Between the Sword and Shield: The Role of the Network Operations & Security Center

Export Approval Number: IS-ES-072109-175

John Osterholz, Vice President, Cyber Warfare and Cybersecurity, BAE Systems Information Solutions

David Garfield, Managing Director, Electronics Systems Group, Detica – A BAE Systems Company


Page 2: Between The Sword and Shield:   The Role of the  Network Operations & Security Center

BAE SYSTEMS EI&S Operating Group, April 2009. Export Approval Number: IS-ES-072109-175

Cybersecurity … Cyber Defense … Critical Infrastructure

Jeez, this is really getting complicated

• Social Media
• Entertainment
• Gaming
• Peer to Peer (P2P)
• DWDM technology
• Voice Over IP (VOIP)
• Anything Over IP (AOIP)
• Services Oriented Architecture (SOA)

Personal Back Office Convergence

and Sharing

Data Privacy

Dot com, Dot gov, Dot mil, Dot edu, Dot “pick your noun”

We Love a Hard Problem

• Nation States
• Organized Crime
• Terrorists
• Just about anyone

Page 3: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


An Evolving Threat - Post Millennium

• In just six months in 2007:
  • Requirements for system “cleanings” increased 200 percent
  • Trojan malware downloads and drops increased 300 percent

• “Over the past few years, the focus of endpoint exploitation has dramatically shifted from operating system to the Web browser and multimedia applications.”*

* Ref: IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics

Net Present Impact in operational terms

Characteristic of exploitive attacks since 2004

“CEOs who think cybercrime is just the business of CIOs are like Enron’s shrugging off the company’s books as something for the accounting department.”

Page 4: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


The Growing Role of the Insider Threat

“Daddy, something’s wrong with your Blackberry …”

Page 5: Between The Sword and Shield:   The Role of the  Network Operations & Security Center

Total Warfare Then and Now: The Lesson of Two Georgias

“In the very near future, many conflicts will not take place just on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers”

Nikolai Kuryanovich, former member of the Russian Duma

Georgia I: “I Will Make Georgia Howl”

“… it is useless for us to occupy it; but the utter destruction of its roads, houses, and people, will cripple their military resources..”

GEN W.T. Sherman, 1864

Georgia II: The Next Dimension

“… Russian tanks rolled into the country's territory, in what experts said Wednesday was an ominous sign that cyber-attacks might foreshadow future armed conflicts.”

Moscow Times, 2008

Page 6: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


Cybersecurity and Cyber Defense – It’s no longer just about Comms and Networks

Limitations of a Communications and Network Technology Mindset

• Application & Data Intensive Environments
• Cognitive Heuristics – Time Constrained Reasoning

Page 7: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


The US and UK Alignment is Significant and Growing

NATO UNCLASSIFIED

Cyber Defence Efforts in NATO – What’s Next

• New Strategic Concept: Delineate cyber defence roles of NATO and Nations

• Expand NATO’s cyber defence capability

• Implement cyber events into military exercises

• Coordinate & implement national best practices through the cyber defence Centre of excellence

• Field a Command & Control reference capability – Stress / attack the NATO reference system for vulnerabilities

Successfully managing our information resources against Advanced and Persistent Threats will require an organizational integration of network and security disciplines

“The Nation also needs a strategy for cybersecurity designed to shape the international environment and bring like-minded nations together …”

U.S. Cyberspace Policy Review (2009)

“The Strategy highlights the need for Government, business, international partners and the public to work together to meet our strategic objectives of reducing risk and exploiting opportunities …”

Cyber Security Strategy of the United Kingdom (2009)

Page 8: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


An Overarching Organizational Model

[Figure: organizational model diagram. Labels: Data collection; Information Risk Management and Information Assurance Policies; Threat monitoring and analysis; Threat response; Behaviour, responsibility and training; The Internet; Cyber technical research; Business systems and processes; Threat coordination; ICT infrastructure]

• The business systems and processes for which cyber space is used

• The ICT infrastructure

• Dedicated threat detection together with associated responses

• A strong coordination layer providing situational awareness as well as alignment with activities outside the cyber domain

The Network Operations and Security Center (NOSC) represents a key operational instantiation of this model

Page 9: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


Enter the Network Operations & Security Center (NOSC)

[Figure: Network Operations Center and Security Operations Center (Legacy CONOPS); Network Operations and Security Center (New CONOPS)]

NATO-ACT ID ’08 Brussels, Belgium

• Dynamic Situational Awareness
• Degraded Operations
• Cyber Defense Information Sharing

Page 10: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


Key Functionality of the Leading Edge NOSC

Moving from Cyber Forensics to Run Time Cyber Operations

[Figure: NOSC functional diagram. Labels: Test, Training & Exercise (TT&E); Advanced & Persistent Threats; Cyber Collection Environment; Digital Processing Environments; Intelligence Analysis; Reporting Visualization; Cross Domain Info Sharing; Data - Knowledge, Data - Fusion; Critical Cyberspace Domains; All Source Information; Mission Users; Intel OP Collaboration; Operations Management Visualization; Network (.mil, .gov, DIB partners, .nato.int, etc.)]

Leading Edge NOSC Focus

• Dynamic Situational Awareness
• Degraded Operations
• Cyber Defense Information Sharing

Page 11: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


High Level Cyber Architecture Implications of a NOSC

[Figure: NOSC functional diagram with numbered callouts 1 to 5. Labels: Test, Training & Exercise (TT&E); Advanced & Persistent Threats; Cyber Collection Environment; Digital Processing Environments; Intelligence Analysis; Reporting Visualization; Cross Domain Info Sharing; Data - Knowledge, Data - Fusion; Critical Cyberspace Domains; All Source Information; Mission Users; Intel OP Collaboration; Network Operations Management Visualization; Network (.mil, .gov, DIB partners, .nato.int, etc.)]

1
• Operate at Net Speed
• Multiple Phenomenology
• Analyst Agile

2
• All Source Scope
• Autonomic Assist
• Forensic & Run Time
• Cognitive Visualization

3
• Data to Knowledge
• Inherently Cross-Domain
• Federated Operational Trust

4
• Cognitive Visualization
• Course of Action Agile
• Inherently Cross-Domain
• Federated Operational Trust

5
• Salient Environment
• Flexible and Extensible
• Embedded Capability

Page 12: Between The Sword and Shield:   The Role of the  Network Operations & Security Center


The New Frontier Mission

Innovative applications of information technology capabilities, solutions and services needed to adapt, assure and sustain mission operations while under attack