Top 10 Blog Posts of 2021

Every January on the SEI Blog, we present the 10 most-visited posts of the previous year. This year’s list of top 10 is presented in reverse order and features posts published between January 1, 2021, and December 31, 2021.

10. Top 10 Considerations for Effective Incident Management Communications

by Brittany Manley

Communications are essential to the overall sustainability and success of cybersecurity centers and incident management teams, both in times of crisis and during normal operations. Due to the importance of communications, and the fact that communications planning is often overlooked, the SEI developed the Guide to Effective Incident Management Communications as a resource for cybersecurity centers and incident response organizations looking to improve their communications planning and activities. This blog post is adapted from that guide and provides 10 considerations for effective communications planning, as well as considerations and best practices for communications responsibilities in support of incident response services.

Cybersecurity centers and incident response teams focus on mitigating threats by identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents. These teams may be responsible for many different types of communications, ranging from communications with constituents to sharing information with the general public and the media. How organizations plan for and manage these communications and how they are received will influence trustworthiness, reputation, and ultimately the organization’s ability to perform incident management services effectively. The guide provides considerations for various types of communications, including constituent, media, and crisis communications. It addresses best practices for the dissemination of timely and accurate information, including organizational considerations, types of communication and content, and examples of what should be included within communications plans.
Read the entire post.

9. Benefits and Challenges of SOAR Platforms

by Angela Horneman and Justin Ray

Network and defense analysts are facing increasing numbers of security alerts and, as a result of fielding those alerts, burnout. Dark Reading reported that the average security operations center (SOC) receives 10,000 alerts each day from layer upon layer of monitoring and detection products. While the cyber threat landscape is marked by an upward trending number of actors, network and defense analysts must also contend with ever-increasing numbers of false positives (sometimes at rates as high as 80 percent). Due to resource constraints on already overwhelmed analysts, many alerts are ignored, and, according to a recent report, less than 10 percent of alerts are actively investigated.

Security orchestration, automation, and response (SOAR) platforms, a term first coined by Gartner, refer to “technologies that enable organizations to collect inputs monitored by the security operations team. For example, alerts from the SIEM system and other security technologies—where incident analysis and triage can be performed by leveraging a combination of human and machine power—help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.” It enables already overwhelmed network and defense analysts to compile threat-related data from various disparate sources and then use machine learning to automate responses to low-level threats. SOAR was one of the initial products aimed at easing the burden not only on security operations center (SOC) analysts, but on other security professionals such as security information and event management (SIEM) operators, threat hunters, and compliance managers. In this blog post, we introduce and analyze SOAR platforms, which help analysts deal with alert fatigue.
Read the entire post.

8. How to Use CMMC Assessment Guides

by Douglas Gardner

To receive certification under the Cybersecurity Maturity Model Certification (CMMC) 1.0 program, Department of Defense (DoD) contractors must successfully complete a third-party assessment. The DoD has released two CMMC assessment guides, the fundamental tools for both assessors and contractors to evaluate adherence to the CMMC framework. This blog post is intended for DoD contractors looking for additional clarification as they prepare for a CMMC assessment. It will walk you through the assessment guides, provide basic CMMC concepts and definitions, and introduce alternate descriptions of some practices. The goal is to help those unfamiliar with cybersecurity standards to better understand the CMMC practices and processes.

CMMC is a certification program to improve supply-chain security in the defense industrial base (DIB). Eventually, the DoD will require that all DIB companies be certified at one of the five CMMC levels, which include both technical security controls and maturity processes laid out in the Cybersecurity Maturity Model framework.
Read the entire post.

7. Taking DevSecOps to the Next Level with Value Stream Mapping

by Nanette Brown

This post explores the relationship between DevSecOps and value stream mapping, both of which are rooted in the Lean approach to systems and workflow. It also provides guidance on preparing to conduct value stream mapping within a software-intensive product development environment.

If the focus of post-waterfall software engineering could be summed up in one word, it would be flow, which focuses on reducing the time for items of customer value (e.g., features) to move from concept to deployment. Lean software development, DevSecOps, and value stream management all consciously orient their principles and practices around flow optimization. Although Agile software methods don’t often mention flow explicitly, flow optimization is implicit in Agile’s focus on the incremental delivery of value and the use of empowered, cross-functional teams to minimize impediments and delays.

Flow is an intuitively accessible concept. Rivers flow unless impeded by dams or rock formations. Our minds in a state of flow are unimpeded, focused, and energized. Software development is not concerned with the flow of water or internal consciousness but rather with the flow of value to customers and end users. By focusing on flow, we aim to achieve value as soon as possible and to eliminate any impedance or friction. Iterative and incremental development, continuous integration and delivery, minimum viable product, and minimum viable capability release all have the rapid flow of value as their raison d’être.

A focus on flow underlies and unifies the topics discussed in this post. Value streams and DevSecOps are rooted in the premise that organizational boundaries should be subsumed in the pursuit of flow. Value stream mapping provides a framework for identifying existing barriers to flow and designing a future state in which value flows more freely.
Read the entire post.

6. Remote Work: Vulnerabilities and Threats to the Enterprise

by Phil Groce

For many organizations, COVID-19 dramatically changed the risk calculation for remote work. In January 2020, many enterprises viewed remote work with skepticism; by March, the choice for many was to become a remote-first enterprise or to shut down.

As one might expect, embracing long-resisted technologies and practices has been chaotic for many, with actions dictated primarily by urgency. By now, most enterprises, to the surprise of some, have successfully adapted to the new environment. A few, such as Twitter and Slack, have even reinvented themselves by choosing to make their remote enterprises permanent.

