Integrated Cybersecurity Orchestration Platforms (ICOPs) have the potential to automate incident detection/response and streamline cybersecurity operations.

To fully understand the state of cybersecurity at enterprise organizations, it's worthwhile to review a bit of history. In the early days of Internet connectivity, information security was viewed as a necessary evil, so enterprise security budgets tended to be pretty stingy. CEOs didn't want good security; they wanted "good enough" security, so they were only willing to provide minimal funding. Given measly cybersecurity budget dollars, security managers spent money where they had to: mostly on host-based security software (aka antivirus) and perimeter defenses like email security gateways, firewalls, IDS/IPS, etc. Additional security defenses were added organically as countermeasures to new types of cyber-threats (e.g. web threats, APTs, etc.).

So 15 years of dealing with cybersecurity on a tactical basis led us to where we are today. Enterprise cybersecurity infrastructure is made up of an army of independent point tools that require individual administration and deliver discrete reporting and security telemetry. Piecing together a holistic view of security monitoring and defense-in-depth depends on manual processes and the individual skill sets of cybersecurity team members.

Simply stated, this piecemeal and human-dependent cybersecurity infrastructure is no match for today's malware volume, sophisticated cyber-adversaries, and targeted attacks. So what can be done? Many organizations believe that they can improve security efficacy and operational efficiency by unifying disparate point tools into a common security architecture. According to ESG research, 48% of security professionals say that their organization plans to build an integrated cybersecurity infrastructure featuring central command-and-control (i.e. policy management, configuration management, security analytics, etc.) and distributed policy enforcement as part of their cybersecurity strategy moving forward (note: I am an ESG employee).

In the past, cybersecurity integration was synonymous with a proprietary architecture from a single vendor, but this is finally changing with the rise of Integrated Cybersecurity Orchestration Platforms (ICOPs). There are a number of burgeoning ICOPs in the market, from open source options (e.g. Netflix's Fully Integrated Defense Operations (FIDO)), to government initiatives (e.g. Integrated Active Cyber Defense (IACD) from the US Dept. of Defense), to a number of more turnkey ICOPs from startups like First Hour, Hexidite, Invotas, Phantom Cyber, and Resilient Systems. At a high level, ICOPs act as a cybersecurity hub to:

- Aggregate inputs. ICOPs consume telemetry from detection and forensics tools from vendors like Bit9 + Carbon Black, FireEye, Hexis Cyber Products, and Palo Alto Networks, as well as threat intelligence from firms like iSight Partners, Norse, Symantec, and Webroot. The telemetry is accessible from a central system, alleviating the need to analyze security intelligence on a tool-by-tool basis.

- Correlate, enrich, and manage security data. Independent alerts and anomalies are combined with other relevant data in order to present analysts with a much more detailed picture of any security event or cyber-attack in progress. For example, when an anti-malware gateway discovers a suspicious file, ICOPs can correlate this alert with endpoint and network forensics data, further malware analytics, and threat intelligence sources. As part of this correlation, ICOPs can be programmed with threat scoring algorithms to help SOC teams prioritize the security events that demand immediate attention.

- Initiate outputs. Beyond analysis, ICOPs can work with distributed enforcement technologies to expedite response actions like quarantining a zombie PC, generating a new firewall rule, or simply opening a trouble ticket.

ICOPs work best when individual cybersecurity technologies are designed for out-of-the-box integration with open APIs, message buses, and support for threat intelligence standards (e.g. STIX, TAXII, etc.).

The cybersecurity industry is booming, generating an obscene amount of hype. In spite of all the hot air, however, ICOPs could be the real deal, as they have the potential to help CISOs mitigate risk, accelerate incident detection/response, and streamline cybersecurity processes. I'll be paying close attention to ICOP development in the months to come.
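The three hub functions described above (aggregate inputs, correlate/enrich/score, initiate outputs) can be sketched as one small pipeline. The following is an added illustration, not code from this article or from any of the ICOP products it names: the alert feeds, the threat-intelligence entries, the severity weights, the scoring formula and the score-to-action bands are all constructed for the example, and the "actions" are records a SOAR engine would dispatch rather than real enforcement calls.

```python
"""Toy ICOP-style pipeline: aggregate -> correlate/enrich/score -> initiate outputs.
Every tool name, field, sample event and threshold here is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed telemetry from two hypothetical point tools (not real product output).
GATEWAY_ALERTS = [
    {"source": "mail_gateway", "host": "ws-17", "sha256": "a" * 64, "severity": "medium"},
    {"source": "mail_gateway", "host": "ws-22", "sha256": "b" * 64, "severity": "low"},
]
EDR_ALERTS = [
    {"source": "edr", "host": "ws-17", "sha256": "a" * 64, "severity": "high"},
]
# Constructed threat-intelligence feed keyed by file hash (stands in for a STIX/TAXII feed).
THREAT_INTEL = {
    "a" * 64: {"confidence": 90, "family": "constructed-dropper"},
}

SEVERITY_WEIGHT = {"low": 10, "medium": 30, "high": 50}  # constructed weights


@dataclass
class Incident:
    host: str
    sha256: str
    sources: set = field(default_factory=set)  # which tools reported it
    max_severity: int = 0                      # highest severity weight seen
    intel: Optional[dict] = None               # enrichment from the intel feed
    score: int = 0


def aggregate(*feeds):
    """Aggregate inputs: merge alerts from every tool into one stream."""
    return [alert for feed in feeds for alert in feed]


def threat_score(inc):
    """Constructed scoring: severity + corroboration bonus + intel confidence, capped at 100."""
    score = inc.max_severity
    score += 20 * (len(inc.sources) - 1)      # independent tools agreeing on the same event
    if inc.intel:
        score += inc.intel["confidence"] // 2  # hash is known-bad according to the intel feed
    return min(score, 100)


def correlate(alerts):
    """Correlate on (host, hash), enrich with threat intel, and rank by score."""
    incidents = {}
    for a in alerts:
        key = (a["host"], a["sha256"])
        inc = incidents.setdefault(key, Incident(host=a["host"], sha256=a["sha256"]))
        inc.sources.add(a["source"])
        inc.max_severity = max(inc.max_severity, SEVERITY_WEIGHT[a["severity"]])
        inc.intel = THREAT_INTEL.get(a["sha256"])
    for inc in incidents.values():
        inc.score = threat_score(inc)
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


def initiate_outputs(incidents):
    """Initiate outputs: map score bands to response actions a SOAR would dispatch."""
    actions = []
    for inc in incidents:
        if inc.score >= 80:
            actions.append(("quarantine_host", inc.host))
            actions.append(("open_ticket", inc.host, "P1"))
        elif inc.score >= 40:
            actions.append(("open_ticket", inc.host, "P3"))
        else:
            actions.append(("log_only", inc.host))
    return actions


def run_pipeline():
    """Run the whole hub once over the constructed feeds."""
    incidents = correlate(aggregate(GATEWAY_ALERTS, EDR_ALERTS))
    return incidents, initiate_outputs(incidents)


if __name__ == "__main__":
    ranked, dispatched = run_pipeline()
    for inc in ranked:
        print(f"{inc.host} score={inc.score} sources={sorted(inc.sources)}")
    print(dispatched)
```

The point of the example is the middle stage: a gateway alert on ws-17 that would be "medium" on its own is corroborated by the EDR tool and matched against the intel feed, so it is scored to the top and gets a quarantine plus a P1 ticket, while the uncorroborated low-severity hit on ws-22 is only logged. A real deployment would replace the constructed feeds with the tools' APIs or a message bus, and would keep the scoring weights under version control so analysts can audit why a given action fired.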