Vanguard Magazine

Vanguard June/July 2019

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/1136584


32 JUNE/JULY 2019 www.vanguardcanada.com CYBER

actions. Lastly, the process for authorizing changes within a system should be adapted so that DCO/ITS actions can be accommodated and expedited within the existing change management framework, taking into account their highly limited timelines.

There is one special exception to close coordination between DCO/ITS and ISS on actions. The overall process must account for the rare case in which a suitably informed operational commander, with only the coordination and planning that the situation allows, takes a near-term set of immediate actions in the face of adversary cyber attacks that threaten lives or a mission. With deliberate planning and preparation, the need for this kind of action should be minimized, and it should be used only as a last resort.

Within any deployed military system, decisions regarding the management of the system should be made through a collaborative and mutually supportive consultation process involving the DCO/ITS capability and operational planners.

Security and defence tools should be used by in-service support teams to support general network health and hygiene

Labelling a technical tool as an ISS 'tool' or a DCO/ITS 'tool' is not useful: the label presupposes how the tool will be used and can limit the extent to which useful tools are leveraged within a system. Yet in most organizations, the idea of giving ISS teams access to a DCO/ITS 'tool' like a network intrusion detection system (NIDS) may seem odd. Someone may ask, "Why would ISS need to monitor for intrusions?" Framed this way, the question appears reasonable. Instead, the question should be framed around what the tool does mechanically and how it can be used: "Why would ISS need a way to understand traffic to and from the devices that they manage, or why would they need to detect traffic anomalies?"

As the entity responsible for the configuration and health of the network, ISS could use a NIDS to monitor for deviations from expected network traffic in and out of server farms, verify traffic across protected network boundaries, replay network communications to troubleshoot a problem, or monitor for anomalies caused by accidental configuration changes. If ISS were given access to the entire security information and event management (SIEM) system, they could set up monitoring for privileged accounts, policy compliance, and other best practices so that they can recognize issues and take action themselves. Any proactive actions taken in this way allow DCO/ITS teams to focus elsewhere.

Using a NIDS and/or the SIEM to support network health and hygiene could be extremely valuable, as doing so could: (1) reduce the effort required to monitor some elements of network health and hygiene; (2) reduce the response time for resolving non-security incidents; and (3) ensure that the NIDS/SIEM is constantly tuned to the operating environment. Tuning is enormously important for the efficiency and effectiveness of any monitoring tool. NIDS/SIEM implementations that are not tuned to the network are highly ineffective: they generate false positives, and real attacks become further buried in a sea of low-value noise.

In the case of vulnerability management (VM), examining how ISS could use DCO/ITS tools leads to the realization that VM, as a function, should actually be the responsibility of ISS rather than DCO/ITS. Fundamentally, a vulnerability is a configuration issue: it is a condition derived from what is installed on a system, at what version, and how it is configured. The vast majority of solutions to IT vulnerabilities require that someone with knowledge of, and sufficient permissions on, a system make a configuration change. As a result, VM should be seen organizationally as a subset of configuration management that is conducted by in-service support organizations and system life-cycle product managers, and whose timelines can be influenced or directed by DCO/ITS teams. As long as DCO/ITS organizations maintain an oversight role, have access to the VM status information, and can drive timelines when a vulner-

Organizations responsible for ISS should take full advantage of the DCO/ITS tools on their networks to support their own tasks and to help maintain the tuning of those tools in relation to the network.
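The NIDS uses the article gives ISS (deviations from expected server-farm traffic, anomalies caused by accidental configuration changes, and keeping the tool tuned to the network) can be shown as a small allowlist check over flow records. The following is an added illustration written for this page, not code from the article or from any system it describes; the segment addresses, host roles, baseline flows and flow records are all constructed for the example.

```python
"""Allowlist-based flow check for a server farm: one baseline serves network
hygiene (inventory drift, wrong resolver, undeclared service) and intrusion
detection, and every confirmed-benign finding is folded back into it.
All addresses, roles and flows below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER_FARM = ip_network("10.20.0.0/24")          # hypothetical protected segment
APPROVED_RESOLVERS = {"10.1.1.53", "10.1.2.53"}   # hypothetical internal DNS servers

# Expected flows per server role as (direction, protocol, destination port).
# "out" means the farm host is the client, "in" means it is the server.
BASELINE = {
    "web": {("in", "tcp", 443), ("out", "tcp", 5432),
            ("out", "udp", 53), ("out", "udp", 123)},
    "db":  {("in", "tcp", 5432), ("out", "udp", 53), ("out", "udp", 123)},
}
# Inventory maintained by ISS: which farm hosts exist and what they do.
HOST_ROLES = {"10.20.0.10": "web", "10.20.0.11": "web", "10.20.0.20": "db"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def check_endpoint(host, direction, flow, baseline, host_roles):
    """Verdict for one farm endpoint of a flow."""
    role = host_roles.get(host)
    if role is None:
        return "unknown-host"            # inventory drift: host not in ISS records
    key = (direction, flow.proto, flow.dport)
    if key not in baseline.get(role, set()):
        return "unexpected-flow"         # service not in this role's profile
    if direction == "out" and flow.proto == "udp" and flow.dport == 53 \
            and flow.dst not in APPROVED_RESOLVERS:
        return "unapproved-resolver"     # DNS is allowed, but not to this server
    return "expected"


def classify(flow, baseline, host_roles=HOST_ROLES):
    """Return [(farm_host, verdict), ...] for every farm endpoint of the flow."""
    findings = []
    if ip_address(flow.src) in SERVER_FARM:
        findings.append((flow.src, check_endpoint(flow.src, "out", flow, baseline, host_roles)))
    if ip_address(flow.dst) in SERVER_FARM:
        findings.append((flow.dst, check_endpoint(flow.dst, "in", flow, baseline, host_roles)))
    return findings


def summarize(flows, baseline, host_roles=HOST_ROLES):
    """Count verdicts over a batch of flows and list the non-expected ones."""
    counts = Counter()
    anomalies = []
    for flow in flows:
        for host, verdict in classify(flow, baseline, host_roles):
            counts[verdict] += 1
            if verdict != "expected":
                anomalies.append((host, verdict, flow))
    return counts, anomalies


def tune(baseline, role, direction, proto, dport):
    """Fold a confirmed-benign flow into the baseline; returns a new baseline."""
    tuned = {r: set(keys) for r, keys in baseline.items()}
    tuned.setdefault(role, set()).add((direction, proto, dport))
    return tuned


# Constructed flow records (NetFlow-style tuples), not captured traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.20.0.10", "tcp", 443),     # client to web: expected
    Flow("10.20.0.10", "10.20.0.20", "tcp", 5432),    # web to db: expected at both ends
    Flow("10.20.0.20", "10.1.1.53", "udp", 53),       # db to an approved resolver
    Flow("10.20.0.11", "198.51.100.53", "udp", 53),   # web host pointed at an outside resolver
    Flow("10.20.0.11", "198.51.100.7", "tcp", 22),    # outbound SSH from a web server
    Flow("10.20.0.99", "10.1.1.53", "udp", 53),       # farm address missing from inventory
    Flow("10.20.0.10", "203.0.113.5", "tcp", 8443),   # new monitoring agent, not yet baselined
]

if __name__ == "__main__":
    counts, anomalies = summarize(SAMPLE_FLOWS, BASELINE)
    for host, verdict, flow in anomalies:
        print(f"{verdict:20} {host} {flow.src}->{flow.dst} {flow.proto}/{flow.dport}")
    # ISS confirms the 8443 agent is a sanctioned change and tunes it in.
    tuned = tune(BASELINE, "web", "out", "tcp", 8443)
    print(summarize(SAMPLE_FLOWS, tuned)[0])
```

Each verdict other than "expected" is a hygiene finding first (a host missing from the inventory, a server pointed at the wrong resolver, a service nobody declared) and a detection lead second. The tune() step is where the ISS team's confirmation that a flagged flow is legitimate becomes a tighter baseline, which is the tuning the article says both teams benefit from; a production NIDS or SIEM expresses the same idea as an allowlist rule set or a correlation search rather than a Python dictionary.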
