UNCLASSIFIED
LTC Scott Helmore
Defensive Cyber Operations Industry Overview
3 APR 18
Introduction
• Welcome
• Transforming I3C2 to DCO
• Themes:
  • Innovation
  • Secure Communications
  • Collaboration
4/23/2018 UNCLASSIFIED 2
• WWII was won with American manufacturing
• Cold War was won with military industrial complex
• How will we win the cyber war?
Defensive Cyber Overview
Operational Force: U.S. Army Cyber Command (ARCYBER)
• 41 Army CPTs (20 Active Duty, 21 USAR / ARNG)
• U.S. Army Cyber Protection Brigade, Ft Gordon, GA
• USAR and ARNG CPTs
TRADOC Capability Manager - Cyber / Cyber Center of Excellence
• DCO ONSs (*11 Requirements Definition Packages)
• DCO IS ICD
Materiel Developers / Programs
• PdM - DCO
• PM MC (**TDI only)
• PdM TCNO (**TDI ONS only)
• ARCYBER (**Limited Acquisition Authority)
Tailored Acquisition
1. Single Material Development Decision for suite of capabilities
2. Reduced Documentation
3. Empower Leaders (0‐6 Level Decision Makers) ACAT IVs
4. Flexible Resourcing ‐ allocated to Suite of Capabilities instead of specific programs
5. Continual Test Environment – “Forge”
From Formal Acquisition to Evolutionary Acquisition: MDD, Prototyping, Capability Release Decisions
Providing Acquisition Capabilities at the Speed of Relevance
Focused on Capability drop decisions vs traditional milestone decisions
DCO Evolutionary Acquisition
Other Transactional Agreements – Emerging Technologies (Innovation)
• Build our Cyber Industrial Bench
• Connect with Industry/Government ranges
• Pre-emptive Risk Management Assistance
• Industry Recommends new Technology
• "Shark Tank" Rapid Pitches
• "Crucible" Assessment Events
• "Constellation" Tiered Industry Experts
• 30 Day Prototype Process (C-RAPID)
System Integrator Contracts – Integration / Sustaining
• Programs of Record (Multiple)
• Five Year Efforts
• Integrate OTA Innovation
• Modularity
• Focused on Open Source and Open Architecture
• 30 Day Integration
Forge / Armory – Fielding / Stability
• Assess/Develop Technology
• Integrate Capabilities
• Anytime Training
• Forward Deployed Support
• Latest Integrated Capabilities
• Mission Focused Training
Securing Acquisitions
• Screening Questions
• Facility Clearance
• Experienced Integration capabilities
• No Foreign Supply Chain/Control Issues
• SIPR capabilities (communication)
• Monitoring
• Scanning of Equipment and Code
Constellation
Industry Subject Matter Expert sub-consortiums
• Lead Members are given direct access to Operational Data and problems; weekly sync with PM and ARCYBER
• Must have TS/SCI facility clearance
• Multiple Leads (no more than eight per topic)
• Recommend Technologies
• Can be rotated if not productive
• Cleared Advisors have security clearances and are selected by Lead Member
• Innovative Firms do not require clearances and are selected by Cleared Advisors or Lead Members
Constellation (example)
(1) Lead
(20) Cleared Advisors
(50) Innovative firms
Constellation Leads may include: (1) Government, (1) Academia, (1) FFRDC, and (4) Industry
Get Ahead of Threats; Building the Cyber Bench
Acquisition Steps
• April – Request for Proposal – Garrison DCO Platform; Deployable DCO System
• April – Consortium Management Firm selection
• April – Forge Stand-up
• June – Request for Proposal – Analytics
• July – Request for Proposal – Mission Planning
• September – User Activity Monitoring & Forensics/Malware
Continual Technology Reviews using C-RAPID and Forge
User Activity Monitoring
Program Description
User Activity Monitoring (UAM) is the primary capability within the Army’s overall Insider Threat program. UAM will mitigate gaps that inhibit the Army’s ability to identify anomalous or malicious user activity that may pose a threat to the Joint Worldwide Intelligence Communications System (JWICS) and Secure Internet Protocol Router Network (SIPRNet) networks. UAM is a software‐based, scalable solution that proactively identifies and mitigates internal risks associated with the theft or misuse of critical, mission essential data. It utilizes an integrated approach with a centralized UAM cell sending data to a core Insider Threat Hub.
Capabilities
• Endpoint activity monitoring and control, capture and analysis of user actions (with the ability to replay), investigations, and the adaptation of an organization’s Insider Threat countermeasures
• Identify individuals who are at higher risk for being targeted by foreign intelligence or more likely to misuse access privileges
• Provides audit and trigger data to designated cyber forces based on predefined policies
• The Army will implement UAM for all Soldiers, civilians, and contractors with access to JWICS and SIPRNet
• 2017 – Assess Data Analytics Services to attach to Raytheon Innerview™
• 2018 – Employment of Securonix – Big Data Platform Assessment
• 2019 – Program of Record
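The slide describes UAM as endpoint agents forwarding activity to a central cell, which then raises "trigger data" for cyber forces "based on predefined policies." The following is an added illustration of that policy-trigger step, not code from the Army UAM program, Raytheon, or Securonix. Every event, user name, host, path, threshold and policy name below is constructed for the example; the three policies (bulk copy to removable media, off-hours file access, repeated failed logons) are chosen only to show how per-event rules and per-user aggregate rules differ.

```python
"""Policy-based trigger generation over endpoint user-activity records.

Added example (not part of the DCO/UAM program). All records and thresholds
are constructed; a real deployment would read agent telemetry and policies
from its own sources.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed endpoint records, shaped like what agents might forward to a
# central UAM cell. Sizes are in bytes (MiB multiples for readability).
SAMPLE_EVENTS = [
    {"ts": "2018-04-03T09:12:00", "user": "jdoe", "host": "ws-101",
     "action": "file_copy", "dest": "removable", "bytes": 300 * 2**20},
    {"ts": "2018-04-03T09:40:00", "user": "jdoe", "host": "ws-101",
     "action": "file_copy", "dest": "removable", "bytes": 350 * 2**20},
    {"ts": "2018-04-03T10:05:00", "user": "asmith", "host": "ws-204",
     "action": "file_copy", "dest": "removable", "bytes": 20 * 2**20},
    {"ts": "2018-04-03T23:40:00", "user": "asmith", "host": "ws-204",
     "action": "file_read", "path": "//share/projects/plan.docx"},
    {"ts": "2018-04-03T14:00:00", "user": "bjones", "host": "ws-307",
     "action": "file_read", "path": "//share/projects/notes.txt"},
] + [
    # Five failed logons for one user within a few minutes (constructed).
    {"ts": f"2018-04-03T08:0{i}:00", "user": "bjones", "host": "ws-307",
     "action": "logon_failed"}
    for i in range(5)
]

# Constructed "predefined policies". Thresholds are illustrative only.
POLICIES = {
    "removable_media_bulk_copy": {"bytes_threshold": 500 * 2**20},
    "off_hours_file_access": {"business_hours": (6, 20)},   # 06:00-19:59
    "repeated_failed_logon": {"count_threshold": 5},
}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_off_hours(ts, business_hours):
    """True when the hour falls outside the [start, end) business window."""
    start, end = business_hours
    return not (start <= ts.hour < end)


def evaluate(events, policies=POLICIES):
    """Return a list of trigger records, one per (user, policy) hit.

    Per-event policies fire immediately; aggregate policies (bytes copied,
    failed logons) are summed per user across the whole batch first.
    """
    triggers = []
    removable_bytes = defaultdict(int)
    failed_logons = Counter()
    window = policies["off_hours_file_access"]["business_hours"]

    for ev in events:
        ts = parse_ts(ev["ts"])
        if ev["action"] == "file_copy" and ev.get("dest") == "removable":
            removable_bytes[ev["user"]] += ev["bytes"]
        elif ev["action"] == "logon_failed":
            failed_logons[ev["user"]] += 1
        elif ev["action"] == "file_read" and is_off_hours(ts, window):
            triggers.append({"policy": "off_hours_file_access",
                             "user": ev["user"], "host": ev["host"],
                             "evidence": f"{ev['path']} read at {ev['ts']}"})

    byte_thr = policies["removable_media_bulk_copy"]["bytes_threshold"]
    for user, total in removable_bytes.items():
        if total >= byte_thr:
            triggers.append({"policy": "removable_media_bulk_copy",
                             "user": user, "host": None,
                             "evidence": f"{total // 2**20} MiB to removable media"})

    count_thr = policies["repeated_failed_logon"]["count_threshold"]
    for user, count in failed_logons.items():
        if count >= count_thr:
            triggers.append({"policy": "repeated_failed_logon",
                             "user": user, "host": None,
                             "evidence": f"{count} failed logons"})

    return sorted(triggers, key=lambda t: (t["user"], t["policy"]))


def triggered_policies(events, policies=POLICIES):
    """Map each user to the sorted list of policy names that fired."""
    hits = defaultdict(set)
    for t in evaluate(events, policies):
        hits[t["user"]].add(t["policy"])
    return {user: sorted(names) for user, names in hits.items()}


if __name__ == "__main__":
    for trigger in evaluate(SAMPLE_EVENTS):
        print(trigger)
```

The trigger records are what a central cell would hand to analysts; the raw events stay with the audit store, which is the "audit and trigger data" split the slide draws. Aggregation per user is the part that matters for the removable-media case: neither 300 MiB copy alone crosses the threshold, only their sum does.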
Forensics and Malware
Program Description
The Forensics and Malware Analysis (F&MA) capability will be composed of a set of applications used to provide the enterprise-level function to detect, analyze, mitigate and eradicate malicious IT threats (malware) on defended networks. F&MA will hunt for malware residing on processing components, including clients, servers and network components. It will also provide information support for damage assessment and restoration. The applications will examine the operation of malware, isolate it, and extract it from the contaminated network to a controlled environment.
Capabilities
• Rapidly triage an incident and place the impacted system back in service
• Quickly review information stored on deployed computers in real‐time – without altering or damaging it
• Assist in determining subsequent actions in order to collect, process, search, and analyze evidence from portable electronic devices, removable media, system hard drives, and random access memory
• Automated and dynamic malware decomposition and behavior analysis to determine impacts
• 2017 – Deployed as part of Tool Suite
• 2018 – Enterprise Pilot
• 2019 – Program of Record
Discussion
- How should technologies be recommended?
- How can we make a better partnership?
- How can we be Open but Secure?
- How many Constellations?
- Can we buy solutions?
- Can we build a Cyber Coliseum?
LTC Scott Helmore, [email protected]
Thank you
Anh Nguyen, Executive Assistant to PdM and DPdM, Defensive Cyber Operations (DCO), (O) [email protected]