Amid the lingering shadow of the Colonial Pipeline ransomware attack, President Biden signed an executive order last week that outlines “bold changes” that overall take a risk-led approach to cybersecurity and attempt to bridge the gap between cyber threat intelligence and operations.
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the order states.
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity,” the White House said in a statement.
Realignment: Risk, Threat, Response
While the new executive order is not a significant departure from those issued by previous administrations, it does attempt to realign and standardize security processes and procedures to take a risk-led approach to cybersecurity and to bridge the gap between threat intelligence and operations.
“The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies,” the order states. “Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.”
The order also gives the Secretary of Homeland Security 120 days to develop a standard playbook for cyber incident response.
“Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans varies widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.”
The executive order also creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. “Robust and consistent logging practices will solve much of this problem,” the White House stated.
The federal government, and the broader business and critical infrastructure communities, desperately need to bridge the gap between cyber threat intelligence (CTI) and security operations. A modern CTI program can provide the government and the private sector a prioritized view of the following:
- Financial risk
- Tactical threat
- Actions to take
The realignment called for in the Biden administration’s executive order clearly attempts to fuse risk, threat, and response to create a complete decision and operational support system for cybersecurity.
ThreatConnect has long been known as a leader in the Threat Intelligence Platform (TIP) market. We understood the need to enable large enterprises to aggregate all available threat data – both internal and external, structured and unstructured – analyze it rapidly, distill it down to understand the most critical threats, automate actions, and then produce tactical, operational, and strategic threat intelligence all in one place.
We also believe that a TIP should allow secure crowdsourcing to surface more intelligence than you could on your own – that’s why we built CAL (Collective Analytics Layer) to harness the work of thousands of threat analysts around the globe. But that wasn’t enough. We recognized the need to make this intelligence work with your other systems to automate action based on workflows you establish.
Security orchestration and automation integrates different technologies and allows you to conduct defensive actions: it increases your effectiveness in stopping, containing, and preventing attacks.
What should you look for in a world-class SOAR Platform? Your SOAR should be capable of:
- Providing a central location to integrate security tools and processes
- Automating collection, mapping, enrichment, hunting, and tracking of threats
- Operationalizing curated intelligence faster
- Increasing speed of holistic context on intelligence by connecting technologies
- Leveraging Playbooks to delegate and automate tasks and remove roadblocks
- Real-time collaboration across roles and teams
- Workflows and Case Management to improve efficiency
- Record, Analyze and interact with all information related to a case
- Expedite artifact collection from a variety of sources
- Reduce the risk of missing critical steps
- Get instant updates with a team-based notification system
- Creating a continuous feedback loop across intelligence, operations, and response teams