The Defense Department’s big data approach to cybersecurity is paying big dividends. Through better analytics, DoD’s cyber experts say they have improved their ability to detect, diagnose and mitigate attacks by 500 percent.
Dave Mihelcic, the chief technology officer at the Defense Information Systems Agency, said the big data platform uses Hadoop with security enhancements, and acts as a data lake pulling information from network sensors, audit logs and other software running on end hosts.
“We can use that to build advanced analytics to do detection of cyber attacks and also the work flow associated with being able to counter those cyber attacks,” Mihelcic said on Ask the CIO. “One of the biggest applications today is called Fight by Indicator (FBI). FBI gives our analysts the ability to not only take the data about that attack and compare it against all known data and then be able to pick the best cybersecurity mitigation mechanism and actually directly task that mechanism. It has improved our effectiveness in being able to detect, diagnose and mitigate attacks by 500 percent.”
What’s different for DoD isn’t the data, but the tools on top of the information, and the military’s cyber experts’ ability to use them in near real-time.
Mihelcic said this integration of people, data and tools will become even more important as DoD upgrades the big data platform in the next few weeks.
“We had the existing platform and the cybersecurity awareness analytics cloud (CSAAC) which were the analytics that ran on top of it. But one of the problems we had is the CSAAC analytics were all certified and accredited and developed as one thing. We wanted to come up with an architecture that will allow us to develop other analytics not just for cybersecurity, but for other purposes like network performance monitoring, and be able to rapidly deploy them,” he said. “So by putting in place an architecture that allows you to take a copy or a virtualized instance of the data in that big data platform, in that analytic cloud, and use that for a dedicated purpose, you can run analytics that don’t affect the other analytics running so you have isolation between the various analytics.”
He said another goal of the enhancement is to get data into the cloud more rapidly and then let experts develop tools based on that information from their desks, which was something they couldn’t previously do.
DoD, like so many agencies, brings in petabytes of data every day, but the goal is making sense of what’s happening on its network and then preventing or stopping cyber attacks as soon as possible.
“Being able to bring the data together and correlate it, say this event, a detection of an illegal IP address traversing one of our Internet access points is correlated with a log-event, someone rattling the door of an end-user host within the Defense Department are actually the same events, determine that it is, in fact, a hostile attack and not just some random, sporadic network traffic, and be able to then task an information assurance capability to mitigate that,” Mihelcic said.
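The correlation Mihelcic describes, a perimeter sensor hit and a host log event that turn out to be the same activity, checked against known indicators and then mapped to a mitigation to task, is sketched below as an added example. It is not DISA code and does not use DISA's data model; the record schemas, the time window, the documentation-range IP addresses in the sample events and the mitigation name `block-at-access-point` are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// NetEvent is one record from a sensor at an Internet access point.
// The schema is assumed for this example, not DISA's actual data model.
type NetEvent struct {
	At    time.Time
	SrcIP string // external address seen at the perimeter
	DstIP string // internal address it was heading for
}

// HostEvent is one record from an end-host audit log (assumed schema).
type HostEvent struct {
	At       time.Time
	Host     string
	HostIP   string
	RemoteIP string
	Action   string // e.g. "auth_failure": someone rattling the door
}

// Indicator is a known-bad observable paired with the mitigation an analyst
// would task for it. The action names are hypothetical.
type Indicator struct {
	IP         string
	Mitigation string
}

// Alert is a perimeter/host match that also hit a known indicator.
type Alert struct {
	SrcIP      string
	Host       string
	Mitigation string
	Detail     string
}

// Correlate joins perimeter events to host events that share the same remote
// IP and target host within `window`, then checks the remote IP against the
// known-indicator set. Only a match on all three counts is raised; everything
// else is treated as sporadic traffic and dropped.
func Correlate(perim []NetEvent, hosts []HostEvent, known []Indicator, window time.Duration) []Alert {
	byIP := make(map[string]Indicator, len(known))
	for _, k := range known {
		byIP[k.IP] = k
	}
	var alerts []Alert
	seen := make(map[string]bool) // one alert per (source, host) pair
	for _, n := range perim {
		ind, bad := byIP[n.SrcIP]
		if !bad {
			continue
		}
		for _, h := range hosts {
			if h.RemoteIP != n.SrcIP || h.HostIP != n.DstIP {
				continue
			}
			gap := h.At.Sub(n.At)
			if gap < 0 {
				gap = -gap
			}
			if gap > window {
				continue
			}
			key := n.SrcIP + "|" + h.Host
			if seen[key] {
				continue
			}
			seen[key] = true
			alerts = append(alerts, Alert{
				SrcIP:      n.SrcIP,
				Host:       h.Host,
				Mitigation: ind.Mitigation,
				Detail: fmt.Sprintf("perimeter hit %s, host %s %s %s",
					n.At.Format(time.Kitchen), h.Host, h.Action, h.At.Format(time.Kitchen)),
			})
		}
	}
	return alerts
}

// SampleData returns constructed events using documentation-only addresses.
// Nothing here is real telemetry.
func SampleData() ([]NetEvent, []HostEvent, []Indicator) {
	t := func(sec int) time.Time { return time.Date(2016, 8, 11, 12, 0, sec, 0, time.UTC) }
	perim := []NetEvent{
		{At: t(1), SrcIP: "203.0.113.7", DstIP: "10.0.0.5"},  // known-bad, lines up with a host event
		{At: t(3), SrcIP: "198.51.100.9", DstIP: "10.0.0.5"}, // not an indicator: ignored
		{At: t(4), SrcIP: "203.0.113.7", DstIP: "10.0.0.6"},  // known-bad, but host event is an hour late
	}
	hosts := []HostEvent{
		{At: t(5), Host: "ws-0005", HostIP: "10.0.0.5", RemoteIP: "203.0.113.7", Action: "auth_failure"},
		{At: t(7), Host: "ws-0005", HostIP: "10.0.0.5", RemoteIP: "198.51.100.9", Action: "auth_failure"},
		{At: t(3600), Host: "ws-0006", HostIP: "10.0.0.6", RemoteIP: "203.0.113.7", Action: "auth_failure"},
	}
	known := []Indicator{{IP: "203.0.113.7", Mitigation: "block-at-access-point"}}
	return perim, hosts, known
}

func main() {
	perim, hosts, known := SampleData()
	for _, a := range Correlate(perim, hosts, known, 10*time.Minute) {
		fmt.Printf("%s -> %s: task %s (%s)\n", a.SrcIP, a.Host, a.Mitigation, a.Detail)
	}
}
```

Run as-is it raises exactly one alert, for 203.0.113.7 against ws-0005. The unknown source and the out-of-window pair are the "random, sporadic network traffic" the quote refers to; requiring the indicator match before tasking anything is what keeps an automated mitigation from firing on a single noisy sensor.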
The big data platform also is broadening the access to cyber data to more people and improving internal collaboration.
Mihelcic said the platform, especially FBI, has accelerated the sharing across all cyber organizations and discussion about what’s happening on the network, thus letting DoD take action to mitigate or prevent attacks more quickly.
He said the core analytics platform is currently being used at DISA’s new Global Operations Command, also known as DISA Global, at Scott Air Force Base in Illinois. DISA officially opened its operations command on Aug. 11.
DISA says the $100 million facility, which was completed on time and under budget, will be home to approximately 950 military personnel as well as civilian and contract employees. The 31,000-square-foot cyber operations center is designed to run 24/7 cyber operations and seats more than 330 employees per shift, making it the largest of its kind in the DoD.
DISA Global builds on the agency’s reemergence into the cyber defense world. In January 2015, DISA launched the Joint Task Force-DoD Information Networks (JTF-DoDIN).
Another tool DoD is testing lets it decrypt traffic crossing its network so that it can be inspected.
Mihelcic said DoD piloted this “break and inspect” tool over the last year and now has funding to expand and operationalize the capability.
“Essentially what it comes down to, in your Web browser when it says ‘http,’ that data is unencrypted, and when it says, ‘https,’ that data is encrypted. If you notice, much more data is https. All traffic going back and forth to Google is now https encrypted. That’s a good thing because it protects your transaction traversing the global Internet, which can be a wild and wooly place,” he said. “But the key is since we have centrally located cybersecurity systems, we need to temporarily remove that encryption, be able to inspect the traffic to make sure there is no malware or adversarial activity within that encrypted tunnel and then re-encrypt it and pass it along to the destination.”
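The mechanism behind "temporarily remove that encryption" is an interception proxy with its own certificate authority: managed endpoints are provisioned to trust an enterprise root, and for each outbound HTTPS connection the proxy mints a server certificate for the requested host under that root, terminates the client's TLS session itself, inspects the plaintext, and opens a second TLS session to the real server. The example below, added here and not DISA's or any vendor's code, uses only Go's standard library to show that trust decision from the client's side; the CA name, the hostname and the hour-long validity are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EnterpriseCA is the interception root that managed endpoints trust.
// The subject name is an assumption for the example.
type EnterpriseCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewEnterpriseCA creates a self-signed root able to sign server certs.
func NewEnterpriseCA() (*EnterpriseCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Break-and-Inspect Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &EnterpriseCA{Cert: cert, Key: key}, nil
}

// MintForHost is what the proxy does per connection: issue a fresh leaf for
// the requested server name under the enterprise root. The proxy holds this
// key, so it sees the plaintext before re-encrypting toward the real server.
func (ca *EnterpriseCA) MintForHost(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// ClientAccepts mirrors a browser's trust decision: would a client that
// trusts only `roots` accept `leaf` for `host`? nil means yes.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewEnterpriseCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.MintForHost("www.example.com")
	if err != nil {
		panic(err)
	}
	managed := x509.NewCertPool() // endpoint provisioned with the enterprise root
	managed.AddCert(ca.Cert)
	unmanaged := x509.NewCertPool() // no enterprise root: unmanaged device or pinned app
	fmt.Println("managed endpoint accepts:  ", ClientAccepts(leaf, "www.example.com", managed) == nil)
	fmt.Println("unmanaged endpoint accepts:", ClientAccepts(leaf, "www.example.com", unmanaged) == nil)
}
```

The two verification results are the practical boundary of break and inspect: it only works for clients that carry the enterprise root, which is why applications that pin their server certificate fail behind such a proxy, and why the interception CA key and the proxy that holds the decrypted sessions become high-value targets that need the same protection as any other trust anchor.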
DISA has tested the technology with one vendor on its own network traffic. He said expanding it to the rest of DoD makes sense because it will reduce the number of malware injections as well as the number of command and control channels hackers can set up once they do get onto the network.
“Whether it is email, file downloads or website access, this is not being broken so we can watch users conduct the day-to-day actions, but it’s being broken so we can feed traffic through specific information assurance capabilities, some of them commercial, some of them government unique so we can defend against attacks,” he said. “The expansion will happen in fiscal 2017. We are going to continue with the pilot we have today. We will conduct an evaluation of not only the current capability, but also other industry competitive capabilities to determine what the best approach is and acquire and deploy that in 2017.”