<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Federated Cybersecurity Policy Arbitration</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Gregory Wehner</string-name>
          <email>gregory.wehner@nrl.navy.mil</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>James Rowell</string-name>
          <email>james.rowell@nrl.navy.mil</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Joseph Langley</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Joseph Mathews</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>US Naval Research Laboratory, Center for High Assurance Computer Systems</institution>
          ,
          <addr-line>4555 Overlook Ave SW, Washington, DC 20375; Phone: 202.404.0592; Fax: 202.404.7942</addr-line>
          ,
          <country country="US">USA</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Federation promotes a strong cybersecurity posture for inherently decentralized networks. Dictating cybersecurity policy through traditional top-down approaches has engendered stagnation in network defense as cybersecurity personnel become preoccupied with compliance rather than the intent of the policy. Permitting variations of policy among network enclaves protects local mission function and increases the potential for innovation across the organization when integrated into cybersecurity baselines. Federation gives network enclaves the freedom to exercise their authority to respond to local threats and promotes ownership of their network, without diminishing the benefits of cybersecurity baselines. This federated model paves the way for an automated defense matrix in which independent, autonomous agents evaluate network data to create actionable cybersecurity policy to be shared, modified, and deployed among a web of other agents in near real time. Federated security policies promote a resilient posture through heterogeneous defense in breadth, while creating an internal mechanism for continuous adaptation and innovation in security approaches. Federation should be a core design tenet for cybersecurity technology.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>INTRODUCTION</title>
      <p>
        Networks are not under attack; they are under siege. Industry
trends towards orchestration and automation challenge large
organizations that are effectively a patchwork of diffuse
networks. For such organizations, strategies that rely on
unified enterprise solutions run the risks of micromanaging
network enclaves and creating a weak homogeneous
cybersecurity posture [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. At the same time, such strategies
are critical to securing the network by providing baseline
policies: rules for network access, secure configuration
guidance, common defense architecture, acceptable software
and hardware offerings, and continuous updates to known
vulnerabilities. The practical expression of this tension
occurs when global security policy degrades local mission
function or when a global policy fails to address a discrete
localized risk. A federated approach to network defense
resolves these conflicts.
      </p>
    </sec>
    <sec id="sec-2">
      <title>FEDERATION</title>
      <p>
        Recently, Federation has been regarded as the notion of
creating interoperability between disparate information
systems [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ], [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. With respect to cybersecurity, we expand
upon this notion to define Federation as a method to arbitrate
among independent enclaves of a distributed network.
In enterprise technologies evolved from manager/sensor
architectures, policy is created at the top of the organization
and subordinate enclaves are limited to redistribution and
consumption. If a conflict occurs between a policy and
subordinate mission function, a network enclave has few
options. The enclave can isolate itself from the policy
creators or apply the policy and accept the degraded function
until the policy or the mission is altered.
The enclave may also create new policy to address local risks
not covered by the baseline. This shift returns focus to local
ownership, without diminishing the relevance of
cybersecurity baselines.
      </p>
      <p>[Figure: A mission conflict or a local threat not addressed by the global policy]</p>
      <p>Cybersecurity personnel at network enclaves spend time and
effort implementing cybersecurity baseline requirements
(i.e. checking boxes). However, local attributes such as
mission, location, personnel, asset value, and external
partnerships are all unique factors that contribute to risk at
an enclave. These factors change frequently, making it
difficult for an organization to address every risk with a
cybersecurity baseline. Yet rather than creating policy
aligned to the risk profile at their enclave, cybersecurity
personnel are preoccupied with administrative tasks. This
has promoted stagnation, with cybersecurity personnel
disengaged from active defense.</p>
      <p>Federation resolves stagnation through promotion of
innovation and adaptation. When a network enclave
encounters a mission conflict or a localized risk, Federation
supports the enclave’s authority to modify or create new
policy. Given the breadth of talent within the enclaves, it is
likely that a solution to a local conflict will provide benefits
throughout the organization. While not all adaptations will
be relevant beyond the local enclave, analysis of this
feedback provides a heterogeneous source of innovation that
engages cybersecurity personnel in defending their enclaves
and fosters resilience throughout the organization.</p>
    </sec>
    <sec id="sec-3">
      <title>JURISDICTION</title>
      <p>Federation enables network enclaves to defend themselves
according to their authority. This extension of responsibility
to the enclave reinforces accountability amongst
cybersecurity personnel, as attributable successes and
failures invest all in creating a strong defensive posture.
