
U.S. Marines with the Special Purpose Marine Air Ground Task Force 19.2 Crisis Response Command Element prepare field condition crisis response center networks in Kuwait. (U.S. Marine Corps photo by Sgt. Robert Gavaldon)

As data proliferates and attack surfaces expand, the Defense Department continues to have a fundamental need to discover, understand, track, and manage its data and intellectual property that is exposed on the internet.

The House Armed Services Committee noted the need to manage this process in an integrated end-to-end fashion in its markup of the National Defense Authorization Act for Fiscal Year 2021.

“The Department of Defense (DoD) lacks a similar comprehensive understanding of the internet-connected assets and attack surface across the DoD enterprise; the committee notes in this regard that the DoD only recently discovered that it has twice as many managed connections to the internet as it thought it did—connections established and maintained by components that were not protected like the other sanctioned Internet Access Points managed by the Defense Information Systems Agency.

“Despite strides made by Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) in improving its enterprise-wide visibility of DoD networks, DoD networks are controlled by individual components, with JFHQ-DODIN deriving most of its situational awareness from component reporting. The committee believes that it is critical that JFHQ-DODIN achieve real-time visibility over all DoD networks.”

This complexity makes DoD networks particularly ripe for the application of what’s known as Internet Operations Management (IOM). IOM capabilities enable organizations to:

  • Understand, in near-real time, what their on-premise and cloud-hosted attack surfaces look like and how elements of their networks behave externally; and
  • Detect previously unknown compromises, unsanctioned connections, misconfigurations, vulnerabilities, and threat activity.

“When we kind of look at Internet Operations Management from the perspective of military networks, it’s easy to see the applicability of IOM, not just for the military but also for federal agencies, large government networks, and commercial customers,” said Joseph Lin, vice president of product management for Cortex, Palo Alto Networks. “All of them have these fundamental problems.”

An IOM platform aggregates all of this data into a single, secure data lake, using machine learning algorithms and data analytics to discover anomalies and derive insights. Decision-makers can then use this information to make, enforce, and verify IT and security policies and orders in an actionable, scalable, and automated way across the entire enterprise.

What is a data lake? Lin explains.

“At a very basic level, a data lake is an environment holding an enormous amount of data, as well as highly heterogeneous data, that is brought together, integrated, and made mutually interpretable so that the data is able to relate to one another. At the end of the day, you’re not just collecting data for data’s sake, but are collecting it so that you can run analytics on top of that data. You can use machine learning in order to derive insights from the multitude of data that you’re able to collect from your entire system.”

IOM Is Well Suited to Military Networks

Military networks are, generally speaking, very large. They are often highly federated and sometimes expeditionary in nature, which makes managing all of their internet-facing assets that much more difficult.

Because of this large, distributed, highly federated, and sometimes expeditionary nature, management and command and control of their internet-facing assets is difficult and complex.

They are inefficient and insecure in other ways, as well—specifically in six areas.

  1. Self-reporting: In most cases, network operators have no independent way to verify reports from individual components. If a component is unresponsive or makes an error in its reply, the operator would not be aware.
  2. Lack of shared source of truth: Network managers and the components themselves do not have a shared understanding of which IP ranges and internet assets belong to which components. Many IP ranges are claimed by multiple components, others by none at all. Existing inventory databases that should be the comprehensive source of truth for the enterprise’s IP ranges are usually outdated and incomplete. If vulnerabilities exist in IP space that no organization is directly responsible for, they will never appear on self-reported lists.
  3. Multicloud and third-party hosting as extended attack surfaces: Enterprise assets hosted by commercial Cloud Service Providers and Internet Service Providers are often insufficiently monitored or entirely unmanaged. While the risks posed by these assets vary, a meaningful subset of this attack surface periodically includes the potential loss of Controlled Unclassified Information (CUI) or other potentially high-value enterprise assets.
  4. Difficult to identify points of contact: Even for those portions of the network that both the network manager and the relevant component are tracking, there is a lack of awareness of who the relevant point of contact is to find and fix a vulnerability on a given IP range.
  5. Potential for human error: The current process relies on email and spreadsheets. The potential for mistakes as spreadsheets are copied, emailed, and compiled into larger spreadsheets is high. Accidental omissions leave the network manager blind to potential problems.
  6. Slow response and remediation: Even under ideal circumstances, it can take at least 24 hours between the moment a network manager is made aware of a new vulnerability and when there is a complete accounting of the scope of the problem and remediation can begin.
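The "self-reporting" and "shared source of truth" problems above can be made concrete by reconciling what components claim against what an outside-in scan actually observes. The following is an added example, not code from the article or from Palo Alto Networks; every component name, CIDR range and host address in it is constructed sample data.

```python
"""Reconcile component self-reported IP ranges against externally observed assets.

Added example, not from the article. All component names, CIDR ranges and observed
hosts are constructed sample data drawn from documentation address blocks.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the "self-reported" view, what each component claims to own.
SELF_REPORTED = {
    "Component-A": ["203.0.113.0/25", "198.51.100.0/24"],
    "Component-B": ["203.0.113.64/26", "192.0.2.0/24"],  # nested inside Component-A's /25
    "Component-C": ["198.51.100.0/24"],                   # identical to Component-A's claim
}

# Constructed sample: hosts an external (outside-in) scan of the enterprise turned up.
OBSERVED_HOSTS = ["203.0.113.70", "198.51.100.9", "192.0.2.200", "203.0.113.250", "100.64.7.12"]


def _claims(reported):
    """Flatten {component: [cidr, ...]} into [(network, component), ...]."""
    return [(ipaddress.ip_network(c), comp) for comp, cidrs in reported.items() for c in cidrs]


def contested_ranges(reported):
    """Return {cidr: sorted components} for every reported range that overlaps a range
    claimed by a *different* component. Partial overlap is flagged, not just equality."""
    claims = _claims(reported)
    contested = defaultdict(set)
    for net_a, comp_a in claims:
        for net_b, comp_b in claims:
            if comp_a != comp_b and net_a.overlaps(net_b):
                contested[str(net_a)].update({comp_a, comp_b})
    return {net: sorted(comps) for net, comps in contested.items()}


def attribute_hosts(reported, observed):
    """Map each observed host to the components whose reported ranges contain it.
    An empty list is the gap the article describes: IP space nobody claims, which
    self-reporting alone can never surface because no component will report on it."""
    claims = _claims(reported)
    return {h: sorted({c for net, c in claims if ipaddress.ip_address(h) in net}) for h in observed}


def unclaimed_hosts(reported, observed):
    """Observed hosts with no owning component, i.e. the ones with no point of contact."""
    return [h for h, owners in attribute_hosts(reported, observed).items() if not owners]


if __name__ == "__main__":
    for net, comps in contested_ranges(SELF_REPORTED).items():
        print(f"contested {net}: claimed by {', '.join(comps)}")
    for host, owners in attribute_hosts(SELF_REPORTED, OBSERVED_HOSTS).items():
        print(f"{host}: {owners or 'UNCLAIMED'}")
```

Running it against the sample data reports two contested ranges (the nested and the duplicate claim) and two observed hosts that no component owns.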

IOM Addresses Those Issues

It is these inefficiencies, and the insecurities they create, that are driving the need for enterprise-wide security enforcement among militaries around the world.

Cybersecurity and IT operations are most effective when there is centralized visibility and operational control over the entire network. The DoD owns some of the world’s largest and most complex networks, with millions of IP addresses and endpoints in multi-tiered enclaves. Yet the department continues to lack enterprise-wide network visibility and relies on late-20th-century technologies for tasks as straightforward as developing, disseminating, and enforcing new IT policies.

DoD organizations and service members deserve best-in-breed technologies and processes such as those found with IOM to centralize and manage their security and network operations. The good news is that these technologies already exist commercially and are widely deployed across legacy networks, especially in the private sector and a handful of government agencies.

“A major part of managing legacy network systems is that they are properly secured behind firewalls and not exposed on the public internet because of vulnerabilities associated with their software that are simply unpatched, or are no longer supported by their original manufacturer,” said Lin. “Because these vulnerabilities can be easily exploitable by adversaries, it’s that much more important to ensure that they’re properly secured.

“What IOM enables owners of legacy systems to do is, first and foremost, ensure that they’re not exposed on the public internet, that they’re not discoverable by adversaries, and that they’re properly configured and secured.”

Conclusion

DoD and wider U.S. government cyber defense, detection, response, and recovery capabilities are inadequate. This problem is most fundamentally due to the lack of centralized visibility and operational control over federal information technology.

In addition, there is a huge gap between the mandate to secure, defend, and monitor government-wide networks and the highly disparate technologies and processes in place. Solving this problem is not only possible, it is happening now with existing technologies and processes in the private sector and within some individual federal agencies.

IOM products like Palo Alto Networks’ Cortex suite of systems, including Cortex Xpanse and XSOAR, enable JFHQ-DODIN to meet the requirements detailed by the FY21 NDAA through the development of IOM procedures that provide JFHQ-DODIN real-time visibility over all DoD networks.

Situational awareness is a basic requirement in all forms of conflict, and with Cortex IOM, Defense Department organizations can continuously discover, manage, and monitor all globally deployed DoD internet assets through daily attack surface scanning and regular mapping.

Comprehensive awareness and visibility across all of its networks will let DoD network managers confidently answer questions as straightforward as, “What are all of my IPs?”, “How many endpoints or servers do I have?” and “What is the software running on them?” Without IOM, they would be hard pressed to do so.