castles in the clouds: do we have the right battlement...
TRANSCRIPT
![Page 1: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/1.jpg)
The Nation's Army in Cyberspace 1
1
The Nation's Army in Cyberspace
“AMERICA’S ARMY:
THE STRENGTH OF THE NATION”
US Army Cyber Command
and Second Army
COL Mark Schonberg, ARCYBER G6 (CIO)
11 March 2016
OVERALL CLASSIFICATION:
UNCLASSIFIED
Castles in the Clouds: Do we have the right
battlement? (Cyber Situational Awareness)
![Page 2: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/2.jpg)
The Nation's Army in Cyberspace 2
DOD Cyber Security Planning Process
• This is a Hyper-Complex Environment
![Page 3: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/3.jpg)
The Nation's Army in Cyberspace 3
• Convergence: A whole lot going on
• Lines of Effort
• Three Keys moving Forward
– Design: Security Upfront gives you the right battlement
– Data Management Strategy
– Work Force Development (Training)
• Take Aways
• Questions?
Agenda
UNCLASSIFIED
UNCLASSIFIED
![Page 4: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/4.jpg)
The Nation's Army in Cyberspace 4
Convergence
ISPDataTablet,
Computer
VoiceVOIP,
Smartphone
RadioMilitary C2
TVNetflix, Cable
SatelliteSmartphone
FinancialWall Street, Banks
WaterPumpingStations
PowerPower Grid
GasNuclear
Adversary
U.S. Govt & MilitaryUSCYBERCOM
YOU!
Grandma
UNCLASSIFIED
UNCLASSIFIED
![Page 5: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/5.jpg)
The Nation's Army in Cyberspace 5*Network focused/Threat agnostic
DCO – Response Actions (DCO-RA)
DCO – Internal Defensive Measures
(DCO-IDM)
* Mission focused/Threat specific
DCO –IDM
DCO –RA
DoDINOps
Provide Freedom of Maneuver
in Cyberspace
Cyber forces execute cyber actions:
Cyberspace ISR
Cyberspace OPE
Defensive Cyberspace Operations (DCO)
* Project power in and through cyberspace.
DoDIN Operations
Offensive Cyberspace Operations (OCO)
Cyber Protection
Teams (CPT)
Cyber Mission Teams (CMT)
Maritime
Land
Air
Space
Cyber
Maritime
JFCMission
ObjectivesNat’l
Mission Teams (NMT)
Cyberspace Lines of Effort
UNCLASSIFIED
UNCLASSIFIED
![Page 6: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/6.jpg)
The Nation's Army in Cyberspace 6
Cyberspace EnvironmentUNCLASSIFIED
Physical
Network
Geographic
Cyber
Persona
Logical
Network Data, databases,
webpages and
associated IP
addresses
ISP
Infrastructure
Victim’s Attack SurfaceAdversary Infrastructure
Attackers have the advantage
since they need only succeed
once. Defenders must succeed every
time.
Physical
Persona
UNCLASSIFIED
Each layer of Attacker’s Infrastructure and
malware tools used can provide
opportunities for mitigation.
Every layer of the targeted victim’s organization (people and infrastructure) must be defended against attacks.
Information
devices
Information
users
Physical
locations
Bethesda, MD
IP 172.16.31.126
Cyb3rK1ll3r
AdamSmith
![Page 7: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/7.jpg)
The Nation's Army in Cyberspace 7
Joint Regional Security Stack (JRSS) Architecture
Security Upfront
UNCLASSIFIED
UNCLASSIFIED
• Standardization (NIST)• Common lexicon; shared
understanding of definitions
• Globally Directed• Regionally Aligned• Locally Responsive
![Page 8: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/8.jpg)
The Nation's Army in Cyberspace 8
Data Management Concept
Big data platform
Within context of attack chain methodology
(enabling)
Intelligence support to
cyberspace operations
(enabling)
Operations
Center
Commander
Mission
Requirements
Logic / Patterns
Critical information requirements:Priority intelligence requirements
Essential elements of friendly informationFriendly force information requirements
OUTPUT:
Commander’s decision
Current operations
JIMS*
Common operational picture
*Joint Information Management System
Data(common event format)
Products
Data management strategy critical non-materiel artifact, what you collect determines your ability to see yourself
SituationalAwarenessBig Data
ManeuverDCO-IDM
OperationsTools
UNCLASSIFIED
UNCLASSIFIED
![Page 9: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/9.jpg)
The Nation's Army in Cyberspace 9
Cyber Situational AwarenessSituational Awareness: Knowledge and understanding of the current situation which promotes timely, relevant and accurate assessment of friendly, enemy and other operations within the battle space in order to facilitate decision making (Army FM 5.0)
Cyber Situational Awareness: The ability to aggregate and visualize specific network and intelligence data from key terrain in a manner that provides understanding of perimeter defense, coverage and control, availability/reliability, application security and mission context
Cyber Situational Awareness
Perimeter defense
E-mail threat, HBSS, Time to Remediate, web proxy logs, Attacks, full
packet capture
Coverage and control
HBSS signature updates, patch management
system, host configuration, vulnerability management
Availability and Reliability
Network up time, historical outages,
network flow
Application Security
Red team reports, pen testing reports,
defense in depth reports
External Threat and Current Operations
Intel reports, Operational reports
Functional Category
Data Source
UNCLASSIFIED
![Page 10: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/10.jpg)
The Nation's Army in Cyberspace 10
• Defined End-States
Every data project has four components:
Understanding the business need. In our case it is threat detection.
