How DISA's Continuous Monitoring and Risk Scoring (CMRS) System Uses Big Data Against Cybersecurity Threats

As the Defense Information Systems Agency loads more data into its analytics cloud, it aims to ensure that users can easily glean intelligence.

It’s one thing to filter 150,000 web events per second and prevent the bad ones from compromising a network, such as the Defense Department’s. It’s another to learn from those 150,000 web events per second to ensure that the network’s security posture gets stronger and smarter. The latter is a Big Data challenge.

“We can do better filtering,” said Bill Keely, deputy chief technology officer for mission assurance at the Defense Information Systems Agency (DISA). Keely spoke Jan. 14 at the AFCEA Bethesda Big Data Technology Symposium in Washington. “We can [go] a little deeper by storing [the data] and quickly looking at it … and coming up with policies.”

To accomplish that, Keely said, DISA is taking its web-filtering data and uploading it to the agency’s new cloud-based analytics warehouse, known as Acropolis. Acropolis is based on commodity servers and the Hadoop Distributed File System.

“These are capabilities that are enhanced by Big Data,” Keely said. “The biggest challenge is getting data into Acropolis, getting it stored and organized.”

How Continuous Monitoring and Risk Scoring (CMRS) is Putting Big Data to Work

In addition to web filtering, DISA plans to use Acropolis and Big Data analytics for its Continuous Monitoring and Risk Scoring program. The CMRS system is a web-based visualization tool that monitors cybersecurity risk for systems throughout the DOD.

Prior to assuming his current job at Fort George G. Meade in Maryland, Keely ran DISA’s Field Security Operations, which enforces information assurance for the DOD. His team would conduct up to 700 risk analyses per year on systems at military bases throughout the world. If a system was deemed “healthy enough,” it was green-lighted to operate for another three years.

“What’s emerging now is we’re collecting data from all these systems [and] monitoring risk on at least a weekly basis,” Keely said. “It’s a much more dynamic capability, and it’s using Big Data rather than these periodic inspections. Now, we can’t do everything with this kind of centralized data analysis, but it probably does about 80 percent of the job that my teams used to do.”

Along with exploiting its Acropolis analytics cloud, DISA is also developing its enterprise presentation layer — the tools with which analysts glean usable information from the underlying Big Data.

DISA currently has 1,300 users and developers of its Ozone Widgets Framework, which is based on technology developed at the National Security Agency. Keely likens widgets to apps that analysts can stitch together into a single screen of data intelligence, including lists, charts and other representations. The challenge is ensuring that widgets remain useful.

“As we come up with new widgets, one of our concerns was that there would be diminishing returns,” he said. More specifically, according to Keely, the more widgets that analysts could quickly pull together on-screen, the more they might simply stick with what they’re already comfortable using. “They wouldn’t see new things,” he said.

To prevent that, DISA is currently working on a widget index and a training program for using the environment. Such training would be open to other federal users.

“We’re trying to set up an environment so that people can not only create analytics quickly and create widgets quickly, but they can reuse them,” Keely said.


Jan 17 2014