Citizenship and Immigration Services ramps up SOC automation

CISO Shane Barney is growing his team of 100 developers within the security operations center, which is even testing bots in machine learning.
(Getty Images)

U.S. Citizenship and Immigration Services is expanding its Security Operations Center automation team with plans to become a Center of Excellence (COE) in the area for the rest of the department, according to the agency’s CISO.

Shane Barney said the SOC — one of 17 the Department of Homeland Security uses to monitor and defend its systems from cyberthreats — no longer uses analysts to confirm incidents and issue alerts.

“We managed to actually get rid of our complete Tier 1 in our SOC at USCIS, primarily because we automated it out of existence,” Barney said at an AFCEA Bethesda event Thursday. “I was sick and tired of paying people to stare at screens.”

USCIS generates 5 terabytes of data a day — too much for employees to analyze — making automation critical, he added.


Redundant tasks like vulnerability management and ticket creations should be automated, as should analysis of cybersecurity incidents including desktop logs, user information and information on data exfiltrated, Barney said.

Automating Tier 1 allows SOCs to move incident analysts into response roles. Another DHS agency, the Federal Emergency Management Agency, is currently training employees to sit at the end of the analysis workflow, said CISO Togai Andrews.

“What I really want out of my SOC…is to reduce the time it takes to detect and respond to an incident,” Andrews said.

USCIS also uses automation to improve collaboration between its SOC and its Network Operations Center, which are co-located but haven’t always worked closely. While not perfected, the idea is to flag incidents as network-based or security-based automatically to decide who which arm handles response, Barney said.

The CISO said USCIS is focused on improving machine learning at the SOC to help with data ingestion and analytics and has even looked at using bots because they’re “good at cranking things out.”


Several bot programs are running at the agency, but USCIS is in the process of shifting its monolithic development model to one using containers and microservices.

“A serverless environment like that does not meet [Federal Information Security Management Act] standards for a system, and neither do bots,” Barney said.

The CISO said he has issues with other agencies’ solution to, in essence, treat bots like people in order to credential them for robotic process automation (RPA). For one, USCIS’s current personal identity verification process requires employees to show up in person with proper identification, which a bot can’t do.

RPA is part of DHS’s information technology modernization effort, but the idea of credentialing bots like people didn’t sit well with FEMA’s CISO either.

“That really scared the living hell out of me a little bit, especially when it comes to identity and how you ensure the security controls,” Andrews said.


FEMA is currently running a three-month financial management RPA pilot program to figure out how to properly provision identity to bots, he added.

Barney’s proposal? Give the pipeline an authority to operate so anything developed within it is covered.

Were it to become a DHS COE for SOCs, USCIS could develop automation solutions for the entire department’s use and serve as a resource for other agencies.

With between 80% and 90% of USCIS systems having been migrated to the cloud, the agency has become a development shop with nearly 4,000 developers — about 100 in the SOC alone, Barney said.

The CISO said he’s working on diversifying his development team because USCIS’s Amazon Web Services, Google and Microsoft Azure clouds each need subject matter experts in the SOC to assist with incident response.


“If your infrastructure is code, your security is code, too,” he said. “Your SOC floor better have development teams on it, and if you don’t, you’ve not just lost the battle — you’ve lost the war.”

Latest Podcasts