Export Approval Number: IS-ES-072109-175
Between The Sword and Shield: The Role of the Network Operations & Security Center
John Osterholz, Vice President, Cyber Warfare and Cybersecurity, BAE Systems Information Solutions
David Garfield, Managing Director, Electronics Systems Group, Detica – A BAE Systems Company
BAE SYSTEMS EI&S Operating Group, April 2009. Export Approval Number: IS-ES-072109-175
Cybersecurity … Cyber Defense … Critical Infrastructure
Jeez, this is really getting complicated
[Figure: word cloud of converging technologies and domains]
• Social Media
• Entertainment
• Gaming
• Peer to Peer (P2P)
• DWDM technology
• Voice Over IP (VOIP)
• Anything Over IP (AOIP)
• Services Oriented Architecture (SOA)
• Personal / Back Office Convergence and Sharing
• Data Privacy
• Dot com, Dot gov, Dot mil, Dot edu, Dot “pick your noun”
We Love a Hard Problem
• Nation States
• Organized Crime
• Terrorists
• Just about anyone
An Evolving Threat - Post Millennium
• In just six months in 2007:
  • Requirements for system “cleanings” increased 200 percent
  • Trojan malware downloads and drops increased 300 percent
• “Over the past few years, the focus of endpoint exploitation has dramatically shifted from operating system to the Web browser and multimedia applications.”*
* Ref: IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics
Net Present Impact in operational terms
Characteristic of exploitive attacks since 2004
“CEOs who think cybercrime is just the business of CIOs are like Enron’s shrugging off the company’s books as something for the accounting department.”
The Growing Role of the Insider Threat
“Daddy, something’s wrong with your Blackberry …”
“In the very near future, many conflicts will not take place just on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers”
Nikolai Kuryanovich, former member of the Russian Duma
“… it is useless for us to occupy it; but the utter destruction of its roads, houses, and people, will cripple their military resources.”
GEN W.T. Sherman, 1864
Georgia I: “I Will Make Georgia Howl”
Total Warfare Then and Now: The Lesson of Two Georgias
“… Russian tanks rolled into the country's territory, in what experts said Wednesday was an ominous sign that cyber-attacks might foreshadow future armed conflicts.”
Moscow Times, 2008
Georgia II: The Next Dimension
Cybersecurity and Cyber Defense – It’s no longer just about Comms and Networks
Limitations of a Communications and Network Technology Mindset
• Application & Data Intensive Environments
• Cognitive Heuristics – Time Constrained Reasoning
The US and UK Alignment is Significant and Growing
NATO UNCLASSIFIED
Cyber Defence Efforts in NATO – What’s Next
• New Strategic Concept: Delineate cyber defence roles of NATO and Nations
• Expand NATO’s cyber defence capability
• Implement cyber events into military exercises
• Coordinate & implement national best practices through the cyber defence Centre of excellence
• Field a Command & Control reference capability – Stress / attack the NATO reference system for vulnerabilities
Successfully managing our information resources against Advanced and Persistent Threats will require an organizational integration of network and security disciplines
U.S. Cyberspace Policy Review (2009)
“The Nation also needs a strategy for cybersecurity designed to shape the international environment and bring like-minded nations together …”
“The Strategy highlights the need for Government, business, international partners and the public to work together to meet our strategic objectives of reducing risk and exploiting opportunities …”
Cyber Security Strategy of the United Kingdom (2009)
An Overarching Organizational Model
[Figure: organizational model diagram. Elements: Data collection; Information Risk Management and Information Assurance Policies; Threat monitoring and analysis; Threat response; Behaviour, responsibility and training; The Internet; Cybertechnical research; Business systems and processes; Threat coordination; ICT infrastructure]
• The business systems and processes for which cyber space is used
• The ICT infrastructure
• Dedicated threat detection together with associated responses
• A strong coordination layer providing situational awareness as well as alignment with activities outside the cyber domain
The Network Operations and Security Center (NOSC) represents a key operational instantiation of this model
Enter the Network Operations & Security Center (NOSC)
[Figure: Legacy CONOPS (separate Network Operations Center and Security Operations Center) converging into a New CONOPS (Network Operations and Security Center). Source: NATO-ACT ID ’08, Brussels, Belgium]
• Dynamic Situational Awareness
• Degraded Operations
• Cyber Defense Information Sharing
Key Functionality of the Leading Edge NOSC: Moving from Cyber Forensics to Run Time Cyber Operations
[Figure: NOSC functional architecture. Elements: Test, Training & Exercise (TT&E); Advanced & Persistent Threats; Cyber Collection Environment; Intelligence Analysis; Reporting / Visualization; Digital Processing Environments; Cross Domain Info Sharing; Data – Knowledge, Data – Fusion; Critical Cyberspace Domains; All Source Information; Mission Users; Intel / OP Collaboration; Operations Management Visualization; Network (.mil, .gov, DIB partners, .nato.int, etc.)]
Leading Edge NOSC Focus
• Dynamic Situational Awareness
• Degraded Operations
• Cyber Defense Information Sharing
High Level Cyber Architecture Implications of a NOSC
[Figure: the same NOSC functional architecture, annotated with numbered callouts 1–5]
1:
• Operate at Net Speed
• Multiple Phenomenology
• Analyst Agile
2:
• All Source Scope
• Autonomic Assist
• Forensic & Run Time
• Cognitive Visualization
3:
• Data to Knowledge
• Inherently Cross-Domain
• Federated Operational Trust
4:
• Cognitive Visualization
• Course of Action Agile
• Inherently Cross-Domain
• Federated Operational Trust
5:
• Salient Environment
• Flexible and Extensible
• Embedded Capability
The New Frontier Mission
Innovative applications of information technology capabilities, solutions and services needed to adapt, assure and sustain mission operations while under attack