The Defense Information Systems Agency (DISA) offers a cloud-based set of solutions that enables the collection of large amounts of data from across the DoD Information Networks (DoDIN) and provides the analytics and visualization tools to make sense of the data. The set of solutions is called Cyber Situational Awareness Analytical Capabilities (CSAAC) and is available on both the Nonsecure Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET).
By using CSAAC, DoD network analysts and operators have a broader and more comprehensive view of DoDIN activity than ever before. CSAAC enables informed decision making and enhances the overall security posture of DoD networks.
“As we take the data through our system, we work to parse it and make some sense of it. In doing that, we can sort the data and ask questions to find things that we are looking for, such as problems or anomalies. From those, we can write analytics to look for that anomaly across the networks,” said Dan Bart, chief of the agency’s Cyber Situational Awareness Systems Branch. “Ultimately, the goal is to build a picture to help the operator or a user answer a question or make command and control decisions.”
CSAAC provides the following types of capability:
- DoDIN operations and situational awareness. Monitoring of DoD Enterprise Email is an example of CSAAC providing operators with near real-time situational awareness on incidents, detailed provisioning statuses, email gateway filtering, and more.
- Defensive cyber operations (DCO). Fight by Indicator (FbI) is an example of a defensive cyber operations capability within CSAAC. FbI provides enterprise computer network defense analysts with the ability to automate workflows that review cyber threat reports and extract potential indicators and warnings for further processing and, if needed, execution of an automated DoD countermeasures workflow.
- Anomaly detection. The anomaly detection suite is a CSAAC capability focused on detecting authorized users who pose a threat to the confidentiality, integrity, or availability of sensitive DoD data. The service also allows analysts to alert the proper authorities if a potential insider threat is detected.
The suite of capabilities within CSAAC is enabled by the Big Data Platform (BDP). BDP is a DISA-developed open source solution that supports the data ingest, correlation, and visualization infrastructure. The BDP common architecture can be installed across hundreds of servers in several hours, according to Bob Landreth, BDP program manager.
BDP enables data, visualizations, and analytics from CSAAC to be shared with mission partners, to include: DoD cyber operators in other organizations, enterprise service users, cyber mission forces and cyber protection teams, and other federal agencies.
The BDP environment is comprised of open source and unclassified components, and also leverages technology transfer from other DoD entities. The open-source, shared infrastructure model provides DoD with an increased return on investment and significantly improves the time to market, or amount time it takes to make capabilities available to end users.
“One of the big benefits behind this program is that when we developed it, we didn’t want to just say that this is a DISA solution and we are only going to install it on DISA servers, so we handed it out to some of the other services and other folks so they can install locally within their environment,” Landreth said. He also said the installation is very straightforward; anyone with Linux and Hadoop experience should be able to install it.
Bart says the biggest challenge he sees is not in the technology, but in finding people with the right skillset to analyze the data.
“The challenge is looking at the data and understanding it,” he said. “We see a huge drought in data scientists and we look out to our mission partners and industry partners to encourage this field and to bring more data scientists on your team and into your operations. The more we can understand the data, the more we can understand what we can actually do with the data.”
For additional information regarding CSAAC and Big Data Platform: