Produce community-accepted guidance for technical implementation of capabilities that enable automated defensive actions and cybersecurity information sharing
Overall ICD WG Plan
Identify the hard technical challenges
Lay out the order based on dependencies
Summarize each challenge and invite feedback and input from the IACD Community (allows for input from vendor and private communities)
Establish focus groups for each challenge
  Identify POCs to lead
  Identify participants
  Define products and schedule
  Report plan and progress back to ICD WG
Leverage ICD WG for review and comment
Finalize products
Next Steps
Actions to Community
Identify ICD WG POCs from Federal Departments and Agencies
Work within your organization to identify candidate challenges that should be worked by the ICD WG
Next ICD WG Meeting: November 14, 2017
Plan the working group's activities
List of candidate technical challenges: What are the common hard challenges to solve?
Prioritize based on urgency and interdependencies: What do we look at first?
Establish first focus group
Draft the charter outline for review and comments
  Describe the gap this WG is meant to fill
  Lay out who we are and why we are here
  Establish expectations for: Scope and Time Constraints; Activities; Membership; Reporting/Deliverables
Questions or Concerns?
Back-up Slides
ICD WG Meeting Logistics
Repository of Materials: Shared online working space on OMB MAX, https://max.gov/maxportal/home.action
Meeting Schedule: Nominally every 6-8 weeks
Roster: primary/alternates/support staff; Listserv for managing large membership roster
Establish Prioritization Process
Establish Review and Comments Process
Potential Candidate Challenges
Tiered Trust Markings
Feed Management
Scoring
IACDaaS
De-duplication / Echo Chamber Sightings
COA Sharing
Onboarding
Revocation
What else?
https://secwww.jhuapl.edu/iacd
@IACD_automate
https://www.linkedin.com/groups/8608114
icd@jhuapl.edu