22 May 2015

How DISA defends DoD networks
May 13, 2015

The Defense Information Systems Agency is charged with a significant role in defending the Defense Department's networks, a role that is changing under evolving threats, policies and IT infrastructure. The launch of DoD's joint regional security stacks (JRSS), the transition to the Joint Information Environment (JIE) and a new cyber strategy from the Defense secretary all comprise a changing cyber landscape for the military.

DISA handles numerous systems and initiatives dealing with cybersecurity, but three critical programs in particular currently are undergoing developments aimed at improving DoD's cyber stance. The Cyber Situational Awareness Capability (CSAAC), a next-generation host-based security system (HBSS) and the Acropolis cyber-intelligence platform all are up for contract action, and they all provide critical layers to DoD's expanding cyber defense by fitting in with the broader efforts under JRSS, JIE and the new cyber strategy.

"In JIE, we are looking at the evolution of our security architecture. And, ultimately, moving toward a single security architecture, which really gets down to the notion of trying to do inspection at the minimal number possible of points, centralized commands and the full end-state of where we really want to get with security," said Jack Wilmer, DISA deputy chief technology officer for enterprise services.

The defense layers start at the Internet access point, where DoD networks actually connect to the Internet — all Web traffic goes through the access points. The next layer is JRSS, which replaces what used to be individual security stacks at every base, post, camp and station across the military. At the endpoint — users' computers and devices — is HBSS, an application that monitors for and counters known threats.

With the individually operated security stacks, "it was very difficult to get that consistency of capability and rule sets and things along those lines," Wilmer said. "So, in JRSS we are able to aggregate each of these functions into that regional layer, which previously did not exist. So, again, at the top level you have the Internet access points. You then drill into that regional security stack layer. And then the base layer is where HBSS and those kinds of host-based roles fit in. So there are different security capabilities that we have on all of what we call the endpoint. So the computers, the servers, the network equipment, etc., is where we actually have host-based security systems."

The Internet access points, JRSS and HBSS all contain sensors that report up the security chain and feed information back into a centralized repository. That's where CSAAC fits in.

"We've got the separate and discrete cyber-defense capability sensors at the Internet access points, the regional security stack layers and at each of the individual hosts. But we really need to be able to ask questions across and correlate information across all three of those layers in order to be able to determine if something is going on or if it is just a local problem," Wilmer said. "Network defenders can then leverage CSAAC to execute analytics, which really just means run queries across all that big data, piles of information, in order to basically see different threats and indicators to figure out what we want to do to defend the networks."
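The cross-layer correlation Wilmer describes, reduced to its core logic as an added illustration (this is not DISA or CSAAC code): sightings from the three sensor layers named in the article are grouped by indicator, and an indicator seen by more than one layer is separated from one that only a single host reported. The event schema, site names and indicator values are constructed for the example.

```python
from collections import defaultdict

# Sensor layers from the article: Internet access point, JRSS regional stack,
# HBSS host agent. Any other layer name is ignored by the correlator.
LAYERS = ("iap", "jrss", "hbss")

# Constructed sample sightings; field names and values are assumptions for
# this example, not an actual CSAAC/Acropolis schema. Hashes are placeholders.
SAMPLE_EVENTS = [
    {"layer": "iap",  "site": "iap-east",  "kind": "dst_ip",    "indicator": "198.51.100.7"},
    {"layer": "jrss", "site": "jrss-east", "kind": "dst_ip",    "indicator": "198.51.100.7"},
    {"layer": "hbss", "site": "base-a",    "kind": "dst_ip",    "indicator": "198.51.100.7"},
    {"layer": "jrss", "site": "jrss-west", "kind": "dst_ip",    "indicator": "203.0.113.9"},
    {"layer": "hbss", "site": "base-b",    "kind": "dst_ip",    "indicator": "203.0.113.9"},
    {"layer": "hbss", "site": "base-a",    "kind": "file_hash", "indicator": "sha256-placeholder-1"},
    {"layer": "hbss", "site": "base-c",    "kind": "file_hash", "indicator": "sha256-placeholder-1"},
    {"layer": "hbss", "site": "base-b",    "kind": "file_hash", "indicator": "sha256-placeholder-2"},
    {"layer": "dns",  "site": "resolver",  "kind": "dst_ip",    "indicator": "198.51.100.7"},
]


def correlate(events):
    """Group sightings by (kind, indicator); record which layers and sites reported each."""
    seen = defaultdict(lambda: {"layers": set(), "sites": set(), "count": 0})
    for ev in events:
        if ev["layer"] not in LAYERS:
            continue  # not part of the IAP / JRSS / HBSS sensor chain
        entry = seen[(ev["kind"], ev["indicator"])]
        entry["layers"].add(ev["layer"])
        entry["sites"].add(ev["site"])
        entry["count"] += 1
    return seen


def classify(seen):
    """Seen by 2+ layers: cross-layer; one layer but 2+ sites: multi-site; else local."""
    verdicts = {}
    for (_kind, indicator), entry in seen.items():
        if len(entry["layers"]) >= 2:
            verdicts[indicator] = "cross-layer"
        elif len(entry["sites"]) >= 2:
            verdicts[indicator] = "multi-site"
        else:
            verdicts[indicator] = "local"
    return verdicts


def triage(events):
    """Convenience wrapper: indicator -> verdict for a batch of sightings."""
    return classify(correlate(events))


if __name__ == "__main__":
    for indicator, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{verdict:12s} {indicator}")
```

The verdict is only a first cut: a "local" result means no other sensor layer has reported the indicator yet, not that the host is clean.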

CSAAC operates within Acropolis, DISA's big data internal cloud that was modeled after a National Security Agency platform and serves as the infrastructure behind a number of the agency's cyber-defense capabilities.

"Acropolis I think of as the nexus of where a lot of the sensors pump their data into and where a lot of the fusion occurs. Acropolis is that supporting infrastructure," Wilmer said. "I would describe CSAAC as the big data capability that exists within Acropolis to take a lot of the information from those different sensors … and present the user interface so that the cyber defenders can actually execute queries across and do their work in defending against."

The technical pieces of the layer approach are an integral part of Defense Secretary Ash Carter's new, broader cyber-defense strategy, a key objective of which calls for defense of the DoD information network, or DODIN. The Pentagon earlier this year stood up Joint Force Headquarters-DODIN to support that goal.

"The real key place where [JRSS, HBSS, CSAAC and Acropolis] fit in is in defending the DODIN. As you look at the strategic goals section of the cyber strategy, No. 2 is defend the DoD Information Network, secure DoD data, and mitigate risks to DoD missions," Wilmer said. "The bulk of [what] DISA provides in the cybersecurity space is really focused there on enabling the department to better defend the DODIN."

As DISA officials work to align cyber capabilities with DoD's overarching policies, they have to strike a balance in where to direct finite resources — namely, funding.

"Where do we want to invest? And how do we make the best investment of the dollars that we have? So how do we get the best value out of that?" Wilmer said. "As an example, as we bring JRSS online, there is going to be a tremendous amount of information that is generated from all of the sensors that are inside of JRSS, which previously existed, but down at each of those base levels. So we are now going to be able to get the enterprise visibility into that information that is generated. And the richness of that is really going to enable us to create analytics that are going to let us identify what is going on in our networks, which ultimately allows us to better defend those networks at, frankly, a much better rate."

CSAAC, Acropolis and HBSS are at what Wilmer described as inflection points. CSAAC was expected to see multiple contract awards throughout fiscal 2015 to acquire technical, engineering and integration support for a range of its capabilities, including design, development, enhancement, integration, deployment and sustainment. In March, DISA awarded Northrop Grumman a $74 million task order supporting Acropolis. And in January DISA issued a request for information for a next-generation HBSS, the future of which currently remains unclear as the agency seeks new ways to defend what is a fluid definition of the endpoint device.

"The endpoint has evolved to encompass a complex hybrid environment of desktops, laptops, mobile devices, virtual endpoints, servers and infrastructure, involving both public and private clouds. New technologies — including those for virtualization, workforce mobility, and cloud services — are changing the way we conceptualize the desktop," the RFI stated, noting that the agency is looking for "innovative solutions to provide security services in heavily virtualized environments that provide economies over replicating security services in each virtual endpoint. Traditional approaches have used signature-based defenses; however, these methods have become un-scalable."

The evolution of DISA's portfolio of cyber capabilities underscores the agency's changing role in cyber defense, as well as DoD's shifting approach to cybersecurity writ large, from the IT systems and networks to the options and resources routed down the chain of command.

"When you start looking at the command and control and the capabilities that we are going to put at the combatant commander's fingertips, not necessarily at the signal, communicator, cyber fingertips, we are getting ready to change the way we work," DISA Director Lt Gen Ronnie Hawkins said recently at the C4ISR & Networks conference in Arlington, Virginia.

The developing cyber stance goes beyond just DISA, or even DoD. Agency officials say that by further developing these capabilities, they can better contribute to federal and commercial cybersecurity as well, including by improving on what gets shared through efforts like the Defense Industrial Based Network (DIBNet) and the Enhanced Shared Situation Awareness Capability (ESSAC).

"Both of those are things that we are currently working on, basically better sharing of these threats and indicators that we have," said Christopher Paczkowski, DISA cyber situational awareness and analytics division chief. "So it's being able to learn from our partners and then being able to share the information from our partners. Within that, everything that we have talked about with CSAAC and all these sensors allows us to basically identify threats and indicators against our network. So with DIBNet, that allows us to share the information with the defense industrial base and also to pick up things that they have learned and then leverage that in our defenses. And ESSAC takes basically that same concept, except it enables us to share across the federal government on cyber."
