DISA seeks automated tools to identify potential cyber threats, conduct analysis
by Marcus Johnson
DISA Strategic Communication and Public Affairs
Leaders from the Defense Information Systems Agency’s (DISA) Defensive Cyber Operations (DCO) Division discussed some of the agency’s top DCO challenges during a panel discussion at AFCEA’s TechNet Cyber 2019 symposium in Baltimore May 15.
Led by Army Col. Greg Griffin, DISA’s DCO division chief, the panel included Rob Mawhinney, DCO plans and requirements chief; Army Lt. Col. Jim Lacovara, DCO current operations chief; and Darrell Fountain, DISA’s Cyber Security Service Provider (CSSP) chief.
The DCO division’s primary mission is planning, synchronizing, organizing, and directing the security defense of the Defense Information Systems Network (DISN) – a worldwide protected telecommunications network that enables interoperable information exchanges.
Griffin explained that coordinating the DISN’s protection is a significant challenge.
“It’s not that we have such a broad space, we have a number of different organizations out there that are operating within [the space, and their interactions need to be synchronized],” Griffin said. “From the different theaters, such as DISA Pacific Field Command, DISA Global Operations Command, DISA Europe Field Command, and other DISA entities, executing cyber defense and synchronizing all those organizations together has been a challenge, and that’s the mission of the team I lead.”
In addition, defending the agency against cyberattacks is no small task considering the sheer number of potential attacks the agency receives daily.
According to Lacovara, every day, DISA’s cyber-defense tools block 300 million malicious actions, log 800 million events, and generate 10 million log alerts and alarms.
“Defensive cyber operations is a fight against a thinking adversary who is adaptive and agile. It requires a different mindset. We need processes that support a fight against a thinking and adaptive adversary,” Lacovara said.
The subject matter experts agreed that standardizing, synchronizing, and automating security tools and processes across the enterprise will help optimize the defense of the massive amount of data flowing through the DISN.
More than 300 terabytes of data flow through the DISN. With such a high volume of data and potential attacks, cybersecurity analysts often find themselves triaging which network events and incidents should receive greater analysis.
“It’s clear to say humans can’t keep up with this type of scale. Not only do we need tools to [help identify the possible threats], we need tools to actually do some of the work for us, otherwise some of that work is sort of falling on the floor,” Lacovara said.
One way DISA can push threats further away from DOD networks is through virtualized cloud technologies, which let users browse the web while keeping threats from entering the network.
“Not only are we keeping threats out of our network, but it’s also data we never need to collect or push to a cybersecurity analyst,” Lacovara said.
Fountain explained DISA needs its industry partners to help the agency develop tactics, techniques, and procedures to optimize its use of the cybersecurity tools it employs to defend against cyberattacks.
“We need your help to move [DISA’s cybersecurity analysts] up the defensive value chain,” Fountain said, referring to the agency’s need to better utilize its cybersecurity analysts. “We need to stop sifting through data and move up to the intuitive space that the machine can’t necessarily do quite yet. That’s where we need help from [our industry partners]. We’re doing a lot of things to help optimize our environment today, but that’s where we can use help as we continue to evolve in the future.”
Posted May 20, 2019