As the urgent threat to business continuity has receded, some IT staff and other stakeholders are finding time to ask themselves other important questions: How has this change in the way we work altered our security posture? How has it changed our attack surface, and what should we be doing to defend it? In this blog post, I explore the answers to these questions.
Read the entire post.

5. A Framework for DevSecOps Evolution and Achieving Continuous-Integration/Continuous-Delivery (CI/CD) Capabilities

by Lyndsi Hughes and Vanessa Jackson

The benefits of operating a development environment with continuous-integration and continuous-delivery (CI/CD) pipeline capabilities and DevSecOps practices are well documented. Leveraging DevSecOps practices and CI/CD pipelines enables organizations to respond to security and reliability events quickly and efficiently and to produce resilient and secure software on a predictable schedule and budget. Although the decision by management to adopt this methodology may be easy, the initial implementation and ongoing improvement of the methodology can be challenging and could result in incomplete adoption or ineffective implementation.

In this and a series of future blog posts, we provide a new framework to guide organizations in the planning and implementation of a roadmap to functional CI/CD pipeline capabilities.

This framework builds on well-established applications of DevSecOps principles and provides additional guidance for applying DevSecOps principles to infrastructure operations in an on-premises computing environment by providing an ordered approach toward implementing critical practices in the stages of adoption, implementation, improvement, and maintenance of that environment. The framework also focuses on the leverage of automation throughout the process.
Read the entire post.

4. Architecting the Future of Software Engineering: A Research and Development Roadmap

by Anita Carleton, John Robert, Mark Klein, Doug Schmidt, Forrest Shull, John Foreman, Ipek Ozkaya, Robert Cunningham, Charlie Holland, Erin Harper, and Edward Desautels

Software is vital to our country’s global competitiveness, innovation, and national security. It also ensures our modern standard of living and enables continued advances in defense, infrastructure, healthcare, commerce, education, and entertainment. As the DoD’s federally funded research and development center (FFRDC) focused on improving the practice of software engineering, the Carnegie Mellon University (CMU) Software Engineering Institute (SEI) is leading the community in creating a multi-year research and development vision and roadmap for engineering next-generation software-reliant systems. This blog post describes that effort.

Software Engineering as Strategic Advantage

In a 2020 National Academy of Science Study on Air Force software sustainment, the U.S. Air Force recognized that “to continue to be a world-class fighting force, it needs to be a world-class software developer.” This concept clearly applies far beyond the Department of Defense. Software systems enable world-class healthcare, commerce, education, energy generation, and more. These systems that run our world are rapidly becoming more data intensive and interconnected, increasingly utilize AI, require larger-scale integration, and must be considerably more resilient. Consequently, significant investment in software engineering R&D is needed now to enable and ensure future capability.
Read the entire post.

3. Zero Trust Adoption: Managing Risk with Cybersecurity Engineering and Adaptive Risk Assessment

by Geoff Sanders

Zero trust adoption challenges many organizations. It isn’t a specific technology to adopt, but a security initiative that an enterprise must understand, interpret, and implement. Enterprise security initiatives are never simple, and their goal to improve cybersecurity posture requires the alignment of multiple stakeholders, systems, acquisitions, and exponentially changing technology. This alignment is always a complex undertaking and requires cybersecurity strategy and engineering to succeed.

In this and a series of future posts, we provide an overview of zero trust and management of its risk with the SEI’s cybersecurity engineering assessment framework. This adaptive framework incorporates multiple assessment methods that address lifecycle challenges that organizations face on a zero-trust journey.
Read the entire post.

2. Requirements in Model-Based Systems Engineering (MBSE)

by Nataliya Shevchenko

Model-based systems engineering (MBSE) is a formalized methodology that supports the requirements, design, analysis, verification, and validation associated with the development of complex systems. MBSE in a digital-modeling environment provides advantages that document-based systems engineering cannot provide. These advantages have led to increased and growing adoption since MBSE can save costs by reducing development time and improve the ability to produce secure and correctly functioning software. The SEI CERT Division has begun researching how MBSE can also be used to mitigate security risks early in the system-development process so that systems are secure by design, in contrast to the common practice of adding security features later in the development process.

Although MBSE does not dictate any specific process, any MBSE process should cover four systems engineering domains: requirements/capabilities, behavior, architecture/structure, and verification and validation. In this blog post, I describe how MBSE addresses the first of these domains: requirements, which describe the problem(s) to address.
Read the entire post.

1. The Current State of DevSecOps Metrics

by Bill Nichols

In the BBC documentary series Connections, science historian James Burke traced how technical innovations build on one another over time. New capabilities create new possibilities, new challenges, and new needs. This pattern also applies to the evolution of software engineering, where changes in software engineering practices are often driven by changes in underlying technologies. For example, the practice of frequent compiling and testing of code was a legacy of the post-punchcard era in the 1980s. When dedicated desktop compilers increased the convenience of compilation, it became easier for engineers to compile and test more frequently, which then became a common practice.

This evolution continues today in the practices we associate with DevSecOps, such as continuous integration (CI), continuous delivery/deployment (CD), and infrastructure as code, all of which are made possible by improvements in underlying technology that automate the development-to-production pipeline. These DevSecOps practices will potentially generate more information about development and operational performance than has ever been readily available before. In this blog post, I discuss the ways in which DevSecOps practices yield valuable information about software performance that is likely to lead to innovations in software engineering metrics.
Read the entire post.

Looking Ahead in 2022

In the coming months, look for posts highlighting our work in building a cybersecurity engineering strategy, artificial intelligence, digital engineering, and edge computing. We publish a new post on the SEI Blog every Monday morning.

Additional Resources

Download the latest publications from SEI researchers at our digital library.