
Unprecedented: Cloud Giants, Feds Team on Unified Security Intelligence

The Cloud Safe Task Force aims to unite the US government and cloud service providers, like Amazon, Google, IBM, Microsoft, and Oracle, to provide a "National Cyber Feed": a continuous threat-monitoring tool for federal agencies.


The top five US cloud service providers (CSPs) are part of a new and wholly unprecedented effort to set aside competition and create a National Cyber Feed — with an aim to deliver continuous threat-monitoring data to federal cybersecurity authorities. However, as with most things, the devil is in the details.

Amazon, Microsoft, Google, IBM, and Oracle are all participating in the National Cyber Feed Initiative, which is a top priority of the Cloud Safe Task Force (CSTF), formed last fall by MITRE, the Cloud Security Alliance (CSA), the Advanced Technology Academic Research Center (ATARC), and the IT Acquisition Advisory Council (IT-AAC). The idea behind this public-private partnership is "to create an integrated, single national view of our nation's security," according to a CSTF white paper published last month.

In February, the CSTF, which was created to evaluate the government's cloud infrastructure and establish a road map for improving its ability to combat cyber threats, identified the need for a better threat intelligence strategy — and one that is more time-sensitive. Dave Powner, executive director of MITRE's Center for Data-Driven Policy, says agencies like the Department of Defense currently only receive delayed feeds from CSPs.

"The CSPs provide a monthly screenshot to FedRAMP," Powner says, referring to the government's current FedRAMP framework for gathering threat intelligence, which requires certain reporting from the CSPs.

Instead, the government needs a real-time picture of actionable intelligence about the threat landscape, he notes. The effort is gaining momentum: In the white paper, CSTF defined various metrics for the national feed, and the stakeholders are now holding weekly meetings to hammer out the details, including a three-hour webinar earlier this month attended by Dark Reading.

A Lag in Threat Intelligence Reporting

This month's panel discussions were useful and could set the stage for an eventual pilot, Powner says, but sticking points remain. For instance, there are ongoing discussions about how CSPs might deliver data without posing competitive, compliance, or data-leakage risks to each other.

John Bergin, Microsoft's director of federal digital security and risk, says that the CSPs need to find a common approach to sharing data from their different frameworks, while addressing those associated problems.

"We have structures, contractual agreements, executive orders to hand that data over — the question is, how do we do more and think differently about our role in threat hunting?" he says. "I don't believe, personally, that the FedRAMP data set is sufficient or meaningful to the hunters. But I think the question we've got to get to is, how do we add and extend and then use that FedRAMP framework of contractually required data to the government with explicit data-handling requirements?"

Standardizing, Managing & Integrating Data

Another aspect that's under discussion is how to make the combined data consumable. Major Julian Petty, a cyber warfare officer with the US Army Cyber Command at the Defense Department, said during the webinar that a national feed will require a unified data approach, with the same tagging, logging, and retention duration standards across the board.

For instance, "How do I take the analytics that were developed with this particular SIEM [security information and event management] in mind but translate it over to a completely different instance that I'm using?" Petty asked.

Dave Catanoso, the Department of Veterans Affairs (VA) director of cloud and edge application hosting, said that the amount of logging data the VA receives is already overwhelming, so any firehose of continuous-monitoring data would likely also need to be curated.

"How can they feed us telemetry that would be standardized so that we can consume it with whatever tools we're using for each of our missions, and then get it summarized by some form of AI [artificial intelligence]?" Catanoso asked. "We wouldn't want to get another feed of just large amounts of data. We want to get an intelligent feed that has useful information and is not something we have to sift through on our end because that would just increase our costs. We want to get it in a summarized way."

Beyond Continuous Monitoring

Speaking of AI, Mari Spina, a cloud security capability leader at MITRE, says that while continuous monitoring is a critical requirement, it's not enough, especially now that adversaries are using the technology to accelerate their attacks. She notes that the attack attempts on the Pentagon have exceeded 1 million per day.

"I'm pushing for continuous monitoring to include continuous testing," Spina says. "And not only with an emulated adversary, but also a predictive adversary."

MITRE has numerous predictive threat models, including FiGHT for 5G, MITRE ATLAS for AI, and CAVEaT for Cloud in collaboration with the CSA, she adds. These models are different from MITRE ATT&CK, which focuses on what to do after an attack has occurred.

"Predictive models, predictive threat models, are going to play a much greater role in any kind of adversary emulation," Spina says.

Powner says he found the latest talks encouraging and believes the CSTF's cyber feed will advance.

"I love the momentum that we're getting with this because I think both sides see a win-win," he says. "Clearly, the government can win from this because there are gaps in what they see. The conversation among the CSPs is, if you gave this information to them, anonymized it, combined it, and fed it back, there's value back to them, too."

About the Author(s)

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.
