This document discusses how adaptive network automation can help address cyber defense challenges faced by the Department of Defense (DoD). It outlines how network automation can help provide real-time network visibility and flexible automation. The adaptive network automation framework utilizes a comprehensive data model to generate dynamic maps and define automation tasks. This framework can then apply automation before, during, and after cyber events to help identify threats, mitigate attacks, and strengthen defenses.
Network Automation in Support of Cyber Defense
1. NetBrain Technologies
15 Network Drive
Burlington, MA 01803
+1 800.605.7964
info@netbraintech.com
www.netbraintech.com
Network Automation in
Support of Cyber Defense
Rick Larkin
Senior Network Engineer
NetBrain Technologies, Inc
23 June 2016
2. o DoD Cyber Defense Challenges
Real-time network visibility
Flexible network automation
o Adaptive Network Automation Framework
o Adaptive Network Automation Applied to Cyber Defense
Before
During
After
Agenda
4. “DISA is a case in point. With 4.5 million users and 11 core data centers, its
infrastructure generates about 10 million alarms per day…
Approximately 2,000 of those become trouble tickets…
…Then there’s hacking: DISA logs 800 billion security events per day…
…Between countermeasures, configuration fixes, and the rest, DISA makes
about 22,000 changes to its infrastructure every day…”
MG Zabel, Vice Director, DISA
http://www.cio.com/article/3068663/networks-need-automation-just-ask-the-us-military.html
[Graphic: Today's Threat = IT Challenges x 10 (1986 → 2016)]
Cyber Defense Challenges
5. DoD Cyber Defense Challenges
[Word cloud of governing frameworks and reporting requirements: NIST RMF, DIACAP, 8500s, ATC/ATT/ATO, CNDSP, ASIs, POND, POA&M, CCRIs, IAVAs, OPREP/SITREP/CASREPs, AARs, STIGs, JIE, JRSS]
o Cyber Threats evolving rapidly, requirements increasing, resources strained
o Network Automation is a key force multiplier!
6. Two Unsolved Challenges
o Lack of Real-Time Network Visibility
» Traditional methods don’t work. Example:
Static Network Maps.
» Need “real-time” network visualization, end
to end
o Limited Network Automation
» Current network automation has limited
functional scope, need to write complex
regular expressions, not portable, etc.
» Need for Network Automation 2.0, that is,
o Data-driven
o Dynamically created
o Simplified
7. 3 Generations of Network Visibility
o Generation 1:
» Discover the Network with SNMP
» Generate Asset and Inventory Reports
[Diagram: Discovery → Inventory]
9. 3 Generations of Network Visibility
o Generation 3:
» Network model based (configuration, SNMP, NetFlow, network tables, etc.)
» Real-time, up-to-date, adaptive, dynamic solution
[Diagram: Discovery → Comprehensive Data Model → Dynamic, Data-Driven Map]
13. Map as the Single Pane of Glass
» Automated Analysis – Fully Customizable
» Execute manual tasks in seconds
» Initiated by operators or automatically from integrated
systems like IDS/IPS, Trouble Tickets, SIEM or CMDB.
14. Before – Discovery & Asset Identification
o Deep Network discovery
» Accurate, Fast
o Inventory Report
» Derived from comprehensive data model
o Dynamic network documentation, updated daily and on demand
» Supports ATO development, CCRI preparation and day-to-day operations
15. o Automated Compliance validation & verification
» NIST RMF, DISA/NSA STIGs, IAVAs, CC/S/A specific
o Proactive NetOps & CyberOps
» Automation technology can help CPTs, as well as on-site Network & IA staff
Before – Vulnerability Assessment
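The "automated compliance validation" bullet above describes checking device configurations against a catalogue of controls (STIGs, IAVAs, command-specific items) rather than hand-writing regular expressions per device. The following is an added example of that data-driven approach, not NetBrain's code: the check catalogue, its patterns and the two device configurations are constructed for illustration, and real STIG items and identifiers are deliberately not reproduced.

```python
"""Data-driven configuration compliance checks (added example, not NetBrain code).

The check catalogue, the patterns and both device configurations are
constructed for illustration; real STIG items and their identifiers are
deliberately not reproduced here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Check:
    name: str               # human-readable control name (assumed, not a STIG ID)
    pattern: str            # regex applied to each config line
    expect_present: bool    # True: a match is required; False: a match is a finding
    section: Optional[str] = None  # if set, only lines inside blocks whose header starts with this


# The catalogue is data: adding a control means adding a row, not writing
# new per-device code. Patterns are assumptions chosen for this example.
CATALOGUE: List[Check] = [
    Check("password-encryption", r"^service password-encryption$", True),
    Check("no-http-server", r"^ip http server$", False),
    Check("ssh-only-vty", r"^transport input ssh$", True, section="line vty"),
    Check("no-telnet-vty", r"^transport input (telnet|all)\b", False, section="line vty"),
    Check("remote-syslog", r"^logging (host )?\d+\.\d+\.\d+\.\d+$", True),
]


def parse_blocks(config: str) -> Dict[Optional[str], List[str]]:
    """Group IOS-style config lines by block: key None holds top-level lines,
    other keys are block headers (e.g. 'line vty 0 4') with their indented children."""
    blocks: Dict[Optional[str], List[str]] = {None: []}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks[None].append(current)
            blocks.setdefault(current, [])
    return blocks


def evaluate(check: Check, config: str) -> bool:
    """True if the configuration satisfies the check."""
    blocks = parse_blocks(config)
    if check.section is None:
        targets = [blocks[None]]
    else:
        targets = [lines for hdr, lines in blocks.items()
                   if hdr is not None and hdr.startswith(check.section)]
    hits = [any(re.search(check.pattern, line) for line in lines) for lines in targets]
    if check.expect_present:
        # Every targeted block must carry the required line, and there must be at least one block.
        return bool(hits) and all(hits)
    return not any(hits)


def assess(devices: Dict[str, str]) -> Dict[str, List[str]]:
    """Return, per device, the names of the checks it fails."""
    return {name: [c.name for c in CATALOGUE if not evaluate(c, cfg)]
            for name, cfg in devices.items()}


# Constructed sample configurations (not taken from any real device).
CORE_RTR = """\
hostname core-rtr
service password-encryption
no ip http server
logging 10.0.0.50
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

EDGE_SW = """\
hostname edge-sw
service password-encryption
ip http server
logging host 10.0.0.50
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for device, failed in assess({"core-rtr": CORE_RTR, "edge-sw": EDGE_SW}).items():
        print(f"{device}: {'compliant' if not failed else 'FAIL ' + ', '.join(failed)}")
```

The point of the design is that the same five rows evaluate every device in the inventory; a positive check scoped to a block (here `ssh-only-vty`) fails when any one of the blocks lacks the required line, and also when no such block exists at all, which is the case a naive "grep the whole file" check silently passes.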
16. Triggered by human intervention or backend systems (IDS/IPS, Logs, CMDB, …)
» Map the threat (e.g. an attack path to a server)
» Run diagnosis and health analysis on the map
» Identify network changes
During – Threat Identification
17. Apply network changes and patches with automation:
» Configure policies (ACL/QoS/etc.)
» Redirect traffic (honeypot)
» Disable ports
During – Attack Mitigation
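The "During" slides above (triggered by an IDS/IPS or SIEM event, map the threat as an attack path, then push ACLs or disable ports) and the Generation 3 "comprehensive data model" slide describe one workflow that is easier to see in code. The following is an added example, not NetBrain's code: the network model (devices, connected subnets, routing tables), the alert and the IOS-style command templates are all constructed for illustration, and the model is a deliberately simplified stand-in for the data model the slides describe.

```python
"""Triggered threat mapping and mitigation over a network data model
(added example, not NetBrain code). The model, the alert and the command
templates are constructed; IOS-style syntax is assumed for the commands."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed network model: per device, directly connected subnets per interface,
# and a routing table mapping prefix -> (egress interface, next device).
MODEL = {
    "edge-sw": {
        "connected": {"Gi1/0/7": "10.1.1.0/24", "Gi1/0/48": "10.255.0.0/30"},
        "routes": {"0.0.0.0/0": ("Gi1/0/48", "core-rtr")},
    },
    "core-rtr": {
        "connected": {"Gi0/0": "10.255.0.0/30", "Gi0/1": "10.255.0.4/30"},
        "routes": {"10.1.1.0/24": ("Gi0/0", "edge-sw"), "10.2.2.0/24": ("Gi0/1", "dc-fw")},
    },
    "dc-fw": {
        "connected": {"eth0": "10.255.0.4/30", "eth1": "10.2.2.0/24"},
        "routes": {"0.0.0.0/0": ("eth0", "core-rtr")},
    },
}


class Hop(NamedTuple):
    device: str
    in_iface: Optional[str]   # interface the flow enters on (None if not resolvable)
    out_iface: str            # interface the flow leaves on


def locate(ip: str) -> Tuple[str, str]:
    """Find the device/interface whose connected subnet holds the host."""
    addr = ipaddress.ip_address(ip)
    for device, data in MODEL.items():
        for iface, net in data["connected"].items():
            if addr in ipaddress.ip_network(net):
                return device, iface
    raise ValueError(f"{ip} is not in any modelled subnet")


def forward(device: str, ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix lookup on one device: (egress interface, next device).
    Next device is None when the destination is directly connected; the whole
    result is None when the device has no route."""
    addr = ipaddress.ip_address(ip)
    for iface, net in MODEL[device]["connected"].items():
        if addr in ipaddress.ip_network(net):
            return iface, None
    best = None
    for prefix, (iface, nxt) in MODEL[device]["routes"].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, nxt)
    return (best[1], best[2]) if best else None


def ingress_iface(prev: str, out_iface: str, device: str) -> Optional[str]:
    """Interface on `device` that shares the link subnet with prev's egress interface."""
    link = MODEL[prev]["connected"][out_iface]
    for iface, net in MODEL[device]["connected"].items():
        if net == link:
            return iface
    return None


def attack_path(src: str, dst: str, max_hops: int = 16) -> List[Hop]:
    """Walk the model hop by hop from the source host to the destination: the
    data behind a 'map the threat' view. Stops on loops or missing routes."""
    device, in_iface = locate(src)
    path: List[Hop] = []
    seen = set()
    while device not in seen and len(path) < max_hops:
        seen.add(device)
        hit = forward(device, dst)
        if hit is None:
            raise ValueError(f"{device} has no route to {dst}")
        out_iface, nxt = hit
        path.append(Hop(device, in_iface, out_iface))
        if nxt is None:
            return path
        in_iface = ingress_iface(device, out_iface, nxt)
        device = nxt
    raise ValueError("forwarding loop or hop limit reached before the destination")


def mitigation(path: List[Hop], src: str, dst: str, quarantine_port: bool = False) -> Dict[str, List[str]]:
    """Block the flow as close to the source as possible: an ingress ACL on the
    first hop, optionally shutting the access port as well (IOS-style syntax assumed)."""
    first = path[0]
    acl = "BLOCK-" + src.replace(".", "-")
    cmds = [
        f"ip access-list extended {acl}",
        f" deny ip host {src} host {dst}",
        " permit ip any any",
        f"interface {first.in_iface}",
        f" ip access-group {acl} in",
    ]
    if quarantine_port:
        cmds += [f"interface {first.in_iface}", " shutdown"]
    return {first.device: cmds}


def handle_alert(alert: Dict[str, str]) -> Tuple[List[Hop], Dict[str, List[str]]]:
    """Entry point an IDS/SIEM integration would call with {'src': ..., 'dst': ...}."""
    path = attack_path(alert["src"], alert["dst"])
    return path, mitigation(path, alert["src"], alert["dst"], alert.get("severity") == "high")


if __name__ == "__main__":
    # Constructed alert, not a real IDS event.
    path, cmds = handle_alert({"src": "10.1.1.25", "dst": "10.2.2.10", "severity": "high"})
    print(" -> ".join(f"{h.device}[{h.in_iface}->{h.out_iface}]" for h in path))
    for device, lines in cmds.items():
        print(device + ":\n  " + "\n  ".join(lines))
```

Two details matter in practice and are deliberately handled: the walk refuses to run forever on a forwarding loop or a destination the model cannot reach, and the mitigation is placed on the ingress interface of the first hop rather than at the target, so the flow is dropped before it crosses the core. Whether a high-severity alert should also shut the access port is a policy decision; here it is a flag the caller sets.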
18. Apply lessons-learned from attack:
o Forensics/analysis
o Enhance executable intelligence
o Update network data model automatically
After – Strengthen Cyber Defense w/ Automation
19. o Cyber Event Management – Automation can significantly reduce response time
o Allows for collaboration between NetOps & CyberOps, as well as Tiered Teams.
o Runbooks allow process chaining in response to Asymmetric Cyber threats.
[Diagram: NetOps, CyberOps and Vendor Management: collaboration and escalation of issues]
20. Summary
Adaptive Network Automation Framework in support of Cyber Defense
o Before
» Maintain accurate, up to date documentation – ATOs, CCRI, best practice
» Verify & Validate compliance – NIST RMF, STIGs, IAVAs, CC/S/A specific
o During
» Identify and isolate impacted data, systems & networks
» Triage environments, and support rapid remediation
o After
» Based on new discovered threat(s), apply new configurations and update
documentation
» Leverage historical information for AARs and forensics
21. o Founded in 2004, NetBrain is the first software provider to apply the
concept of CAD automation to network management.
» Awarded multiple patents in Computer Aided Network Engineering (C.A.N.E)
o Customer overview
» 1,300+ customers worldwide
» Multiple sectors
Adaptive Automation – Here and Now