An abundance of data and expansion into the cloud and mobile environments present unique challenges for defensive cyber operations (DCO), said members of the Defense Information Systems Agency’s (DISA) DCO Division during a panel discussion at the Armed Forces Communications and Electronics Association’s Defensive Cyberspace Operations Symposium May 16 in Baltimore.
Army Col. Darleen Straub, chief of DISA’s DCO Division, led the Challenge of Cyberspace Defense and Cybersecurity Service Provider (CSSP) Services panel, which included Robert Mawhinney, chief of the DCO Current Operations Branch; Darrell Fountain, chief of the DISA CSSP Branch; and Paul Barbera, chief of the DCO Plans and Requirements Branch.
Straub said DISA stood up a consolidated DCO Division in the summer of 2017. The division plans, transforms, coordinates, synchronizes, and directs the security and defense of the agency's enterprise infrastructure and the delivery of DISA Cyber Security Services to the Department of Defense.
“The DoD is in the middle of a cultural shift,” said Straub. “That cultural shift is now saying that sometimes the protection of the network and what is in the network is more important than the availability of the network.”
Evolving methods for monitoring data
One of the responsibilities of DCO is to monitor, track, and analyze suspicious activity within the Department of Defense Information Network (DoDIN).
“At the end of the day, that is what we are looking at,” said Mawhinney. “That is what we are trying to decipher … what is going on in the networks.”
A massive amount of data is trafficked through the DoDIN. Sifting through that data, the cost of storage space, the additional volume of metadata and alerts, and the increase in cyber speed — the speed at which the networks are moving and operating — all contribute to the continuously changing requirements for DCO.
Mawhinney emphasized the need to incorporate artificial intelligence (AI), advanced analytics, and machine learning as part of the cyber-defense environment to provide the initial blocking and tackling of malicious data.
“Get that (initial protection) out of the analysts’ hands and let them really start to focus on the cyber kill chain aspects of understanding where to go next,” said Mawhinney.
Barbera reiterated the importance of incorporating automated resources that process data and alert the defensive team where to look to find malicious activity.
“How can we do things better, faster, stronger?” asked Barbera. “We need that machine learning; we need AI.”
Defense of new environments
The transition to virtual environments (cloud and mobility) also changes the way operators perform DCO. The defensive framework that previously existed no longer aligns with the functionality of the cloud and mobility environments, and new frameworks must be developed.
“We have been working (on a defensive framework for) cloud for four years,” said Mawhinney.
When data is hosted in the cloud, separate from the network, there is a disconnect between cyberdefense and direct access to the data. It is difficult to redirect the original data back into the DoDIN to be analyzed and filtered for malicious activity, as required by cyber directives.
Fountain said his main concern is developing a global defense for the cloud environment. The CSSP established preliminary services to address the DoD’s current cloud need, but further standards and capabilities are required to create an environment that provides the same protection as a traditional enclave scenario used in the DoDIN defense, he said.
“Our challenge is to keep the entire global team knitted together into one fabric that provides defense around the clock: 24 hours a day, seven days a week, 365 days a year.”
Mobile device use within the DoD doubled over the last year, said Mawhinney, who addressed the challenge of monitoring mobile devices and the mobility environment.
“Mobility is going to be our endpoint solution in a few years,” he said.
Mawhinney said it is critical that DCO understands how to defend the mobility environment, how to redirect data back into an environment that the DoDIN can analyze holistically, and how to evaluate what is normal or abnormal for data in this environment.
Mawhinney also emphasized the importance of incorporating innovative ideas when addressing DCO for the cloud and mobility environments.
“What DISA brings to the fight that few others can is end-to-end visibility,” said Fountain. “We own the backbone. We own the internet access points. We have a fleet of sensors spread across the globe. And we have a global presence that allows us to capitalize on all that and bring defense to our mission partners.”
Additional editing by CHIPS Magazine.