Jack Wilmer, Deputy Chief Technology Officer for Enterprise Services, Defense Information Systems Agency, speaks during the Federal Innovation Summit 2014. (Rob Curtis/Staff)
As the Defense Department moves toward an enterprise-focused approach to its networks and IT, the Defense Information Systems Agency is taking on a growing role in maintaining cybersecurity. That role includes a range of programs, initiatives and measures, one of which is the use of big data analytics to help officials monitor network activity.
The use of cloud to comprehensively compile events and activities throughout military networks, and the analytics to make sense of all the raw data, comprises much of the mission within DISA’s Cybersecurity Situational Awareness Analytic Cloud, or CSAAC. The cloud compiles data coming in from sensors and Internet access points throughout DoD’s networks and data centers, fusing that information to monitor for any issues, events or anomalous behavior.
Not only does that fusion and analysis help defense officials get a better understanding of what’s happening on DoD networks at any given time, but the hope is that it will also create a sharper operational picture that can be shared among DoD partners—particularly as the military moves to the Joint Information Environment. It’s a capability that holds significant promise to benefit the military up and down the ranks and across the department, according to DoD officials.
Federal Times senior staff writer Amber Corrin recently sat down with DISA’s Jack Wilmer, deputy chief technology officer for enterprise services, on the sidelines of the Federal Innovation Summit held in Washington on July 22. Wilmer is helping build CSAAC into the watchful cloud capability that aims to improve DoD network security.
So what exactly is CSAAC and how does it work?
It’s a big data solution, so what CSAAC does is take all these piles of data — the information we get from the Internet access points, the information we get from our sensors within the data centers, all the way up to the servers themselves — and dump it into basically one solution that we can then run analytics across.
CSAAC exists on our networks now, fusing the information. We’re also standing it up inside of our data centers. We get lots of information from lots of different sensors. Everything on the DoD network, we’re monitoring; every time you log into the DoD network you have to click the banner to accept being monitored. So what CSAAC does is it takes information from all the various sensors across the department.
You may notice a network anomaly somewhere, say a high spike in utilization in some devices. But if you’re only focused on that specific event, you might miss some correlating events elsewhere in the network or higher up the stack.
The ability to bring the analytics together — the logs from applications tied in with network defenses, etc. — and then run the analytics across that allows you to really understand and have a better picture of what’s really going on and what folks are trying to do as it pertains to our network.
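The cross-source correlation Wilmer describes in this answer (a utilization spike that looks isolated on one feed but lines up with events on other feeds for the same host) can be illustrated with a small fusion script. This is an added example written for this article, not CSAAC code and not anything DISA has published; the feed format, the source names (net_sensor, app, iap), the thresholds and the sample records are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real DoD telemetry). Each line is a notional
# normalized feed entry: "<ISO timestamp> <source> <host> <event>".
SAMPLE_FEED = """\
2014-07-22T10:00:05 net_sensor host-a util_pct=12
2014-07-22T10:01:10 app host-a login_failed user=svc1
2014-07-22T10:01:40 app host-a login_failed user=svc1
2014-07-22T10:02:00 net_sensor host-a util_pct=95
2014-07-22T10:02:30 iap host-a outbound_conn dst=203.0.113.9
2014-07-22T10:03:00 net_sensor host-b util_pct=91
2014-07-22T10:15:00 app host-b login_failed user=admin
"""


def parse_feed(text):
    """Parse the constructed feed into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, source, host, event = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts),
                       "source": source, "host": host, "event": event})
    return sorted(events, key=lambda e: e["ts"])


def is_anomalous(e):
    """Per-source rule: is this single record noteworthy on its own?
    Thresholds are assumptions chosen for the example."""
    if e["source"] == "net_sensor":
        return int(e["event"].split("=")[1]) >= 90      # utilization spike
    if e["source"] == "app":
        return e["event"].startswith("login_failed")    # auth failure
    if e["source"] == "iap":
        return e["event"].startswith("outbound_conn")   # egress at the access point
    return False


def single_source_alerts(events, source):
    """What an analyst watching only one feed would see."""
    return [e for e in events if e["source"] == source and is_anomalous(e)]


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Fused view: group anomalous records per host inside a time window and
    report hosts where at least `min_sources` distinct feeds fired together."""
    by_host = defaultdict(list)
    for e in events:
        if is_anomalous(e):
            by_host[e["host"]].append(e)          # events are already time-sorted
    findings = []
    for host, evs in by_host.items():
        for anchor in evs:
            end = anchor["ts"] + window
            cluster = [x for x in evs if anchor["ts"] <= x["ts"] <= end]
            sources = sorted({x["source"] for x in cluster})
            if len(sources) >= min_sources:
                findings.append({"host": host, "start": anchor["ts"],
                                 "sources": sources, "count": len(cluster)})
                break  # one finding per host is enough for the illustration
    return findings


if __name__ == "__main__":
    events = parse_feed(SAMPLE_FEED)
    print("network-only view:",
          [(e["host"], e["event"]) for e in single_source_alerts(events, "net_sensor")])
    print("fused view:", correlate(events))
```

The network feed alone flags both host-a and host-b for a utilization spike; the fused view keeps only host-a, because within five minutes the application log and the access-point feed corroborate it, while host-b's spike has no companion events in the window. That difference is the "correlating events elsewhere in the network or higher up the stack" point in the answer above.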
How is the transition going? What are some of the challenges you’re dealing with along the way?
A lot of the issues that we’re dealing with now really get down to cultural change and tactics, techniques and procedures: how are we going to operate, how do we actually defend things given these pools of information that we have available? And how do I make it available to, say, the Air Force, which might be hosting their capability on my virtual data center? They’re responsible and accountable for that application, but they need visibility into what’s going on from the Internet access points, the data center sensors and so on. So how we fuse all of that together is a big amount of work that’s going on at CSAAC now.
We have a lot of challenges right now; how do we improve cybersecurity, improve operational effectiveness and really drive down cost and become more agile? Balancing and finding solutions that enable us to do all of those things is a really tricky problem, but one we’ve invested heavily in and one where we’re making a lot of good headway.
What do you see coming in CSAAC’s future? What’s next?
One of the areas we’re working on is what we’re doing with our mission partners — Air Force is a really big one. We have operations centers, they have operations centers, so how do we get the right visibility into information for all of our mission partners and ourselves? A big part of JIE is moving to this enterprise operations center construct … the notion is tying together all of these different operations centers so we can have one consistent way of looking at information.
We’re also looking at how we use the commercial cloud. How much of that integration, how much of that tying-in of the data feeds — versus just tippers and certain events occurring — do we need? And a bigger problem set, one that we’re spending a lot of effort on now, is how do I integrate all of the different feeds that we have?
At DoD we have the NIPRNet, which is our unclassified network. We have very finite points for access, gateways to the Internet, so we have a number of sensors that exist throughout our infrastructure. The Internet access points, basically the doorsteps to each base, the data centers, and so on. We can take all that information and fuse it together to form a picture. So the question is, if we now have capabilities out in the commercial cloud and it’s not on our network, how do we get the same level of visibility to be able to defend and operate those capabilities? And a more important question, do I need the ability to defend the capabilities that are out in the commercial cloud?
Where does this effort fit in with DISA’s broader mission?
We have three factors, three challenge areas, that kind of form how we make our trade space.
The first is operational effectiveness — that is what we exist for. For example, in the network, how do I increase bandwidth? How do I enable all of the end customers and mission partners to have more bandwidth? Inside the enterprise services, it’s how do [we] add more functionality into existing capabilities?
The second one of our pillars is cybersecurity. That is an area that from basically the bottom up, every single capability we design has cybersecurity in mind. We have a lot of experience with techniques that people use to try and get at our capabilities, so we build those defenses in from the ground up and then we also provide capabilities that we use to better operate and defend the department’s network, computing centers and other capabilities. So there’s certain cybersecurity tools that we bring to the forefront and are there explicitly for the purpose of securing the infrastructure.
The third is how do we cut costs? How do we ultimately drive down the cost to our mission partners with the services we provide and drive down the costs of us providing the services ourselves? We basically use that as our decision calculus. A lot of the decisions we make on how to provide computing and networks are going to be factored in with how do we do this as cost-effectively as possible, how do we maintain cybersecurity and how do we ideally increase operational effectiveness? Fundamentally, where we go is to take those factors, balance them and then make [a] decision as to how to best provide services to the department.
Whenever you’re providing a capability to multiple different organizations ... it’s very difficult to balance the needs of all those different organizations together and provide that central solution. With [cybersecurity], it’s very much a rapidly evolving, complex landscape that we have to defend.