CASCADE Joint Cyber Sensor Architecture
CLASSIFICATION: TOP SECRET COMINT REL FVEY

- Project Overview
- Current Status
- Proposed Architecture
- Towards 2015

Project Overview
Alignment of passive cyber sensor capabilities and architecture in the SIGINT and ITS missions.
Goals:
- Common sensor technology and architecture
- Address scalability issues in sensor deployments
Scope:
- Passive sensors and supporting infrastructure are in scope
- Analytic tools are out of scope
- Host based capability is out of scope (caveat: passive messaging is in scope)

Our Sensors
Photonic Prism (monitoring of GC networks) includes:
- Full-Take Packet Capture
- Signature Based Detection
- Anomaly Based Discovery
- Analytic Environment
- Oversight and Compliance Tools
EONBLUE (monitoring in passive SIGINT) includes:
- Full-Take (on specific accesses)
- Signature Based Detection
- Anomaly Based Discovery
- Additional functions are offloaded and exist further in the Analytic Environment
- Dataflow Targeting
- Oversight and Compliance Tools

Shades of Blue
[Diagram of EONBLUE sensor variants; recoverable labels:]
- Dell R610 1U Platform: Processing, Tracking, Discovery
- Distributed Processing (Cloud): Processing, Tracking, Discovery; Multiple 10Gbps; PXE Boot Infrastructure
- Metadata Processor: UNCLASSIFIED Processing, Metadata Production
- CRUCIBLE Secure Sensor: Derived Metadata (in UNCLASS), Tracking Metadata

Current Status

Special Source
- 100% INDUCTION coverage of main SSO sites
- Metadata production
- Metadata production at select new sites
- CRUCIBLE deployments to newly emerging sites environment (survey)
- Increase in link speeds

Warranted Collection
- EONBLUE sensor deployment
- Full take collection

FORNSAT
- Recently upgraded to the current EONBLUE code base, leveraging the GCHQ CHOKEPOINT solution to integrate with the environment (virtualized)
- Working on SUNWHEEL

SMO
- CHOKEPOINT system en route to CASSIOPEIA
- No SUNWHEEL presence as of yet; plans to leverage CHOKEPOINT capability

GC network monitoring
- Deployment at 3 edge gateway GC departments
- Dynamic defence is enabled at two of these sites
- Deployment at the main government backbone
- Dual 10Gbps links (~3Gbps loading)
- Data volumes continue to increase due to Internet Access Point aggregation
- Currently performing full take and storage of all monitored traffic
- System performance issues, overall analyst usability issues

While both ITS and SIGINT currently leverage EONBLUE software:
- The architectures are not aligned
- Configuration differs greatly
- Software versions are not standard across programs
- The full capability of EONBLUE is not being leveraged equally across programs

Proposal: CASCADE, A Way Forward
Divergence:
- Sensor architectures have diverged between SIGINT and ITS
- Within each area, versions are not standardized
Management and Scalability:
- Some configurations will not scale
- Difficult to manage the current sensor environment
- High cost to grow the existing solution (people, SW costs)
Duplication of Effort:
- Divergence creates duplication of effort
- Limited resources are not focused on innovation and new challenges

[Diagram: Unified Sensor Environment; Sensor Interoperability; Alignment of Messaging; Shared Mission Space; Business Lines: Develop, Implement; Single Interconnected Tracking Metadata Strategy; Sensor Production aligned; Simplify Version Management; Host/Network Interoperability]

- Ensure EONBLUE is deployed in a standard fashion across all environments
- Upgrade SCNET to 10Gbps
- Update all SIGINT collection EONBLUE sites to the latest code release
- Produce Standard Metadata: DNS Response, HTTP Client Harvesting, Server Headers

Address SCNET Scalability
- Reconfiguration / Design of Storage Solution
- Improved, enforced data indexing and querying
Leverage Third-Eye Architecture
- Distributed Collection Grid
- Queries are federated (at multiple clients)
- Centrally Managed
- Firewall Logs

Full-Take Strategy
Benefits:
- Improve performance: better data indexing techniques; federated queries across multiple systems
- Reduced cost (storage local to client departments): $10,000 to $25,000 per client; re-use of back-end storage
- Enable departmental security officers / operators
- Capability of Third-Eye exceeds what is commercially available
Cons:
- Requires network connections to each GC Department
- Requires a footprint within each department's datacenter
- Complexity of distributed processing

- Messages should be automatically exchanged between SIGINT and ITS
- The sensor environment will be connected to enable seamless ... message flows
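The "Produce Standard Metadata" slide above names DNS responses, HTTP client harvesting and server headers as the records a passive sensor should emit. The Python below is an added illustration, not CSE code or EONBLUE output: it derives those three record types from constructed DNS and HTTP payloads, handling RFC 1035 name compression and ignoring DNS queries; all function names and the sample bytes are assumptions.

```python
import struct

def read_name(msg, off):
    # Read a DNS name at msg[off] (RFC 1035 compression aware); return (name, end offset).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end

def dns_response_metadata(msg):
    # One record per A answer in a DNS response; queries (QR bit clear) yield none.
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        return []
    off, qname, records = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                     # skip QTYPE and QCLASS
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:                # A record
            records.append({"qname": qname, "name": rname, "ttl": ttl,
                            "ip": ".".join(str(b) for b in rdata)})
    return records

def http_header(payload, name):
    # Value of one header from an HTTP request or response head (None if absent).
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

# Constructed sample inputs (not captured traffic): example.com -> 192.0.2.10.
SAMPLE_DNS = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
              + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
SAMPLE_HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"
```

The same `http_header` call with `"User-Agent"` on a request head yields the client-harvesting record; a sensor would key each record on the flow's addresses and timestamp before indexing.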