Cybersecurity’s data-driven nature means that information is being collected from network devices in large volumes, though not from every device. It falls to the Defense Information Systems Agency to figure out where the best and most appropriate place is to put all that data, based on the mission and the customer base being served.
Drew Malloy, technical director for DISA’s Cyber Development Directorate, explained that his team must then segregate the data between real-time systems for alerting and monitoring, and historical data stores that support troubleshooting and forensics-type missions. Internally, DISA protects and defends the Defense Information Systems Network; externally, it protects the enterprise IT portfolio.
“I don’t have numbers with me right now, but I will say that it is in the petabytes. And that is just for DISA’s instance of our big data platform,” Malloy said on Federal Monthly Insights — Cybersecurity (and aggregating cyber-related data). “The big data platform is actually shared amongst the services and they have their own instantiations. And they are tracking petabytes, as well as a unified platform that is really Cyber [Command] and the Air Force as the executive agent trying to pull all of that data together.”
DISA has no hard and fast policies on data retention, but the agency is moving toward operational requirements on retention. It’s not possible or feasible to store all data forever, but DISA is transitioning much of its information to the cloud.
“I will say that we do have a significant [Secret IP Router Network] presence as well as some isolated secret networks. And so we can’t make that transition just yet. We’re still awaiting what that enterprise solution is going to be. But we’re starting more on the [Non-classified Internet Protocol Router Network] side,” Malloy said on Federal Drive with Tom Temin.
For performance and physical reasons, Malloy said DISA is not trying to centralize big data in one place. Whether to keep computing within the cloud, or to incur the costs of data egress, is the question the agency must ask itself.
But aside from storage, DISA also has to protect data against cyber attacks, and considering the agency is a supplier of shared services for the whole Defense Department, the Cyber Development Directorate needs to understand indicators of compromise.
“We’ve been very heavily network focused in the past, and with good reason. But as threats are evolving, you’re starting to see a trend more towards the application and data layer, especially when you are in essence, distributing a lot of that trust and a lot of that responsibility to a cloud service provider,” he said.
Meanwhile, for forward-deployed or remote military units that either have limited reach-back or are working in an impaired environment, monitoring data on edge computing devices is another challenge facing DISA. Malloy said it still comes back to the common data standard, however.
“And that’s where kind of that distributed computing architecture comes into play, to figure out how we put a capability as close to the edges as possible where, one, it can be actionable by the actual mission owners who are at that data edge, but two, it’s standard and formatted correctly — so that you can report up to higher headquarters,” he said. “We can help share analytics indicators of compromise down, and that data sharing occurs.”