defence r&d canada r et d pour la défense canada visualisation for network situational...

Defence R&DCanada

R et D pour la défenseCanada Canada

Visualisation for Network Situational Awareness in Computer Network Defence

Marc Grégoire, DRDC Ottawa

Luc Beaudoin, Bologik Inc.

Defence R&D Canada R et D pour la défense, Canada

Outline

• Network as a battlespace

• Need for Network SA

• Joint Network Defence & Management System (JNDMS)

• JNDMS Challenges– Visualisation– Integration into COP


Networks are critical assets to Canadian Forces Operations

– Assure network services

in support of operations• Email

• GCCS

• HRMS, FMAS, CFSSU

– Defend network during operations

• Vs hackers

• Vs virus

• Vs technical failures


The network as a Battlespace

Avenues ofApproach Firewall &

Guard

Intrusion Sensor

CND

CNE

CNE

CNERef: LCol R. Knight, CFIOG, DND

Must maintain network situational awareness


Network Situational Awareness

Knowing the level of threats and the current status Knowing the level of threats and the current status of all network assets supporting military operations.of all network assets supporting military operations.

– IT Infrastructure (circuits, hardware, software)

– Defensive posture;

– Security events (C, I, A, etc) ;

– Military Operations;

– Interdependencies.


Fight the Networks

OperationalCommand

NetworkOperations

Centre

ITService

Desk

NetworkControl

Computer IncidentResponse Team


Mission/Role

OperationalCommand

NetworkOperations

Centre

ITService

Desk

NetworkControl


– Peace Keeping;– Search and Rescue;– Assistance to civil power;– NORAD;– NATO; For operational IT systems:

– “Fight the Networks”– Preserve Confidentiality;– Maintain Integrity;– Assure Availability.

– Provide user with 1st line IT support;– Assure quality of IT service to the users.

– Maintain connectivity;– Monitor network performance;

– Network security monitoring;– Intrusion detection; – Intelligence analysis;


Information Types

OperationalCommand

NetworkOperations

Centre

ITService

Desk

NetworkControl


- Resources- Priorities- IT services- Supporting ops- Locations- Schedule

- Trouble tickets- Users- Hosts- Locations- Applications

- IP addresses- Ports- Host- Locations- Vulnerabilities- Attack signatures

- Host Status (Up/Down) - Links usage- Circuits/Topology- Locations

ALL TYPES


Example: Inputs resulting from events

OperationalCommand

NetworkOperations

Centre

ITService

Desk

NetworkControl


3 users report that a military Web site providing weather maps is not responding.

Intrusion detection system alerts of intensive scanning activities on a subnet.

Monitoring tool alerts of sudden surge in traffic on a base Local Area Network (LAN).


IT Service Desk View

IT SD


Network Control View

NetCon


CIRT View

CIRT


NOC View

NOC

So what ?

3 users report that a military Web site providing weather maps is not responding.

Intrusion detection system alerts of intense scanning activities on a subnet.

Monitoring tool alerts of sudden surge in traffic on a base LAN.


Operational Command ViewOption 1:

Option 2:

Silos information report :

Cmd

-SERVICES:-3 users report that a military Web site providing weather maps is not responding.;

- PERFORMANCE:-Monitoring tool alerts of sudden surge in traffic on a base LAN.

- SECURITY:-Intrusion detection system alerts of intense scanning activities on a subnet.OR

-IMPACT:-Weather services to all deployed ships is inaccessible.Weather services to all deployed ships is inaccessible.

- CAUSE:- One vulnerable IIS server infected by SQLSlammer worm. Infected server is scanning surrounding hosts to propagate the worm. This scanning activity creates a denial of service for all servers on subnet.

Integrated information report:


How to get option 2, and quicker?

• Integrate data – IT infrastructure – Security events– Military operations

• Common source of information to achieve Network Situational Awareness at the NOC and to answer the “So what?”

• Improve decision making– Faster (option space Vs time)– Quality (support risk acceptance option)– PrioritizeNOC


Sharing

• Share with the NOC sub-units to improve their own processes by giving them more context.

• Tactical decisions may require strategic level information.

• Let others look at it in a way meaningful to them (UDOP: User Defined Operating Picture)

NOC


Joint Network Defence&

Management System(JNDMS)

!


JNDMS Visualisation Challenges

• Filtering/aggregating/tailoring• Real-time display requirements?

– Battle tempo in cyberspace could be fast

• Logical and geospatial views– Correlate cyber events and physical events

• Display defensive posture• Symbology• Displaying interdependencies• Large volume of data• Historical data


JNDMS

•Integration of data•Data correlation•Data presentation

DRDC, Impact assessment tool

DRDC, JNDMS Concept document


Contributing to Ops Commander’s COP

• Should we? We think so!• How?

– Sharing data: Requires compatible data sets. • C2IEDM? Possibly, needs extension.

– How to display?• Does it imply geospatial map? (not always relevant,

symbology, clutter issue)

• Need to capture reliance of military operations on cyber assets.

• At what level of details?

• Export snapshot of NOC view– e.g. a separate window in COP 21

Cmd

Defence R&DCanada

R et D pour la défenseCanada Canada

Questions?Questions?

defence r&d canada r et d pour la défense canada visualisation for network situational...

Documents

defence rd canada r

canada outline network

canada networks

dfense canada visualisation

canada example

network services

network assets

canada noc view noc