The U.S. Department of Defense is constantly working to defend its intelligence network from active threats in cyberspace. One way this happens is through defensive cyber operations.
Per the Joint Staff’s cyberspace operations doctrine, DCO missions aim to “defeat specific threats that have bypassed, breached, or are threatening to breach security measures.”
Precisely how specific threats are defeated varies by context. In some instances, a DCO mission may entail setting up a network-attached system known as a “honeypot” to lure attackers away from legitimate targets. It can also involve passing data, including suspicious or malicious data, into an isolated environment, or enclave, for analysis and forensics.
Let’s take a closer look at DCO enclaves and how organizations can support their DCO missions by ensuring the secure sharing of information across high-side (classified) and low-side (unclassified) networks.
Benefits (and one big drawback) of DCO enclaves
DCO enclaves are an important component of federal cybersecurity, and offer a couple of key benefits:
— Separating data allows the DoD to perform defensive monitoring stealthily, keeping sensitive monitoring information away from the prying eyes of adversaries.
— By pulling data off the operational network and into an enclave, agencies can work with potentially suspicious and risky data within a safely contained DCO network or sub-network.
Setting up enclaves requires time, money, and resources — all of which are limited in the federal government space. And the more complex the environment, the more difficult an enclave will be to monitor and maintain.
Fortunately, the process of journaling, auditing, and logging (JAL) makes monitoring, analyzing, and securing sensitive data across enclaves easier. With JAL, organizations record events, including the impacted entity, time of occurrence, and other details. This information is gathered from multiple separate networks, each running at a different classification level. All of this data is ultimately consolidated at the highest security level, or “on the high side,” away from the operational networks, where it is analyzed.
Consolidating data in the DCO enclave on the high side gives security teams the ability to monitor their organizations’ security postures across all networks from a single location. From there, they can use centralized behavioral analytics to identify anomalous or high-risk behavior across networks. They can analyze user activity, identify questionable behaviors, and tie those back to potential attacks. They can also receive clarity into tactics or activities that may threaten multiple enclaves—and better defend those enclaves as necessary.
Secure and fast data sharing
Transferring data from the low side to the high side can be done securely using cross-domain solutions such as data guards and data diodes. A data guard can automate bidirectional transfer where policy permits, allowing rapid yet secure exchange between networks at different classification levels. A data diode, by contrast, allows data to flow in one direction only, removing the risk of any backward communication.
Data guards and data diodes can be used in combination with more traditional forms of cybersecurity, such as firewalls. A firewall is an effective option in many situations, but it’s also a binary choice for protection, indiscriminately blocking information from passing between networks.
Guards and diodes are more sophisticated and flexible than a traditional firewall. For example, data guards enable the fast and secure transfer of data across network boundaries and can be adapted to fit specific security policies and data types. Rather than restricting transfers wholesale, they ensure that only the right data gets transferred, and then protect it as it passes between enclaves. They are essential in a world in which collaboration and information sharing are critical to defense operations.
Meanwhile, although data diodes only allow unidirectional transfers, they do so quickly, while ensuring that information transferred from the low side to the high side cannot be sent back to the unclassified network. They use a physical, hardware-enforced barrier that is not subject to software attack to create an air gap between networks. As such, they are a strong option for agencies that need DCOs and cross-domain solutions connected to high-threat networks.
Additionally, cross-domain access solutions can be used to actively monitor networks at each classification level. They complement cross-domain transfer solutions by giving analysts a single-screen view. By consolidating the view of all networks, regardless of classification level, analysts get a comprehensive picture of any potential attacks.
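As an added illustration (not code from this article, from the DoD, or from Forcepoint), here is a minimal Python model of the JAL consolidation path described above: a guard-style policy check applied to each record arriving from a lower network, and a consolidation step that only admits records flowing toward the high side, as a diode would enforce. The classification level names, every record field other than "entity" and "time", and the sample feeds are assumptions constructed for this example.

```python
import json
from datetime import datetime

# Levels in increasing order; JAL data is consolidated at HIGH_SIDE. Names and all fields but entity/time are assumptions.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}
HIGH_SIDE = "TOP SECRET"
REQUIRED = {"entity", "time", "event", "classification"}

def check_record(raw, source_level):
    """Guard policy for one record: returns (parsed record, "ok") or (None, reason)."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return None, "malformed JSON"
    if not isinstance(rec, dict) or set(rec) != REQUIRED:
        return None, "schema mismatch"  # extra keys are rejected, never forwarded
    if rec["classification"] != source_level:
        return None, "label does not match source network"
    try:
        rec["time"] = datetime.fromisoformat(rec["time"]).isoformat()  # normalize time of occurrence
    except (TypeError, ValueError):
        return None, "bad timestamp"
    return rec, "ok"

def consolidate(feeds):
    """feeds maps source level -> raw JSON lines; only low-to-high flow is admitted (diode direction)."""
    accepted, rejected = [], []
    for level, lines in feeds.items():
        if LEVELS.get(level, 99) > LEVELS[HIGH_SIDE]:
            rejected.append((level, "not a permitted source level"))
            continue
        for raw in lines:
            rec, reason = check_record(raw, level)
            if rec is None:
                rejected.append((level, reason))
                continue
            accepted.append({**rec, "source_network": level})  # stamp provenance for high-side analytics
    return sorted(accepted, key=lambda r: r["time"]), rejected

# Constructed sample feeds for this example; not real operational data.
FEEDS = {
    "UNCLASSIFIED": [
        '{"entity": "ws-17", "time": "2024-03-01T10:02:00", "event": "login", "classification": "UNCLASSIFIED"}',
        '{"entity": "ws-17", "time": "2024-03-01T10:05:00", "event": "alert", "classification": "SECRET"}',
    ],
    "SECRET": [
        '{"entity": "srv-2", "time": "2024-03-01T09:58:00", "event": "file_access", "classification": "SECRET", "note": "x"}',
        '{"entity": "srv-2", "time": "2024-03-01T09:59:00", "event": "file_access", "classification": "SECRET"}',
    ],
}
```

Calling `consolidate(FEEDS)` admits two records (sorted by time, each stamped with its source network) and rejects the mislabelled and the off-schema ones with a reason the high-side analyst can audit.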
Stronger and more efficient cybersecurity
DCO enclaves play a key role in helping defeat specific threats and returning government networks to secure and functional states, but they’re not without management and monitoring challenges. They can be costly to implement and time-consuming and difficult to monitor effectively, which can be to the detriment of agencies’ cybersecurity efforts.
Transferring data from one DCO enclave to another so that it can be securely analyzed and monitored can alleviate many of these challenges and help security teams keep an eye on their security postures. A good cybersecurity practice like JAL—complemented with modern cybersecurity tools like data guards and data diodes—can help agencies bolster their cybersecurity initiatives, making them both stronger and more efficient.
George Kamis is CTO for Global Governments & Critical Infrastructure at Forcepoint, a software company headquartered in Austin, Texas, that develops computer security, data protection, cloud access security broker, firewall and cross-domain products and services.
Have an Opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET Senior Managing Editor Cary O’Reilly.