DISA wants to automate 75% of cyber activities, but it’s nowhere near the goal

“It's an aggressive goal for us and something that we're working hard to get after. But we're not real close at all,” said DISA's Brian Hermann.

The Defense Information Systems Agency estimates that about 75% of defensive cyber analysts’ daily activities can be automated, but the agency is “not close at all” to reaching that level of automation, Brian Hermann, DISA’s director of the cybersecurity and analytics directorate, told reporters last week.

“I think that’s an aggressive goal for us. But it’s something that we’re working hard to get after,” Hermann said at the AFCEA TechNet Cyber conference in Baltimore.

The agency has some automated tools that can perform automatic blocking, among other functions, specifically at the perimeter where the DoD’s terrain connects to the internet. But it’s “not where it needs to be,” said Hermann.

Those tools in place are not capable of analyzing the combined results of all the cybersecurity tools in use and suggesting whether there is malicious traffic. Once the tools are implemented, it will only require acknowledgment from a defensive cyber analyst rather than doing a laborious and time-consuming manual analysis.

“We have a long way to go,” said Hermann. “We have a literal mountain of data that the tools that we provide produce, and it creates some challenges for our defensive cyber analysts and cybersecurity service professionals to be able to make sense of that data and take action.”

DISA doesn’t have a firm timeline for automating 75% of its cyber activities, but a number of modernization efforts are enabling the agency to inch closer to that goal.

First, it is working on streamlining its data. The agency’s data analytics team is creating a data lake architecture in the environment where cybersecurity tools are providing data, which will minimize exfiltration and transition costs.

“We had data in a number of different silos. And we’ve also artificially defined data that is cyber data versus data that is for Network Operations functions. And the truth is, it’s all cyber data. And it can be used for multiple purposes,” said Hermann. “And if you think about this, it connects back to the DoD’s cloud strategy.”

Meanwhile, the agency is developing a system that will allow cyber analysts to search data across multiple data sources from a single interface instead of logging into various databases.

“We’re also allowing our team to have a federated search of that data wherever it exists instead of having to go into multiple tools. The message that I got loud and clear from our analysts was that we’ve created a number of different silos that generated the need for them to log into a lot of different environments that do their job on a day-to-day basis. We’d like to have more of a federated approach where they log into one portal and they’re able to get access to all the data and get all the insights that they need,” said Hermann.

“One of the most notable things that comes as part of zero trust is the connection of the tools to each other. Historically, we had protections at the perimeter, we had protections at the local users, desktop stations, we had firewalls that existed at the various parts of our infrastructure, and they didn’t really talk to each other very much. Now they’re starting to talk to each other. They’re providing common datasets that allow us to say, ‘I’m seeing something odd over here.’”

The agency is also updating and enhancing cyber tools and capabilities that protect the organization’s network perimeter. DISA’s new intelligence directorate, U.S. Cyber Command and the NSA help the agency identify the tactics, techniques and procedures used by malicious actors, which allows DISA to thwart cyber attacks.

“The next part is modernizing that perimeter. We have a number of capabilities that are several years old. And in the cybersecurity space, nobody’s going to sit down and write me a requirements document for a cybersecurity tool. It happens because we monitor where technology is going at a place like TechNet Cyber and talking to industry about what they’re doing, what they’re providing and how things are changing. And then we also get intelligence,” said Hermann.

“Now we’re looking at how we modernize the tools that we’ve had in place for a number of years. Maybe they’ve been on a sustainment track. But our adversaries haven’t been on that same sustainment track. They’re taking advantage of new things. We have to look at how we should adjust fire for that as well.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories