Around 10 years ago in the early days of national cyber protection very few organisations were protecting themselves against cyber threats, indeed many were not even aware they were at risk.
In fact, the threat was real and active, but generally focused directly towards the obvious – such as government departments and critical national infrastructure organisations. It was therefore relatively straightforward to decide where to invest finite budgets: focussed monitoring and response in support of these obvious organisations. However, the cyber threat does not stand still.
Although government budgets remain restricted, the cyber threat is now spread across all types of organisation, with attacks motivated by a wider array of goals such as intellectual property theft, money and intelligence, and arriving via supply chain or partner organisations.
As a result, the cyber protection industry is awash with vendors pushing their particular tool or angle on the problem – “you need threat intelligence”, “you need a Security Operations Centre (SOC)”, “over-hyped analytics”, and so on. Yes, you probably do need all of these but which should take precedence and how will you know if it’s had the desired impact? Fortunately, this is where it gets a bit easier.
Doing more with less
Being under threat on many unknown fronts and countering this with finite resources and budget is not a new problem. Military and security agencies have been doing this successfully for a long time and the cyber threat landscape is no different.
With the right national cyber situational awareness you can invest in building capability in the right places first and independently measure the impact. You can even check up on those already protecting themselves to give those doing a poor job a kick up the backside and reward those getting it right!
Achieving national cyber situational awareness can come from a number of places:
1. Although open source Threat Intelligence (TI) can give you a general awareness of threats, on its own it is typically too abstract to drive investment as you don’t know specifically and comprehensively who and where these threats are in your nation.
2. Gathering TI from existing SOCs and other cyber measures in place in your nation is another option. This can be useful information, but it’s sporadic, of unknown quality, an integration nightmare, and only covers organisations who already have some level of protection.
3. Fully monitoring your entire national Communication Service Provider (CSP, aka telco) networks for known and unknown threats all the time and in near real time. This gives you nationwide situational awareness from one capability with resolution down to who is being attacked, who is attacking and how it is changing (for better or worse) over time. This approach is sometimes referred to as ‘mid space cyber’.
BAE Systems Applied Intelligence has proven that national, nationwide situational awareness of a quality to correctly inform further large scale investment comes from taking (1) and applying it nationwide with (3). And this is exactly what our National Network Cyber Centre (NNCC) capability does.
Mid space matters
So what exactly is mid space? The ‘mid space’ is the middle area of the internet, i.e. the national CSPs. The ‘near space’ of organisational networks is more detailed, but simply too large at nationwide scale and hard to obtain. The ‘far space’ of global backbones and other countries is legally and logistically beyond the reach of most, and only really accessible in summarised form, indirectly, via government-to-government TI sharing.
As a nation, the mid space is the one place you can viably access the entire cyber space. But it’s really hard – there's a colossal volume of data, significant coverage is needed, and you don’t have the detailed resolution of data you get in an organisational SOC. You don’t often hear about mid space monitoring in the cyber industry – few solution providers have the people, knowledge of the mission or technology. It is not as simple as just scaling up SOC technology to national scale – we’ve seen some try this and all have failed.
National Network Cyber Centre (NNCC)
BAE Systems is uniquely placed, as one of the world’s largest engineering companies, with its unmatched footprint, multi-terabit nation-scale technologies and national security mission heritage, to crack mid space – and with the NNCC solution we’ve done it.
NNCC is specifically designed for the cyber mid space at national scale, in support of national agencies’ situational awareness and nationwide monitoring. Typically deployed in phases, it provides real national cyber situational awareness even from the first implementation, which we call NNCC stage one. This applies up to 2 million cyber indicators to national data flows of many hundreds of Gbps continuously, concurrently and in near real time, with results displayed in easy-to-analyse aggregated form as well as being accessible individually to the analyst. We train users not only in system operation, but also in cyber awareness and cyber analysis tradecraft.
An NNCC stage one system on day one of operation will support national cyber situational awareness:
- Provide near real time, comprehensive cyber threat alerts for two million cyber indicators, including the entire BAE Systems Threat Intelligence indicator set, updated continuously in near real time, against 100 per cent of multiple terabits of data continuously. This means it is not sampled and there is no performance tail-off under load. Now all your TI is applied to your nation on a factual, evidenced basis. No more guessing or relying on third party conjecture about how the TI applies to you.
- Present the many alerts generated in configurable and filterable dashboard form for situational awareness, showing threats across the whole nation, identifying who is under attack. National cyber roadmaps and strategic investment decisions are now easier to make based on indisputable evidence and fact.
Example – the situational awareness shows that a huge percentage of consumer users are infected with botnets, which has caused your country to appear at the bottom of the global cyber reputation lists. This would not have been spotted by SOCs monitoring a few commercial organisations. This could contribute to a decision for the national agency to compel CSPs to operate automatic ‘bad URL’ blocking across all users.
- Show trends over time, confirming the outcome of the spending.
Example – a CSP implements auto-blocking of known bad URLs, and reports back that they are blocking 20,000 accesses per day. Is this good or bad? Have they done a good job? Sounds like they have. You check NNCC, filtered to focus on that CSP. This shows their blocking is working, but only for known bad URL indicators six weeks and older, with the recent URLs getting through. This shows they are only doing a partial job. The national agency can now encourage the CSP to update faster, or invest in their TI sharing capability to feed the CSP with the latest bad URLs.
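The check in the example above (is the CSP's blocking effective for recent indicators, or only for stale ones?) comes down to comparing observed block-versus-allow outcomes against the age of the matched indicator. The following is an added illustration of that analysis, not NNCC code or data: the indicator feed, the CSP names and the alert records are all constructed, and the six-week boundary is taken from the example. The analysis generalises beyond the one case in the text by reporting the block rate per indicator-age bucket and the youngest indicator age at which any block was seen, which together show how far behind the feed a CSP's blocklist is running.

```python
"""Measure how current a CSP's 'bad URL' blocking is, using indicator age.

Added example with constructed data; not NNCC code or real alert records.
"""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2024, 6, 30)  # constructed reference date

# Constructed TI feed: URL indicator -> date the indicator was first published.
INDICATORS = {
    "bad.example/a": TODAY - timedelta(days=70),
    "bad.example/b": TODAY - timedelta(days=50),
    "bad.example/c": TODAY - timedelta(days=30),
    "bad.example/d": TODAY - timedelta(days=10),
    "bad.example/e": TODAY - timedelta(days=3),
}

# Constructed alert records: (csp, matched indicator, observed outcome).
# "blocked" means the monitor saw the access refused by the CSP's filter;
# "allowed" means the access completed.
ALERTS = [
    ("csp-a", "bad.example/a", "blocked"),
    ("csp-a", "bad.example/a", "blocked"),
    ("csp-a", "bad.example/a", "blocked"),
    ("csp-a", "bad.example/b", "blocked"),
    ("csp-a", "bad.example/b", "blocked"),
    ("csp-a", "bad.example/c", "allowed"),
    ("csp-a", "bad.example/c", "allowed"),
    ("csp-a", "bad.example/c", "allowed"),
    ("csp-a", "bad.example/d", "allowed"),
    ("csp-a", "bad.example/d", "allowed"),
    ("csp-a", "bad.example/d", "allowed"),
    ("csp-a", "bad.example/e", "allowed"),
    ("csp-a", "bad.example/e", "allowed"),
    ("csp-b", "bad.example/e", "blocked"),      # another CSP, filtered out
    ("csp-a", "unknown.example/x", "allowed"),  # not an indicator, ignored
]

# Age buckets in days: [lower, upper), None meaning open-ended. The 42-day
# boundary is the "six weeks" from the example.
AGE_BUCKETS = ((0, 14, "0-2 weeks"), (14, 42, "2-6 weeks"), (42, None, "6+ weeks"))


def age_bucket(age_days):
    """Map an indicator age in days to its bucket label."""
    for lo, hi, label in AGE_BUCKETS:
        if age_days >= lo and (hi is None or age_days < hi):
            return label
    raise ValueError(f"negative indicator age: {age_days}")


def block_rate_by_age(alerts, indicators, csp, today=TODAY):
    """Return {bucket: (blocked, total, rate)} for one CSP's indicator matches."""
    counts = defaultdict(lambda: [0, 0])  # bucket -> [blocked, total]
    for alert_csp, url, outcome in alerts:
        if alert_csp != csp or url not in indicators:
            continue
        bucket = age_bucket((today - indicators[url]).days)
        counts[bucket][1] += 1
        if outcome == "blocked":
            counts[bucket][0] += 1
    return {b: (blk, tot, blk / tot) for b, (blk, tot) in counts.items()}


def blocklist_staleness_days(alerts, indicators, csp, today=TODAY):
    """Youngest indicator age (days) at which any block was observed, or None.

    A large value means the CSP's blocklist lags the indicator feed by that much.
    """
    ages = [(today - indicators[url]).days
            for alert_csp, url, outcome in alerts
            if alert_csp == csp and url in indicators and outcome == "blocked"]
    return min(ages) if ages else None


def coverage_gaps(rates, threshold=0.9):
    """Bucket labels, in age order, where the observed block rate is below threshold."""
    return [label for _, _, label in AGE_BUCKETS
            if label in rates and rates[label][2] < threshold]


if __name__ == "__main__":
    rates = block_rate_by_age(ALERTS, INDICATORS, "csp-a")
    for _, _, label in AGE_BUCKETS:
        blk, tot, rate = rates.get(label, (0, 0, 0.0))
        print(f"{label:>10}: {blk}/{tot} blocked ({rate:.0%})")
    print("blocks seen only for indicators at least",
          blocklist_staleness_days(ALERTS, INDICATORS, "csp-a"), "days old")
    print("coverage gaps:", coverage_gaps(rates))
```

Run against the constructed data, the headline "we are blocking" figure hides that every match older than six weeks is blocked while nothing younger is, and the staleness figure tells the agency roughly how far behind the feed the CSP's list is. The same two functions run unchanged over a larger alert export, provided each record carries the CSP, the matched indicator and the observed outcome.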
NNCC can then be built on to stage two by introducing behavioural analytic threat detection, at scale and written specifically for mid space. Stage three provides efficient, colossal-scale metadata retention for retrospective cyber analysis and investigation, essentially a cyber time machine. Stage four is reserved for the most advanced features, providing further capability to those with expert analysts backed by mature processes. All stages come with skills training and processes to operate the mid space mission and integrate effectively with the wider national cyber agency.
NNCC goes beyond situational awareness. Nationwide monitoring ensures a level of protection for those that cannot justify their own SOC, and an independent second layer for those that can. This level of protection can be deployed and operational faster than even a single SOC for a single organisation. This applies to domestic users too – while it may not be a national cyber agency’s core mission to protect individuals, they do play a part (knowingly or not) in many cyber attack vectors.
NNCC can also be used to find specific threats. The metadata and cyber alert data created is comprehensive, allowing the analyst to rapidly delve down from the situational awareness views to groups and individual alerts. BAE Systems Applied Intelligence trains analysts to use this to find new specific threats as well as additional details about known threats.