Jack Wilmer, DISA's deputy CTO for enterprise services, speaks during the Federal Innovation Summit. (Rob Curtis/Staff)
As the Defense Information Systems Agency gains momentum in the use of its cybersecurity analytics cloud, officials are looking toward better using the analytics to help secure Defense Department networks.
Currently, DISA’s Cybersecurity Situational Awareness Analytical Cloud, or CSAAC, compiles data coming in from sensors and Internet access points throughout DoD’s networks and data centers, merging that information to monitor for issues, events or anomalous behavior.
Defense officials say CSAAC is helping them get a better understanding of what’s happening on DoD networks at any given time, but the hope is to create an even more comprehensive, sharper operational picture that can be shared among DoD partners—particularly as the military moves to the Joint Information Environment.
“We have a lot of challenges right now. How do we improve cybersecurity, improve operational effectiveness and really drive down cost and become more agile?” said Jack Wilmer, deputy chief technology officer for enterprise services at DISA. “Balancing and finding solutions that enable us to do all of those things is a really tricky problem, but one we’ve invested heavily in and one where we’re making a lot of headway.”
Wilmer spoke at the Federal Innovation Summit in Washington, D.C., on July 22.
The top priority right now is partnership with other DoD components, particularly the Air Force, as DISA works to bring together the respective operations centers and provide better visibility into each other's networks. A big part of JIE is moving to an enterprise operations center construct that ties together the multiple pieces into a consistent view, Wilmer noted.
“A lot of issues that we’re dealing with now really get down to cultural change and tactics, techniques and procedures – how are we going to operate, how do we actually defend things given these pools of information that we have available?” he said. “And how do I make it available to, say, the Air Force, which might be hosting their capability on my virtual data center? They’re responsible and accountable for that application, but they need visibility into what’s going on from the Internet access points, the data center sensors and so on. So how we fuse all of that together is a big amount of work that’s going on at CSAAC now.”
At the network level, CSAAC can give its users a more detailed understanding of what’s happening on DoD’s many networks, which are widely dispersed and monitored by different entities throughout the department.
“You may notice a network anomaly somewhere, say a high spike in utilization in some devices. But if you’re only focused on that specific event, you might miss some correlating events elsewhere in the network or higher up the stack,” Wilmer said.
That’s one reason CSAAC is a benefit for components throughout the military. Organizations are able to take advantage of each other’s analytics and in-house capabilities, according to Mark Orndorff, DISA program executive officer for mission assurance and network operations and chief information assurance executive.
Last August DISA announced the launch of Acropolis, a big-data cloud project modeled after a National Security Agency platform and designed to aggregate, correlate, reduce and analyze cyber threats, including insider threats. Today Acropolis is serving as the big data storage portion of CSAAC, enabling the cloud to provide an “array of capabilities including big data analytics and a combination of government-developed analytics as well as multiple commercial tools,” Orndorff said.
Beyond expanding CSAAC’s shared operational picture, DISA officials also are looking at how to improve the platform’s ability to ingest data, Orndorff added.