A New Paradigm to Meet the Executive Order Incident Response Mandate
The Executive Order on Improving the Nation’s Cybersecurity (Executive Order) sets out an ambitious plan for enhancing federal agency and supply chain security. It covers many topics, from cloud-first initiatives to zero trust architecture, and its reach will likely extend beyond Federal Civilian Executive Branch (FCEB) agencies. For security operations center (SOC) teams, Section 6, “Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents,” has the most significant impact on their day-to-day activities.
What does Section 6 say?
According to the Executive Order, the current processes for identifying, remediating, and recovering from vulnerabilities and incidents are so varied that they undermine agency security. To enhance cybersecurity, the Executive Order lays out a plan for establishing standardized processes that would enable FCEB agencies to coordinate their responses and create a centralized incident catalog.
Section 6 further outlines that agency directors will develop a standard set of operational procedures called a playbook. FCEB agencies will use the playbook to plan and conduct their vulnerability and incident response activities. According to the Executive Order, the playbook will:
- Incorporate relevant National Institute of Standards and Technology (NIST) standards
- Be used by FCEB agencies
- Outline incident response phases while also providing for flexibility
- Define key cybersecurity terms to create a shared vocabulary
However, this section also notes that any procedures deviating from the playbook need to be reviewed by the Director of the Office of Management and Budget (OMB) and Assistant to the President for National Security Affairs (APNSA).
What this means for SOC teams
As agencies move their mission-critical operations to the cloud, SOC teams need tools that provide the appropriate security investigation and response support. Ideally, these solutions should also be cloud-native, since the Executive Order focuses on cloud-first and cloud-only initiatives. Unfortunately, many current tools are not built to support federal SOC teams in this environment.
Moving to the cloud changes the investigation process. As agencies migrate their operations, SOC teams will use data across on-premises and multi-cloud infrastructures. Meanwhile, agencies will be onboarding software-as-a-service (SaaS) applications and moving away from legacy software. These applications generate large amounts of data that also need to be collected, aggregated, correlated, and analyzed. As the digital footprint grows, data duplication becomes a problem, because bringing all of this information into a centralized location leads to overlapping copies of the same records.
Despite the use of automation, setting up investigative tools remains a manual process. SOC teams need to create queries from scratch and build them into the tool. Although the tool may automate some query processes after this, SOC teams still need to engage in manual processes. If the saved queries fail to provide answers, they need to pivot and start a new search. Additionally, once they complete the investigation, they need to manually respond by initiating or updating tickets in their service management tool and engaging in remediation actions.
AI-enabled research and response in a unified control plane
Across industries, organizations struggle to bring their mean time to respond (MTTR) down to a nimble and effective level. For agencies, the challenge is often greater because they are saddled with legacy technology stacks and tools.
However, the Executive Order may be a turning point. In Section 3, “Modernizing Federal Government Cybersecurity,” subparagraph (a) notes that the federal government must “invest in both technology and personnel to match these modernization goals.” Investing in technology may not be enough. The government and agencies need to invest in the right technologies that give them a way to enhance cybersecurity vulnerability and response activities.
To do this, agencies and the organizations in their supply chain need cloud-native solutions that eliminate the problems associated with traditional tools. To comply with these initiatives, computer security incident response teams (CSIRTs) need to embrace a paradigm shift away from legacy processes.
This new paradigm should give security teams the ability to:
- Access data where it lives: a control plane acting as the connective tissue across multi-cloud and on-premises infrastructures and providing federated search capabilities
- Investigate incidents using automation: a single solution that triages and normalizes alert data across platforms and creates intelligent dashboards with visualizations that provide at-a-glance visibility into outliers
- Respond quickly: one-click response and annotation capabilities that eliminate the time manual processes take
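The second capability above, normalizing alerts from several platforms into one schema so they can be triaged together, is the part of the list that translates most directly into code. The following is an added illustration written for this page, not Query.AI's product code: it maps three constructed event shapes (a cloud audit record, an on-premises SIEM alert, and a SaaS activity event, with field names invented here rather than taken from any real vendor) onto a common alert record, and then surfaces two kinds of outliers: alerts at or above a severity threshold, and principals that appear in alerts from more than one platform, which a per-platform console would never show side by side.

```python
"""Normalize alerts from heterogeneous sources into one schema, then triage them."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Set, Tuple


@dataclass
class NormalizedAlert:
    source: str          # platform the alert came from
    timestamp: datetime  # always timezone-aware UTC after normalization
    severity: int        # common scale: 1 (low) .. 4 (critical)
    principal: str       # user or service account involved
    action: str          # what happened, in the platform's own vocabulary
    raw: Dict[str, Any] = field(repr=False)  # original event, kept for the analyst


SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


# Each normalizer knows one platform's (hypothetical) field layout and nothing else.
def _cloud_audit(event: Dict[str, Any]) -> NormalizedAlert:
    # ISO-8601 with a trailing "Z"; fromisoformat() needs an explicit offset
    ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
    return NormalizedAlert("cloud_audit", ts, SEVERITY_WORDS[event["severity"].lower()],
                           event["userIdentity"], event["eventName"], event)


def _siem(event: Dict[str, Any]) -> NormalizedAlert:
    # Unix epoch seconds and a numeric priority, clamped onto the 1..4 scale
    ts = datetime.fromtimestamp(event["ts"], tz=timezone.utc)
    severity = min(max(int(event["priority"]), 1), 4)
    return NormalizedAlert("siem", ts, severity, event["user"], event["rule"], event)


def _saas(event: Dict[str, Any]) -> NormalizedAlert:
    # Naive "YYYY-MM-DD HH:MM:SS" string that the (hypothetical) service documents as UTC
    ts = datetime.strptime(event["occurred_at"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return NormalizedAlert("saas", ts, SEVERITY_WORDS[event["level"].lower()],
                           event["actor"], event["event"], event)


NORMALIZERS: Dict[str, Callable[[Dict[str, Any]], NormalizedAlert]] = {
    "cloud_audit": _cloud_audit,
    "siem": _siem,
    "saas": _saas,
}


def normalize(source: str, event: Dict[str, Any]) -> NormalizedAlert:
    """Route an event to its platform normalizer; unknown sources fail loudly, not silently."""
    try:
        normalizer = NORMALIZERS[source]
    except KeyError:
        raise ValueError(f"no normalizer registered for source {source!r}")
    return normalizer(event)


def triage(alerts: List[NormalizedAlert], min_severity: int = 3
           ) -> Tuple[List[NormalizedAlert], Set[str]]:
    """Return (alerts at or above min_severity, principals seen on more than one platform)."""
    high = [a for a in alerts if a.severity >= min_severity]
    platforms_by_principal: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        platforms_by_principal[a.principal].add(a.source)
    cross_platform = {p for p, srcs in platforms_by_principal.items() if len(srcs) > 1}
    return high, cross_platform


# Constructed sample events; the shapes and values are invented for this example.
SAMPLE_EVENTS: List[Tuple[str, Dict[str, Any]]] = [
    ("cloud_audit", {"eventTime": "2021-06-01T12:00:05Z", "userIdentity": "svc-deploy",
                     "eventName": "CreateAccessKey", "severity": "HIGH"}),
    ("siem", {"ts": 1622548860, "user": "svc-deploy",
              "rule": "Login from new geography", "priority": 3}),
    ("saas", {"occurred_at": "2021-06-01 12:01:10", "actor": "jdoe",
              "event": "file_shared_externally", "level": "medium"}),
    ("siem", {"ts": 1622548900, "user": "bwayne",
              "rule": "Failed MFA challenge", "priority": 1}),
]


def run_sample() -> Tuple[List[NormalizedAlert], List[NormalizedAlert], Set[str]]:
    """Normalize the sample feed and triage it; returns (all, high-severity, cross-platform)."""
    alerts = sorted((normalize(src, ev) for src, ev in SAMPLE_EVENTS), key=lambda a: a.timestamp)
    high, cross = triage(alerts)
    return alerts, high, cross


if __name__ == "__main__":
    alerts, high, cross = run_sample()
    for a in alerts:
        print(f"{a.timestamp:%H:%M:%S} [{a.source:11}] sev={a.severity} {a.principal}: {a.action}")
    print("high severity:", [(a.source, a.principal) for a in high])
    print("seen on multiple platforms:", cross)
```

The design point is that each platform's quirks (epoch seconds versus ISO strings, words versus numbers for severity) stay inside its own normalizer, so the triage logic only ever sees one schema and the `raw` field preserves the original record for the analyst who needs to pivot back to the source. In the sample, `svc-deploy` is flagged both for two high-severity alerts and for appearing on two platforms, which is exactly the kind of outlier the dashboards described above are meant to make visible at a glance.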
With all investigation and response activities contained in a single control plane, security teams are empowered to build robust cybersecurity programs that align with the Executive Order’s mandate.
Query.AI provides the market’s only security investigations control plane. Our patented browser-based platform delivers real-time access and centralized insights to data across your on-premises, multi-cloud, and SaaS applications, without duplicating it from its native locations.
Query.AI provides a simple and effective way for agencies to meet their security investigation and response goals while simultaneously reducing costs.
To learn more about Query.AI, visit: https://query.ai/solutions/