NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed

Security experts, vendors, businesses and the NSA are developing a standardized language that, rather than merely identifying threats, acts on them automatically.

NEW YORK–The dynamics of a cyberattack often include speed, automation and adaptive tradecraft. Mounting an effective defense, however, isn’t always fast enough. To help even the score, a group led by the National Security Agency called OpenC2.org is developing an open, standardized computer language for the command and control of computer defenses.

“The attackers are attacking at the speed of light, and the defenders are defending at the speed of lawyers. We have to change that,” said Duncan Sparrell, OpenC2.org member and consultant with SFractal Consulting.

Speaking at the Borderless Cyber conference today, Sparrell said attackers have the upper hand as security experts, vendors and businesses struggle to coordinate and streamline fast defenses.

“OpenC2.org is advocating automated command and control. It is the single biggest thing missing in the industry today,” he said.

OpenC2 is a language that enables the coordination and execution of command and control of defense components between domains and within a domain. OpenC2.org is the organization promoting the idea. The group has 88 members, representing 50 companies and government agencies including Bank of America, Cisco and Zepko, a UK-based managed security provider.

Two open standards, STIX and TAXII, already exist, but Sparrell points out that their focus is on identifying and sharing threat information, not on taking action.

“STIX and TAXII complement what we are doing,” he said. Industry coordination on identifying threats is the easy part. In an industry dominated by vendors selling defensive products, Sparrell said, an open platform that automates actions is harder to achieve than across-the-board industry buy-in on threat identification.

Sparrell explains that OpenC2 allows companies to move at machine speed and complements vendor solutions. It is a deliberately limited language: it only conveys an action to be taken, as one step in a vendor's cybersecurity process, and it does not describe how the vendor product carries that action out. It is about which action to take, based on what the event trigger is.

The goal is working with the cybersecurity industry to standardize interfaces and protocols that enable interoperability of different tools, he said.
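The action-on-trigger pattern described above, as an added example that is not OpenC2.org's, Sparrell's or any vendor's code: an orchestrator maps a detection event to a command that says only what to do (an action) and to what (a target), and an actuator validates the command and answers with a status. The message layout used here (one action, exactly one target, optional args, HTTP-style status codes in the response) follows the OASIS OpenC2 Language Specification v1.0 that was published after this article; the event format, the trigger-to-action policy and the set of actions the actuator supports are assumptions made for the illustration.

```python
import json
from typing import Any

# Hypothetical actuator capability table: which action/target pairs this
# actuator implements. A packet filter might only know ipv4_net; a web proxy
# might only know uri. Anything outside the table is refused, not guessed at.
SUPPORTED = {
    "deny": {"ipv4_net", "uri"},
    "allow": {"ipv4_net"},
}


def command_for_event(event: dict[str, Any]) -> dict[str, Any]:
    """Orchestrator side: translate a local detection event into an OpenC2-style
    command. The event dict is a constructed, hypothetical alert format; the
    mapping below is the policy 'which action to take for which trigger'."""
    kind = event["kind"]
    if kind == "phishing_url":
        action, target = "deny", {"uri": event["url"]}
    elif kind == "c2_beacon":
        # Block the beaconing host as a /32 at the packet filter.
        action, target = "deny", {"ipv4_net": f"{event['src_ip']}/32"}
    else:
        raise ValueError(f"no response policy for event kind {kind!r}")
    return {
        "action": action,
        "target": target,
        "args": {"response_requested": "complete"},
    }


def handle_command(raw: str) -> dict[str, Any]:
    """Actuator side: parse a JSON command off the wire, validate its shape,
    and return an OpenC2-style response. The actuator never executes an action
    it does not explicitly support, and malformed input is rejected rather than
    partially acted upon."""
    try:
        cmd = json.loads(raw)
    except json.JSONDecodeError:
        return {"status": 400, "status_text": "malformed JSON"}

    action = cmd.get("action")
    target = cmd.get("target")
    if not isinstance(action, str) or not isinstance(target, dict) or len(target) != 1:
        return {"status": 400,
                "status_text": "command needs one action and exactly one target"}

    (target_type, target_value), = target.items()
    if action not in SUPPORTED:
        return {"status": 501, "status_text": f"action {action!r} not implemented"}
    if target_type not in SUPPORTED[action]:
        return {"status": 501,
                "status_text": f"target {target_type!r} not supported for {action!r}"}

    # A real actuator would now install a firewall rule or proxy block; here
    # the decision is only recorded in the response.
    return {"status": 200, "status_text": f"{action} {target_type}={target_value} applied"}


def respond_to_event(event: dict[str, Any]) -> dict[str, Any]:
    """Full round trip: event -> command -> JSON on the wire -> actuator response."""
    return handle_command(json.dumps(command_for_event(event)))


if __name__ == "__main__":
    # Constructed sample events for a demonstration run.
    for ev in ({"kind": "phishing_url", "url": "http://example.test/login"},
               {"kind": "c2_beacon", "src_ip": "203.0.113.7"}):
        print(json.dumps(command_for_event(ev)), "->", respond_to_event(ev))
    print(handle_command('{"action": "scan", "target": {"ipv4_net": "10.0.0.0/8"}}'))
```

The point of the narrow vocabulary is interoperability: the orchestrator does not need to know whether the actuator is a firewall or a proxy, only that it accepts "deny" for a given target type, and an actuator that receives something it cannot do says so with a 501 instead of silently ignoring it.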

Although OpenC2 is still under development, it already has a few flagship users, such as Zepko and Phantom Cyber. Sparrell said OpenC2 helped Phantom Cyber save $1 million on stopping phishing attacks.

“Yes it’s being deployed, yes it’s being adopted, but no it’s not fully standardized and it’s still in development,” he said.

This month the OpenC2.org took an important step toward becoming an industry standard and is now under the umbrella of the Organization for the Advancement of Structured Information Standards, or OASIS — a nonprofit international consortium that develops open IT standards. OASIS is hosting this week’s Borderless Cyber conference.
