1 Marc Grégoire, DRDC Ottawa Luc Beaudoin, Bologik Inc. Visualisation for Network Situational Awareness in Computer Network DefenceMarc Grégoire, DRDC OttawaLuc Beaudoin, Bologik Inc.
2 Outline Network as a battlespace Need for Network SA Joint Network Defence & Management System (JNDMS)JNDMS ChallengesVisualisationIntegration into COP
3 Networks are critical assets to Canadian Forces Operations Assure network services in support of operationsGCCSHRMS, FMAS, CFSSUDefend network during operationsVs hackersVs virusVs technical failures
4 The network as a Battlespace Avenues ofApproachCNDCNEFirewall &GuardIntrusionSensorRef: LCol R. Knight, CFIOG, DNDLand, Sea and Air activities are predicated increasingly on networksAn attack on a network can dramatically upset operations. Currently, it is difficult and time consuming to understand the effect of a network attack on the mission and to plan an appropriate response.Must maintain network situational awareness
5 Network Situational Awareness Knowing the level of threats and the current status of all network assets supporting military operations.IT Infrastructure (circuits, hardware, software)Defensive posture;Security events (C, I, A, etc) ;Military Operations;Interdependencies.
6 Fight the Networks Operational Command Network Operations Centre IT ServiceDeskNetworkControlComputer IncidentResponse Team
7 Mission/Role Operational Command Network Operations Centre IT Service Peace Keeping;Search and Rescue;Assistance to civil power;NORAD;NATO;For operational IT systems:“Fight the Networks”Preserve Confidentiality;Maintain Integrity;Assure Availability.NetworkOperationsCentreITServiceDeskNetworkControlComputer IncidentResponse TeamProvide user with 1st line IT support;Assure quality of IT service to the users.Maintain connectivity;Monitor network performance;Network security monitoring;Intrusion detection;Intelligence analysis;
8 Information Types Operational Command Network Operations Centre IT ResourcesPrioritiesIT servicesSupporting opsLocationsScheduleOperationalCommandALL TYPESNetworkOperationsCentreITServiceDeskNetworkControlComputer IncidentResponse TeamTrouble ticketsUsersHostsLocationsApplicationsHost Status (Up/Down)Links usageCircuits/TopologyLocationsIP addressesPortsHostLocationsVulnerabilitiesAttack signatures
9 Example: Inputs resulting from events OperationalCommandNetworkOperationsCentreITServiceDeskNetworkControlComputer IncidentResponse Team3 users report that a military Web site providing weather maps is not responding.Monitoring tool alerts of sudden surge in traffic on a base Local Area Network (LAN).Intrusion detection system alerts of intensive scanning activities on a subnet.
13 NOC View3 users report that a military Web site providing weather maps is not responding.Monitoring tool alerts of sudden surge in traffic on a base LAN.Intrusion detection system alerts of intense scanning activities on a subnet.NOCSo what ?
14 Operational Command View Option 1:Silos information report :SERVICES:3 users report that a military Web site providing weather maps is not responding.;PERFORMANCE:Monitoring tool alerts of sudden surge in traffic on a base LAN.SECURITY:Intrusion detection system alerts of intense scanning activities on a subnet.OROption 2:Integrated information report:IMPACT:Weather services to all deployed ships is inaccessible.CAUSE:One vulnerable IIS server infected by SQLSlammer worm. Infected server is scanning surrounding hosts to propagate the worm. This scanning activity creates a denial of service for all servers on subnet.Cmd
15 How to get option 2, and quicker? Integrate dataIT infrastructureSecurity eventsMilitary operationsCommon source of information to achieve Network Situational Awareness at the NOC and to answer the “So what?”Improve decision makingFaster (option space Vs time)Quality (support risk acceptance option)PrioritizeNOC
16 SharingShare with the NOC sub-units to improve their own processes by giving them more context.Tactical decisions may require strategic level information.Let others look at it in a way meaningful to them (UDOP: User Defined Operating Picture)NOC
17 Joint Network Defence & Management System (JNDMS) This is a high level view of the JNDMS concept.There are 3 types of input data.The first one is security events data. This could include alerts from network intrusion detection systems, alerts from network managements tools, and intelligence reports.The second type is military operations data. This is data on operations and their associated IT services and assets.The third type of input data is IT infrastructure data. This is the topology and the configuration.The integration creates contextual data inside of the JNDMS.The output is network situational awareness, which is knowledge used for decision support.
18 JNDMS Visualisation Challenges Filtering/aggregating/tailoringReal-time display requirements?Battle tempo in cyberspace could be fastLogical and geospatial viewsCorrelate cyber events and physical eventsDisplay defensive postureSymbologyDisplaying interdependenciesLarge volume of dataHistorical data
19 JNDMS Integration of data Data correlation Data presentation DRDC, Impact assessment toolDRDC, JNDMS Concept document
20 Contributing to Ops Commander’s COP CmdShould we? We think so!How?Sharing data: Requires compatible data sets.C2IEDM? Possibly, needs extension.How to display?Does it imply geospatial map? (not always relevant, symbology, clutter issue)Need to capture reliance of military operations on cyber assets.At what level of details?Export snapshot of NOC viewe.g. a separate window in COP 21