Albert Einstien once famously said, "We cannot solve our problems with the same thinking we used when we created them." This quote resonates deeply in today’s cybersecurity landscape. After three decades of battling cyber threats, it’s clear that relying on individual company defenses has its limits. Instead, companies should embrace new thinking and collaborate to enhance their collective cyber defense.
Corporate collaboration is not an anathema. Just as companies united to address common policy issues and develop standards, they can also work together to strengthen cybersecurity. Moving beyond information exchange, this collaboration could involve building a shared defense infrastructure to supplement individual company defenses.
An Automated Cyber Defense Federation (ACDF) offers a straightforward structure: a leadership council to set technical support, budget, and success metrics, and, if needed, an operations coordinator to manage tools. The primary goal of an ACDF is to reduce the time it takes to detect and respond to cyber events by leveraging cloud-based automated security tools. This collaboration is not just about protecting individual companies — it’s about securing the whole network.
As for costs, the financial commitment of an ACDF would be determined by its members. Companies could “buy in” to a federation or invest in a platform that manages multiple defense federations. This flexibility allows each company to choose a level of involvement that aligns with its resources and needs, making ACDFs a practical and scalable solution for modern cybersecurity challenges.
Here’s how an ACDF would function:
- Intelligence Management: Using automation, normalize, fuse, and prioritize data from companies and recirculate relevant output to member companies. For example, companies could not only automate the exchange of indicators of compromise (IOCs), but also, the circulation of malware code detection sets would expedite malware identification.
- Data analytics: Over time, an ACDF would create a “cyber memory” from past events that members could tap to expedite problem identification. This data could be used to train ML protocols to accelerate event identification.
- Response coordination: An ACDF would circulate Security Orchestration and Automated Response (SOAR) playbooks.
How does an ACDF differ from an ISAC/ISAO?
Traditional Information Sharing and Analysis Organizations (ISAOs) are essential in fostering information exchange within infrastructure sectors, but there’s room for improvement. ACDFs self-organize by need rather than industry or interest groups. They can range from just a couple of companies to several hundred. For example, a large company could form an ACDF to boost the security of its supply chain partners. ACDFs complement, rather than replace, ISACs or ISAOs, which focus on sector-specific needs and work with government agencies like CISA at DHS.
What is the role of an analyst in an ACDF?
Analysts sift through large volumes of material from security tools and threat intelligence reporting in a traditional SOC. They hop from tools and sources and manually fuse data. The process is tedious, fusing information from security tools and intelligence sources. They are often confronted with conflicting information. For example, threat feeds assign differing levels of severity to intelligence, forcing analysts to pause and evaluate source credibility. In the case of an ACDF, an analyst would have a minimal role as contributing organizations would leverage automated intelligence workflows.
What is the role of AL/ML?
Using ACDFs opens up the opportunity to apply Machine Learning and Artificial Intelligence. It offers a chance to build a powerful cyber memory between the participating parties via LLMs. As each participant contributes suspicious event data, the ACDF will become more valuable to members, increasing their collective defense capabilities. Even if some organizations submit inaccurate data by accident, experiments have shown that neural networks can learn their subject matter even with unreliable data. According to Ray Kurzweill in The Singularity is Nearer, “if training data is labeled correctly only 60% of the time, a neural net can still learn its lessons with an accuracy well over 90%.”
Given that more than two organizations will contribute insights to the ACDF, ML/AI can be applied to enrich data , accelerating the identification of threats. Suspicious code-shared by membership, for example, can train machine learning, speeding up future detections. As analysts will have a minimal role in ACDFs, they become autonomous SOCs. While there may be concern about their viability, there is reason for optimism. Daniel Kahneman, Oliver Sibony & Cass Sunstein in Noise discuss bias in decision-making. They state:
“When there is a lot of data, machine-learning algorithms will do better than humans and better than simple models. But even the simplest rules of algorithms have big advantages over human judges: they are free of noise, and they do not attempt to apply complex, usually invalid insights about predictors.”
For example, if companies collaborate in real-time, AI could identify markers from past events combined with new attack attributes, helping analysts focus on novel threats. Currently, data exchange is mostly manual, costing analysts time. Automation can speed up this exchange, fusing data with multiple members to deliver richer insights.
Ready to strengthen your organization's cybersecurity posture? Dive deeper by exploring Cybersecurity's New Frontier to understand the evolving landscape and the importance of proactive defense strategies. For more in-depth insights and current trends, check out Splunk's latest State of Security 2024: The Race to Harness AI report.
