See how CERDEC/ARL leverages the Elastic Stack to gain critical insights into activities and trends across the networks it covers, and how it enables research into new methods of protecting our nation’s defenses.
Countering Threats with the Elastic Stack at CERDEC/ARL
1. APPROVED FOR PUBLIC RELEASE
U.S. ARMY RESEARCH, DEVELOPMENT AND ENGINEERING COMMAND
DR. CURTIS ARNOLD
CHIEF, SUSTAINED BASE NETWORK ASSURANCE BRANCH
CERDEC
25 OCT 2018
Elastic{ON} Tour 2018
2. VISION: Premier Laboratory for the advancement of Cybersecurity at the speed of Cyber.
SBNAB CORE BUSINESS FUNCTIONS
Collaborating with other Cybersecurity Leaders amongst DoD, EDU, and Private Industry
▪ Cybersecurity Research
▪ Cybersecurity Tool Development
▪ Cyber Insider Threat
▪ Cybersecurity Service Provider (CSSP)
▪ Army Cyber-research Analytics Laboratory (ACAL)
▪ Assessments
Mission: Conduct Defense Cyber Operations and research by leveraging real-time operational data through the application of new technologies and advanced analytics to confront the most sophisticated and damaging cyber threats.
Integrated Partners
3. CYBERSECURITY SERVICES
PROTECT
▪ Vulnerability Assessment & Analysis
▪ Vulnerability Management Program
▪ Malware Protection
▪ INFOCON/CPCON
DETECT
▪ Information Security Continuous Monitoring
▪ Insider Threat
▪ Warning Intelligence
▪ Attack Sensing and Warning
RESPOND
▪ Cyber Incident Handling
SUSTAIN
▪ Program Management
▪ Personnel
▪ Security Administration
▪ 24X7 Information Systems and Networks Support
See DODI 8530.01, Cybersecurity Activities Support to DOD Information Network Operations, and the Evaluator Scoring Metrics (ESM), DoD Cybersecurity
4. CLOUD CSSP OFFERING
• RDECOM CSSP reviewed DOD Cloud CONOPS, ARCYBER Cloud CONOPS, and DOD Cloud Computing SRG for requirements
• IaaS, PaaS and SaaS
• Impact Level 2, 4, 5 Offerings support:
  • Endpoint coverage
  • Vulnerability coverage
  • Cloud Service Provider collaboration
  • Web assessment for annual validation
  • Remote cyber inspection assessment
  • Threat Identification
    • Network Flow integration
    • API Calls and Configuration Monitoring
      • Unauthorized sources (such as IP addresses)
      • ACL Changes
      • Large number of Instances (Virtual Machines) being shut down or powered up
5. OUR ROLE AS A CSSP IN THE DOD
We come from Research roots (ARL)
– Using only standard tools for network security analysis has never been sufficient for us
– We are constantly developing and improving tools and techniques for discovering the changing threat landscape
– Always looking to take advantage of new technologies and capabilities in advanced computing and algorithm development
We lead the DoD by ‘solving the hard problems’ that nobody else wants to tackle
6. THE NEED FOR DISTRIBUTED SEARCH
Traditional network-based sensors are losing their visibility
– Data is more commonly encrypted
– Growing application space necessitates unachievable growth in network data normalization and signature generation
– Defense-in-depth for back-doors into the network
Log data from appliance, OS, and application layers can provide additional insight in support of traditional tools
– Many sources of semi-structured data
Managing and ‘mining’ all these new data sources requires fast, scalable, and robust search and analysis capabilities
7. CLOUD DATA INGEST
Data is streamed from multiple sources to a central location
– “RAW” data gets saved to cloud storage
– Data gets processed, filtered and enriched
– Data is ingested into an Elastic Cloud Enterprise (ECE) cluster
Diagram: Flow logs from CSP, API logs from CSP, and Application logs → Data Ingest → Cloud Storage → ECE
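The process / filter / enrich step of the ingest pipeline above, as an added example that is not code from the presentation or from CERDEC/ARL: it parses constructed CSP flow-log lines (the field layout is an assumption, not any provider's real format), drops malformed lines and intra-site DNS noise, tags each record with the owning customer site from an assumed CIDR table, and emits the action/document pairs the Elasticsearch `_bulk` API takes.

```python
import ipaddress
from datetime import datetime, timezone
# Constructed CSP flow-log lines; the space-separated layout is an assumption
# for this example, not any specific provider's format.
RAW_FLOW_LINES = [
    "1540425600 10.10.1.5 203.0.113.9 443 51234 tcp 12 8800 ACCEPT",
    "1540425601 10.10.1.5 10.10.1.1 53 41000 udp 1 80 ACCEPT",
    "1540425602 10.20.7.3 198.51.100.4 22 60001 tcp 3 200 REJECT",
    "garbled line that should be skipped",
]
# Assumed enrichment table: customer site address ranges to site names.
SITE_CIDRS = {ipaddress.ip_network(c): n for c, n in
              {"10.10.0.0/16": "site-a", "10.20.0.0/16": "site-b"}.items()}

def site_for(ip):
    """Return the site owning an address, or None if outside all ranges."""
    addr = ipaddress.ip_address(ip)
    return next((n for net, n in SITE_CIDRS.items() if addr in net), None)

def parse_flow_line(line):
    """Parse one raw line into an ECS-style document; None if malformed."""
    parts = line.split()
    if len(parts) != 9:
        return None
    ts, src, dst, dport, sport, proto, pkts, byts, action = parts
    try:
        return {
            "@timestamp": datetime.fromtimestamp(int(ts), timezone.utc).isoformat(),
            "source": {"ip": src, "port": int(sport)},
            "destination": {"ip": dst, "port": int(dport)},
            "network": {"transport": proto, "packets": int(pkts), "bytes": int(byts)},
            "event": {"action": action.lower()},
        }
    except ValueError:  # non-numeric counters or timestamp
        return None

def build_bulk_actions(lines, index="flows-cloud"):
    """Process, filter and enrich raw lines into _bulk action/document pairs.
    Dropped: malformed lines and intra-site DNS (high volume, low value)."""
    actions = []
    for line in lines:
        doc = parse_flow_line(line)
        if doc is None:
            continue
        src_site, dst_site = site_for(doc["source"]["ip"]), site_for(doc["destination"]["ip"])
        if doc["destination"]["port"] == 53 and src_site and dst_site:
            continue
        doc["site"] = {"name": src_site or dst_site or "unknown"}  # enrichment
        actions.extend([{"index": {"_index": index}}, doc])
    return actions
```

The raw lines would be written to cloud storage unchanged before this step, so a filtering mistake can be replayed from the original data.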
8. SCALABILITY
– The more data sources you have, the more insights and effective analysis can be done
– Ability to do cross-site analysis with data compartmentalization
  • Customer sites see only their own data
  • CSSP analysis can correlate across sites
9. LATENCY
– “Interactive”-class latency
  • Allows analysts to “hunt”, follow various leads and pivot through data in a continuous thought process
10. AVAILABILITY
Availability / resiliency
– 24/7/365 operations in support of many different “threads” of analysis
– Maintainable platform without too much overhead
11. ELASTIC CLOUD ENTERPRISE
ECE enables more coarse-grained separation of data from different sites
– Each customer gets their own cluster and the ability to see their data and administer their user base to some degree.
X-Pack features such as field-level authorization enable different roles within the CSSP or customer groups
Machine learning complements our existing efforts to explore data
12. HOW WE USE ELASTIC
Policy enforcement
– Data artifacts can directly identify policy violations
– Alerts on collected data support reportable
Anomaly detection: “Hmmm… That looks weird”
– Human and machine anomaly detection
Hunting
– Start with a hunch and interact with data to find interesting activity
Turn these into searches
– Suspicious activities can usually be expressed as a search that can be shared, visualized or “turned into a Snort rule”
Programmatic access
– REST APIs are enablers for outside analysis
13. DETECTING POLICY VIOLATIONS
• Shift to Cloud is still relatively new to the DoD
• Policy alignment with on-prem requirements is sometimes lost in translation to cloud
• We can detect and visualize actions taken on cloud resources where multi-factor authentication has and has not occurred.
• The fact that this type of search and visualization is so quick and easy to render allows our analysts to express and convey the state of security easily to those who are in the position to remediate
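The MFA policy check described on this slide, written out as an added example (not the presenter's or CERDEC/ARL's own search): it runs over constructed CloudTrail-shaped API log events (the field names `eventName`, `eventSource` and `userIdentity.sessionContext.attributes.mfaAuthenticated` are real CloudTrail fields; the account id, user names and events are invented), splits actions by whether MFA was present the way a terms aggregation would for a visualization, and lists state-changing calls made without MFA. The read-only prefix list is an assumption for the example.

```python
from collections import Counter

def make_event(name, source, user, mfa):
    """Build a minimal CloudTrail-shaped record (constructed data; account id
    111122223333 is a placeholder). mfa=None models a missing sessionContext."""
    ctx = {} if mfa is None else {"sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}
    return {"eventName": name, "eventSource": source,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}", **ctx}}

CONSTRUCTED_EVENTS = [
    make_event("RunInstances", "ec2.amazonaws.com", "alice", "true"),
    make_event("DescribeInstances", "ec2.amazonaws.com", "bob", "false"),
    make_event("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "bob", "false"),
    make_event("PutBucketPolicy", "s3.amazonaws.com", "carol", None),
    make_event("TerminateInstances", "ec2.amazonaws.com", "alice", "true"),
]
# Assumed: API calls with these prefixes only read state; everything else changes it.
READ_PREFIXES = ("Describe", "Get", "List")

def mfa_used(event):
    """True only when the session explicitly records MFA; a missing field is
    treated as no MFA so that gaps in logging surface as findings, not silence."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"

def is_mutating(event):
    return not event["eventName"].startswith(READ_PREFIXES)

def summarize_mfa(events):
    """Counts per (mfa, eventName): the same split a terms aggregation on
    mfaAuthenticated would give for a stacked bar chart in Kibana."""
    return Counter((mfa_used(e), e["eventName"]) for e in events)

def mutating_without_mfa(events):
    """Policy check: state-changing calls made in sessions without MFA."""
    return [(e["userIdentity"]["arn"], e["eventName"])
            for e in events if is_mutating(e) and not mfa_used(e)]
```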
14. UN-MONITORED CLOUD USAGE
• DoD sites deploying to cloud must have a CSSP for the cloud instance
• Sites accessing cloud management resources in a regular pattern are more likely to have deployed to cloud
• This is distinguishable from sites that merely access other people’s cloud resources
• A simple analysis that is easy to express with data and visualization capabilities and then monitor for unauthorized behaviors
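The "regular pattern of management access" analysis from this slide, as an added example that is not the presenter's or CERDEC/ARL's code: over constructed per-site access records (site names, the placeholder management host names and the dates are all invented), it keeps only contacts with management endpoints, judges regularity by how many distinct days a site shows up and the longest gap between them, and reports sites that look deployed but have no CSSP coverage recorded. The thresholds and the list of authorized sites are assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumed placeholder names for the CSP's management console and API endpoints.
MANAGEMENT_HOSTS = {"console.csp.example", "api.csp.example"}

# Constructed records: (site, destination host, day of access).
CONSTRUCTED_ACCESS = [
    ("site-a", "console.csp.example", date(2018, 10, 1)),
    ("site-a", "api.csp.example", date(2018, 10, 2)),
    ("site-a", "api.csp.example", date(2018, 10, 3)),
    ("site-a", "console.csp.example", date(2018, 10, 5)),
    ("site-a", "api.csp.example", date(2018, 10, 8)),
    # site-b mostly fetches content that someone else hosts on the same CSP
    ("site-b", "static.othersite.csp.example", date(2018, 10, 1)),
    ("site-b", "static.othersite.csp.example", date(2018, 10, 4)),
    ("site-b", "console.csp.example", date(2018, 10, 6)),
    # site-c touched the console once
    ("site-c", "console.csp.example", date(2018, 10, 2)),
]

# Assumed: sites whose cloud instance already has a CSSP assigned.
AUTHORIZED_CLOUD_SITES = {"site-a"}

def management_days(records):
    """Map each site to the sorted distinct days it reached a management endpoint."""
    days = defaultdict(set)
    for site, host, day in records:
        if host in MANAGEMENT_HOSTS:
            days[site].add(day)
    return {s: sorted(d) for s, d in days.items()}

def is_regular(days, min_days=3, max_gap=4):
    """A site looks deployed when management access recurs with no long gaps."""
    if len(days) < min_days:
        return False
    gaps = [(b - a).days for a, b in zip(days, days[1:])]
    return max(gaps) <= max_gap

def likely_deployed(records, **kw):
    return sorted(s for s, d in management_days(records).items() if is_regular(d, **kw))

def unmonitored(records, authorized=AUTHORIZED_CLOUD_SITES, **kw):
    """Sites that look deployed to cloud but have no CSSP coverage recorded."""
    return [s for s in likely_deployed(records, **kw) if s not in authorized]
```

In Elastic the same view is a date histogram per site filtered to the management hosts; the thresholds here are the part an analyst would tune after looking at that chart.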