Gathering, messaging and preparing the data.
Doing the modeling.
Operationalizing the outcome.
1
2
3
4
UNCLASSIFIED
UNCLASSIFIED
![Page 11: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/11.jpg)
The Nation's Army in Cyberspace 11
Evolving Operational of the Environment (Emergence of Cyberspace Demands Training Evolution)
PastClassical – AirLand Battle
TodayClassical–Network Enabled
FutureLandCyber
Our Adversaries have leveraged cyberspace to organize a new kind of force that leverages cyberspace as operational terrain and exploits the virtual dimension of human
and machine behavior to revolutionize operations.11
• WW II thru Vietnam • DS/DS thru OEF/OIF• Network Enabled operations - PED from back in CONUS
• Network Effects• Force-on-force in Cyberspace operating in Phase 0• No going back to grease pencils
UNCLASSIFIED
UNCLASSIFIED
![Page 12: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/12.jpg)
The Nation's Army in Cyberspace 12
Post-incident Analysis/Forensics
Planning Incident Prevention
DetectionContainmentRemediationRecovery & Restoration
Incident Response Lifecycle
Post-incident Analysis/Forensics
Planning Incident Prevention
DetectionContainmentRemediationRecovery & Restoration
Incident Response Lifecycle Failure Points / Gaps
Post-incident Analysis/Forensics
Incident Prevention
DetectionContainmentRemediationRecovery & Restoration
Automated Failure Point / Gap Remediation
Best Practice
Problem
Solution
Planning / Indicators of Compromise
UNCLASSIFIED
UNCLASSIFIED
![Page 13: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/13.jpg)
The Nation's Army in Cyberspace 13
Training Environment
UNCLASSIFIED
UNCLASSIFIED
ACAS
EPO
ESM / ArcSight
Integrated Capability / New DoctrineMandated Systems / Existing Doctrine
Today Tomorrow
ACAS
HBSS
Train
Operate
Field
Anytime
DEMO
OPERATE&
TRAIN
Anywhere
Developed Software
Joint Information Environment
(JIE)
Cyber Protect Teams -- Cyber Combat Mission Teams -- Cyber National Mission Teams
Open Source / DCO Focus
IA TOOLS
NETOPS TOOLS
Baseline PlatformTask Order
(Requirement)Integrate, Test, Field and Train =
Integrate in to the Army environment while fully automating manual incident response actions
![Page 14: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/14.jpg)
The Nation's Army in Cyberspace 14
• No Common Lexicon
• Cost prohibitive: function
specific software
• Lack of Security tools
• Lack of Cyber Ranges for
OT and associated systems
• Limited ability to execute
operations
OT Training Challenges
UNCLASSIFIED
UNCLASSIFIED
![Page 15: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/15.jpg)
The Nation's Army in Cyberspace 15
• Embrace Cyberspace as a contested domain; Design Security Upfront
• Understand your network and cyber key terrain; emplace sensors and monitor
key reporting tools to create the right Cyber Situational Awareness (SIEM/BDP)
• Focus on Common standards; System Integration is key (OT - to - IT)
• Train your Cyber Workforce on processes do not get focused on tools; build the
high-end engineering bench
• Don’t be afraid to take something off of the table; resources are limited
Take Aways …
UNCLASSIFIED
UNCLASSIFIED
![Page 16: Castles in the Clouds: Do we have the right battlement ...cdn.osisoft.com/corp/en/media/presentations/2016/... · ArcSight Mandated Systems / Existing Doctrine Integrated Capability](https://reader034.vdocuments.us/reader034/viewer/2022052005/60184012eb7bfb71501c2ff7/html5/thumbnails/16.jpg)
The Nation's Army in Cyberspace 16
Questions?
You are here
UNCLASSIFIED
UNCLASSIFIED