May 3, 2021
Driving the success of every mission is one key factor: knowledge. The quality, quantity, and immediacy of information can make the crucial difference in responses and outcomes. That’s the rationale behind the Air Force’s Advanced Battle Management System (ABMS)—that more complete, timely information leads to better, faster decision making, and that sharing vital data is crucial to the success of joint and multi-domain operations. But as cyberspace is now one of the most heavily used threat vectors, balancing the need for access to data with the realities of the threat environment requires vigilance and agility.
In the first article of this three-part series, we looked at the obstacles to enterprise-wide, multi-domain data access, and how Elastic enables near real-time answers from data wherever it is stored. Now, in part two, Elastic looks at the critical issues of security, and how the ability to analyze data enterprise-wide can also support smarter responses to cyber threats.
The Perimeter is Always in Flux
The formerly well-defined network perimeter has blurred. The Internet of Battlefield Things (IoBT) has grown the number of sensors exponentially and turned objects into endpoints, while mobile users frequently move in and out of secure areas, creating new challenges for secure connectivity.
Truly assessing the military’s cyber stance requires a holistic view of the complete environment, from the network core to the edge. Point solutions that can protect specific resources don’t recognize a crucial element — how attacks interact with each other. Does an event in one segment have implications for other resources? Are there patterns that could provide insight into other attacks? Can anomalies be identified and categorized quickly and accurately? And can users understand the nature of the issue fast enough and clearly enough to respond before damage is done?
By viewing all data across all sources, security-focused teams gain the ability to identify previously unseen connections. But doing so goes beyond securing IT systems alone.
OT Data is Crucial, Yet Vulnerable
Complicating security further, the lines between physical and virtual domains are blurring — kinetic actions can affect the digital domain and vice versa. Attacks on operational technology (OT) devices, such as aircraft, robots, sensor meshes, and IoBT instruments, are carried out through IT means.
The good news is that, even with the additional risk factors, there are opportunities to understand and defend against attacks. By analyzing OT data in relation to IT data, it becomes easier to spot vulnerabilities and mitigate potential threats before they affect systems, personnel and the mission itself. Again, the holistic approach is essential to comprehensive security.
Barriers to a Comprehensive View
If it makes sense to assess data from multiple sources to support both operations and security, why isn’t this approach widespread? There are three main obstacles, each of which affects the others.
First, there are technical considerations. In the past, some data lake attempts were not successful: they led to higher cost and complexity without enough benefit to justify the effort. Speed and scalability problems were significant, leaving those systems unable to produce comprehensive answers in time to make a difference.
The policy aspect presents another challenge. Of course, compliance with standards is absolute. In addition, the issue of data ownership needs to be addressed to ensure that those with the responsibility to protect, maintain, and share data also have the authority to do so effectively.
Lastly, there is a cultural component to consider. There are legitimate concerns that not all data should be shared. This is partly a matter of whether access can be segmented by classification, but also due to a truism that too much data can cause more problems than it solves. But these are no longer issues, as it is now possible to enable both policy-driven segmentation and near-instant answers from across petabytes of data. The solution lies in an approach that combines data management with security and enterprise-wide visibility.
Complete Security Demands Complete Real-time Information
At its most basic, cyber defense requires identifying and defending against known attack signatures. The next step is to use machine learning to assess how closely suspicious activity resembles those known signatures, then alert users to those potential threats. To be effective, the security system needs both enterprise-wide data and a way to monitor activity across all interconnected systems — data management plus security plus visibility, all working together.
This is the model Elastic employs, for example, where its security and observability solutions coordinate to spot both bottlenecks and potential threats in near real-time. Since Elastic indexes data as it is ingested, answers and analyses can be delivered in seconds, helping to contain a cyber attack before it spreads throughout the network.
Elastic’s holistic approach also assures system, application, and data owners that segmentation is possible, limiting access to those with a specific, legitimate need — enabling policy-driven access controls for a Zero Trust ecosystem that manages and protects data and the shared environment.
As a result, security teams can identify issues and respond faster, and gain the insight needed to head off potential threats before they become active attack vectors. Alerts can be defined to include next steps, enabling personnel at all skill levels to understand events and take remedial action in the least amount of time.
Security as a Force Enabler
ABMS establishes data sharing as a standard that can create a common operational picture, but security naturally remains paramount. Cyber security can do more than protect assets from threats, even inadvertent ones. It can provide confidence that data is uncorrupted, provide easy access for those who need it, and keep users from creating more risk. In short, securing data must balance access with accountability.
The holistic approach, championed by Elastic, frees critical data from sharing constraints while maintaining high levels of access control and security — and is crucial to achieving mission velocity that allows our forces to outpace adversaries in both the physical and digital domains.