Automation is Essential for Effective Cybersecurity


Industry Perspective


The U.S. Department of Defense faces a host of evolving cyberthreats amid a backdrop of expanding networks and rapidly changing technologies. As DoD and military organizations go digital to facilitate greater efficiency and mobility, it has become harder to keep attackers out of the network. DoD officials must contend with insider threats, zero-day attacks, compromise of networked systems within data centers, as well as distributed denial-of-service attacks designed to disrupt the operation of wide- and local-area networks. Assured Command and Control (C2) demands resilient and reliable transmission of critical combat information, even in the face of active cyberattacks. That’s why the DoD needs an automated approach to cybersecurity that includes seamless integration and advanced analytics to help facilitate policy enforcement at the application layer as well as enable security operators to respond to incidents in real time.


Introduction

Cyberattacks are on the rise, and the U.S. Department of Defense’s networked resources are on the front lines of this cyber war. State and non-state actors are relentless in their efforts to disrupt and undercut the nation’s technological and military advantage through cyberattacks and cyber-enabled theft of intellectual property. As a result, the DoD has taken steps to develop its cyber forces and strengthen its cyberdefense and cyber deterrence posture. “The DoD has the largest network in the world and DoD must take aggressive steps to defend its networks, secure its data, and mitigate risks to DoD missions,” according to the DoD Cyber Strategy released in 2015.

The DoD has three primary missions related to cyber: defend DoD networks, systems and information; defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence; and provide cyber support to military operational and contingency plans.

In this new digital age, the DoD and its military services are more dependent than ever on their networks. The networks are constantly expanding, incorporating new technologies such as mobile devices, cloud services, and ever more sensors and devices related to the Internet of Things. It’s no surprise that the complex interconnectedness of computer networks complicates efforts to protect critical assets, from the data center to the cloud to ad hoc wireless networks on the battlefield.

To gain better visibility into network behavior and better protect critical assets, the DoD needs an automated approach to cybersecurity that includes analytics and open application program interfaces (APIs) that will help enable technology integration and facilitate policy enforcement at the application layer. It also will enable security operators to respond to incidents in real time.

To discuss this issue, GovLoop and Cisco, a leader in networking and security solutions, partnered for this industry perspective. In the following pages, we’ll look at some of the high-level threats DoD organizations face — the insider threat, zero-day attacks and malware remediation, attacks on networked systems within data centers and attacks on wide-area networks — and suggest solutions defense agencies can employ to strengthen their cyber defense and cybersecurity posture.



The Insider Threat: Challenges and Solutions

An insider is any person with authorized access to a proprietary resource; in the government, that can include personnel, facilities, information, equipment, networks or systems. An insider can pose a threat if he or she uses that authorized access, intentionally or unwittingly, to harm the security of the United States through intellectual property theft, network sabotage, data exfiltration, espionage, or reputational harm, according to the National Insider Threat Task Force (NITTF) within the Office of the Director of National Intelligence. The NITTF has been working closely with the DoD to figure out how DoD agencies can build solid insider threat programs.

The insider threat is not an easy issue to address because tomorrow’s attack won’t look much like yesterday’s, said Matthew Galligan, Cisco Systems’ Regional Manager for the DoD Cybersecurity Team. “The challenge is to identify what normal behavior is today, not knowing what the vector of attack is going to be in the future,” Galligan said. Information security professionals must be able to identify network activities that are abnormal and alert analysts at the Security Operations Center (SOC) so they can initiate a response. But they can’t do it alone. Advanced cybersecurity solutions that automatically baseline normal activity and identify suspicious traffic patterns are important because people can no longer react quickly enough to keep up with the onslaught of attacks.

Large data transfers leaving the network or large data transfers within the network are indicators that something abnormal is occurring. Large data transfers leaving the network would indicate data exfiltration: somebody stealing intellectual property or classified or sensitive material. Large data transfers within the network would suggest activities such as data hoarding, where a person with access to certain systems or servers stores the information on servers or maybe secret servers with the intention of downloading the data later — a practice employed by Edward Snowden.


Network and security administrators are using myriad solutions to combat these threats, including examining security or system logs gathered by security information and event management (SIEM) systems, which collect logs and other security-related documentation for analysis from multiple locations. Some organizations apply an open source software framework like Hadoop, which provides low-cost, large-scale data storage and processing, and run advanced, big data analytics against that data.

Another approach is using NetFlow and NetFlow analytics. Most networks have monitoring capabilities built in. For instance, network traffic metadata such as NetFlow — an open source network protocol for collecting data developed by Cisco — is inherent in most network infrastructure devices, including routers, switches and firewalls. By collecting and analyzing flow data, network administrators can build a picture of network traffic flow and volume: where traffic is coming from and going to, and how much traffic is being generated. Security analysts can use this intelligence to identify abnormal behavior in the network traffic.

The whole point is to understand what is normal in a network and what is not by looking at new traffic patterns and employing analytics to better understand the data, said Michael Overstreet, a Security Systems Engineering Manager for Cisco. That entails coordinating the cybersecurity knowledge gleaned from technology with existing people and process controls, driving an immediate and effective response. Action can be taken manually or automatically: the identity server or network access control server is alerted to block a certain user from the network, or, if someone is demonstrating bad behavior, to disconnect that user from the network. In effect, the network is being used as a sensor. Data flowing across the network can be pulled in through NetFlow, and since a baseline has been set for what is normal, analysts can better detect an anomaly on the network — but automation is absolutely essential for swift and effective action.
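The baselining described in this section and the previous one can be shown concretely. The Python below is an added example, not code from the report or from Cisco: it aggregates NetFlow-style records (reduced to day, source, destination and byte count, all constructed for the demo) into per-host daily totals, builds a mean and standard deviation baseline per host and direction, and then flags a day whose total exceeds that baseline, labelling large outbound transfers as possible exfiltration and large internal transfers as possible data hoarding. The internal address range, the 3-sigma multiplier and the 10 MB floor are assumptions chosen for the demo.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption for the demo: this is the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate(flows):
    """Sum bytes per (day, source host, direction) for flows that originate inside the network.

    Each record is a constructed tuple (day, src_ip, dst_ip, bytes); a real NetFlow export carries
    many more fields, but these are the ones the baseline needs. Direction is 'egress'
    (internal -> external) or 'internal' (internal -> internal).
    """
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if not is_internal(src):
            continue  # traffic originating outside is not profiled here
        direction = "internal" if is_internal(dst) else "egress"
        totals[(day, src, direction)] += nbytes
    return totals


def build_baseline(history):
    """Per (host, direction): mean and population stdev of daily byte totals over the history window.

    Days on which a host sent nothing in a direction are simply absent rather than counted as zero,
    which keeps the baseline slightly high and so errs toward fewer alerts.
    """
    per_key = defaultdict(list)
    for (day, src, direction), total in aggregate(history).items():
        per_key[(src, direction)].append(total)
    return {key: (mean(vals), pstdev(vals)) for key, vals in per_key.items()}


def detect(baseline, day_flows, sigma=3.0, floor=10_000_000):
    """Flag totals above mean + sigma * stdev, but never below an absolute byte floor, so a host with
    a tiny or zero-variance baseline (or no baseline at all) does not alert on trivial volumes."""
    findings = []
    for (day, src, direction), total in aggregate(day_flows).items():
        mu, sd = baseline.get((src, direction), (0.0, 0.0))
        threshold = max(mu + sigma * sd, floor)
        if total > threshold:
            label = "possible exfiltration" if direction == "egress" else "possible data hoarding"
            findings.append({"day": day, "host": src, "direction": direction,
                             "bytes": total, "threshold": int(threshold), "label": label})
    return findings


# Constructed five-day history: routine volumes per host, in bytes.
HISTORY = []
for day, (a, b, c) in enumerate([(48, 4, 40), (52, 6, 40), (50, 5, 40), (49, 5, 40), (51, 5, 40)]):
    HISTORY += [
        (day, "10.0.0.5", "203.0.113.20", a * 1_000_000),  # routine egress to a cloud service
        (day, "10.0.0.7", "10.0.1.50", b * 1_000_000),     # routine internal file-share use
        (day, "10.0.0.9", "198.51.100.8", c * 1_000_000),  # routine egress with zero variance
    ]

# Constructed day under evaluation.
TODAY = [
    (5, "10.0.0.5", "203.0.113.20", 2_000_000_000),  # 2 GB leaving the network
    (5, "10.0.0.7", "10.0.1.50", 800_000_000),       # 800 MB pushed onto an internal server
    (5, "10.0.0.9", "198.51.100.8", 38_000_000),     # within normal range
    (5, "192.0.2.10", "10.0.0.5", 5_000_000),        # inbound from outside: not profiled
]

if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), TODAY):
        print(finding)
```

A production version would key on destination too (a single new external peer receiving most of the bytes is a stronger signal than volume alone) and would feed findings to the network access control server the text describes, rather than just printing them.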


Remediation of Zero-Day Attacks/Malware: Challenges and Solutions

A zero-day exploit is an undisclosed application vulnerability that could be exploited to negatively affect hardware, applications, data or networks. “Zero day” refers to the fact that developers have zero days to fix a problem that has been exposed. Hackers can exploit the vulnerability by launching a cyberattack on the same day the flaw is discovered, before a fix for the problem is available. Analysts must identify and remediate zero-day attacks as quickly as possible.

A file might pass through an organization’s intrusion prevention system (IPS); using threat intelligence, analysts can determine whether it’s malware, and it can be automatically blocked. Another file might come through the IPS that needs further examination, so analysts put it in a sandbox and study its content. If it is malware, it’s blocked. But if there are no signs that it is malware, it is let through. Organizations should have the ability, however, to track the file’s trajectory across the network and on the endpoints, wherever it goes. Two weeks later, maybe, an alert is generated saying it is indeed malware. How do you remediate that? If you can look at the trajectory and see where that file has gone, then you can automate the response and delete that file wherever it is. If you don’t have that capability, you may have to go in and remediate every personal computer and every server that the malware infected, which is a lengthy process.

The other aspect of detecting and mitigating a zero-day attack or malware is tracking its behavior once it is downloaded, said Overstreet. “There are behavioral analytics that we can use to determine if the activity is not normal at the host, or system level, as well as in the network.” For instance, if a recently downloaded file overwrites a system-level file on the host system, that’s bad behavior, which should be flagged and investigated, if not stopped.

Some recent high-profile cyberattacks on federal agencies have exploited a zero-day vulnerability. One attack on a specific federal agency, with exfiltration of information, had been going on for months before it was detected. In fact, there were flows of data coming out of the servers that would not have occurred with proper host- and network-based solutions in place. Personnel files flowing out to some server in China is not normal. “You’re trying to establish what is known good behavior,” Galligan said. This involves a plethora of tools and techniques, including using the network as a sensor, analytics that examine what is bad and good behavior from the network to the desktop, and automation to stop the attack and/or remove the malware threat.

Analysts in SOCs are being deluged with alerts. Cisco takes this deluge and identifies the events that are the most urgent or are indicators of compromise (IOCs). Using application programming interfaces, or APIs, administrators can link SIEMs or logging systems to feed data into a main management console — one source of truth — so analysts in a SOC or data center can evaluate the information and determine whether they need to act. Admins can then go to the individual tool consoles to get more details. “We can feed actionable data to their SIEM or log, or logging mechanism that they built themselves,” Overstreet said. “We have APIs to collect and provide that information, whether it’s contextual information, or whether it’s data analytics, or whether it’s information flowing from the cloud to the customer.” Security admins can then focus on the console needed for that problem, instead of being inundated with 50 different products and consoles that do not share information, which requires manual manipulation of information across all of them.
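The file-trajectory capability described in the previous section (a file allowed through the sandbox, then convicted weeks later) is essentially an index of sightings keyed by file hash, with a verdict that can change after the fact. The Python below is an added example, not code from the report or from Cisco’s products; the hash value, host names, paths and timestamps are constructed. It records each place a file was seen, accounts for copies that were later deleted, and when a retroactive malicious verdict arrives it returns the list of remaining copies to quarantine, noting which hosts actually executed the file so those get investigated first.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ts: int        # epoch seconds (constructed values in the demo)
    host: str
    path: str
    action: str    # "download", "copy", "exec" or "delete"


class FileTrajectory:
    """Index of where each file (keyed by SHA-256) has been seen, plus its current verdict."""

    def __init__(self):
        self._sightings = defaultdict(list)
        self._verdict = {}  # sha256 -> "clean" | "unknown" | "malicious"

    def record(self, sha256, sighting):
        self._sightings[sha256].append(sighting)
        self._verdict.setdefault(sha256, "unknown")

    def set_verdict(self, sha256, verdict):
        self._verdict[sha256] = verdict

    def verdict(self, sha256):
        return self._verdict.get(sha256, "unknown")

    def trajectory(self, sha256):
        """All sightings of the file in time order."""
        return sorted(self._sightings.get(sha256, []), key=lambda s: s.ts)

    def present_copies(self, sha256):
        """(host, path) pairs where the file was placed and not subsequently deleted."""
        present = set()
        for s in self.trajectory(sha256):
            key = (s.host, s.path)
            if s.action == "delete":
                present.discard(key)
            elif s.action in ("download", "copy"):
                present.add(key)
        return sorted(present)

    def retro_verdict(self, sha256, verdict):
        """Apply a verdict that arrived after the file was let through and return the remediation
        work list: every copy still present, flagged if that host executed the file."""
        self.set_verdict(sha256, verdict)
        if verdict != "malicious":
            return []
        executed_on = {s.host for s in self.trajectory(sha256) if s.action == "exec"}
        return [{"host": host, "path": path, "action": "quarantine", "executed": host in executed_on}
                for host, path in self.present_copies(sha256)]


# Constructed placeholder for the file's SHA-256; a real index would key on the actual digest.
SAMPLE_SHA = "constructed-sha256-placeholder-0001"


def build_demo():
    """Constructed scenario: a file passes the sandbox, spreads to a share and a second workstation,
    runs there, and the original download is deleted."""
    store = FileTrajectory()
    for s in [
        Sighting(100, "ws-alpha", r"C:\Users\a\Downloads\report.exe", "download"),
        Sighting(200, "fileshare-01", r"\\fileshare-01\share\report.exe", "copy"),
        Sighting(300, "ws-bravo", r"C:\Users\b\Desktop\report.exe", "copy"),
        Sighting(310, "ws-bravo", r"C:\Users\b\Desktop\report.exe", "exec"),
        Sighting(400, "ws-alpha", r"C:\Users\a\Downloads\report.exe", "delete"),
    ]:
        store.record(SAMPLE_SHA, s)
    store.set_verdict(SAMPLE_SHA, "unknown")  # sandbox saw nothing, so the file was let through
    return store


if __name__ == "__main__":
    store = build_demo()
    # Two weeks later threat intelligence convicts the hash; this is the automated response.
    for item in store.retro_verdict(SAMPLE_SHA, "malicious"):
        print(item)
```

Deleting the original download on ws-alpha does not clear that host: the file ran nowhere there, but a real workflow would still check ws-alpha for artefacts. The point of the index is that the two surviving copies are found in one lookup rather than by visiting every endpoint.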



Data Center Security: Challenges and Solutions

Data centers have become increasingly dynamic. They accommodate rapid application changes on the fly, high volumes of east-west application traffic (device-to-device traffic), as well as deployments that span private and public clouds. Security, while improving with white-list policies and micro-segmentation, has remained static in some ways, though, being based on perimeter appliances such as firewalls or other network segmentation solutions. Security policy is also pinned to virtual LANs (VLANs), IP parameters, ports, subnets and zones. So security still has a manual element and can still be error-prone.

The problem? The DoD is building very large data centers to host high volumes of data and applications, and major complexity exists in how applications are communicating and the policies tied to them. DoD can leverage analytics as a method for mapping these application dependencies, policies and communications.

From a network perspective, the use of segmentation in the data center is a very powerful way to leverage security. Data center micro-segmentation can provide enhanced security for east-west traffic within the data center. Data centers historically have been protected by perimeter security technologies, including firewalls, intrusion detection and prevention platforms, and custom devices. These technologies have been designed to analyze incoming traffic and ensure that only authorized users can access data center resources. These services interdict and analyze north-south traffic — traffic coming into and going out of the data center. They can be very effective at the perimeter, but they generally have not been provisioned to analyze device-to-device, or east-west, traffic within the data center. Micro-segmentation divides the data center into smaller, more protected zones. For instance, a micro-segmented data center has security services provisioned at the perimeter, between application tiers and even between devices within tiers. In this scenario, if one device is compromised, the breach will be contained to a smaller fault domain.

Another approach is to deploy a very scalable, powerful analytics engine that will give security analysts visibility into real-time data. The emphasis is still on achieving behavior-based insight, just as with insider threats and zero-day attacks, but at the application layer, said Craig Hill, a Distinguished Systems Engineer within Cisco’s U.S. Public Sector CTO Office. An analytics engine like Cisco’s Tetration, for example, allows organizations to understand an application’s behavior and security vulnerabilities in real time, and apply security policies specific to that application’s movement in the data center. Additionally, administrators can enforce policies based on contextual information and metadata of the packet. Open APIs once again can play a big role, which is particularly important for the DoD because specific DoD applications can be customized to a specific mission. This applies to wide-area network security as well, Hill said. “Whether you are dealing with command and control-type traffic or some mission application specific to that particular agency or mission, the concept is that we can tailor how operators (or security applications leveraging APIs) react to these application vulnerabilities, for example in the data center, and tailor it to the DoD-specific application,” Hill said. It’s about leveraging real-time analytics engines and being able to detect contextual information on how the applications are behaving. Leveraging the Tetration analytics engine, Cisco uses a concept called application dependency mapping that lets administrators view exactly how the applications are behaving. How is one application talking to the multiple tiers of that application? Is the policy being enforced properly? Again, this falls under the concept of the network as a sensor.
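Application dependency mapping and micro-segmentation policy checking, as described above, come down to two operations on observed flows: collapsing host-to-host flows into tier-to-tier edges, and comparing each flow against a white-list of permitted edges. The Python below is an added example, not code from the report or from Tetration; the tier inventory, the policy and the flow records are constructed. It builds the dependency map and lists the flows the policy does not permit, which are the ones enforcement between tiers (and between devices within a tier) should be blocking.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: which subnet belongs to which application tier.
TIERS = {
    "10.1.0.0/24": "web",
    "10.2.0.0/24": "app",
    "10.3.0.0/24": "db",
    "10.9.0.0/24": "mgmt",
}

# Constructed white-list policy as (source tier, destination tier, destination port).
# Anything not listed, including traffic between two hosts of the same tier, is denied.
POLICY = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}


def tier_of(ip):
    """Map a host address to its tier; hosts outside the inventory are 'unknown' and never permitted."""
    addr = ipaddress.ip_address(ip)
    for net, tier in TIERS.items():
        if addr in ipaddress.ip_network(net):
            return tier
    return "unknown"


def dependency_map(flows):
    """Collapse per-host flows into tier-to-tier edges with the destination ports seen on each edge.
    Each flow is a constructed tuple (src_ip, dst_ip, dst_port, bytes)."""
    edges = defaultdict(set)
    for src, dst, port, _ in flows:
        edges[(tier_of(src), tier_of(dst))].add(port)
    return dict(edges)


def violations(flows):
    """Flows the white-list does not permit; these are what micro-segmentation enforcement should drop."""
    found = []
    for src, dst, port, nbytes in flows:
        edge = (tier_of(src), tier_of(dst), port)
        if edge not in POLICY:
            found.append({"src": src, "dst": dst, "port": port, "bytes": nbytes, "edge": edge})
    return found


# Constructed observed flows.
FLOWS = [
    ("10.1.0.10", "10.2.0.20", 8443, 120_000),    # web -> app: permitted
    ("10.2.0.20", "10.3.0.30", 5432, 450_000),    # app -> db: permitted
    ("10.9.0.5", "10.3.0.30", 22, 8_000),         # mgmt -> db: permitted
    ("10.1.0.10", "10.3.0.30", 5432, 9_000_000),  # web -> db directly, bypassing the app tier
    ("10.1.0.11", "10.1.0.10", 445, 3_000),       # web -> web lateral movement within a tier
    ("10.3.0.30", "10.2.0.20", 4444, 2_000),      # db -> app reverse connection
]

if __name__ == "__main__":
    for edge, ports in sorted(dependency_map(FLOWS).items()):
        print(f"{edge[0]:>5} -> {edge[1]:<5} ports {sorted(ports)}")
    for v in violations(FLOWS):
        print("VIOLATION", v)
```

Run over a learning window with no violations flagged, the dependency map is the candidate policy; run continuously afterwards, the violations list is the "is the policy being enforced properly?" check the text asks for.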





Challenge: Wide-Area Network Protection

Wide-area networks (WANs) are prone to distributed denial-of-service (DDoS) attacks, and because of the wide breadth WANs cover in DoD networks, the impact can be devastating. A DDoS attack can cause application performance disruption or downtime. DDoS is an attack method used to deny legitimate users access to an online service, such as a bank or e-commerce website, an application or any other service accessible via the network. Using a vast array of computing resources, which they either built themselves or obtained by compromising vulnerable computers around the world, attackers send bogus traffic to a site. If the attacker sends enough traffic, the system becomes overwhelmed with requests and can’t service legitimate users.

The WAN, branch and campus networks and the networks at the edge of the data center are common areas that can be targeted by DDoS attacks. “The idea is that these attacks target the network elements and anything to do with the network itself, such as network links, routers, switches, DNS servers, firewalls — anything that forwards packets through it,” Hill said. The key challenge is how to combat the different variations of denial-of-service attacks on the various aspects of the network and services. During a DDoS attack, a user might still be able to use network resources, but performance could be degraded. The worst case is the shutting down of services, such as DNS servers or router elements that are extremely congested due to the attack.

From a DoD perspective, DDoS attackers attempt to target both the DoD’s Non-classified Internet Protocol (IP) Router Network (NIPR) and the Secret Internet Protocol Router Network (SIPR). Networks with access to mission-critical applications using WANs in the data center are susceptible to attack, as well as networks accessing the internet and those used for command and control.

Defending against DDoS attacks requires an analytical approach, like protection against insider threats, zero-day attacks and threats on the data center. But the toolsets are different. “The idea again is you are using a variation toolset to capture these anomalies and vulnerabilities. Some are standalone appliances, open source tools, and some are embedded within routers themselves with capture and mitigation capabilities,” Hill said. Concepts such as software-defined networking (SDN) — an approach to computer networking that allows network administrators to programmatically monitor, process, change and manage network behavior dynamically via open interfaces — let security operators use various collection engines, open source toolkits and protocols such as Apache Kafka, published APIs and open standard YANG models to detect and respond to network security vulnerabilities and events. Apache Kafka provides a unified, high-throughput, low-latency platform for handling real-time data feeds. YANG (“Yet Another Next Generation”) is a data-modeling language that can be used to define the format of event notifications emitted by network elements. Cisco is making a strong push toward model-driven support using openly published YANG models, including native, IETF and OpenConfig variants, for both programmability and telemetry from the network elements. The whole idea is to leverage machine-learning capabilities for detection — using third-party applications or Cisco partner tools — and open APIs or model-driven programmability with YANG models to read telemetry data from routers or program routers in a more open fashion. The next step is to apply the enforcement policies and rules to block attacks in real time, which can be done in any area of the DoD networks — campus, WAN, branch offices or data centers, Hill noted. “All of this ties into taking a holistic end-to-end view to enforce security” of the network, Hill said.

3 Ways to Mitigate DDoS Attacks

1. Drop network traffic. When a vulnerability or attack is detected, an automated response can be launched that pinpoints the area of the attack and drops network traffic from that point. This is a hardcore approach.

2. Selectively drop network traffic. Based on correlation engine information, administrators can selectively drop certain types of traffic, using standard capabilities such as BGP flow specification (flowspec) rules. Administrators can get more granular about network traffic: instead of dropping a link, they can be more application-specific based on information from the correlation engine. Some DoD customers are exploring the use of BGP flow specs.

3. Redirect network traffic. Maybe security administrators don’t want to drop the traffic. In that case, they can redirect it to a collection engine for further analysis.
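The three options above map onto BGP flowspec actions: discard (drop), rate-limit or a narrowly matched discard (selective drop), and redirect to a route-target that steers matching traffic toward a collection engine. As an added example that is not code from the report or from Cisco, the Python below turns a constructed correlation-engine alert into a flowspec rule and renders it in a text form modelled on ExaBGP’s flow-route configuration syntax (an assumption made for illustration; verify against your own controller’s grammar before use). The alert fields, route-target and rate value are constructed, and the "drop" mode deliberately matches only the destination prefix to mirror the blunt first option, while the other two carry source, protocol and port from the alert so that only the attack traffic is affected.

```python
import ipaddress

# The three mitigation modes from the text.
MODES = {"drop", "selective-drop", "redirect"}


def build_rule(alert, mode, rate_bps=None, redirect_target=None):
    """Turn a correlation-engine alert (a constructed dict) into a flowspec rule description.

    Returns {"match": {...}, "then": (verb, argument)}. Input is validated so that a malformed
    alert cannot produce a rule that matches far more than intended.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mitigation mode: {mode}")
    # strict=True rejects prefixes with host bits set, e.g. "203.0.113.10/24".
    match = {"destination": str(ipaddress.ip_network(alert["target"], strict=True))}

    if mode == "drop":
        # Blunt option: discard everything headed for the victim prefix.
        return {"match": match, "then": ("discard", None)}

    # Granular options: narrow the match using whatever the alert identified.
    if "source" in alert:
        match["source"] = str(ipaddress.ip_network(alert["source"], strict=True))
    if "protocol" in alert:
        if alert["protocol"] not in ("tcp", "udp", "icmp"):
            raise ValueError("unsupported protocol in alert")
        match["protocol"] = alert["protocol"]
    if "dport" in alert:
        port = int(alert["dport"])
        if not 0 <= port <= 65535:
            raise ValueError("destination port out of range")
        match["destination-port"] = f"={port}"

    if mode == "selective-drop":
        # Rate-limit (bytes per second) if a budget was given, otherwise discard the matched traffic.
        then = ("rate-limit", int(rate_bps)) if rate_bps else ("discard", None)
    else:
        if not redirect_target:
            raise ValueError("redirect needs a route-target for the collection engine")
        then = ("redirect", redirect_target)
    return {"match": match, "then": then}


def render_exabgp(rule, name="ddos-mitigation"):
    """Render a rule in ExaBGP-style flow route syntax (assumed form for illustration)."""
    lines = ["flow {", f"  route {name} {{", "    match {"]
    for key, value in rule["match"].items():
        lines.append(f"      {key} {value};")
    lines += ["    }", "    then {"]
    verb, arg = rule["then"]
    lines.append(f"      {verb};" if arg is None else f"      {verb} {arg};")
    lines += ["    }", "  }", "}"]
    return "\n".join(lines)


# Constructed alert: a UDP/53 flood against one DNS server from one source range.
ALERT = {"target": "203.0.113.10", "source": "198.51.100.0/24", "protocol": "udp", "dport": 53}

if __name__ == "__main__":
    print(render_exabgp(build_rule(ALERT, "drop"), "drop-all"))
    print(render_exabgp(build_rule(ALERT, "selective-drop", rate_bps=9600), "rate-limit-flood"))
    print(render_exabgp(build_rule(ALERT, "redirect", redirect_target="65000:100"), "to-collector"))
```

The interesting difference between the three rendered rules is the match block: the drop rule has one line and would also discard legitimate DNS queries to the victim, while the selective and redirect rules carry the source range, protocol and port and so leave other traffic untouched.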



Conclusion

DoD’s leadership is trying to cope with evolving threats, expanding networks, rapidly changing technologies and declining resources. DoD officials recognize that the department and its components need to change, adapt and innovate to meet today’s challenges, as well as to ensure effective defense against cyberthreats well into the future. An automated approach combined with analytics, using the network as a sensor, open source APIs and enforcement of policy at the application layer will give DoD administrators greater visibility into network operations and enable a quicker response to incidents.


About Cisco

Cisco designs and sells broad lines of products, provides services, and delivers integrated solutions to develop and connect networks around the world. For over 30 years, we have helped our customers build networks and automate, orchestrate, integrate, and digitize IT-based products and services. In an increasingly connected world, Cisco is helping to transform businesses, governments, and cities worldwide.

Learn more at: http://www.cisco.com/go/federalgovernment

About GovLoop

GovLoop’s mission is to inspire public sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to the public sector.

For more information about this report, please reach out to info@govloop.com.



1152 15th Street NW, Suite 800 Washington, DC 20005 Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com @GovLoop


