Visualisation for Network Situational
Awareness in Computer Network Defence
Marc Grégoire, DRDC Ottawa
Luc Beaudoin, Bologik Inc.
Defence R&D Canada
R et D pour la défense, Canada
Outline
• Network as a battlespace
• Need for Network SA
• Joint Network Defence &
Management System (JNDMS)
• JNDMS Challenges
– Visualisation
– Integration into COP
Networks are critical assets to Canadian Forces Operations
– Assure network services in support of operations
  • Email
  • GCCS
  • HRMS, FMAS, CFSSU
– Defend network during operations
  • Vs hackers
  • Vs virus
  • Vs technical failures
The network as a Battlespace
[Diagram: CND facing CNE avenues of approach, with a firewall & guard and an intrusion sensor on the path. Ref: LCol R. Knight, CFIOG, DND]
Must maintain network situational awareness
Network Situational Awareness
Knowing the level of threats and the current status of all network assets supporting military operations.
– IT Infrastructure (circuits, hardware, software);
– Defensive posture;
– Security events (C, I, A, etc.);
– Military Operations;
– Interdependencies.
Fight the Networks
[Diagram: Operational Command; Network Operations Centre and its sub-units: IT Service Desk, Network Control, Computer Incident Response Team]
Mission/Role
Operational Command:
– Peace Keeping;
– Search and Rescue;
– Assistance to civil power;
– NORAD;
– NATO;
Network Operations Centre, for operational IT systems:
– “Fight the Networks”
– Preserve Confidentiality;
– Maintain Integrity;
– Assure Availability.
IT Service Desk:
– Provide user with 1st line IT support;
– Assure quality of IT service to the users.
Network Control:
– Maintain connectivity;
– Monitor network performance;
Computer Incident Response Team:
– Network security monitoring;
– Intrusion detection;
– Intelligence analysis;
Information Types
Operational Command:
- Resources
- Priorities
- IT services
- Supporting ops
- Locations
- Schedule
Network Operations Centre: ALL TYPES
IT Service Desk:
- Trouble tickets
- Users
- Hosts
- Locations
- Applications
Network Control:
- Host Status (Up/Down)
- Links usage
- Circuits/Topology
- Locations
Computer Incident Response Team:
- IP addresses
- Ports
- Host
- Locations
- Vulnerabilities
- Attack signatures
Example: Inputs resulting from events
IT Service Desk: 3 users report that a military Web site providing weather maps is not responding.
Network Control: Monitoring tool alerts of sudden surge in traffic on a base Local Area Network (LAN).
Computer Incident Response Team: Intrusion detection system alerts of intensive scanning activities on a subnet.
IT Service Desk View
[Figure: IT SD view]
Network Control View
[Figure: NetCon view]
CIRT View
[Figure: CIRT view]
NOC View
– 3 users report that a military Web site providing weather maps is not responding.
– Monitoring tool alerts of sudden surge in traffic on a base LAN.
– Intrusion detection system alerts of intense scanning activities on a subnet.
So what?
Operational Command View
Option 1: Silo information report:
- SERVICES: 3 users report that a military Web site providing weather maps is not responding.
- PERFORMANCE: Monitoring tool alerts of sudden surge in traffic on a base LAN.
- SECURITY: Intrusion detection system alerts of intense scanning activities on a subnet.
OR
Option 2: Integrated information report:
- IMPACT: Weather services to all deployed ships are inaccessible.
- CAUSE: One vulnerable IIS server infected by SQLSlammer worm. Infected server is scanning surrounding hosts to propagate the worm. This scanning activity creates a denial of service for all servers on subnet.
How to get option 2, and quicker?
• Integrate data
  – IT infrastructure
  – Security events
  – Military operations
• Common source of information to achieve Network Situational Awareness at the NOC and to answer the “So what?”
• Improve decision making
  – Faster (option space Vs time)
  – Quality (support risk acceptance option)
  – Prioritize
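As an added illustration (not code from the JNDMS project or the presenters), the following Python sketch correlates the three silo inputs from the example slides into the Option 2 style impact/cause report by walking a constructed interdependency map (operation -> IT service -> host -> LAN segment); every name, address and event text in it is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed interdependency data (assumed, not from the JNDMS project):
# operation -> IT service -> host -> base LAN segment.
OPS_DEPENDS_ON = {"Deployed ships (weather support)": "Weather map web site",
                  "HQ staff": "Email"}
SERVICE_HOST = {"Weather map web site": "10.20.30.7", "Email": "10.40.0.5"}
HOST_SUBNET = {"10.20.30.7": "10.20.30.0/24", "10.40.0.5": "10.40.0.0/24"}

@dataclass
class Event:
    source: str   # "IT SD", "NetCon" or "CIRT"
    subject: str  # service name, host address or subnet the event concerns
    detail: str

# Constructed inputs mirroring the slide scenario, plus one unrelated ticket.
EVENTS = [
    Event("IT SD", "Weather map web site",
          "3 users report the weather map site is not responding"),
    Event("NetCon", "10.20.30.0/24", "sudden surge in traffic on base LAN"),
    Event("CIRT", "10.20.30.7", "IDS: intensive scanning from this host"),
    Event("IT SD", "Email", "1 user cannot open an attachment"),
]

def subnet_of(subject):
    """Resolve a service name, host address or CIDR to its LAN segment."""
    host = SERVICE_HOST.get(subject, subject)
    try:
        return HOST_SUBNET.get(host) or str(ip_network(host))
    except ValueError:
        return None

def integrated_report(events):
    """Answer 'So what?': group events by subnet, then name the services and
    operations that depend on hosts there (the slides' Option 2 view)."""
    by_subnet = {}
    for ev in events:
        if sn := subnet_of(ev.subject):
            by_subnet.setdefault(sn, []).append(ev)
    report = []
    for sn, evs in by_subnet.items():
        services = [s for s, h in SERVICE_HOST.items() if HOST_SUBNET[h] == sn]
        sources = sorted({e.source for e in evs})
        report.append({"subnet": sn, "services": services,
                       "impact": [o for o, s in OPS_DEPENDS_ON.items() if s in services],
                       "sources": sources, "corroborated": len(sources) > 1,
                       "cause": next((e.detail for e in evs if e.source == "CIRT"), "unknown")})
    return report
```

Only the subnet seen by all three sub-units comes out corroborated with a CIRT cause attached; the lone email ticket stays a single-source item, which is the distinction the NOC needs to prioritise.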
Sharing
• Share with the NOC sub-units to improve their own processes by giving them more context.
• Tactical decisions may require strategic level information.
• Let others look at it in a way meaningful to them (UDOP: User Defined Operating Picture)
Joint Network Defence & Management System (JNDMS)
JNDMS Visualisation Challenges
• Filtering/aggregating/tailoring
• Real-time display requirements?
  – Battle tempo in cyberspace could be fast
• Logical and geospatial views
  – Correlate cyber events and physical events
• Display defensive posture
• Symbology
• Displaying interdependencies
• Large volume of data
• Historical data
JNDMS
• Integration of data
• Data correlation
• Data presentation
[Figures: DRDC, Impact assessment tool; DRDC, JNDMS Concept document]
Contributing to Ops Commander’s COP
• Should we? We think so!
• How?
  – Sharing data: Requires compatible data sets.
    • C2IEDM? Possibly, needs extension.
  – How to display?
    • Does it imply geospatial map? (not always relevant, symbology, clutter issue)
    • Need to capture reliance of military operations on cyber assets.
    • At what level of details?
• Export snapshot of NOC view
  – e.g. a separate window in COP 21
Questions?