Title: CyberSecurity Analytics Reference Architecture
Author(s): John Sprague, Tim Lunderman, and John Gidders; World Wide Technology
Network owners today are overwhelmed with choices in technologies, vendors and capabilities. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) are struggling with sorting through the maze of vendors to produce an overall architecture that is functional and within budget while reducing company risk. Many vendors portray their product as the end all, be all for a specific section of the network. For instance, endpoint, Secure Socket Layer (SSL) decrypt, or next generation firewall products may be the best in class, but how they integrate into the overall architecture is critical Each product creates vast amounts of alerts and data but that is just information. The technology might even be the best available in their lane but how does it incorporate into the overall Information Technology (IT) infrastructure. The art of a great architecture digests the information and creates actionable knowledge to those defending the network. Having eyes on the event from a given portion of the network does not mean defenders are able to process and see the overall implications of the attack. Additionally, if an architecture is already in place, what is the strategy and capability required to upgrade portions of the network without buying duplicative technologies? If the choice is to buy new technology how well does it integrate into the existing architecture? Vendors in the IT space make firewalls while others are the center of the network switching and routing. The issue is there are few if any that build the overall enterprise network with an integrated strategy. Realizing every enterprise is different, it would be helpful to create an easy, repeatable and comprehensive way to build a secure network architecture. CyberSecurity Analytics Reference Architecture (CARA) provides a methodical, comprehensive solution to build a secure, diverse network infrastructure while allowing the best of breed technologies to be integrated. This architecture is a combination of real world experience and utilizes industry leading standards set by the National Institute of Standards and Technology (NIST) milestones. Building secure, diverse enterprise networks with the ability to grow/contract requires expertise in competencies around security, big data, data center, networking, wireless and other technologies - the functional domains that must be considered to accomplish a best-in-class security posture.? Utilizing the integrated framework of CARA enables the users to measure their progress along the way. Utilizing a cyber analytics maturity scale, network owners can better understand where they are and how to get to a more integrated, secure environment. The methodology for implementing varying levels in the CARA architecture can be broken down into the segments of Readiness, Awareness, Defense, Analytics, and Response (RADAR). Integration and optimization of sensor design and most importantly data analysis is the focus to create knowledge. CARA is designed to build a framework of diverse technologies into a comprehensive USN/USMC architecture. CARA combines a methodical way to integrate network access tools, aggregate sensor data, ingest threat feeds and provide security analytics to combat sophisticated attacks. Additionally, CARA advocates for a central operations collector of sensor telemetry to build knowledge from information. With knowledge, the network owners can then move from reactive response to proactive response through security automation.