Cybersecurity Capabilities Overview
Jack Wilmer, Infrastructure Development Executive
March 2016
Day in the Life of DISA

[Diagram: INTERNET / DoDIN / DISN boundary]

Operate: DISA provides, operates and assures the DODIN: a $30B network, 11 Core Data Centers hosting >1,000 enterprise apps, and worldwide transport.
Command: >10K personnel in 18 states and 8 countries.
Defend: DoD's cyber Forward Edge of the Battle Area; 102 CDSP (Cyber Defense Service Provider) customers defended.

DODIN operations
  Events/day: >10 million alarms; 2,400 trouble calls
  Incidents/day: >2,000 tickets; >22,000 changes
  Events requiring orders: exercises, operations, CPT (Cyber Protection Team) employment, compliance monitoring

Defensive Cyber Operations (DCO)
  DCO events/day: >798 million security incident events from sensor feeds
  DCO incidents/day: 45 orders tracked; >36 cybersecurity incidents; >14 phishing attacks
  Critical issues / orders: 10 worked, 7 published, 3 received
  Tippers / countermeasures per day: 39 / 85

Actions: 30+ named operations; 1.9 million DEE (DoD Enterprise Email) users; all DoD members supported.
Our goal = 100% mission assurance.
20160216 (v6.0)
Layered Defense: PHYSICAL vs. CYBER

NATIONAL DEFENSE
  Physical: Border Control & Enforcement
    Initial screening of non-US citizens entering the US
  Physical: Global threat and criminal database
    Fingerprints, terrorist watch lists, security clearance info, checkpoint screenings, etc.
  Cyber: Internet Access Points and Mission Partner Gateways
    Initial screening of non-DoD traffic (WWW, e-mail, etc.) entering DoD
  Cyber: Cyber Situational Awareness & Analytic Capability (CSAAC)
    Cyber threat signatures, incident & event monitoring, mission impact analytics

DOD INSTALLATION DEFENSE
  Physical: Installation gates & boundaries
    Screening of all personnel entering a DoD installation; perimeter gates and sensors
  Physical: Regional & local police
    Control traffic, restrict base access, and respond to base incidents
  Cyber: Joint Regional Security Stacks (JRSS)
    Screening of all DoD network traffic; control traffic flows; identify & block unauthorized traffic; isolate network intrusions
  Cyber: Cyber Protection Forces & Computer Network Defense Service Providers (CNDSP)
    Control network traffic, restrict cyber access, and respond to attacks

FACILITY DEFENSE
  Physical: Sensitive facility protection
    Robust access controls (e.g., SCIF, cipher locks, alarms)
  Physical: Common facility protection
    Common access controls (e.g., locks, access lists, credentials)
  Cyber: Sensitive data protection
    Robust data center access controls to protect applications/data (data security stacks)
  Cyber: Base network / workstation protection
    Common access and configuration controls (e.g., PKI, HBSS, identity/access management, endpoint security)
JIE Cybersecurity Architecture
[Architecture diagram; no text extracted]
DISA Cybersecurity Capabilities Overview

Cyber Situational Awareness
  Big Data Platform
  Cyber Analytics
  Security Information/Event Manager (SIEM)
  Defense Industrial Base Net
  CMRS (Continuous Monitoring and Risk Scoring)

Perimeter Security
  Content Filtering
  Email Security Gateway
  Sensors: NetFlow, Full Packet Capture
  Demilitarized Zones (DMZ)
  Distributed Denial of Service (DDoS) Mitigations
  Cross Domain Enterprise Services

Joint Regional Security Stacks (JRSS)
  Intrusion Detection/Prevention Systems (IDS/IPS)
  Protocol, File and Forensic Sensing/Analysis
  Full Packet Capture
  Data Loss Prevention (DLP)

Endpoint Security
  Host Based Security System (HBSS)
  Public Key Infrastructure (PKI)
  Vulnerability Scanning
  Continuous Monitoring
  Security Technical Implementation Guides (STIGs)
Analytics

Capabilities
  Defensive Cyber Ops
  Audit Management
  Mission Mapping / Continuous Monitoring
  DODIN Ops / Situational Awareness
  Fight by Indicator (FbI)
  Insider Threat Detection Service
  Enterprise Services Monitoring
  Roadmap: Capability Analytics

User base (organizations served)
  DISA Command Center, OPS, CONUS, EUR, PAC, EIS, STRATCOM, JSSC, EE, Ent Ops, NORTHCOM, SOUTHCOM
  DECCs: OKC, MECH, ESD-NA
  CYBERCOM, ACOIC, 561st NOS, DOK
  Joint Staff, NSA, IAD, OSD, NTOC, HQDA/ITA, NCDOC
  HQ Air Force, NCWDG, NETCOM, ARCYBER, USCG, TRANSCOM, Army CIO/G6
  USTRANSCOM, AFCYBER, USSOUTHCOM, JFHQ-DoDIN, DES Community

Metrics
  24 ingested data sources
  138+ deployed widgets
  1,237+ users
DoD Mobility Objective State

USER: Office package with content management; variety of apps; device/carrier agnostic; limited BYOD
APPS: Federated app stores; common SDKs; easy access to PUMA, GOTS and COTS apps; monitoring tools
INFRASTRUCTURE COMPONENTS: MDM/MAS/MCM services in the cloud; modular components; automated access to gateways & VPNs
BUSINESS SYSTEM & PROCESS: One-stop shopping and telephony management
SECURITY & IDENTITY MANAGEMENT: Dynamic security tools; automated IDAM (identity and access management); use of biometrics
NETWORK & SERVICE PROVIDERS: Carrier agnostic; network detection tools and monitoring; WiFi access points worldwide
POLICY & STANDARDS: Used across DoD and the Federal Government to enable reuse and interoperability