Visualisation for Network Situational Awareness in Computer Network Defence
Marc Grégoire, DRDC Ottawa; Luc Beaudoin, Bologik Inc.
Outline
Network as a battlespace; need for network SA; Joint Network Defence & Management System (JNDMS); JNDMS challenges; visualisation; integration into the COP.
Networks are critical assets to Canadian Forces operations
Assure network services in support of operations (GCCS, HRMS, FMAS, CFSSU).
Defend the network during operations: against hackers, against viruses, against technical failures.
The network as a battlespace
[Figure: avenues of approach onto the network, showing CND, CNE, firewall & guard, and intrusion sensor. Ref: LCol R. Knight, CFIOG, DND]
Land, sea and air activities are predicated increasingly on networks. An attack on a network can dramatically upset operations. Currently, it is difficult and time consuming to understand the effect of a network attack on the mission and to plan an appropriate response. We must maintain network situational awareness.
Network situational awareness
Knowing the level of threats and the current status of all network assets supporting military operations: IT infrastructure (circuits, hardware, software); defensive posture; security events (confidentiality, integrity, availability, etc.); military operations; interdependencies.
Fight the networks
[Figure: organisation chart. Operational Command sits above the Network Operations Centre (NOC), whose sub-units are the IT Service Desk, Network Control and the Computer Incident Response Team.]
Mission/role
Operational Command: peace keeping; search and rescue; assistance to civil power; NORAD; NATO.
Network Operations Centre: for operational IT systems, "fight the networks": preserve confidentiality; maintain integrity; assure availability.
IT Service Desk: provide users with 1st line IT support; assure quality of IT service to the users.
Network Control: maintain connectivity; monitor network performance.
Computer Incident Response Team: network security monitoring; intrusion detection; intelligence analysis.
Information types
Operational Command: resources; priorities; IT services supporting ops; locations; schedule.
Network Operations Centre: all types.
IT Service Desk: trouble tickets; users; hosts; locations; applications.
Network Control: host status (up/down); link usage; circuits/topology; locations; IP addresses; ports.
Computer Incident Response Team: hosts; locations; vulnerabilities; attack signatures.
Example: inputs resulting from events
IT Service Desk: 3 users report that a military Web site providing weather maps is not responding.
Network Control: a monitoring tool alerts of a sudden surge in traffic on a base Local Area Network (LAN).
Computer Incident Response Team: the intrusion detection system alerts of intensive scanning activities on a subnet.
IT Service Desk view
Network Control view
CIRT view
NOC view
3 users report that a military Web site providing weather maps is not responding. A monitoring tool alerts of a sudden surge in traffic on a base LAN. The intrusion detection system alerts of intense scanning activities on a subnet. So what?
Operational Command view
Option 1, siloed information report. SERVICES: 3 users report that a military Web site providing weather maps is not responding. PERFORMANCE: a monitoring tool alerts of a sudden surge in traffic on a base LAN. SECURITY: the intrusion detection system alerts of intense scanning activities on a subnet.
Option 2, integrated information report. IMPACT: the weather service to all deployed ships is inaccessible. CAUSE: one vulnerable IIS server is infected by the SQL Slammer worm. The infected server is scanning surrounding hosts to propagate the worm. This scanning activity creates a denial of service for all servers on the subnet.
How to get option 2, and quicker?
Integrate data: IT infrastructure, security events, military operations. A common source of information to achieve network situational awareness at the NOC and to answer the "So what?".
Improve decision making: faster (option space vs time); quality (support the risk acceptance option); prioritize.
Sharing
Share with the NOC sub-units to improve their own processes by giving them more context. Tactical decisions may require strategic level information. Let others look at it in a way meaningful to them (UDOP: User Defined Operating Picture).
Joint Network Defence & Management System (JNDMS)
This is a high level view of the JNDMS concept. There are three types of input data. The first is security event data, which could include alerts from network intrusion detection systems, alerts from network management tools, and intelligence reports. The second is military operations data: data on operations and their associated IT services and assets. The third is IT infrastructure data: the topology and the configuration. Integrating them creates contextual data inside the JNDMS. The output is network situational awareness, which is knowledge used for decision support.
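The correlation behind the "option 2" report above, in toy form: tickets, performance alerts and IDS alerts are joined to IT infrastructure data (which host serves which service, on which subnet) and to military operations data (which operations rely on the service). This is an added illustration, not JNDMS code; every host, address, service and operation name in it is constructed.

```python
import ipaddress

# IT infrastructure data (constructed): each host's address and the services it provides
HOSTS = {
    "web-wx-01": {"ip": "10.20.30.15", "services": ["weather-maps"]},
    "mail-01":   {"ip": "10.20.30.40", "services": ["mail"]},
    "db-07":     {"ip": "10.20.31.8",  "services": ["hrms-db"]},
}
# Military operations data (constructed): which operations rely on which IT service
OPS_DEPENDENCIES = {
    "weather-maps": ["weather picture for deployed ships"],
    "hrms-db": ["HRMS"],
}
# The three silo inputs from the slides, as constructed event records
EVENTS = [
    {"source": "IT SD",  "type": "ticket",        "service": "weather-maps", "users": 3},
    {"source": "NetCon", "type": "traffic_surge", "subnet": "10.20.30.0/24"},
    {"source": "CIRT",   "type": "scan",          "src_ip": "10.20.30.15", "subnet": "10.20.30.0/24"},
]

def integrated_report(events, hosts, ops_deps):
    """Correlate tickets, performance alerts and IDS alerts into IMPACT/CAUSE records."""
    surges = [ipaddress.ip_network(e["subnet"]) for e in events if e["type"] == "traffic_surge"]
    scans = [e for e in events if e["type"] == "scan"]
    ip_to_host = {info["ip"]: name for name, info in hosts.items()}
    reports = []
    for ticket in (e for e in events if e["type"] == "ticket"):
        svc = ticket["service"]
        for name, info in hosts.items():
            if svc not in info["services"]:
                continue  # infrastructure data: only hosts that provide the failing service
            ip = ipaddress.ip_address(info["ip"])
            # link the service host to the performance and security events on its subnet
            in_surge = any(ip in net for net in surges)
            local_scans = [s for s in scans if ip in ipaddress.ip_network(s["subnet"])]
            scanners = sorted({ip_to_host.get(s["src_ip"], s["src_ip"]) for s in local_scans})
            reports.append({
                "service": svc,
                "host": name,
                "impact": ops_deps.get(svc, []),  # operations data answers the "So what?"
                "cause": {"scanning_hosts": scanners, "traffic_surge_on_subnet": in_surge},
                "correlated": bool(scanners) and in_surge,
            })
    return reports

if __name__ == "__main__":
    for record in integrated_report(EVENTS, HOSTS, OPS_DEPENDENCIES):
        print(record)
```

A ticket whose service host sits on a subnet with no surge and no scan is still reported, but flagged as not correlated, which is the case where the NOC is left with the siloed option 1 view.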
JNDMS visualisation challenges
Filtering, aggregating and tailoring; real-time display requirements (battle tempo in cyberspace could be fast); logical and geospatial views; correlating cyber events and physical events; displaying defensive posture; symbology; displaying interdependencies; large volume of data; historical data.
JNDMS
[Figure: integration of data, data correlation, data presentation. Sources: DRDC impact assessment tool; DRDC JNDMS concept document.]
Contributing to the Ops Commander's COP
Should we? We think so! How?
Sharing data requires compatible data sets. C2IEDM? Possibly, but it needs extension.
How to display? Does it imply a geospatial map? (not always relevant; symbology and clutter issues). We need to capture the reliance of military operations on cyber assets. At what level of detail?
Export a snapshot of the NOC view, e.g. as a separate window in the COP.
Questions?