Cyber Analytics Reference Architecture
By Tim Lunderman and John Sprague
"There are more security and analytics tools available to the Department of Defense Information Assurance (IA) teams now than ever before. The list is extensive and includes network sensors, endpoint sensors, and cloud sensors, and yet cyber security breaches are on the rise. Cyber incidents are slow to detect and remediate, with the average time to detect well over 200 days. The integration of an enterprise security methodology with a Cybersecurity Analytics Reference Architecture (CARA) provides a comprehensive solution to cyber protection and threat defense challenges. It shows the need for competencies around security, big data, data center, networking, wireless and other technologies - the functional domains that must be considered to accomplish a best-in-class security posture.

This session will include a CARA introduction employing a methodology called Readiness, Awareness, Defense, Analytics, and Response (RADAR).

• Readiness is an understanding of the security controls, processes and technology used to effectively measure, understand, monitor and manage the security readiness of an organization.
• Awareness is the visibility of the threat landscape, involving people, processes and technology, along with considerations for how this landscape changes in complexity and scope over time.
• Defense is an implementation of a defensive security architecture, configured to optimize capabilities and maximize business benefits.
• Analytics is an advanced perspective on known and unknown threats using analytics systems that complement defensive controls and enable rapid identification and response with accuracy and adaptability. These technologies and architectures also provide forensic capabilities to analyze and define the potential scope of security incidents when they occur.
• Response is a protocol for incident response based on capabilities that focus not only on eradication and remediation of a security incident, but more importantly on implementing adaptive learning and response modification to security events.

The session will define the problem statement and review a high-level architectural approach. CARA includes a cyber analytics maturity scale ranging from Level 1 (Distributed) through Level 5 (Real Time Analytics). Level 1 (Distributed) includes discussions around network segmentation, malicious software, IA boundaries, mobility, inventory, vulnerabilities, identity management, access management and data protection. Level 2 (Correlation) discussions will focus on correlation mechanisms and Security Information and Event Management (SIEM). Level 3 (Business Context) will focus on asset content and compliance. Level 4 (Advanced Analytics) will discuss areas in data science, big data, anomaly detection, scoring, and historical analysis. Level 5 (Real Time Analytics) will focus on open source options, commercial options and packet capture. The optimization of sensor design, placement and (most importantly) data analysis will be the focus.

Cybersecurity Analytics Reference Architecture (CARA) is designed in the framework of a reference architecture, guided by the typical network domain structure most agencies and organizations employ (including the US Navy). CARA combines network access tools, aggregated sensor data, threat feeds and security analytics to combat sophisticated attacks, including advanced persistent threats. CARA includes a central operations collector of sensor telemetry that combines the power of data science, analytics, and security automation."