Federation does not infringe on the benefits of cybersecurity
baselines. Enclaves without the resources to tailor baseline
policy to their unique risk profile would simply implement
it as-is.</p>
      <p>Federation is not a call for anarchy, nor are we advocating
that each operator or enclave have blanket authority to
change or reject policy. Federation does not grant authority.
Organizations under Federation will continue to structure
their networks as strictly or loosely as their guiding bodies
determine. For example, a federated network may behave
similarly to a judicial appeals process: challenges to global law
are heard by local authorities, work their way up to regional
bodies, and eventually may be integrated as global
amendments.</p>
      <p>boundaries invisible to the client does not remove them. Risk
deferred is still risk, and a federated approach applies to
Cloud and SECaaS providers alike. Wherever an
organization has internal policy conflicts, Federation will be
a viable strategy.</p>
      <p>
        Extending more responsibility to local enclaves requires
resources for training and specialized talent, outside of those
required to create cybersecurity baselines. An untrained
cyber workforce at one network enclave threatens the
security of the whole network. Yet, with billions spent
annually on cyber defense [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], cybersecurity incidents
continue to rise at an alarming rate [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]. The current
approach to cybersecurity has become stagnant, and without
a shift, the return on investment on cybersecurity will
diminish.
      </p>
      <p>
        Adaptations are only relevant if they are vetted, presenting a
strain on the global creators and potentially introducing as
many failures as successes – if they are implemented at all.
While this culture shift will doubtless come with a learning
curve, sourcing innovation from all levels of an organization
has proven successful at technology companies such as
Google [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] and Amazon [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. As the Federation is refined at
an organization, best practices will emerge to optimize the
method and format of communicating policy, streamlining
the vetting process and shortening the time to distribute new
ideas.
      </p>
      <p>
        A federated organization is harder to direct from a central
governing body, as each enclave exercises its independent
authority. A homogeneous network is simpler to manage than
one where each enclave has a unique defense policy. To the
former, the organization determines how much authority the
federated enclaves have. However, if an enclave has
authority, it should be trusted to exercise it. To the latter,
being simpler to manage does not translate into being
simpler to secure. "Just like genetic diversity, which
prevents an epidemic from wiping out a whole species at
once, diversity in software is a good thing." [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]
      </p>
    </sec>
    <sec id="sec-4">
      <title>LOOKING AHEAD</title>
      <p>
        The cybersecurity marketspace is becoming increasingly
automated [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], with artificial intelligence and machine
learning techniques being introduced into anomaly detection
and predictive analytic applications across the spectrum of
cybersecurity solutions. Future autonomous agents will
analyze data from throughout the enclave: network traffic,
vulnerability scans, log files, behavior models, etc. Agents
will search the data for indicators of attacks and weaknesses
in the enclave's cyber defense posture. As the agents become
trusted in identifying attack vectors, they will be deployed to
author cybersecurity policy to quickly pivot resources and
strengthen the cyber defense posture. Such policy will be an
invaluable source of threat intelligence and shared with
designated enclaves throughout the organization. These
enclaves will correlate the intelligence with their own data –
weighted on factors such as proximity, network similarity,
organizational relation, and source authority. This will form
a resilient, symbiotic defense matrix.
