National Defense Information Sharing and Analysis Center (ND-ISAC), working groups, provide collaborative environments for ND-ISAC members share expertise, best practices, threat information, and mitigation techniques, as well as discuss standards, tools, and policies based to the needs of the members.
Working groups members are encouraged to meet on a regular basis. Additionally, they are encouraged to attend ND-ISAC events for in-person collaboration to provide strategic guidance, industry context, and subject matter expertise.
All working groups have a dedicated space in the ND-ISAC portal for group collaboration and to use as a document repository. Working groups also have a personalized ND-ISAC staff member to assist with start-up and administrative questions. ND-ISAC is continuously identifying new working groups to meet member needs. New working groups are established based on ND-ISAC member requirements or formed from discussions at ND-ISAC hosted events. All new working groups are reviewed by ND-ISAC staff and approved by the ND-ISAC Board of Directors before being recognized as an ND-ISAC working group.
If you are interested in joining an existing working group, leading a working group, or establishing a new working group, please reach out to firstname.lastname@example.org for additional information.
ND-ISAC Working Groups:
The Application Security Working Group will focus on the development, sharing, coordination and adoption of best practices for getting cybersecurity into enterprise software development lifecycle efforts. The working group will share best practices associated with ensuring awareness of security risks and methods to inject security into the SDLC. The Application Security Working Group will provide a forum for discussion as well as a repository for best practices for members of the ND-ISAC.
Capabilities, Processes & Readiness
The ND-ISAC Capabilities, Processes & Readiness (CPR) Working Group assists small/medium sized companies grow or develop cybersecurity capabilities by producing and discussing general security best practices. Members discuss effective threat intelligence sharing and develop procedures, processes and tips to help build threat intel and IR teams. Additionally, the working group works on security tool development and suggestions and general awareness to prepare for an incident (proactive instead of reactive).
Members for the CPR Working Group include those within their organization who have experience with incident response and/or threat intelligence, knowledge of their organizational security capabilities, and the ability to influence (or discuss with someone who can influence) security decisions within their organization. If you are interested in learning more or becoming a member of the CPR Working Group contact email@example.com.
Cloud Security & Architecture
The Cloud Security Architecture Working Group discusses, develops and publishes recommended security architectures and settings that can be implemented to ensure the secure operation of cloud services that are subscribed to by a member organization. This can include IaaS, PaaS, and SaaS type services from CSPs. Additionally, this working group identifies security controls for common cloud services in compliance with DFARs regulations and meets best practice security for A&D industry data protection.
The Cloud Security Architecture Working Group members include practitioners responsible for cloud security implementation or architecture standards within their organization. Members should be technical security engineers familiar with hardening cloud implementations. If you are interested in learning more or becoming a member of the Cloud Security Architecture Working Group contact firstname.lastname@example.org.
The DoD Assessments is a subgroup of the Cybersecurity Policy, Standards, and Regulations, that focuses on DFARS 252.204-7012/NIST SP 800-171 and DoD assessments such as CMMC, MDA Pilot, and DCMA. If you are interested in learning more or becoming a member of this working group contact email@example.com.
Cybersecurity Policy, Standards, and Regulations
The Cybersecurity Standards and Regulations Working Group focuses on Government actions of impacting ND-ISAC members. The working group engages with government on the impact of policies on the national defense community. The working group also focuses on Government actions related to DFARS Clause 252.204-7012, NIST SP 800-171/172 and DoD regulations impacting cybersecurity policy and operations. The working group keeps up to date on National Archives and Records Administration (NARA) compliance issues.. In addition to discussing best practices, lessons learned and DoD strategies/publications/regulations, this working group also reviews and drafts comments for interim rules and provides an official ND-ISAC position for meeting these requirements. If you are interested in learning more or becoming a member of this working group contact firstname.lastname@example.org.
Data Classification + DLP
The Data Classification and Data Loss Prevention (DLP) Working Group defines standards and best practices with a primary focus on technology engineering and policy. This working group discusses vendors and offerings, engineering, and other common approaches that can be adopted by members.
The Data Classification and DLP Working Group welcomes SMEs that understand the relationship between data classification and DLP and are from organizations that already have a classification or DLP program (or both) in place. Members should have a basic understanding of technologies and capabilities underlying classification or DLP and must have some experience testing, implementing, or evaluating these technologies. Attorneys are also welcome to participate in this working group. If you are interested in learning more or becoming a member of the Data Classification & DLP Working Group contact email@example.com.
