One key capability DHS is working on to improve situational awareness around cyber threat data is applying more analytics to that information so it is more useful to stakeholders, a Department of Homeland Security (DHS) official said on Tuesday.
The way forward with cyber threat information that DHS obtains includes “improving our analytics, improving our capability to look across the entire landscape, piece it together and provide it back out to our stakeholders,” Danny Toler, acting assistant secretary for the Office of Cybersecurity and Communications at DHS, said at a government forum hosted by the cyber security firm Akamai. “And we’re going to provide that back out not just as another information point but something that is actually actionable, tangible to the recipients.”
Moreover, he said, DHS wants this enhanced data to be delivered to its stakeholders “in a way that is machine consumable,” which means it can be acted on at machine speeds.
Toler said that DHS will not tell its customers to take their people and analysts out of the loop in assessing the threat data the department shares with them “but we want to give you the capability to do that.” He said some organizations may be concerned that eliminating analysts from assessing cyber threat data may lead to too many false positives.
Toler said DHS is also looking to improve the cyber security posture of federal departments and agencies based on real-time threat dynamics rather than the current compliance-based approach to authorization and governance driven by information security regulations such as FISMA. The current approach is often described as a check-the-box approach to meeting cyber security standards.
With the current approach, a system might be authorized to operate for several years yet “a lot of stuff” happens in that time, he said.
Instead, DHS wants to shift to “more of a detected, real world look assessment on an ongoing basis where any organization or any element, whatever it may be, where they stand at any given time relative to the threats that exist at that moment in time,” Toler said.
In the longer term, Toler believes that DHS will shift from an approach aimed at protecting infrastructure from cyber threats to one that is more data-centric.
“I think we are increasingly going to be assuming that any infrastructure can be compromised,” he said. “That’s just a fact. So how do we accept that fact but then still protect the data? Protect the mission execution that uses that data? Infrastructure is replaceable and recoverable. Data? Not so much.”
Several industry officials involved in cyber security recently told a House panel that DHS’ year-old Automated Indicator Sharing (AIS) portal, which receives cyber threat indicators and signatures from stakeholders in the private and public sectors and also shares indicators back out to those sectors, was a step in the right direction. The portal allows cyber threat signatures to be shared in near real time.
DHS has 34 federal and 98 non-federal entities connected to AIS. These entities are able to receive and share the cyber threat indicators. Several of the connected non-federal entities are Information Sharing and Analysis Centers (ISACs) or cyber providers who can redistribute indicators to their members. The department also has almost 100 non-federal entities that have signed up to participate but are not yet connected.
However, the industry officials also said there needs to be more context around the data being shared to make it easier to analyze aspects of the threat, such as where it may be coming from.
Toler said that DHS has been using reputation scores for the indicators to help give them credibility and context, such as how often something has been seen.
An initial assessment of the indicators being shared through AIS shows that it is “quality” and “timely” data, Toler said. He added that DHS is “polling” its stakeholders to find out how they are “operationalizing” the indicators the department is sharing.
“We don’t want to give any of our stakeholders just one more piece of information that goes into the flood of data and information they already have,” Toler said. “We want to give them something that again is actionable, is tangible that truly impacts their operations.”
Toler also said that DHS wants to gather the data it receives from stakeholders on how they are operationalizing the threat indicators and use it to create best practices that can be shared across the “broader community.”