Analytics could be the key to cyber defense

DOD officials talk about the automated, big data tools that could do a lot to protect DOD networks.

With Defense Department networks under constant attack, officials have been at pains to develop the necessary defensive measures. One approach: big data tools and analytic capabilities, which have played a big role in the past and will continue to be vitally important in defending against a vast array of attacks.

Many have called for more automation in responding to cyber incidents, given the rapid pace at which cyber attacks occur. DOD CIO Terry Halvorsen, however, is taking this a step further. “I want autonomous basic security tools – not automated, I want autonomous basic security tools that I can just let go that will look at my network, sensor it, and say, ‘You know what, there’s an attack happening here, we’re immediately going to quarantine this part of the network, we’re going to add some security protection,’” he said at the Brocade Federal Forum on June 15, while requesting industry help in this area. “I can’t have people in that loop…it’s too fast.”

Analytic tools can help monitor network traffic and the threats coming across it. These tools include the Cybersecurity Situational Awareness Analytic Cloud, or CSAAC, which aggregates and fuses data from various sensors and endpoints to analyze potential threats across the network, David Mihelcic, Defense Information Systems Agency CTO, said at an AFCEA-sponsored breakfast June 15.

According to DISA, CSAAC allows for more informed decision-making based upon broader information sets drawn from open source and classified components, in addition to leveraging community tech transfers from other DOD entities. CSAAC also supports the Joint Information Environment – a unified command and control IT architecture shared across all the services – and the Joint Regional Security Stacks, enabling greater cross-DOD collaboration and stronger defense of the DOD Information Network.

Mihelcic announced plans to upgrade CSAAC’s underlying technology in August. This update to DISA’s big data platform will enable data in the cloud to be copied and have custom, mission-focused analytics run on top of it that don’t interact with the rest of the platform. The benefit here is “we’ll be able to take either commercially developed analytics or analytics…operated out in the field and run those against some or all of that data without necessarily having it interact with the purpose-built and certified core analytics,” Mihelcic said. This capability will really accelerate the development and deployment of analytics at the tip of the spear, he added, noting that it will enable analytics to be built on the fly.

Other analytic tools work from indicators, the reports of malicious activity that feed the defenses. “What happened prior to our analytics is that we received these reports and by hand we would have to go and translate these reports into figuring out, OK, here’s the various countermeasures, so here’s the blocks where we’re going to put different tools to be able to defend ourselves against whatever these threats are,” Jack Wilmer, vice director for the development business center at DISA, said at the same breakfast. “So we were able to automate a lot of that and I think there’s 500 percent increase in the amount of countermeasure that each analyst could implement, basically, per day, which yielded pick your number of thousands of additional countermeasures that we could deploy every month, year, etc.”
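The translation step Wilmer describes, turning an indicator report into deployable blocks, is the kind of work that lends itself to automation. The following is an added example and is not code from DISA or CSAAC: the report format, the confidence threshold, the list of internal address ranges and the plain-text rule syntax are all assumptions constructed for this illustration. It shows the checks an automated translator needs that a human analyst would otherwise apply by hand: dropping malformed or low-confidence indicators, refusing to generate a block against the defender's own address space, and deduplicating indicators that arrive in several reports.

```python
"""Translate indicator reports into block-list countermeasures.

Added example (not DISA's or CSAAC's code). The report format, thresholds,
internal ranges and rule syntax are assumptions made for this illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample reports, each an "indicator" of malicious activity.
SAMPLE_REPORTS = [
    {"id": "RPT-001", "type": "ipv4", "value": "203.0.113.45", "confidence": 90},
    {"id": "RPT-002", "type": "domain", "value": "Bad.Example.COM", "confidence": 80},
    {"id": "RPT-003", "type": "ipv4", "value": "203.0.113.45", "confidence": 60},  # duplicate
    {"id": "RPT-004", "type": "ipv4", "value": "10.0.0.5", "confidence": 95},      # internal host
    {"id": "RPT-005", "type": "domain", "value": "not a domain", "confidence": 70},  # malformed
    {"id": "RPT-006", "type": "ipv4", "value": "198.51.100.7", "confidence": 30},  # low confidence
]

MIN_CONFIDENCE = 50  # assumed policy threshold below which a report is not actioned
# Assumed internal address space; a bad report must never cut off our own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


@dataclass(frozen=True)
class Countermeasure:
    kind: str    # "ip-block" or "dns-sinkhole"
    target: str  # normalized indicator value
    source: str  # id of the report that justified it


def normalize(report):
    """Return (kind, target) for a valid, blockable indicator, else None."""
    if report.get("confidence", 0) < MIN_CONFIDENCE:
        return None
    value = str(report.get("value", "")).strip().lower()
    if report.get("type") == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None  # not an address at all
        if addr.version != 4 or addr.is_loopback or addr.is_multicast:
            return None
        if any(addr in net for net in INTERNAL_NETS):
            return None  # never block our own address space on an external report
        return ("ip-block", str(addr))
    if report.get("type") == "domain":
        if not DOMAIN_RE.match(value):
            return None
        return ("dns-sinkhole", value)
    return None  # unknown indicator type


def build_countermeasures(reports):
    """Deduplicate by target, keeping the first report that justified each block."""
    seen = {}
    for report in reports:
        norm = normalize(report)
        if norm is None:
            continue
        kind, target = norm
        if target not in seen:
            seen[target] = Countermeasure(kind, target, report["id"])
    return list(seen.values())


def render_rules(countermeasures):
    """Render rules in a hypothetical plain-text block-list syntax (assumption)."""
    lines = []
    for cm in countermeasures:
        if cm.kind == "ip-block":
            lines.append(f"deny ip any {cm.target}  # {cm.source}")
        else:
            lines.append(f"sinkhole {cm.target}  # {cm.source}")
    return lines


if __name__ == "__main__":
    for line in render_rules(build_countermeasures(SAMPLE_REPORTS)):
        print(line)
```

Of the six constructed reports only two produce rules: the duplicate is collapsed onto the first report that named the address, the internal host and the malformed domain are rejected, and the low-confidence report is left for an analyst to review rather than actioned. Keeping the originating report id on every rule is what lets a later analyst answer "why is this blocked?" without repeating the translation by hand.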

Wilmer added that there are significant investments being made in this area. “There seems to be an endless stream of desire for, ‘Hey, maybe we could take various sources of data and come up with this metric or this analytic or all kinds of other areas,’” he said. In line with Halvorsen’s plea to industry, Wilmer said there is the desire for “more of a near real-time ability to do some of these defenses, so not necessarily having to have the people in the loop to implement things.” 

Mihelcic also noted there are several opportunities for industry in hunt tools, something he said he expects to see more of in the future. The Cyber Protection Teams – which will number 68 of the eventual 133 cyber teams under Cyber Command and focus specifically on DOD’s number one mission, defense of the network – use tools to find adversaries on the network. These tools could be used “on a persistent basis to look across the information that’s available in the network to look for adversaries,” he said. 

Mihelcic told Defense Systems following the panel that there are at least three commercial companies he knows of working on hunt tools, though he declined to name them. He added that these tools could and should be used by everyday administrators in addition to CPTs. “I think we’re going to need these hunt tools for our day-to-day systems and cyber administrators so essentially they can on a regular basis try to use the data out of the network to identify adversaries and then pass that along to the CPTs to actively eject them from the network,” he said.
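One routine hunt an administrator can run over network data, as Mihelcic envisions, is to look for outbound connections that recur on a machine-like schedule, since compromised hosts checking in with an external controller tend to connect at fixed intervals while people do not. The following is an added example and is not one of the hunt tools the article refers to; the connection-log format, the minimum sample size and the jitter threshold are assumptions constructed for the illustration. It groups connections by source, destination and port, measures how regular the gaps between them are, and declines to score pairs with too few connections to judge.

```python
"""Hunt analytic: flag periodic outbound connections in a connection log.

Added example, not a DISA or commercial hunt tool. The log format below and
the thresholds are assumptions constructed for this illustration.
"""
import statistics
from collections import defaultdict

# Constructed connection log: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    # host A: ten connections to one external host roughly every 60 s (suspicious)
    *[(t, "10.1.1.20", "198.51.100.9", 443) for t in (0, 61, 120, 181, 240, 300, 361, 420, 480, 541)],
    # host B: six connections with irregular, human-looking timing (benign)
    (5, "10.1.1.30", "192.0.2.10", 443), (9, "10.1.1.30", "192.0.2.10", 443),
    (200, "10.1.1.30", "192.0.2.10", 443), (207, "10.1.1.30", "192.0.2.10", 443),
    (900, "10.1.1.30", "192.0.2.10", 443), (1300, "10.1.1.30", "192.0.2.10", 443),
    # host C: two connections, too few to judge
    (0, "10.1.1.40", "203.0.113.8", 8080), (60, "10.1.1.40", "203.0.113.8", 8080),
]

MIN_CONNECTIONS = 6      # assumed: do not score a pair with less data than this
MAX_JITTER_RATIO = 0.15  # assumed: stdev/mean of the gaps; low means machine-like


def group_by_pair(connections):
    """Collect timestamps per (src, dst, port) tuple."""
    pairs = defaultdict(list)
    for ts, src, dst, port in connections:
        pairs[(src, dst, port)].append(ts)
    return pairs


def beacon_score(timestamps):
    """Return (mean_gap, jitter_ratio), or None when there is too little data."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return None  # all connections at the same instant; not a schedule
    jitter = statistics.pstdev(gaps) / mean_gap
    return (mean_gap, jitter)


def find_beacons(connections):
    """Return [(src, dst, port, mean_gap, jitter)] for pairs that look periodic."""
    hits = []
    for (src, dst, port), stamps in group_by_pair(connections).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        mean_gap, jitter = score
        if jitter <= MAX_JITTER_RATIO:
            hits.append((src, dst, port, mean_gap, jitter))
    return hits


if __name__ == "__main__":
    for src, dst, port, mean_gap, jitter in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:{port} every {mean_gap:.1f}s (jitter {jitter:.3f})")
```

On the constructed log only host A is flagged: its gaps average about 60 seconds with a jitter ratio near 0.015, while host B's gaps vary by roughly their own mean and host C never reaches the minimum sample size. A hit is a lead for an administrator to investigate and, if confirmed, hand to a CPT, not a verdict: legitimate software updaters and monitoring agents also check in on schedules, so the analytic is most useful combined with an allow-list of known periodic services.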

The hunt mission is somewhat of a change in procedure for DOD and DISA. “The biggest change both in DOD and the commercial world … is we’re going out and hunting for the enemy on a daily basis,” John Hickey, DISA’s cyber security authorizing official, said in January. “We don’t really talk about where we’re hunting, obviously, we don’t even tell the people on the inside where we’re necessarily hunting things and we’re certainly not going to tell the folks on the outside, right?”

Officials also discussed the need for vigilance. “In almost every attack that we see … bad guys exploit the same old preventable vulnerabilities that we’ve been saying we need to prevent for 20-25 years,” DOD Deputy CIO for Cybersecurity Richard Hale said.

“We’ve got to be vigilant about patching those systems. We’ve got to be vigilant about operating the systems – not just talking about the cybersecurity professionals, for the system administrators, monitoring logs, etc.,” Mihelcic added.