Zero Trust Architecture
The Zero Trust Architecture working group will focus on sharing best practices on collapsing network security perimeters closer to applications and data. In this working group SMEs will compare where they are on the road to implement Zero Trust, approaches, and roadblocks. Members will also share common software suppliers needed to get them to see the need to adopt this approach.
Zero Trust drives adopters to:
- Ensure companies have a strong inventory and authentication of users, devices, apps, and service
- Strongly authenticate every transaction
- Encrypt and integrity protect all network traffic
- Manage, monitor, and be able to assert the health of devices and apps to communicating parties
- Monitor transactions, hosts, and applications deeply, since network transmissions will be encrypted by default
If you are interested in learning more or becoming a member of this working group contact firstname.lastname@example.org.
Insider Threat Best Practices
The Incident Response Best Practices Working Group focuses on the business process that formalizes the management and use of an enterprise’s incident response protocols. IR Best Practices will focus on the people, processes, and technologies that enable organizations to collect security threats data and alerts from different sources for use in preventing and responding to incidents. They help to analyze and prioritize incident analysis and response procedures. Lastly, this working group reviews the threat landscape to make recommendations on where to deploy resources. The working group will be structured to allow for the sharing of practical guidance and lessons learned from member organizations, rather than simply a collection of ideal best practices.
The Insider Threat Working Group develops and publishes cyber operational strategies and best practices with respect to a wide-range of business and risk objectives in response to cyber security threats, attacks, and vulnerabilities. This working group reviews threat intelligence from member companies and other sources, with an analytical focus on threat and risk rather than any specific threat actor.
The Insider Threat Working Group welcomes new members who have experience with insider threats, including: SMEs, cybersecurity leads, and managers. If you are interested in learning more or becoming a member of the Insider Threat Working Group contact email@example.com.
The Mobility Working Group focuses on policies and best practices for protecting mobile devices with an emphasis on mobility as a growing vector for breaches and theft of information. This working group also reviews and recommends industry-leading initiatives and management strategies to help companies in crafting policies related to mobile devices.
The Mobility Working Group is looking for members with wide-ranging based knowledge in multiple domains of information security including mobile protection and policy. If you are interested in learning more or becoming a member of this working group contact firstname.lastname@example.org.
Mutual Aid Incident Response
The Mutual Aid Incident Response Working Group defines policies, procedures, and guidelines for incident response and incident response services. This working group also conducts table top exercises to assist
ND-ISAC member organizations prepare for an actual incident and provides guidance to member organizations on what additional skills/tools would be needed to enhance their incident response. The working group is designed to prepare members for an incident but is not a replacement for incident response services.
The Mutual Aid Incident Response Working Group includes SMEs, SOC managers, network administrators, security operations administrators, IR specialists, and threat intelligence analysts. Working group members must be adaptable to different organizational needs. If you are interested in learning more or becoming a member of the Mutual Aid Incident Response Working Group contact email@example.com.
Operational Technology (OT)/Internet of Things (IoT)
The OT/IoT Working Group focuses on OT and IoT technologies with physical consequences or implications. This peer collaboration group defines standards, approaches, and guidance toward appropriate security of OT and IoT spanning a variety of business integrations (ICS, SCADA, site logistics, IoT, and other cyber-physical solutions); produces and discusses cyber-physical security best practices; and educates members on risks inherent in OT applications.
Members include those within their organization who work directly with security solutions for OT/IoT with physical implications, understand the foundational aspects of computing technologies, and have the ability to influence (or discuss with someone who can influence) security decisions within their organization. If you are interested in learning more or becoming a member of the OT/IoT Working Group contact firstname.lastname@example.org.
Platform as a Service (PaaS)
The Plat as a Service (PaaS)Working Group focuses on reviewing and providing comment on IT Service Management products that connect the tools of legacy networks. This working group will seek ways to offer comments and observations to the manufacturers of PaaS and SaaS products so that they can better tailor products to ND-ISAC member companies. If you are interested in learning more or becoming a member of this working group contact email@example.com.
Red Team Working Group
The focus of the red team working group (RTWG) is to collaborate and develop effective offensive security practices to better simulate real-world attacks and provide starting points for others who may launch Red Team based projects.
The RTWG will investigate and provide documented recommendations based on the interest of the members. The following represent some of the possibilities to be discussed.
