Jan 26 2021

Cybersecurity Automation for the Federal Government

Automation can allow federal agencies to focus their time and resources on emerging dangers while still staying protected against routine threats.

Cybersecurity has always been a major concern across the federal government, but the issue has been supercharged in the past month in the wake of the disclosure of a suspected Russia-based cyberattack that has compromised agencies and the private sector. More details about the attack continue to emerge, and there likely will not be easy fixes.

Alejandro Mayorkas, President Joe Biden’s nominee to lead the Department of Homeland Security, said at his Senate confirmation hearing that he would review DHS’ Einstein and Continuous Diagnostics and Mitigation programs to determine whether they “are appropriately designed and appropriately and effectively executed” to stop similar attacks, according to FCW. “And if not, what other defenses need we develop in the federal government to best protect our very valuable equities and resources?” he added in response to a question from Sen. Maggie Hassan during the hearing.

One avenue that the federal government has been exploring in recent years is cybersecurity automation, which may get a push in the Biden administration in the wake of the attack.

Automating cybersecurity controls can help agency IT security teams handle a high volume of alerts. Additionally, cybersecurity automation can help cybersecurity analysts speed up investigations and remediation.


Is Cybersecurity Automation a Reality?

Cybersecurity automation is not new, but many agencies are still experimenting with it. However, its benefits are clear.

“Security automation and orchestration provide these teams with a fighting chance to work their way through an almost insurmountable volume of work to detect, eradicate and recover from cybersecurity incidents,” writes Jeff Falcon, CDW cybersecurity practice lead, in a CDW blog post.

A move to embrace cybersecurity automation could save agencies time and money and allow cybersecurity analysts to focus on actually analyzing data and coming up with new security strategies as opposed to looking through log reports, for example.

“We’ve got to get away from the mindset of ‘you can account for every alert.’ You’ve got to embrace orchestration and [security orchestration, automation, and response] technologies — artificial intelligence, machine learning. You have to embrace this,” Mike Witt, associate CIO for cybersecurity and privacy at NASA, says in a webinar recorded in August 2020, according to GCN. “You have to take advantage of playbooks and push your teams to basically do a lot of these automated responses so that you can focus your limited analyst power … on some of the more interesting things.”

Rishi Bhargava, a vice president of product strategy at Palo Alto Networks, agrees with Witt. “Automation can play a critical role in aiding security teams with a deluge of security alerts, speeding up their investigations and handling the manual busywork that comes with triaging incidents,” he says. “This helps to effectively reduce the mean time to respond for alerts.” The mean time to respond (MTTR) measures the average time it takes to contain and remediate a threat.

How to Use Cybersecurity Automation in Government

There are numerous ways in which cybersecurity tasks can be automated at government agencies. Here are some examples, but this list is by no means exhaustive.

  1. Automation can and should be used for tasks that are repeatable, repetitive and happen with a high degree of frequency, according to Bhargava.

    “For example, phishing is a good use case for automation because it’s a common attack vector and the process for dealing with suspected phishing emails is relatively consistent from one email to the next,” Bhargava says. “You need to determine where the email originated from, if it is malicious or a false positive, who was impacted by the email, delete all instances of the email, block the offending sender and follow up with the impacted end users. Rinse and repeat for each email.”

    He notes that “each of these steps performed manually would involve multiple systems and lots of communications between teams, averaging about 45 minutes for each incident, taking a huge chunk of the security team’s time.”

    Automation tools can gather relevant data and present this information in an easily consumable format to the human analyst, Bhargava says, “who then makes the final decision to treat the email as malicious (and thereby spin off a series of automatic remediation actions) or close the incident as a false positive.”

  2. Cybersecurity automation tools can be used to correlate and aggregate logs and threat intelligence feeds, “stitching together incidents to gain context and applying analytics to uncover stealthy attacks and in dealing with incident response cases,” Bhargava says.

  3. Automation tools can be used in incident response cases, such as those involving phishing, endpoint malware infections, vulnerability alert management, threat intelligence management, anomalous user behavior, cloud policy misconfigurations and cloud threats, according to Bhargava.

    Anil “Neil” Chaudhry, director of AI implementations at the General Services Administration’s IT Modernization Centers of Excellence, tells FedTech that machine learning tools can enable agencies to train a model that is periodically reinforced to help “identify cybersecurity threats and remediate them at scale.”

    “So, it’s a very interesting concept, because now what you have is your cybersecurity workforce in your agency is no longer engaged in administrative firefighting,” he says. “They’re actually focused on emerging threats that are using combinations of technology and social engineering, and working on planning for future attacks and how future intrusions will take place.”

  4. Additional security use cases for automation include security compliance violations, SSL certificate management, remote user access monitoring and Internet of Things security threats, Bhargava says.

  5. An open and extensible Security Orchestration, Automation and Response (SOAR) platform can be used to extend automation beyond security teams to HR case management, network performance monitoring, DevOps processes, employee shift management, identity and password management, and even physical security management, according to Bhargava.
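A worked illustration of the phishing playbook Bhargava describes in item 1 above (determine origin, judge malicious or false positive, find who was impacted, then delete, block and notify once the analyst decides). This is added example code, not from the article or any vendor product; the message store, the threat-intelligence domain list and the agency addresses are constructed sample data.

```python
from collections import namedtuple
from urllib.parse import urlparse

Msg = namedtuple("Msg", "id sender subject recipient urls")

# Constructed threat-intel feed of known phishing domains (not real indicators).
KNOWN_BAD_DOMAINS = {"login-verify.example", "acct-reset.example"}

# Constructed message store: the reported email, a second copy of it sent to
# another user, and an unrelated benign newsletter.
MAILBOX = [
    Msg("m1", "it-desk@login-verify.example", "Password expires today",
        "alice@agency.example", ["http://login-verify.example/reset"]),
    Msg("m2", "it-desk@login-verify.example", "Password expires today",
        "bob@agency.example", ["http://login-verify.example/reset"]),
    Msg("m3", "newsletter@vendor.example", "Monthly update",
        "alice@agency.example", ["https://vendor.example/news"]),
]


def enrich(reported_id):
    """Gather the facts an analyst needs: origin, indicator hits, impacted users."""
    msg = next(m for m in MAILBOX if m.id == reported_id)
    origin_domain = msg.sender.split("@")[-1].lower()
    url_domains = {urlparse(u).hostname for u in msg.urls}
    hits = ({origin_domain} | url_domains) & KNOWN_BAD_DOMAINS
    # "All instances" = every copy with the same sender and subject.
    instances = [m for m in MAILBOX if m.sender == msg.sender and m.subject == msg.subject]
    return {
        "sender": msg.sender,
        "origin_domain": origin_domain,
        "indicator_hits": sorted(hits),
        "instance_ids": [m.id for m in instances],
        "impacted_users": sorted({m.recipient for m in instances}),
    }


def remediate(summary, analyst_verdict_malicious):
    """Turn the analyst's final decision into the ordered automated actions."""
    if not analyst_verdict_malicious:
        return ["close:false_positive"]
    actions = [f"delete:{mid}" for mid in summary["instance_ids"]]
    actions.append(f"block_sender:{summary['sender']}")
    actions += [f"notify:{user}" for user in summary["impacted_users"]]
    return actions


if __name__ == "__main__":
    summary = enrich("m1")
    print(summary)
    print(remediate(summary, analyst_verdict_malicious=bool(summary["indicator_hits"])))
```

The analyst still makes the verdict; the indicator hits are only presented as evidence, matching the human-in-the-loop step Bhargava describes.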


Cybersecurity Automation Tools: What Is a SOAR Platform?

SOAR platforms that “unify security orchestration, automation, case management and threat intelligence management are the amalgamation of three historically distinct technologies,” according to Bhargava.

Those are security incident response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs).


The key to making cybersecurity automation work is conducting a risk analysis to see which gaps exist already, says Jim Richberg, a Fortinet field CISO focused on the U.S. public sector.

“Automation technology including machine learning or artificial intelligence can close gaps by correlating threat intelligence and coordinating responses at machine speed,” Richberg says. “In particular, government IT leaders with limited budget resources and staff should leverage automated technologies to accelerate detection and response first and foremost, which in turn immediately frees up time for humans to focus on other cybersecurity needs.”

This kind of automation “is not easy to set up, and it will take a good understanding of your environment, tools and processes to make it work,” Jesse Wiener, a solution domain manager for CDW’s security practice, writes in a CDW blog post, “Tapping Automation to Improve Your Threat Response.” However, he notes that solutions such as Splunk Phantom and others can help.


How Agencies Are Approaching Cybersecurity Automation

Federal agencies have been dabbling with cybersecurity automation tools and are looking to see how they work before potentially expanding their use.

Lou Charlier, deputy CIO at the Labor Department, tells FedTech that the agency has been “very aware of automation tools and AI and machine learning for quite a while.” Last year, the department teamed up with the GSA’s IT Modernization Centers of Excellence program and implemented some robotic process automation tools for security. The department is also using AI and machine learning tools.

“They allow the IT security team to detect any suspicious activity before the attack occurs,” he says. “We’re piloting or planning to use additional ones.”

The Labor Department sends and receives 18 million emails a month, Charlier notes, in addition to the 77 million it routinely blocks. Much of that work is done with AI and machine learning tools, which Charlier says “enhance our capabilities, because they use that data to learn the habits and the patterns that pose that threat and then predict behaviors and create that digital footprint that notices when something’s happening out of the ordinary.”

In some cases, Charlier says, the AI tools “can recommend responses to situations and make predictions based on the historical data.”

“So, this technology just helps our staff handle the higher volume of threats and allows us to focus on those higher risk threats, stretching our ability to respond to those,” he says.

The Defense Department has been a major proponent of cybersecurity automation tools, Wendi Whitmore, vice president of IBM X-Force, which focuses on incident response and threat intelligence, tells Nextgov.

The Defense Innovation Unit in July 2020 issued another transaction agreement for a new prototype that will bring an “intelligent decision automation platform” to the Air Force Network, FedScoop reports.

The tool uses an older form of artificial intelligence, and “instead of creating large neural networks based on data, uses advanced probability-based mathematics that simulates decision-making,” FedScoop reports. The publication adds that if the pilot is successful in the Air Force, it could be scaled across the military.
