White Paper:
Cyber Response Solutions: A taxonomy of response,
recovery, restoration and remediation tools
Not all response tools are the same
Inside:
 Know the response tool market
 Identify your technology needs
 Refine your requirements
About This Paper
The National Institute of Standards and Technology (NIST), working collaboratively
across a broad range of stakeholders, released a Cybersecurity Framework in February
2014. This framework, based on the functions of Protect, Detect and Response, has
been adopted as a common model of action for high-performing cyber security
operations.
The response portion of the cybersecurity framework is the topic of this white paper.
Specifically, this paper focuses on a taxonomy of capabilities and the technologies that
can assist enterprises in the response function.
About The Authors
The primary authors of this paper, Bob Flores, Bob Gourley and Roger Hockenberry,
are all experienced enterprise Chief Technology Officers and technology executives
with extensive design experience. They leveraged this experience in interviews with
technology executives in government and commercial enterprises and engineers at both
Intel and Cloudera to produce the mission focused design tips presented in this paper.
Sources and Methods
After a detailed review of the NIST Cybersecurity Framework and associated
references, we examined over 200 firms in the cybersecurity space. To find these firms
we surveyed the portfolios of Venture Capital firms, reviewed the sponsors, attendees,
and speakers at major cybersecurity tradeshows and expos (like RSA, Black Hat, and
our own FedCyber conference), and surveyed sponsors and product directories of
major cybersecurity periodicals (Security Magazine, SC Magazine, Infosecurity Magazine).
We then created a master list of all firms with capabilities relevant to
enterprise cybersecurity response and categorized them by which sub-area of this field
they operate in.
The resulting taxonomy and critical requirements in each category are provided below.
The NIST Cybersecurity Framework
In response to a Presidential Executive Order, NIST embarked on a yearlong activity
collaborating across multiple sectors of industry, academia and government to collect
best practices in enterprise cybersecurity and then codify them in an executable
framework. The first iteration of this framework was published in February 2014.
The framework focuses on using business drivers to guide cybersecurity activities, and
is at its heart an outline of management best practices. However, it is also an important
organizing guide for technologists, since every business-focused capability in the
framework can be achieved by technology.
The five key functions of the core NIST framework are:
• Identify: Foundational enterprise awareness
• Protect: Safeguards to enhance Confidentiality, Integrity, Availability
• Detect: Appropriate activities to identify the occurrence of a cybersecurity event
• Respond: Activities to take action regarding detected events
• Recover: The restoration of functions to normal operation after events
Response
The response function is of increasing importance to the modern enterprise and is a
critical component of the NIST cybersecurity framework. NIST articulates this as
“appropriate activities to take action on regarding a detected cybersecurity event.”
Response activities include response planning, communications and collaboration
during an event, analysis of event data, and mitigation/removal of malware.
This paper will focus on the enabling technologies involved in automating the response
activity and can be used as a guide to help decision-makers better understand options
and opportunities that exist in the marketplace.
Automating Response
The concept of enhanced automation for security has taken off like wildfire in the
enterprise security community. For a decade we have all been collectively working
towards better ways to automate continuous monitoring of our IT infrastructure. Now the
conversation around the concept is shifting towards continuous remediation, including
the automatic removal of malicious code. Automated engagement and removal are now
seen as the only way to keep up with adversaries that have automated their attacks.
Taxonomy of Response Capabilities
The NIST framework categorization of response activities provides a solid taxonomy for
the categories of technologies that can aid in response. These categories include:
Response Planning: Technologies that contribute to the creation, maintenance and
execution of plans and policies for response. This includes technologies that
contribute to response rehearsal and response training.

Communications and Collaboration: Technologies that are designed to ensure
uninterrupted communication during cyber events, both with internal and external
stakeholders. Information sharing tools are included in this category. This includes
communication of forensics data to law enforcement as required. Also included are
technologies that enable and enhance the collaboration between and among members
of response teams, internally and externally as required.

Analysis: Technologies that contribute to analysis of data in a timely enough way to
contribute to event response actions. Includes technologies that contribute to
notifications from detection systems for analysis, and technologies that contribute
to the ability to conduct rapid analysis over large data sets.

Mitigation: Technologies that contribute to event containment, the reduction in what
adversaries are able to do and the limiting of damage. Also technologies that identify
new vulnerabilities and automatically remediate them.

Removal of Malware: Technologies that automate the identification of and removal of
malicious code, including rootkits, bots, self-propagating code, in-memory code or
any executables.
A Market Survey: Technologies categorized by response capabilities
Our survey of over 200 technology firms provides actionable context for enterprise CTOs
and CISOs seeking to meet key response mission needs. Below is a categorization of
key firms we found based on their function and ability to support various components of
the response taxonomy.
Representative technologies by category:

Response Planning
• Acuity: Enterprise governance, risk and compliance tools.
• AlgoSec: Security policy management for the enterprise.
• MetaCompliance: Compliance management software.
• PhishMe: Training, education and response preparation around phishing attacks.

Communications and Collaboration
• Akamai: Very reliable communications, content distribution and the ability to weather DDoS attacks.
• AlephCloud: Secure collaborative environment and cloud tools.
• Cisco: Collaboration tools and end-to-end communications.
• CyberIQ: Collaborate over incidents and data.
• Gigamon: Know the status of networks and data flows.

