RA.L3-3.11.3e  

Reference: CMMC v2.13

Family: RA

Level Introduced: 3

Title: Advanced Risk Identification

Practice:
Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.

Further Discussion:
Advanced automation includes tools to correlate and reduce the cyber data overload created by defensive tools, making the data understandable to the analyst. Automation also allows the defensive mechanisms to respond rapidly when adversary events are identified. Examples of such capabilities are SIEM; Security Orchestration, Automation, and Response (SOAR); and Extended Detection and Response (XDR) tools. An example of an automated rapid response action is a security alert being pushed to the SIEM while the organization’s SOAR solution communicates to the network firewall to block communications to the remote system identified in the security alert.

SIEM is primarily a log collection tool intended to support data storage and analysis. It collects and sends alerts to security personnel for further investigation. SOAR is a software stack that enables an organization to collect data about security threats and respond to security events without human assistance in order to improve security operations. Orchestration connects and integrates disparate internal and external tools. Automation, fed by the data and alerts collected from security orchestration, ingests and analyzes data and creates repeated, automated responses. SOAR incorporates these capabilities based on the SIEM data and enables disparate security tools to coordinate with one another. SOAR can use artificial intelligence to predict and respond to similar future threats, if such tools are employed.

XDR streamlines security data ingestion, analysis, prevention, and remediation workflows across an organization’s entire security stack, providing a single console to view and act on threat data. However, the presence of these tools by themselves does not necessarily provide an advanced capability. It is essential that the security team employ critical thinking in support of the intrusion detection and threat hunting processes.

Example
You are responsible for information security in your organization. The organization holds and processes CUI in an enterprise. To protect that data, you want to minimize phishing attacks through the use of Security Orchestration and Automated Response (SOAR). Rather than relying on analysts to manually inspect each inbound item, emails containing links and/or attachments are processed by your automation playbook. Implementation of these processes involves sending all email links and attachments to detonation chambers or sandboxes prior to delivery to the recipient. When the email is received, SOAR extracts all URL links and attachments from the content and sends them for analysis and testing [a]. The domains in the URLs and the full URLs are processed against bad domain and URL lists. Next, a browser in a sandbox downloads the URLs for malware testing. Lastly, any attachments are sent to detonation chambers to identify if they attempt malicious activities. The hash of the attachments is sent to services to identify if it is known malware [b]. If any one of the items triggers a malware warning from the sandbox, detonation chamber, domain/URL validation service, attachment hash check services, or AV software, an alert about the original email is sent to team members with the recommendation to quarantine it. The team is given the opportunity to select a “take action” button, which would have the SOAR solution take actions to block that email and similar emails from being received by the organization [c].

Potential Assessment Considerations
• Has the organization implemented a security information and event management system [a,c]?
• Has the organization implemented security orchestration, automation, and response tools [a,b,c]?
• Does the organization use automated processing integrated with the SIEM system to perform analytics [c]?
• Can the organization demonstrate use of relevant threat data to inform detection methods that in turn provide automated alerts/recommendations [c]?
• Has the organization implemented an extended detection capability [c]?
• Does the organization have the ability to merge traditional cyber data, such as network packet captures (e.g., PCAP), or process logs with enrichment data, such as reputation or categorization data [c]?
• Can the organization provide examples of both basic and emerging analytics used to analyze alert anomalies, e.g., both simple queries and unsupervised machine learning algorithms that both improve their effectiveness and automatically filter, reduce, or enrich alerting capabilities [c]?

Source: CMMC v2.13