The HEDC provides a hosting service for more than 100 information systems supporting the USAF. See how they innovated to deliver logging and DoD compliance monitoring for the life-cycle of hosted information systems as an integrated service within the HEDC PaaS using Elastic Cloud Enterprise.

1. 1
Monitoring and Securing a Geo-Dispersed Data
Center
Doug Babb, Chief Architect – HEDC, SI Inc. contractor
Frank Unpingco, Cybersecurity Subject Matter Expert – HEDC, SI Inc. contractor
Nate Benson, Cloud Hosting Subject Matter Expert – HEDC, SI Inc. contractor
October 25th, 2018

2. 2
America’s Best –
Ready to Fly, Fight, Win Together
Disclaimer:
This session does not
represent a product
endorsement by the United
States Air Force, Hill Air
Force Base or any other
component of the
Department of Defense.

3. 3
Hill Enterprise Data Center
(HEDC)
- Information System Hosting Service
- Private Cloud Infrastructure supporting Engineered
PaaS
-Business Agility
-Time-to-Value
-Positive Outcomes

4. 4
HEDC Information System Hosting Service
Engineered Platform-as-a-Service
Hosted Information System A
Hosted Information System
Support Services:
• Backup and Recovery Services
• File Services and Dataset Archival
(SaaS)
• Log Aggregation and Analysis
• SecOps, Compliance, STIG’ing
• Change Management Support
Facilities Infrastructure: • Base Power & Capital Assets
Hosted Information System B Hosted Information System C
Hosted Platform (PaaS)
Automation and Service Catalog
Virtualization – Software Defined Infrastructure
Compute, Storage, Network Infrastructure Hardware
Base Facilities Infrastructure: • Base Electrical Power and Comms Access
• Capital Infrastructure
HEDC Engineers
and Operational
Personnel
Base Civil Eng.
IS App Admin
• Database Administration
• Application Tier
Administration
• ERP Application Support
• BI and Analytics

5. 5
HEDC Private Cloud – Geo-Dispersed Infrastructure
HEDC Engineered PaaS Deployed to Portable Operating Data Centers (PODs) and
Commercial Cloud
GovCloud West
GovCloud East

6. 6
HEDC Private Cloud – Geo-Dispersed Infrastructure
HEDC Engineered PaaS Deployed to Commercial Cloud Service Providers (CSPs)
& Secure Anywhere

7. 7
HEDC Logging Use-Case
HEDC – Log Aggregation and Analysis Service
1. Logs from all component layers of the Engineered PaaS gathered and aggregated for
correlation
2. Simple instrumentation method for a wide-variety of infrastructure components and a
diverse collection of hosted information systems
3. Gather and aggregate logs for each unique hosted information system without
inappropriately exposing information that pertains to the underlying PaaS infrastructure to
tenants
4. Self-help/self-service for information system owners and application administrators to
access and analyze logs specific to their information system.

8. 8
HEDC Logging Use-Case – continued
HEDC – Log Aggregation and Analysis Service
5. Co-existence with other systems of record and stand-alone services leveraging these
systems/services by correlating their content with PaaS content and applying a consistent
machine learning toolset to the correlated content
6. Provide log aggregation and analysis service across all Information Systems and
supporting infrastructure regardless of geographic location; provide cross-boundary
forensics capability
7. Support continuous compliance monitoring and compliance automation for Risk
Management Framework (RMF) Compliance and for Command Cyber Readiness
Inspection (CCRI)
8. Provide a mitigation backstop for legacy Information Systems that do not comply with the
requirements of NIST SP 800-53 Audit and Accountability Controls

9. 9
ECE Deployment Example – Tenant Information System Deployments

10. 10
ECE Deployment Example – PaaS Infrastructure Deployment

11. 11
Nodes (X)Logstash
HEDC Log Aggregation and Analysis Service Architecture
Beats
Load Balancer
Elastic Cloud
Enterprise
X-pack
Stacks (X)
Big-IP VE (X)
Info Sys A Info Sys B Info Sys C Info Sys D HEDC Infrastructure
Syslog
Machine
Learning
Physical Infrastructure
Hosted Information
System Support
Services
Virtual Infrastructure
A01 D03D02D01C03C02C01B03B02B01A03A02
Information System A Information System B Information System C Information System D
Active for Traffic Group 1, Standby for Traffic Group 2 Active for Traffic Group 2, Standby for Traffic Group 1
vips

