Presidential Executive Order: “Collect and Preserve” Incident Data. Is this the Catalyst for Cybersecurity’s Black Box?

President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity defines a solid path forward for the Federal government and its suppliers to address systemic problems in defending cyberspace. The EO calls on suppliers to “collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation,” in effect, calling on government agencies and suppliers to deploy black boxes for cybersecurity. Rather than see this as an onerous requirement, it is worth remembering how the FAA’s requirement for all commercial aircraft to carry black boxes with flight data recorders dramatically improved aviation safety and security. A similar outcome is possible for cybersecurity. 

In 1967 the U.S. government required commercial aircraft to carry a black box that contained a cockpit voice recorder and a flight data recorder. Black boxes helped the government and aviation industry piece together aviation events ranging from near misses to crashes. The requirement drove important safety and security improvements, benefiting the aviation industry and the flying public. Given the rash of debilitating cyberattacks — from nation-state actors and criminal organizations — the Federal government, its suppliers and private sector companies should embrace the concept.    

Cloud-Based Black Boxes

The Cloud has enabled security vendors and companies to easily integrate and automate data from disparate security tools and threat intelligence sources. Companies rely on these capabilities given the flexibility to securely manage intelligence from detection systems and external threat intelligence sources. For example, today companies integrate and automate data from internal security tools such as Spunk ES, QRadar, and ServiceNow with open source and proprietary intelligence feeds. Fusion in the Cloud reduces the mean time to detect and respond to events, and reduces analyst cycles.

So, how does this relate to the EO and black boxes?  The data — event alerts, case management tickets and threat intelligence — are ingested and reside in secure, cloud-based repositories. TruSTAR refers to repositories as enclaves. Enclaves give a company a holistic understanding of its cyber intelligence. Security tools can automatically recall and connect past events with new alerts. Companies can leverage no-code intelligence workflow capabilities to enrich events, automatically updating security applications with high-priority events.

Enclaves, it turns out, can support the requirement under the EO to “collect and preserve” incident data, similar to black boxes. As discussed in the Cloud Security Alliance’s Cloud-based, Intelligent Ecosystems whitepaper, enclaves fulfill an operational need within companies for a living “cyber memory,” updated in real-time with event data to ensure continuity of knowledge. However, in an incident, enclaves address the need to “collect and preserve” incident-related information, as called for in the President’s EO. Data stored within enclaves is encrypted with permission-based access controls.

Enclaves can fulfill other elements of the executive order, including reducing the barriers to information sharing. For example, cloud-based enclaves allow for seamless exchanges of information, and include natural language processing to redact proprietary or personally identifiable information. Today, several sharing organizations, such as the IT-ISAC and RH-ISAC, leverage TruSTAR’s enclaves to exchange event information. In addition, enclaves could support the National Cyber Safety Review Board established under the EO to investigate significant incidents. 

Perhaps most exciting is the potential long-term benefit of creating a collective memory of cyber events. Holistic analysis of event data across enclaves will expose patterns heretofore unknown. Analysis of data across several enclaves can reveal previously unknown connections between events or success strategies. For example, in the federal government’s case, one agency may successfully identify or thwart a problem while another falters. A data-centric approach to analyzing data across enclaves will foster successful defense strategies as much as it would expose failures.  

TruSTAR was founded to prevent intelligence failures in cyberspace. Cyberspace represents a far more complex problem than counter-terrorism given the pace and volume of attacks and dependence on information systems. Cyberspace is society’s lifeblood and Achilles Heel. A data-centric approach to integrating and automating security data and removing technical barriers to information sharing is critical. The President’s EO is a significant step in the right direction to not only help prevent cyber 9-11s, but advance our overall cybersecurity strategies.