Role of Trust in Intelligence Sharing and Automated Operations I

  • TYPE: Combined Session DATE: Thursday, October 10, 2019 TIME: 13:00-14:00 LOCATION: Murrow-White-Lisagor


Organizations are expanding the use of automation and orchestration in their security operations. An indication of this is the sharp rise in the adoption of Security Orchestration Automation and Response (SOAR) platforms. The security of these platforms is a key concern, and in particular the security of Application Programming Interface (API) keys used by both the SOAR platform and Security Operations Center personnel. Exposing the APIs of security tools is crucial to permitting automation and orchestration; however, it is equally important to secure the usage of these capabilities. This presentation highlights methods for securing API usage and ways to remediate compromised API keys.

Security Orchestration Automation and Response (SOAR) adoption is predicted to rise from 1% to 15% from 2018-2020. This rapid growth is currently being realized through the explosion of options available within the SOAR marketplace. Organizations are adopting SOAR in order to keep up with the speed and scale of threats in the current cyber landscape. SOAR platforms are becoming a hub within the stack of security tools employed by an organization. This adoption is also driving the increased exposure of features from security tools via Application Programming Interfaces (APIs). These APIs are crucial to permitting the automation and orchestration of security operations; however, exposing these capabilities creates a new attack surface that attackers can exploit. To help address this concern, the Integrated Adaptive Cyber Defense (IACD) program has conducted research to identify best practices for API security. As automation takes on an increasingly large role in cyber defense, it is important for organizations to secure these new capabilities to ensure they are not abused.

Through our initiatives and pilots in various critical infrastructure sectors, IACD has found that most SOAR platforms provide basic mechanisms to protect API keys. However, IACD believes that the usage and security of these APIs is often overlooked, and more should be done to secure them. Recent findings show that many of these keys are issued and used with more access than the specific task requires, and are occasionally distributed widely throughout an enterprise's infrastructure. There have also been instances where API keys were compromised by attacks and used by cyber attackers to access sensitive data.

This talk will provide a summary of recent research and current industry best practices to protect API usage through gaining visibility to all API requests, rapid banning and re-issue of compromised API keys, controlling which requests an API may issue based on the asset making the request, and controlling which assets are allowed to use which API key for specific requests. A Q&A session with the audience will be held at the end to discuss current concerns with API security.

This talk will be provided by the IACD integration team, which has hands-on experience with a large variety of SOAR solutions and has been developing capabilities for security orchestration and cyber information sharing since 2014. IACD has continuously provided impartial technical guidance for all enterprises and has been instrumental in the creation of a large community throughout academia, industry, and critical infrastructure to further the use and development of the IACD framework.

Attendees will learn techniques to address the risks that come with the rising convenience of automation, and the difference between proactive and reactive automation practices, which will help mitigate current security gaps faced by organizations with and without security automation.

Key take-aways:
Attendees will learn best practices for managing API usage through the use of an API gateway. Additionally, remediation methods will be explored to address compromised access of security tools via stolen API keys.
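The four controls the abstract lists (visibility into every API request, rapid banning and re-issue of a compromised key, limiting which requests a key may make, and binding a key to the asset allowed to present it) can all be enforced at one choke point in front of the tool APIs. The following is an added illustration written for this page; it is not code from the talk, from IACD, or from any SOAR product. The key format (`key_id.secret`), the scope names such as `siem:search` and `edr:isolate_host`, and the asset names are assumptions made for the demonstration; a real gateway would persist the key records and forward the audit log to the SIEM.

```python
"""Minimal API-gateway policy layer placed between callers (SOAR playbooks,
analysts) and the security-tool APIs they invoke.

Added example, not code from the talk or from IACD. Key format, scope
names and asset names are assumptions for the demonstration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyRecord:
    key_id: str
    secret_hash: bytes          # only a hash of the secret is stored, never the secret
    asset: str                  # the one asset allowed to present this key
    scopes: frozenset           # actions this key may request, e.g. "siem:search"
    revoked: bool = False
    issued_at: float = field(default_factory=time.time)


@dataclass
class Decision:
    allowed: bool
    reason: str
    key_id: Optional[str] = None


class ApiGateway:
    """Every call to a tool API passes through authorize(), so the gateway
    sees all requests and can apply one policy to all of them."""

    def __init__(self) -> None:
        self._keys: dict = {}
        self.audit_log: list = []   # visibility: every request lands here, allowed or not

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, asset: str, scopes: set) -> str:
        """Create a key bound to one asset with only the scopes that task needs.
        Returns the raw key as 'key_id.secret'; the secret is not retained."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = KeyRecord(key_id, self._hash(secret), asset, frozenset(scopes))
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        """Ban a compromised key immediately; later requests with it are denied."""
        self._keys[key_id].revoked = True

    def rotate(self, key_id: str) -> str:
        """Revoke a key and re-issue an equivalent one to the same asset."""
        old = self._keys[key_id]
        self.revoke(key_id)
        return self.issue(old.asset, set(old.scopes))

    def authorize(self, raw_key: str, asset: str, action: str) -> Decision:
        """Evaluate a request and record the outcome in the audit log."""
        decision = self._evaluate(raw_key, asset, action)
        self.audit_log.append({"ts": time.time(), "asset": asset, "action": action,
                               "key_id": decision.key_id, "allowed": decision.allowed,
                               "reason": decision.reason})
        return decision

    def _evaluate(self, raw_key: str, asset: str, action: str) -> Decision:
        key_id, _, secret = raw_key.partition(".")
        record = self._keys.get(key_id)
        if record is None or not hmac.compare_digest(record.secret_hash, self._hash(secret)):
            return Decision(False, "unknown key or bad secret", key_id or None)
        if record.revoked:
            return Decision(False, "key revoked", key_id)
        if record.asset != asset:                  # key presented from the wrong asset
            return Decision(False, "key not bound to this asset", key_id)
        if action not in record.scopes:            # request outside the key's scope
            return Decision(False, "action outside key scope", key_id)
        return Decision(True, "ok", key_id)

    def suspicious_keys(self) -> set:
        """Key ids seen from an asset they are not bound to: a sign the key
        has leaked, and the first candidates for revoke()/rotate()."""
        return {e["key_id"] for e in self.audit_log
                if e["reason"] == "key not bound to this asset" and e["key_id"]}


if __name__ == "__main__":
    gw = ApiGateway()
    playbook_key = gw.issue("soar-01", {"siem:search"})          # least scope for a search playbook
    print(gw.authorize(playbook_key, "soar-01", "siem:search"))   # allowed
    print(gw.authorize(playbook_key, "soar-01", "edr:isolate_host"))  # denied: outside scope
    print(gw.authorize(playbook_key, "laptop-42", "siem:search"))     # denied: wrong asset
    for key_id in gw.suspicious_keys():                           # remediate the leaked key
        playbook_key = gw.rotate(key_id)
    print(gw.authorize(playbook_key, "soar-01", "siem:search"))   # new key works, old one does not
```

The design choice worth noting is that the gateway denies on asset mismatch rather than merely logging it: a valid secret presented from the wrong host is itself the indicator of compromise, and `suspicious_keys()` turns those denials directly into the list of keys to rotate.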



Several years ago, aviation OEMs began creating cryptographically signed parts (called Loadable Software Aircraft Parts, LSAP) to be installed onboard an aircraft; this was true not only for the latest e-Enabled aircraft such as the Boeing 737MAX/787 Dreamliners or Airbus A220s, but also for older aircraft such as the Airbus 319s, and it includes software updates, configurations, and carrier-specific data such as thrust control and navigation data.

While LSAPs maintain the integrity of onboard components and assure that aircraft are safe to operate and that changes come only from a valid and authorized source, they also introduced several potential issues for aircraft operators. You might even ask how one compares aviation to ICS. Well...

Compared with the ICS/SCADA and critical infrastructure world, aircraft share many commonalities such as uptime, safety, reliability, third-party vendors and more. In fact, there are hundreds of embedded parts onboard each aircraft, which might even be seen as roaming "sites" that require the utmost rigor when managing, operating, and maintaining. Therefore, it might be fair to assume that aviation arrived at signed firmware before the ICS/critical infrastructure world.

Unfortunately, the advent of new secure industrial devices is upon us with standards such as ISA-62443, and so many of the shortfalls and challenges that are present when dealing with large-scale Public Key Infrastructure (PKI), certificates, signing, part/firmware/project stores and skills/resources will likely rear their heads in the near future for asset owners. It is here that we, as a community, need to create solutions that automate, minimize solution overhead, and properly enable critical infrastructure operators to employ adequate security when managing cryptographic primitives, lists, and secure files.

This session is dedicated to:

  • helping asset owners, product owners, integrators and any other interested party learn from known challenges in the secure firmware/document/PKI world as it relates to critical infrastructure
  • providing insight and discussion that allow them to safely navigate those challenges as they deploy a product (and related infrastructure) that utilizes these new security features, using a parallel based on a real-world aviation use case.



Washington, D.C. - USA


CyberNext Summit 2019

  • Oct 08 - 10, 2019 Washington, D.C. - USA