12. 12
Translate Filter
w/Memcache
Plugin
FileBeats, Logstash, and Elastic Cloud Enterprise
Logstash Enrichment Layer
Logstash
Elastic Cloud
Enterprise
Information System A HEDC Infrastructure
Route
A01 A03A02
Information System A
Scalable Enrichment
Layer
ECE Deployment
Layer

13. 13
Translate Filter
w/Memcache
Plugin
FileBeats, Logstash, and Elastic Cloud Enterprise
Logstash Enrichment Layer
Logstash
Elastic Cloud
Enterprise
Information System A HEDC Infrastructure
Route
A01 A03A02
Information System A
Scalable Enrichment
Layer
ECE Deployment
Layer

14. 14
Information System Lookup System
Example of Customer/Information System Data Records Used to Enrich Logs Via
Lookups (NOTE: Records are Simplified, Truncated & Fictionalized)
INFO_SYS_UID CUST_UID ITIPS_UID EMASS_UID INFO_SYS_NAME CUST_NAME
X00A 001 PD-4757-G7XY 9583-YQBM-47 Information System A KWYF
X00B 003 AV-8975-P9UX 6197-XHQQ-20 Information System B VZVA
X00C 002 XF-2364-S4DT 8354-NABX-82 Information System C ECSZ
X00D 004 FT-7207-L0ZB 1551-ACTP-77 Information System D HNAV
X00E 003 CZ-9851-B0ML 2913-lHBB-46 Information System E VZVA
X00F 001 GJ-7422-J0FG 4730-BMBP-77 Information System F KWYF

15. 15
Logstash Enrichment Example -
Pseudo Code for Column/Key-Value Lookup:
/* Use Translate Filter to support a lookup request to compare unique customer ID and unique information system ID to provide log routing to the appropriate
ECE deployments.
For example, Information System E supports customer VZVA and has a Java application element running on a VM.
All VM's for Information System E follow a standard that contains the unique information system ID as well as VZVA’s unique customer ID as part of its
hostname:
X00E == Information System E UID
0003 == Customer VZVA UID
The Java application VM has a hostname like X00E.0003.host-001 and all logs from this VM are delivered to Logstash via FileBeat where a Logstash Filter will
perform column/key-value pair lookup from an external data source and will route the logs to both the Information System E ECE instance and the
Infrastructure ECE instance.
In the Logstash configuration we codify this with pseudo logic: */
(info_sys_uid, cust_uid) = getInfoSystem(beat_host_name)
es_cluster_name = getCluster(info_sys_uid) # does lookup
if info_sys in info_sys_map {
elasticsearch_write(es_cluster_name, app_index)
}

16. 16
Role-Based Access Control - Kibana in Tenant Information System C Deployment

17. 17
ECE Role-Based Access Control – Kibana in PaaS Infrastructure Deployment

18. 18
“What we need is no bullshit security
compliance! We need to gather,
correlate, and analyze everything!
We need to automate compliance!
No more paper compliance!”
From a frustrated general officer who is certainly not going to admit to saying it

19. 19
Nodes (X)Logstash
Supporting Systems of Record with HEDC Log Aggregation and
Analysis Service Architecture
Load Balancer
Elastic Cloud
Enterprise
X-pack
Stacks (X)
Big-IP VE (X)
Info Sys A Info Sys B Info Sys C Info Sys D HEDC Infrastructure
Machine
Learning
vips
ACAS ARAD BCM SCCM TA

20. 20
HEDC Private Cloud – Geo-Dispersed Infrastructure
Future of Log Aggregation and Analysis Service?
GovCloud West
GovCloud East
ECE v2.1
Cross Cluster Search

21. 21
Thank You