Post on 10-Jan-2016
Defence R&D Canada
R et D pour la défense Canada
Visualisation for Network Situational Awareness in Computer Network Defence
Marc Grégoire, DRDC Ottawa
Luc Beaudoin, Bologik Inc.
Outline
• Network as a battlespace
• Need for Network SA
• Joint Network Defence & Management System (JNDMS)
• JNDMS Challenges
– Visualisation
– Integration into COP
Networks are critical assets to Canadian Forces Operations
– Assure network services in support of operations
• Email
• GCCS
• HRMS, FMAS, CFSSU
– Defend network during operations
• Vs hackers
• Vs virus
• Vs technical failures
The network as a Battlespace
[Figure: the network as a battlespace. Labels: Avenues of Approach; Firewall & Guard; Intrusion Sensor; CND; CNE]
Ref: LCol R. Knight, CFIOG, DND
Must maintain network situational awareness
Network Situational Awareness
Knowing the level of threats and the current status of all network assets supporting military operations.
– IT Infrastructure (circuits, hardware, software)
– Defensive posture;
– Security events (C, I, A, etc) ;
– Military Operations;
– Interdependencies.
Fight the Networks
[Figure: organisation chart. Operational Command; Network Operations Centre; IT Service Desk; Network Control; Computer Incident Response Team]
Mission/Role
Operational Command:
– Peace Keeping;
– Search and Rescue;
– Assistance to civil power;
– NORAD;
– NATO;
Network Operations Centre, for operational IT systems:
– “Fight the Networks”;
– Preserve Confidentiality;
– Maintain Integrity;
– Assure Availability.
IT Service Desk:
– Provide user with 1st line IT support;
– Assure quality of IT service to the users.
Network Control:
– Maintain connectivity;
– Monitor network performance;
Computer Incident Response Team:
– Network security monitoring;
– Intrusion detection;
– Intelligence analysis;
Information Types
Operational Command:
- Resources
- Priorities
- IT services
- Supporting ops
- Locations
- Schedule
IT Service Desk:
- Trouble tickets
- Users
- Hosts
- Locations
- Applications
Computer Incident Response Team:
- IP addresses
- Ports
- Host
- Locations
- Vulnerabilities
- Attack signatures
Network Control:
- Host Status (Up/Down)
- Links usage
- Circuits/Topology
- Locations
Network Operations Centre:
- ALL TYPES
Example: Inputs resulting from events
3 users report that a military Web site providing weather maps is not responding.
Intrusion detection system alerts of intensive scanning activities on a subnet.
Monitoring tool alerts of sudden surge in traffic on a base Local Area Network (LAN).
IT Service Desk View [figure: IT SD]
Network Control View [figure: NetCon]
CIRT View [figure: CIRT]
NOC View [figure: NOC]
So what?
3 users report that a military Web site providing weather maps is not responding.
Intrusion detection system alerts of intense scanning activities on a subnet.
Monitoring tool alerts of sudden surge in traffic on a base LAN.
Operational Command View
Option 1: Silos information report:
– SERVICES: 3 users report that a military Web site providing weather maps is not responding.
– PERFORMANCE: Monitoring tool alerts of sudden surge in traffic on a base LAN.
– SECURITY: Intrusion detection system alerts of intense scanning activities on a subnet.
OR
Option 2: Integrated information report:
– IMPACT: Weather services to all deployed ships are inaccessible.
– CAUSE: One vulnerable IIS server infected by SQLSlammer worm. Infected server is scanning surrounding hosts to propagate the worm. This scanning activity creates a denial of service for all servers on subnet.
How to get option 2, and quicker?
• Integrate data
– IT infrastructure
– Security events
– Military operations
• Common source of information to achieve Network Situational Awareness at the NOC and to answer the “So what?”
• Improve decision making
– Faster (option space vs time)
– Quality (support risk acceptance option)
– Prioritize
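As an added illustration of the integration step (not code from the JNDMS project or the presenters): a small Python correlation over the slide's three silo inputs, using an assumed asset and dependency model (the asset names, addresses and dependency edges are constructed), that groups events touching the same LAN and walks the dependencies upward to name the operations that lose a service.

```python
import ipaddress

# Constructed asset and dependency model for the slide's scenario; names and
# addresses are assumptions, not values from the presentation.
ASSET_IP = {"weather-web": "10.20.1.15"}          # the weather-map web site
DEPENDS_ON = {                                     # consumer -> providers
    "weather-service": ["weather-web"],
    "deployed-ships-weather": ["weather-service"],  # the supported operation
}
BASE_LAN = ipaddress.ip_network("10.20.1.0/24")    # the base LAN (assumed)

# The three silo inputs from the slide as (silo, subject, message) tuples.
EVENTS = [
    ("IT Service Desk", "weather-web",
     "3 users report that a military Web site providing weather maps is not responding."),
    ("CIRT", "10.20.1.0/24",
     "Intrusion detection system alerts of intense scanning activities on a subnet."),
    ("Network Control", "10.20.1.0/24",
     "Monitoring tool alerts of sudden surge in traffic on a base LAN."),
]

def subnet_of(subject):
    """Resolve an asset name, host IP or CIDR to a network object."""
    addr = ASSET_IP.get(subject, subject)
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:                             # not an address at all
        return None

def affected_consumers(asset):
    """Walk the dependency graph upward: everything that needs `asset`."""
    hit, stack = set(), [asset]
    while stack:
        current = stack.pop()
        for consumer, providers in DEPENDS_ON.items():
            if current in providers and consumer not in hit:
                hit.add(consumer)
                stack.append(consumer)
    return hit

def integrated_report(events, lan):
    """Group the silo events that touch one LAN and state the operational
    impact, i.e. the "so what" the Operational Command needs."""
    related = [e for e in events
               if (net := subnet_of(e[1])) is not None and net.overlaps(lan)]
    assets = {e[1] for e in related if e[1] in ASSET_IP}
    impact = set().union(*map(affected_consumers, assets))
    return {"silos": sorted({e[0] for e in related}),
            "assets": sorted(assets), "impact": sorted(impact)}
```

The cause shown on the slide (the worm-infected server) still needs an analyst; the code only produces the grouped evidence and the impact chain that the integrated report starts from.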
Sharing
• Share with the NOC sub-units to improve their own processes by giving them more context.
• Tactical decisions may require strategic level information.
• Let others look at it in a way meaningful to them (UDOP: User Defined Operating Picture)
Joint Network Defence & Management System (JNDMS)
JNDMS Visualisation Challenges
• Filtering/aggregating/tailoring
• Real-time display requirements?
– Battle tempo in cyberspace could be fast
• Logical and geospatial views
– Correlate cyber events and physical events
• Display defensive posture
• Symbology
• Displaying interdependencies
• Large volume of data
• Historical data
JNDMS
• Integration of data
• Data correlation
• Data presentation
DRDC, Impact assessment tool
DRDC, JNDMS Concept document
Contributing to Ops Commander’s COP
• Should we? We think so!
• How?
– Sharing data: Requires compatible data sets.
• C2IEDM? Possibly, needs extension.
– How to display?
• Does it imply geospatial map? (not always relevant, symbology, clutter issue)
• Need to capture reliance of military operations on cyber assets.
• At what level of details?
• Export snapshot of NOC view
– e.g. a separate window in COP 21
Questions?