The top five U.S. cloud service providers (CSPs) have set aside their competition to join an unprecedented effort to create the National Cyber Feed, with the goal of providing federal cybersecurity officials with a continuous stream of threat monitoring data. But as with most things, the devil is in the details.
Amazon, Microsoft, Google, IBM and Oracle are participating in the National Cyber Feed initiative, a top priority of the Cloud Safe Task Force (CSTF), formed last fall by MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC) and the IT Acquisition Advisory Council (IT-AAC). According to a CSTF white paper published last month, the idea behind this public-private partnership is “to create a single, integrated national perspective on the nation’s security.”
The CSTF, which was formed in February to assess the government’s cloud infrastructure and establish a roadmap for improving its ability to counter cyber threats, recognized the need for a better threat intelligence strategy — and one that’s more time-sensitive. Dave Powner, executive director of MITRE’s Center for Data-Driven Policy, said agencies such as the Department of Defense currently only receive delayed feeds from CSPs.
“CSPs provide screenshots to FedRAMP on a monthly basis,” Powner said of the government’s current Federal Risk and Authorization Management Program (FedRAMP), the framework for collecting threat intelligence that requires specific reporting from CSPs.
Instead, governments need actionable intelligence on the threat landscape in real time, he noted. The effort is gaining momentum: In a white paper, the CSTF defined various metrics for the national feed, and stakeholders are now meeting weekly to hammer out the details, including a three-hour webinar earlier this month that Dark Reading participated in.
Delays in threat intelligence reports
Powner said this month’s panel discussion was informative and set the stage for the eventual pilot, but hurdles remain. For example, there are ongoing discussions about how CSPs can share data without competing with one another, while remaining compliant and avoiding data leaks.
John Bergin, director of federal digital security and risk at Microsoft, said CSPs need to find a common approach to sharing data from different frameworks while addressing the issues involved.
“We have the structures, contractual agreements and executive orders to hand over that data. The question is how do we do more and think differently about our role in threat hunting,” he said. “Personally, I don’t think the FedRAMP datasets are sufficient or meaningful for hunters. But I think the question we have to address is how do we add to, extend and use the FedRAMP framework for data that is contractually required for governments that have clear data processing requirements.”
Data Standardization, Management, and Integration
Another aspect being discussed is how the combined data will be made available. Maj. Julian Petty, cyber warfare officer for the Defense Department’s U.S. Army Cyber Command, said during the webinar that a national feed would require a unified data approach, with tagging, logging and retention standards being the same across the board.
For example, “How can we leverage the analytics developed in this particular SIEM [security information and event management]? Do you visualize it in your mind and then translate it into a completely different instance where you’re using it?” Petty asked.
Dave Catanoso, director of cloud and edge application hosting at the Department of Veterans Affairs (VA), said the amount of log data the VA receives is already so large that it may need to curate a firehose of continuous monitoring data as well.
“How do they provide us with standardized telemetry so that it can be consumed by the tools that we use on each of our missions and then summarized by some form of AI [artificial intelligence]?” Catanoso asked. “We don’t want to just get a load of data as a feed. We want an intelligent feed with useful information, not something that we have to sift through, or else it will just increase our costs. We want it in a summarized form.”
Beyond Continuous Monitoring
Speaking of AI, Mari Spina, cloud security capability leader at MITRE, said that while continuous monitoring is a critical requirement, it’s not enough, especially now that adversaries are using AI techniques to accelerate their attacks. She noted that there are more than 1 million attempted attacks on the Department of Defense per day.
“I’m asking that continuous monitoring include continuous testing,” Spina said, “not just against emulated adversaries, but also against predictive adversaries.”
MITRE has a number of predictive threat models, including FiGHT for 5G, MITRE ATLAS for AI, and CAVEaT for cloud, which it developed in collaboration with the CSA, she added. MITRE ATT&CK, by contrast, focuses on what to do after an attack has occurred.
“Predictive models, predictive threat models, are going to play a bigger role in emulating all kinds of adversaries,” Spina said.
Powner said the recent talks have been encouraging and he believes the CSTF’s National Cyber Feed will move forward.
“I think the momentum we’re getting on this is great because I think it’s a win-win,” he said. “The government would obviously benefit from this because there are gaps in the information they’re looking at. The CSPs are saying that if we give them this information, anonymize it, combine it and feed it back to them, they’ll get value back.”