      </p>
      <p>Federation paves the way for these defense matrices to share
policy with the organization. As autonomous cybersecurity
solutions become more prevalent, the concerns about
Federation will become less relevant and the benefits more
apparent. In order to promote persistent resilience in network
defense and to prepare for the reality of autonomous
cybersecurity, Federation must become a core design tenet
in cybersecurity technologies and organizational structures
going forward.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>J.</given-names>
            <surname>Cobb</surname>
          </string-name>
          ,
          <article-title>“Centralized Execution, Decentralized Chaos: How the Air Force Is Poised to Lose a Cyber War,”</article-title>
          <source>Air &amp; Space Power Journal</source>
          , Summer
          <year>2011</year>
          , pp.
          <fpage>81</fpage>
          -
          <lpage>86</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>N.</given-names>
            <surname>Suri</surname>
          </string-name>
          et al.,
          <article-title>“A Dynamic and Policy-Controlled Approach to Federating Information Systems,”</article-title>
          <source>Proc. 2010 Military Communications Conference (MILCOM 2010)</source>
          ,
          <year>2010</year>
          , DOI: 10.1109/MILCOM.2010.5680377.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>M.</given-names>
            <surname>Brannsten</surname>
          </string-name>
          et al.,
          <article-title>“Toward Federated Mission Networking in the Tactical Domain,”</article-title>
          <source>IEEE Communications Magazine</source>
          , vol.
          <volume>53</volume>
          , no.
          <issue>10</issue>
          ,
          <year>2015</year>
          , pp.
          <fpage>52</fpage>
          -
          <lpage>58</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4] Gartner, Inc.,
          <article-title>“Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016,”</article-title>
          Aug.
          <year>2016</year>
          ; www.gartner.com/newsroom/id/3404817
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <article-title>“Federal Information Security: Actions Needed to Address Challenges,”</article-title>
          <source>US Government Accountability Office report GAO-16-885T</source>
          , 19 Sept.
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <source>Verizon 2016 Data Breach Investigations Report</source>
          , tech. report, Verizon,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>A.</given-names>
            <surname>Steiber</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Alänge</surname>
          </string-name>
          ,
          <article-title>“A corporate system for continuous innovation: the case of Google, Inc.,”</article-title>
          <source>European Journal of Innovation Management</source>
          , vol.
          <volume>16</volume>
          , no.
          <issue>2</issue>
          ,
          <year>2013</year>
          , pp.
          <fpage>243</fpage>
          -
          <lpage>264</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>J.</given-names>
            <surname>Dyer</surname>
          </string-name>
          and
          <string-name>
            <given-names>H.</given-names>
            <surname>Gregersen</surname>
          </string-name>
          ,
          <article-title>“The Secret To Unleashing Genius,”</article-title>
          <source>Forbes</source>
          , Sept. 2,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>C.</given-names>
            <surname>Stoll</surname>
          </string-name>
          ,
          <article-title>The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage</article-title>
          , Pocket Books,
          <year>1990</year>
          , p.
          <fpage>58</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <article-title>State of Security Operations: 2016 report of capabilities and maturity of cyber defense organizations, business white paper</article-title>
          ,
          <source>Hewlett Packard Enterprise</source>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>E.</given-names>
            <surname>Rzeszutko</surname>
          </string-name>
          and
          <string-name>
            <given-names>W.</given-names>
            <surname>Mazurczyk</surname>
          </string-name>
          ,
          <article-title>“Insights from Nature for Cybersecurity,”</article-title>
          <source>Health Security</source>
          , vol.
          <volume>13</volume>
          , no.
          <issue>2</issue>
          ,
          <year>2015</year>
          , pp.
          <fpage>82</fpage>
          -
          <lpage>87</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <article-title>“The DoD Cyber Strategy,”</article-title>
          US Department of Defense, April
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>P.</given-names>
            <surname>Small</surname>
          </string-name>
          ,
          <article-title>Defense in Depth: An Impractical Strategy for a Cyber World</article-title>
          ,
          <source>CreateSpace Independent Publishing Platform</source>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>