Automating Information Security Responses: The Evolution of the JHUAPL SOAR Pilot into Automated Threat Intelligence Ingestion via MISP
2021 NACo Achievement Award Winner
Maricopa County, Ariz., AZ
Best In Category
About the Program
Category: Information Technology (Best in Category)
Year: 2021
In 2020 the Maricopa County Information Security Operations team (InfoSec SecOps) spent months partnering with Johns Hopkins University Applied Physics Laboratory (JHUAPL), MS-ISAC and other state, local, tribal, and territorial (SLTT) governments in a Security Orchestration and Automated Response (SOAR) pilot program designed to mitigate cybersecurity threats with planned, automated responses. As the pilot successfully concluded, Maricopa County implemented the protocols and lessons learned in a production response platform consisting of three key components: the open source Malware Information Sharing Platform (MISP) for threat intelligence gathering, the Splunk security information and event management (SIEM) system for log correlation, and the Siemplify SOAR system for automated incident handling. With these, InfoSec created a cyber defense system that provides high-fidelity threat intelligence with automated responses.

Maricopa County's team played a pivotal role in creating solutions that efficiently share and mitigate thousands of cybersecurity threats for the county and participating agencies throughout Arizona. They continue to be instrumental in integrating new responses into the MISP platform and in setting the direction of threat intelligence sharing in Arizona.