Velocity by Booz Allen

CYBERSECURITY

A Digital Tapestry: Weaving AI into Unified Cyber Defense

Patrick Myers and Aaron Sant-Miller, with contributions from Michael Dahlberg and Colin Friedman

Every day, federal agencies are locked in an intense struggle to defend, monitor, and remediate vulnerabilities across their ever-expanding attack surface. It's a mission that gets more difficult each day as cybercriminals, insider threats, and nation-state adversaries adopt increasingly creative and dynamic tactics to breach networks. Many of these tactics are powered by AI and machine learning (ML), which allow adversaries to generate new attacks with increasing scale and efficiency while providing methods to tailor attacks to the characteristics of the cyber defenses that are in place. Traditional defensive strategies—from blocklists to signature-based detection—aren't enough to stop sophisticated adversaries: novel, advanced detection techniques are needed. These new defenses must be able to identify emerging threats as they evolve, uncover previously undetectable behaviors, differentiate the malicious from the merely anomalous, and harden defenses before adversaries can deliver their effects.

To protect against today's most advanced adversaries, cyber defenders must develop and deliver tradecraft that is equally advanced and dynamic. This means operationalizing AI/ML models of our own that can learn patterns in higher-dimensional space, across a wider range of data sources, and be correlated with adversarial actions or known tactics, techniques, and procedures (TTPs). While adversaries can dynamically adjust their execution of attacks, their methods are often consistent and generalizable. AI/ML models are designed to detect these methods, enabling more proactive defenses that are harder to circumvent. When applied correctly and correlated with reputable threat intelligence sources, AI/ML can harden networks against previously undetectable behaviors faster and with more precision.

While individual federal agencies may invest in the development of AI/ML for advanced detection, these investments struggle to scale across the enterprise. As a result, a unified, government-wide approach to cyber defense is increasingly difficult to sustain.

Challenges with an "Acquisition-First" Mentality

To stand up defensive cyber suites, federal agencies often buy commercial tools to collect network and endpoint data, procure products to monitor that data, and purchase licenses for software to store and analyze it. In effect, acquisition trends dictate the tools and technologies agencies use to defend and monitor networks. In this product-rich market, a comprehensive cyber solution stack all too often amounts to a jumble of vendor tools that don't integrate well. What's more, establishing these defensive suites consumes significant time and resources, which limits the Government's ability to adjust tooling over time. Now, as adversaries grow more inventive, the Government's defenses evolve only as quickly as commercial tools advance. Without the flexibility to rapidly field advanced capabilities like AI/ML, federal cyber defenses may be constrained by whatever enhancements vendors choose to make to capabilities that have already been procured.

More broadly, federal agencies are faced with several infrastructure challenges that limit effective fielding of AI/ML, including:

• Data visibility limitations, where data is siloed to specific locations, tools, or vendors
• Procuring duplicative capability, such that an analogous defensive and monitoring suite exists within each platform

When the Federal Government chooses to invest directly in advanced detection tools (e.g., AI/ML), these tools often become deeply intertwined with the commercial platforms used by the agency. This integration limits the Government's ability to retain intellectual property (IP) and consequently hampers the sharing of tradecraft across the federal community. In practice, adversaries attack the Federal Government in diverse ways, including coordinated campaigns against multiple federal networks simultaneously, increasing the need for defenders to unify their defenses. This requires the free exchange of advanced detection capability, AI/ML models, and intelligence across systems and organizations. Because tradecraft is often tightly coupled to commercial tools, distributing these capabilities requires either a common tool procurement for all agencies or the reengineering of tradecraft for each product. The Government is, therefore, confronted with either overly expensive tradecraft-sharing costs or a vendor-lock scenario that disincentivizes commercial innovation.

To fight the adversaries of tomorrow, defensive minds must focus on the development of innovative detection and prevention capabilities. Improving fundamental architectures, establishing common standards, and maturing analytic approaches can make integrating tools and software less cumbersome and free up time for more original thinking. This will improve the solutions of today and help future-proof existing platforms to deliver more advanced capability and tradecraft. As adversaries develop new and nuanced attacks, defenders can train and develop AI/ML to detect the methods used in those attacks, sharing these models across the community to harden all federal networks simultaneously.

A Balanced Approach to Manage Advanced Capabilities

Federal agencies can extract maximum value from commercial offerings while retaining the agility to implement advanced detection capabilities (e.g., AI/ML) without being solely reliant on commercial entities. The key to this equilibrium, where both commercial and noncommercial tools can coexist, is adopting open, modular, and purpose-driven architectures. As illustrated in Figure 1, this architecture centers on two core components:

1. A data broker that channels data flow across multiple systems, so that each sensor publishes once and each platform subscribes to the data it needs
2. A versatile framework for deploying and managing advanced detection tools, like AI/ML, as modular components that run on the broker's data rather than inside any one vendor platform

Figure 1: Comparison of Traditional vs. Modern Data Broker Approach

Traditional approach: multiple and manual data-to-platform connections, where AI and advanced detection capabilities are coupled with the platforms in which they are executed. Each data source (Network, Endpoint, Firewall, Threat Intelligence) is wired separately to each analyst tool (Security Operations Center (SOC), Custom Tools & Dashboards, Long-Term Data Storage, Security Information and Event Management (SIEM)).

Modern approach: a central data broker connects sensor data and platforms, where modular AI and advanced detection capabilities run upstream to downstream platforms. Publishers (Network, Endpoint, Firewall, Threat Intelligence) feed the Data Broker; an AI Deployment Solution attaches to the broker; subscribers (SOC, Custom Tools & Dashboards, Long-Term Data Storage, SIEM) consume from it.
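The two-component architecture above, as an added example that is not from the article or from any Booz Allen system: an in-process publish/subscribe broker in the shape of Figure 1's modern approach. Sensors publish normalized events to topics, a detection module subscribes to raw firewall flows and publishes to its own alerts topic, and downstream platforms (a SIEM, a long-term store) subscribe only to what they need, so the detector can be replaced without touching either the sensors or the SIEM. The topic names, the event schema, the per-host z-score detector (standing in for a trained model) and the sample records are all constructed assumptions for illustration.

```python
"""Added example (not from the article): an in-process publish/subscribe broker
in the shape of Figure 1's modern approach.  Topic names, the event schema, the
detector and the sample records below are all constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable


@dataclass
class Event:
    """One normalized record on the broker (schema assumed for this example)."""
    topic: str    # "raw.firewall", "raw.endpoint", "alerts", ...
    source: str   # which publisher produced it
    payload: dict


class DataBroker:
    """Central data broker: publishers call publish(), subscribers register per
    topic.  Neither side references the other, which is the decoupling that lets
    a detector or a SIEM be swapped without touching the sensors."""

    def __init__(self) -> None:
        self._subs: dict[str, list[Callable[[Event], None]]] = defaultdict(list)

    def subscribe(self, topic: str, handler: Callable[[Event], None]) -> None:
        self._subs[topic].append(handler)

    def publish(self, event: Event) -> None:
        # Iterate over a copy so a handler that subscribes mid-delivery is safe.
        for handler in list(self._subs.get(event.topic, [])):
            handler(event)


class OutboundVolumeDetector:
    """Modular detection capability attached to the broker rather than to a
    vendor platform.  Consumes raw.firewall flows, keeps a per-host baseline of
    bytes_out, and publishes to 'alerts' when a flow exceeds mean + k*stdev.
    A z-score stands in for a trained model here; the seam is the same.
    Scoring starts only after `warmup` flows per host, so a host with no
    history cannot alert on its first record (a naive z-score would divide by
    zero or fire on a single sample)."""

    def __init__(self, broker: DataBroker, k: float = 3.0, warmup: int = 5) -> None:
        self.broker, self.k, self.warmup = broker, k, warmup
        self.history: dict[str, list[int]] = defaultdict(list)
        broker.subscribe("raw.firewall", self.on_flow)

    def on_flow(self, ev: Event) -> None:
        host, bytes_out = ev.payload["src"], ev.payload["bytes_out"]
        hist = self.history[host]
        if len(hist) >= self.warmup:
            mu, sd = mean(hist), pstdev(hist)
            if sd > 0 and (bytes_out - mu) / sd > self.k:
                self.broker.publish(Event("alerts", "outbound_volume_detector", {
                    "src": host, "bytes_out": bytes_out, "baseline_mean": round(mu, 1),
                    "z": round((bytes_out - mu) / sd, 1), "evidence": ev.payload}))
        hist.append(bytes_out)  # learn from every flow, whether or not it alerted


class Sink:
    """Stand-in for a downstream platform (SIEM, long-term store): records what
    arrived on each topic it subscribed to."""

    def __init__(self, broker: DataBroker, topics: list[str]) -> None:
        self.received: dict[str, list[Event]] = defaultdict(list)
        for topic in topics:
            broker.subscribe(topic, lambda ev: self.received[ev.topic].append(ev))


# Constructed sample telemetry, not real logs: one host with a stable baseline
# and a single exfil-sized spike, one host still in warmup, and an endpoint
# record the detector never sees because it subscribes only to raw.firewall.
SAMPLE_FLOWS = [{"src": "10.0.0.5", "dst": "203.0.113.7", "bytes_out": b}
                for b in (1000, 1100, 1050, 1200, 1150, 1180, 50000)]
SAMPLE_FLOWS.append({"src": "10.0.0.9", "dst": "203.0.113.7", "bytes_out": 90000})
SAMPLE_ENDPOINT = [{"host": "ws-17", "process": "powershell.exe", "ppid": 4120}]


def run_demo() -> dict[str, Sink]:
    """Wire the pieces together and replay the sample telemetry; returns the sinks."""
    broker = DataBroker()
    OutboundVolumeDetector(broker)                 # detection module on the broker
    siem = Sink(broker, ["alerts"])                # SIEM wants only alerts
    store = Sink(broker, ["raw.firewall", "raw.endpoint", "alerts"])  # keeps everything
    for rec in SAMPLE_FLOWS:
        broker.publish(Event("raw.firewall", "firewall", rec))
    for rec in SAMPLE_ENDPOINT:
        broker.publish(Event("raw.endpoint", "endpoint", rec))
    return {"siem": siem, "store": store}


if __name__ == "__main__":
    for alert in run_demo()["siem"].received["alerts"]:
        print(alert.payload)
```

The point to notice is where the detector lives: it is a subscriber and a publisher like any other component, so swapping the z-score for a trained model, or sharing the module with another agency that runs a different SIEM, changes nothing on the sensor side or the analyst-tool side. The long-term store keeps raw events alongside alerts so a model can later be retrained on exactly the data it was scored against.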


VELOCITY | © 2023 BOOZ ALLEN HAMILTON
