
Visualisation for Network Situational Awareness in Computer Network Defence

Visualisation for Network Situational Awareness in Computer Network Defence. Marc Grégoire, DRDC Ottawa; Luc Beaudoin, Bologik Inc. Outline: Network as a battlespace; Need for Network SA; Joint Network Defence & Management System (JNDMS); JNDMS Challenges; Visualisation; Integration into COP.


Presentation Transcript


  1. Visualisation for Network Situational Awareness in Computer Network Defence Marc Grégoire, DRDC Ottawa Luc Beaudoin, Bologik Inc.

  2. Outline • Network as a battlespace • Need for Network SA • Joint Network Defence & Management System (JNDMS) • JNDMS Challenges • Visualisation • Integration into COP

  3. Networks are critical assets to Canadian Forces Operations • Assure network services in support of operations • Email • GCCS • HRMS, FMAS, CFSSU • Defend network during operations • Vs hackers • Vs virus • Vs technical failures

  4. The network as a Battlespace (diagram: CNE avenues of approach meeting the firewall & guard, intrusion sensor and CND; ref: LCol R. Knight, CFIOG, DND). Must maintain network situational awareness.

  5. Network Situational Awareness: knowing the level of threats and the current status of all network assets supporting military operations. • IT Infrastructure (circuits, hardware, software) • Defensive posture • Security events (C, I, A, etc.) • Military Operations • Interdependencies

  6. Fight the Networks (diagram: Operational Command; Network Operations Centre with its sub-units IT Service Desk, Network Control and Computer Incident Response Team)

  7. Mission/Role
  Operational Command • Peace Keeping • Search and Rescue • Assistance to civil power • NORAD • NATO
  Network Operations Centre (“Fight the Networks”) • For operational IT systems: preserve Confidentiality; maintain Integrity; assure Availability.
  IT Service Desk • Provide users with 1st line IT support • Assure quality of IT service to the users
  Network Control • Maintain connectivity • Monitor network performance
  Computer Incident Response Team • Network security monitoring • Intrusion detection • Intelligence analysis

  8. Information Types
  Operational Command • Resources • Priorities • IT services • Supporting ops • Locations • Schedule
  Network Operations Centre • ALL TYPES
  IT Service Desk • Trouble tickets • Users • Hosts • Locations • Applications
  Network Control • Host Status (Up/Down) • Links usage • Circuits/Topology • Locations
  Computer Incident Response Team • IP addresses • Ports • Host • Locations • Vulnerabilities • Attack signatures

  9. Example: inputs resulting from events (Operational Command, Network Operations Centre, IT Service Desk, Network Control, Computer Incident Response Team) • Computer Incident Response Team: intrusion detection system alerts of intensive scanning activities on a subnet. • IT Service Desk: 3 users report that a military Web site providing weather maps is not responding. • Network Control: monitoring tool alerts of a sudden surge in traffic on a base Local Area Network (LAN).

  10. IT Service Desk View

  11. Network Control View

  12. CIRT View

  13. NOC View • Monitoring tool alerts of a sudden surge in traffic on a base LAN. • Intrusion detection system alerts of intense scanning activities on a subnet. • 3 users report that a military Web site providing weather maps is not responding. So what?

  14. Operational Command View
  Option 1: silo information report • SERVICES: 3 users report that a military Web site providing weather maps is not responding. • PERFORMANCE: monitoring tool alerts of a sudden surge in traffic on a base LAN. • SECURITY: intrusion detection system alerts of intense scanning activities on a subnet.
  OR
  Option 2: integrated information report • IMPACT: weather services to all deployed ships are inaccessible. • CAUSE: one vulnerable IIS server infected by the SQL Slammer worm. The infected server is scanning surrounding hosts to propagate the worm; this scanning activity creates a denial of service for all servers on the subnet.

  15. How to get option 2, and quicker? • Integrate data: IT infrastructure, security events, military operations • Common source of information to achieve Network Situational Awareness at the NOC and to answer the “So what?” • Improve decision making: faster (option space vs time); quality (support the risk-acceptance option); prioritize
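The integrated report of slides 14 and 15 is, at bottom, a join across the three silo reports on shared network context (the subnet), followed by a walk over the interdependencies slide 5 lists, from IT infrastructure through IT services to the military operations that rely on them. The Python below is an added example written for this page, not code from the JNDMS project or the presentation. Every host name, IP address, subnet, service and operation in it is constructed sample data, and the host-to-service-to-operation graph is an assumed shape for the interdependency data, not the JNDMS data model.

```python
"""Event correlation and impact propagation for an integrated NOC report.

Added example, not code from the JNDMS project or the presentation.  It joins
the three silo reports from slide 14 (IDS scan alert, service-desk tickets,
traffic surge) on their shared subnet, then walks a constructed dependency
graph (host -> IT service -> military operation) to answer the "So what?".
Every host, IP, subnet, service and operation below is constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed IT-infrastructure inventory: host name -> IP address.
HOSTS = {
    "web-weather-01": "10.20.30.15",  # web server publishing weather maps
    "fileserver-02": "10.20.30.22",
    "mail-01": "10.20.31.8",          # on a different subnet
}
# Constructed interdependencies: IT service -> hosts it runs on, and
# military operation -> IT services it relies on.
SERVICES = {
    "weather-map-service": ["web-weather-01"],
    "file-share-service": ["fileserver-02"],
    "email-service": ["mail-01"],
}
OPERATIONS = {
    "OP-ATLANTIC (deployed ships)": ["weather-map-service", "email-service"],
    "Base logistics": ["file-share-service"],
}
# Constructed silo reports, one per NOC sub-unit (slide 14, option 1).
EVENTS = [
    {"source": "CIRT", "type": "ids_scan",
     "subnet": "10.20.30.0/24", "src_ip": "10.20.30.15"},
    {"source": "IT Service Desk", "type": "ticket",
     "service": "weather-map-service", "count": 3},
    {"source": "Network Control", "type": "traffic_surge",
     "subnet": "10.20.30.0/24"},
]


def invert(depends_on):
    """asset -> [dependencies] becomes dependency -> [assets relying on it]."""
    dependants = defaultdict(list)
    for asset, deps in depends_on.items():
        for dep in deps:
            dependants[dep].append(asset)
    return dependants


def propagate_impact(failed_assets, depends_on):
    """Walk up the dependency graph from the failed assets; returns every
    service and operation that transitively relies on any of them."""
    dependants = invert(depends_on)
    seen, frontier = set(), list(failed_assets)
    while frontier:
        asset = frontier.pop()
        for upstream in dependants.get(asset, []):
            if upstream not in seen:
                seen.add(upstream)
                frontier.append(upstream)
    return seen


def hosts_in(subnet, hosts):
    """Names of inventoried hosts whose IP address falls inside the subnet."""
    net = ip_network(subnet)
    return {name for name, ip in hosts.items() if ip_address(ip) in net}


def host_by_ip(ip, hosts):
    """Inventory name for an IP address, or the bare IP if it is unknown."""
    return next((name for name, addr in hosts.items() if addr == ip), ip)


def correlate(events, hosts, services, operations):
    """One integrated incident record per IDS scan alert, pulling in the other
    silos' reports that share its subnet (slide 14, option 2)."""
    depends_on = {**services, **operations}
    surge_subnets = {e["subnet"] for e in events if e["type"] == "traffic_surge"}
    tickets = [e for e in events if e["type"] == "ticket"]
    incidents = []
    for scan in (e for e in events if e["type"] == "ids_scan"):
        subnet = scan["subnet"]
        # Scanning from an infected host degrades every server on the subnet
        # (the denial-of-service effect described on slide 14).
        degraded = hosts_in(subnet, hosts)
        affected = propagate_impact(degraded, depends_on)
        hit_services = sorted(a for a in affected if a in services)
        hit_operations = sorted(a for a in affected if a in operations)
        evidence = [f"{scan['source']}: scanning from {scan['src_ip']} on {subnet}"]
        if subnet in surge_subnets:
            evidence.append(f"Network Control: traffic surge on {subnet}")
        evidence += [f"{t['source']}: {t['count']} user reports on {t['service']}"
                     for t in tickets if t["service"] in hit_services]
        incidents.append({
            "cause_host": host_by_ip(scan["src_ip"], hosts),
            "subnet": subnet,
            "impacted_services": hit_services,
            "impacted_operations": hit_operations,
            "evidence": evidence,
        })
    return incidents


def format_report(incident):
    """Render the incident the way slide 14's option 2 presents it."""
    lines = ["IMPACT: " + ", ".join(incident["impacted_operations"]),
             f"CAUSE: host {incident['cause_host']} scanning {incident['subnet']}",
             "EVIDENCE:"] + ["  - " + e for e in incident["evidence"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for inc in correlate(EVENTS, HOSTS, SERVICES, OPERATIONS):
        print(format_report(inc))
```

Run as a script it prints the IMPACT / CAUSE / EVIDENCE block for the one incident in the sample data. Note that the graph walk also flags the file-share service and the base logistics operation on the same subnet before anyone has opened a ticket for them; that predicted impact is exactly the extra context slide 16 proposes sharing back to the NOC sub-units, and it is only available because the three silos and the interdependency data sit in one place.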

  16. NOC Sharing • Share with the NOC sub-units to improve their own processes by giving them more context. • Tactical decisions may require strategic level information. • Let others look at it in a way meaningful to them (UDOP: User Defined Operating Picture)

  17. Joint Network Defence & Management System (JNDMS)

  18. JNDMS Visualisation Challenges • Filtering/aggregating/tailoring • Real-time display requirements? • Battle tempo in cyberspace could be fast • Logical and geospatial views • Correlate cyber events and physical events • Display defensive posture • Symbology • Displaying interdependencies • Large volume of data • Historical data

  19. JNDMS • Integration of data • Data correlation • Data presentation (figures: DRDC impact assessment tool; DRDC JNDMS concept document)

  20. Contributing to the Ops Commander’s COP • Should we? We think so! • How? • Sharing data requires compatible data sets. C2IEDM? Possibly; needs extension. • How to display? Does it imply a geospatial map? (not always relevant; symbology and clutter issues) • Need to capture the reliance of military operations on cyber assets. At what level of detail? • Export a snapshot of the NOC view, e.g. as a separate window in the COP

  21. Questions?
