How a Common Language for Cyber Threats Boosts Security

Steve Kirk is the vice president of federal at Fortinet.

Cyberattacks are increasing in frequency, and government agencies are under constant attack. This nonstop assault is facilitated by the rapidly growing complexity of today’s networks. Cloud-based services, internet-of-things devices, bring-your-own-device programs and wireless connectivity have dramatically expanded the threat landscape, creating a greater number and diversity of vulnerabilities.

To combat these threats, most agencies have stacked their security strategy with multiple security devices, typically from multiple vendors.

The problem is those devices often don’t talk to one another. These interoperability challenges can hamper efforts to share cyber threat information across and between networks and frustrate attempts to respond to threats in a timely manner.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Driven by the needs to standardize threat intelligence communications across various business applications on the network, implement open architectures and automate security tasks, security requirements for federal and local governments are in a state of flux. To remain responsive, resilient and agile, government organizations must adopt open, integrated and automated security architectures.

Creating Specifications

The federal government and private sector agree on the need for a common language to enable the rapid exchange of intelligence. The first step, then, in sharing threat information is to standardize the structure and format of threat data so that it is interoperable across various networks and platforms.

Several groups have created technical specifications for this purpose. The U.S. Computer Emergency Readiness Team strongly encourages the use of the Trusted Automated eXchange of Indicator Information, or TAXII, the Structured Threat Information eXpression, or STIX, and the Cyber Observable eXpression, or CybOX. TAXII, STIX and CybOX are free, community-driven technical specifications that represent cyber threat information in a standardized format. They enable automated information sharing and thus foster cybersecurity situational awareness, real-time network defense and sophisticated threat analysis.

The National Cybersecurity and Communications Integration Center (part of DHS’ Office of Cybersecurity and Communications) and US-CERT are supporting global adoption of these standards to be used around the world in order to enable nations to share information in the battle against cybercrime.

Why Interoperability is Critical

Interoperability between security tools is enabled by standardizing threat intelligence formats. Using an open API architecture, products and systems from different vendors can connect, share information and work as a unified security platform. Such a platform also supports end-to-end visibility across all components of a security architecture. This advantage is a force multiplier and the reason why government acquisition requirements specify open architectures and connectivity. 

Another element that facilitates easier enforcement of government standards is an open architecture. This is the idea behind the National Institute of Standards and Technology Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” This publication defines everything government agencies, and organizations working with government agencies, must have in place to secure their systems along with what is often extremely sensitive data.

Publications like this can be long and complicated. Determining whether a particular product is consistent with the guidance they provide is often a time-consuming manual task. An open architecture gives government acquisition organizations the ability to use a centralized, automated compliance mechanism to rapidly evaluate offerings from different vendors against standards and regulations.

Enabling Automation

Orchestration and automation may be the most significant advantages governments obtain when they adopt standard threat information formats. It’s no secret there is a cybersecurity talent shortage. To manage a growing volume of increasingly sophisticated threats, it is critical to have infrastructure and security tools that enable quick, automated and synchronized responses without human intervention.

The goal of Open C2 and other groups work is to expand the development of orchestration software and standardized command and control languages. Central to the OpenC2 movement’s platform is the idea that standardizing language between machines enables rapid response to shared threat intelligence.

As the OpenC2 forum states, “Future defenses will require the sharing of indicators, the coordination of responses between domains, synchronization of cyber defense mechanisms and automated actions at machine speed against current and pending attacks.”

Another benefit of standardized command and control languages and interfaces is they simplify integration. There’s no need to train staff on every new technology in order to support enterprise adaptation and integration.

A Holistic Network Security Approach

The vision for a more secure network is a holistic approach that automates the processing and analysis of threat information from many different sources. A system like this would rapidly detect network threats and then respond with a coordinated effort. These would be labor-intensive and time-consuming tasks to perform manually, but an automated process enables a security response almost instantaneous.

By standardizing threat information and command and control language and using open architecture, global cooperation is possible. This not only strengthens network security, but it also helps government agencies prevent breaches—all without adding to the payroll. The technology exists today to make this vision a reality, which should be pursued to maximize the safety of government and citizen data.