Analysis
• AccelOps: Analytics-driven IT operations management.
• Adallom: Monitor and analyze cloud and other services.
• BeyondTrust: Known for scanners and account management and analysis.
• LogRhythm: SIEM and analysis.
• Norse: Correlate and analyze across broad networks.
• Plixer: NetFlow and analysis.
• Rapid7: Scan, correlate and analyze.
• Splunk: Machine data. Search. Analytical tool.
• Tenable: Software and hardware for gathering and analysis.
• Hexis Cyber Solutions: Analysis over network data.

Mitigation
• Mandiant: Agents enable detection and human response.
• Hexis Cyber Solutions: Human-guided or pre-planned response.

Removal of Malware
• Hexis Cyber Solutions: Proven ability to remove malware of all types anywhere in the enterprise.
Planning Guidance
Executives making decisions for the enterprise should conclude that no one product
has the ability to fully automate response for cyber incidents or threats, and that a
deliberate approach to integrating several capabilities will lead to a stronger readiness
posture to meet threats before, and as, they occur.
The key in the response matrix and taxonomy is to quickly contain and react to an
incident in near real time while also allowing for forensic analysis after an event to
ensure that the full impact and downstream effects can be calculated and remediated if
necessary.
A review of the capabilities above provides insights into what the market has to offer
and can inform enterprise decision-makers on what they should be requesting as
capabilities for their enterprise. This assertion allows us to articulate key requirements
for technologies in each of these categories that we believe enterprise technologists
should consider.
Key capabilities for enterprise response, by category:

Response Planning
• Field technologies that enable executive and technology leadership to establish and execute policies.
• Ensure interoperability with legacy systems.
• Ensure automated testing of response across the spectrum of threat actions.
• Seek technologies that can automate policy implementation (important at response time).

Communications and Collaboration
• Ensure enterprise communications are resilient, and plan for use of backup solutions in case primary networks are down.
• Establish collaborative environments for response teams to work internally, and means to collaborate external to the enterprise.

Analysis
• It is important to field technologies that can make use of both internal and external data for full-spectrum analysis.
• Ensure you have architected to retain all relevant data.

Mitigation
• An integrated family of products and services to ensure mitigation is key.
• Automated mitigation: sometimes human guided and, when policy allows, totally automated.

Removal of Malware
• The automated removal of malicious code, including rootkits, bots, any executable, any malware, is a critical requirement.
In looking at these key areas, the decision-maker should be aware that interoperability
is the key factor to consider, and we recommend that an enterprise undertake a small
proof-of-concept to ensure efficacy and scale while building the necessary
competencies to run these types of solutions for the enterprise.
Concluding Thoughts
The NIST framework provides useful guidance for enterprises to plan responses. As
shown here, it also helps when planning for your technology implementation.
The taxonomy of response tools we provide here (Planning, Communications and
Collaboration, Analysis, Mitigation and Malware Removal) flows from the NIST
cybersecurity framework. The taxonomy provides a useful way to think about your
response technologies. If your organization is not automating in any particular area
above, there is a good chance you are sub-optimizing your response.
It is especially important to consider the technologies you are putting in place for
automated threat mitigation and automated malware removal. If you are not automating
these actions, then your adversaries have a significant advantage.
Malware, viruses and threats can be detected, understood and remediated in near real
time before data exfiltration, making incident response teams more effective and
allowing them to focus on more pressing issues. Use of integrated platforms to
aggregate and use data from existing digital infrastructure is a best practice that
reduces cost, making this a particularly virtuous approach.
A critical success criterion for any security solution: you should architect for
automated removal of malware.
More Reading
For more federal technology and policy issues visit:
• CTOvision.com - A blog for enterprise technologists with a special focus on Big Data.
• CTOlabs.com - A reference for research and reporting on all IT issues.
• J.mp/ctonews - Sign up for the government technology newsletters, including the Government
Big Data Weekly.
About the Authors
Bob Flores is a co-founder and partner at Cognitio. Bob spent 31 years at the Central Intelligence
Agency. While at CIA, Bob held various positions in the Directorate of Intelligence, Directorate of
Support, and the National Clandestine Service. He was the agency's Chief Technology Officer. Bob
serves on numerous government and industry advisory boards.
Bob Gourley is a co-founder of Cognitio and editor in chief of CTOvision.com. He is a former
federal CTO. His career included service in operational intelligence centers around the globe, where
his focus was operational all-source intelligence analysis. He was the first director of intelligence at
DoD's Joint Task Force for Computer Network Defense, served as director of technology for a
division of Northrop Grumman and spent three years as the CTO of the Defense Intelligence Agency.
Bob serves on numerous government and industry advisory boards.
Roger Hockenberry is a co-founder and partner at Cognitio. Following a two-decade career in
industry — first as a technology consultant and later as a management consultant and Managing
Partner at Gartner — Roger took a four-year detour into government service in the intelligence
community where he was charged with driving the realization of the vision he had helped craft as a
consultant.
For More Information
If you have questions or would like to discuss this report, please contact me. As an advocate for
better IT use in enterprises, I am committed to keeping this dialogue open on technologies,
processes and best practices that will keep us all continually improving our capabilities and
ability to support organizational missions.
Contact:
Bob Gourley
bob.gourley@cognitiocorp.com
© August 2014
CTOlabs.com