by Paul Kurtz, Co-Founder, TruSTAR

Presidential Executive Order: “Collect and Preserve” Incident Data. Is this the Catalyst for Cybersecurity’s Black Box?

President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity defines a solid path forward for the Federal government and its suppliers to address systemic problems in defending cyberspace. The EO calls on suppliers to “collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation,” in effect, calling on government agencies and suppliers to deploy black boxes for cybersecurity. Rather than see this as an onerous requirement, it is worth remembering how the FAA’s requirement for all commercial aircraft to carry black boxes with flight data recorders dramatically improved aviation safety and security. A similar outcome is possible for cybersecurity. 

In 1967 the U.S. government required commercial aircraft to carry a black box that contained a cockpit voice recorder and a flight data recorder.  Black boxes helped the government and aviation industry piece together aviation events ranging from near misses to crashes. The requirement drove important safety and security improvements, benefiting the aviation industry and the flying public. Given the rash of debilitating cyberattacks -- from nation-state actors and criminal organizations -- the Federal government, its suppliers and private sector companies should embrace the concept.    

Cloud-based Black Boxes

The Cloud has enabled security vendors and companies to easily integrate and automate data from disparate security tools and threat intelligence sources. Companies rely on these capabilities given the flexibility to securely manage intelligence from detection systems and external threat intelligence sources. For example, today companies integrate and automate data from internal security tools such as Spunk ES, QRadar, and ServiceNow with open source and proprietary intelligence feeds. Fusion in the Cloud reduces the mean time to detect and respond to events, and reduces analyst cycles.

So, how does this relate to the EO and black boxes?  The data -- event alerts, case management tickets and threat intelligence -- are ingested and reside in secure, cloud-based repositories. TruSTAR refers to repositories as enclaves. Enclaves give a company a holistic understanding of its cyber intelligence. Security tools can automatically recall and connect past events with new alerts. Companies can leverage no-code intelligence workflow capabilities to enrich events, automatically updating security applications with high-priority events.

Enclaves, it turns out, can support the requirement under the EO to “collect and preserve” incident data, similar to black boxes. As discussed in the Cloud Security Alliance’s Cloud-based, Intelligent Ecosystems whitepaper, enclaves fulfill an operational need within companies for a living “cyber memory,” updated in real-time with event data to ensure continuity of knowledge. However, in an incident, enclaves address the need to “collect and preserve” incident-related information, as called for in the President’s EO. Data stored within enclaves is encrypted with permission-based access controls.

Enclaves can fulfill other elements of the executive order, including reducing the barriers to information sharing. For example, cloud-based enclaves allow for seamless exchanges of information, and include natural language processing to redact proprietary or personally identifiable information.

CONTINUE READING (TruSTAR blog).