December 2020

Press Release for State, Local, Tribal, and Territorial Indicators of Compromise Automation Pilot Results


A new automated data feed that helps defend state and local government computer systems from cyberattacks and rapidly blocks threats across state lines reduced cyber defense time from some three days to less than three minutes in a successful pilot program across four states.

Under the live pilot on active government systems, Louisiana, Massachusetts, Texas, the state of Arizona and Maricopa County, Arizona, together with the Multi-State Information Sharing and Analysis Center (MS-ISAC), effectively flagged indicators of a cyberattack and rapidly blocked traffic to and from threatening IP addresses, domains and files across the shared network markedly faster than current manual processes.


August 2020

Get the Report


Shareable Workflows for scoring, sharing and responding to cyber Indicators of Compromise (IOCs)

Download BPMN (XML) versions of the workflows


As part of the pilot work conducted by Johns Hopkins Applied Physics Laboratory (APL) under a grant from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), APL has developed multiple automation workflows to support the SLTT community. The workflows cover two parts of the problem: producing an automated feed of IOCs curated so that network defenders can act on them directly, and triage-and-response workflows that can be readily adapted to SOAR platforms to consume that threat intelligence. They are provided to assist the larger community who may be searching for examples and guides for deploying automation in their own cyber defense environments.

More examples of SOAR workflows are available on the Playbook, Workflow and Local Instance Example Page.


JULY 13, 2020

Johns Hopkins APL Enlists States for Cyber Defense Technology Pilot Program

As cyber threats to the nation grow and adversaries move with increasing stealth, the Johns Hopkins Applied Physics Laboratory (APL) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are teaming up to help state and local governments enhance their online defenses.

Under a pilot program, Arizona, Louisiana, Massachusetts and Texas, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), are applying Security Orchestration, Automation and Response (SOAR) to this effort. SOAR tools enable organizations to collect security-threat data from multiple sources and perform triage and response actions significantly faster than with manual processes. This initiative will enable state, local, tribal and territorial (SLTT) governments to quickly and broadly share information, in near real time, and leverage automation to prevent or respond to cyberattacks.

Specifically, the SLTT Indicators of Compromise (IOC) automation pilot will focus on the curation of the feed and the processes used by the participants to triage, prioritize and act upon the resultant IOCs. Automation and orchestration will be used to gain efficiencies in tasks, processes and resultant actions for the producer and consumers of the IOCs. In particular, the program will:

  • identify key areas for potential reduction of manual tasks

  • promote actionable information sharing across government levels and agencies

  • identify orchestration services needed to integrate responses — such as sensing, understanding, decision-making and acting — to cyber threats
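The triage, prioritize and act steps listed above, and the IOC scoring workflows mentioned in the August 2020 note, can be illustrated with a small routing function. The following is an added example, not code from the pilot or from the published BPMN workflows: it scores indicators from a feed and sends an indicator to automatic blocking only when it is both high confidence and low regret. The record format, field names, weights, thresholds, the allowlist of the organization's own assets and the sample indicators are all assumptions made for this illustration.

```python
"""Illustrative IOC triage: score feed indicators and route each one to
automatic blocking, analyst review, monitoring, or discard.

Added example; not the pilot's workflows. Record format, weights,
thresholds, allowlist and sample data are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed: the organization's own assets. Blocking these is high regret
# even if a partner feed lists them, so they always go to a human.
ALLOWLIST_DOMAINS = {"state.example.gov", "mail.example.gov"}
ALLOWLIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Addresses a perimeter block would never usefully target.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

AUTO_BLOCK_THRESHOLD = 80   # assumed: at/above this score, act without a human
REVIEW_THRESHOLD = 40       # assumed: at/above this score, queue for an analyst
SEVERITY_WEIGHT = {"low": 0.5, "medium": 0.8, "high": 1.0}


@dataclass
class Ioc:
    kind: str        # "ip", "domain" or "sha256"
    value: str
    confidence: int  # 0-100, producer's confidence the indicator is malicious
    severity: str    # "low", "medium" or "high"
    sightings: int   # number of partner organizations that reported it


def parse_feed(text):
    """Parse 'kind|value|confidence|severity|sightings' lines; skip comments."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, conf, sev, sight = line.split("|")
        iocs.append(Ioc(kind, value.lower(), int(conf), sev, int(sight)))
    return iocs


def is_valid(ioc):
    """Reject malformed indicators before they reach a blocking device."""
    if ioc.kind == "ip":
        try:
            ipaddress.ip_address(ioc.value)
        except ValueError:
            return False
        return True
    if ioc.kind == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", ioc.value) is not None
    if ioc.kind == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", ioc.value) is not None
    return False


def is_high_regret(ioc):
    """True for own assets and non-routable space: never auto-block these."""
    if ioc.kind == "domain":
        return any(ioc.value == d or ioc.value.endswith("." + d)
                   for d in ALLOWLIST_DOMAINS)
    if ioc.kind == "ip":
        addr = ipaddress.ip_address(ioc.value)
        return any(addr in net for net in NON_ROUTABLE + ALLOWLIST_NETS)
    return False


def score(ioc):
    """0-100: confidence scaled by severity, plus up to +15 for corroboration."""
    base = ioc.confidence * SEVERITY_WEIGHT.get(ioc.severity, 0.5)
    corroboration = max(0, min(ioc.sightings - 1, 3)) * 5
    return int(min(100, base + corroboration))


def triage(ioc):
    """Return the action a SOAR workflow would take for this indicator."""
    if not is_valid(ioc):
        return "discard"
    if is_high_regret(ioc):
        return "review"          # never automatic, regardless of score
    s = score(ioc)
    if s >= AUTO_BLOCK_THRESHOLD:
        return "auto_block"
    if s >= REVIEW_THRESHOLD:
        return "review"
    return "monitor"


def triage_feed(text):
    """Map each indicator value in the feed to its triage decision."""
    return {ioc.value: triage(ioc) for ioc in parse_feed(text)}


# Constructed sample feed, not real indicators: documentation address ranges
# and a placeholder hash.
SAMPLE_FEED = """\
# kind|value|confidence|severity|sightings
ip|198.51.100.23|90|high|3
ip|10.0.0.5|95|high|4
ip|203.0.113.7|85|high|2
ip|999.1.1.1|90|high|2
domain|c2.example.net|70|medium|1
domain|mail.example.gov|85|high|2
domain|cdn.example.org|30|low|1
sha256|deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef|95|high|5
"""

if __name__ == "__main__":
    for value, action in triage_feed(SAMPLE_FEED).items():
        print(f"{action:10s} {value}")
```

The point the sample makes is that the allowlist and non-routable checks run before the score is consulted: 203.0.113.7 would clear the auto-block threshold on score alone, but because it sits in the organization's own range it is held for an analyst. Validation runs first of all, so a malformed address is dropped rather than pushed to a firewall.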

The effort stems from recent APL research and pilot programs with critical infrastructure industries that showed how automated information sharing can shore up cyber defenses by reducing response time.

Using the Integrated Adaptive Cyber Defense (IACD) framework, developed by APL under an effort sponsored by DHS and the National Security Agency for cybersecurity automation, orchestration and information sharing, response time dropped from 11 hours to 10 minutes. In some instances, preapproved responses were implemented in one second.

“The opportunity to work with state, local, tribal and territorial organizations as they adopt the IACD framework is rewarding,” said Cindy Widick, APL’s deputy principal investigator on the SLTT pilot. “Automating low regret, high impact indicators will improve the security of their networks and alleviate some of the manual processing required today. This will allow talented network security personnel to address more complex cyber threats.”

The results of the pilot, anticipated this fall, will be technology agnostic and could serve as a model for other states and local governments to quickly and easily augment their cyber defense capabilities. For more information, contact Charles Frick, pilot principal investigator, at charles.frick@jhuapl.edu.

ABOUT THE PARTNERS

CISA

CISA is the nation’s risk advisor, working with partners to defend against threats and collaborating to build more secure and resilient infrastructures.

APL

For more than 75 years, the Applied Physics Laboratory, a not-for-profit division of the Johns Hopkins University, has met critical national challenges through the innovative application of science and technology. APL has integrated more than 50 commercially available security and information technology management products, information feeds and cybersecurity services into the IACD framework. Most recently, the Laboratory provided technical assistance and consultation to the first financial institution implementation of IACD.

Arizona

Within Arizona’s Department of Administration, the Arizona Strategic Enterprise Technology program’s mission is to deliver forward-thinking and secure IT solutions to state agencies by putting the customer first, offering world-class services and focusing on value, not cost.

Maricopa County, Arizona

Maricopa County’s Office of Enterprise Technology (OET) provides enterprise infrastructure and application support that allows the county to effectively operate on a daily basis. OET also provides IT consulting as a trusted advisor to over 30 county departments.

Louisiana

The Office of Technology Services functions as the centralized provider of IT support services for executive cabinet agencies of state government and is designated as the sole authority for information technology procurement.

Massachusetts

The mission of the Massachusetts Executive Office of Technology Services and Security (EOTSS) is to provide secure and quality digital information, services and tools to customers and constituents when and where they need them. EOTSS offers responsive digital services and productivity tools to more than 40,000 state employees as well as digital services and tools that enable taxpayers, motorists, businesses, visitors, families and other citizens to do business with the commonwealth in a way that makes every interaction with government easier, faster and more secure.

Texas

Both the Texas Department of Information Resources (DIR) and Department of Public Safety (DPS) are participating in the SLTT IOC automation pilot. DIR serves the Texas government by leading the state’s technology strategy, protecting state technology infrastructure and offering innovative and cost-effective solutions for all levels of government. DPS’s mission is to proactively protect the citizens of Texas in an ever-changing threat environment while always remaining faithful to the U.S. and state constitutions.

MS-ISAC

MS-ISAC, managed by the Center for Internet Security, is the focal point for cyber threat prevention, protection, response and recovery for the nation’s SLTT governments. The mission of MS-ISAC is to improve the overall cybersecurity posture of SLTT governments. Collaboration and information sharing among members, the U.S. Department of Homeland Security and private sector partners are the keys to success.

Media contacts:

Amanda Zrebiec, 240-592-2794, Amanda.Zrebiec@jhuapl.edu
Sara Sendak, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, CISAmedia@hq.dhs.gov
Barbara Ware, Center for Internet Security, Barbara.ware@cisecurity.org 

The Applied Physics Laboratory, a not-for-profit division of The Johns Hopkins University, meets critical national challenges through the innovative application of science and technology. For more information, visit www.jhuapl.edu.