- Baselining techniques, tactics and procedures (TTPs)
- Adversary simulation
- Purple team strategies
- Red Team Infrastructure design and deployment
- Engagement structure and guidance
- Reporting standards
- Automating attacks and re-tests
- Ethics guidelines and Red Team member expectations
The Remote Access Working Group will focus on the security and architect of virtual private network technology, including defining standards, approaches, and guidance. The working group will develop remote access cybersecurity best practices, educate members on risks and discuss vulnerabilities and remediation techniques. The working group will also create a single online view of remote access services and help to define a common vocabulary to create a “single voice” to use with providers on security, operational issues, and enhancements.
Members include those within larger organizations who are responsible for building and influencing supplier and vendor cybersecurity risk management processes, experienced with suppliers and vendor cybersecurity risk management, and have the time and focus help to drive repeatable solutions that can be used by the ND-ISAC membership. If you are interested in learning more or becoming a member of the Supply Chain Working Group contact firstname.lastname@example.org.
Social Media Security
The Social Media Security Working Group focuses on initial techniques and best practices for social media monitoring as well as helping members realize and recognize when there is a problem with social media, including:
- Adversary targeting of employees
- Sending messages to employees via social media
- Social engineering practices
- Malware delivery
- How to possibly identify and alert on exfiltration of data
Social media security is the “new/next frontier” targeting and attack vector that has the possibility of hitting almost every kill chain phase within an organization. It is an area that security teams are just starting to learn how to deal with. The working group allows organizations to come together and discuss ideas and share knowledge about social media security.
Members include those within the organization who can initiate a social media monitoring program and those who understand how their network is setup if you are interested in learning more or becoming a member of the Social Media Security Working Group contact email@example.com.
Splunk Enterprise Security Working Group
This working group will work to identify components of Splunk Enterprise Security that are most beneficial to the members of the working group. The intent is that we would share Splunk content with group members as well as overall configurations to illustrate how we can leverage components of Splunk to meet our collective security posture needs best. Splunk ES Admin / User training has been found to be rather light on content & we would like to share what content we can. Users of Splunk Enterprise and Splunk Enterprise with Enterprise Security are welcomed to join this working group. Particular focus will be given to how best to automate detection, investigation, and remediation actions that can be initiated from Splunk or other integrated solutions. We will also give particular attention to when & why to use accelerated data models and share Splunk best practices to make results return faster, in more actionable formatting.
Supply Chain Risk Management
The Supply Chain Working Group assists members with the management of supply chain cybersecurity risk by developing and discussing best practices; educating organizations about supplier and vendor cybersecurity risk management; assisting with cyber assessments, and recommending tools and services to protect data in the supply chain and help suppliers be compliant.
Members include those within larger organizations who are responsible for building and influencing supplier and vendor cybersecurity risk management processes, experienced with suppliers and vendor cybersecurity risk management, and have the time and focus help to drive repeatable solutions that can be used by the ND-ISAC membership if you are interested in learning more or becoming a member of the Supply Chain Working Group contact firstname.lastname@example.org.
Tools and Best Practices
The Tools and Best Practices Working Group oversees the development and acquisition of tools and capabilities that most effectively and efficiently meet the functional requirements of ND-ISAC member company end-users. This working group also conducts an annual Tools and Uses Survey. If you are interested in learning more or becoming a member of this working group contact email@example.com.
The User Authentication Working Group focuses on the various network access methods of identifying an individual that goes beyond usernames and passwords. This working group explores COTS products that can replace traditional means of end user authentication to prevent unauthorized network access.
The User Authentication Working Group welcomes new members who have experience with evaluating and developing information systems security tools. In addition, the working group members will include those who are cybersecurity leads and/or managers with responsibility for network access. If you are interested in learning more or becoming a member of this working group contact firstname.lastname@example.org.
Vulnerability Management Working Group
The vulnerability management working group (VMWG) will explore solutions and publish guidance based on the interest of the working team in the following areas:
- The lifecycle process to identify and classify assets
- Key roles/comparison of methods across companies
- Risk rating methodology
- Emergent vulnerability response processes / tabletop exercises
- Intelligence data sources/uses
- Patch management scope / best practices
- Automation of issue tracking and compliance tools
- Partner with other working groups to integrate common areas of focus
- How to effectively scale the risk management process to support both small and large companies
The focus of the VMWG is to stay ahead of emerging threats and vulnerabilities, share knowledge, and reduce the need to invoke an incident response process.