COMMERCE BUSINESS DAILY ISSUE OF JULY 22, 1999 PSA#2393

Defense Information Systems Agency, DITCO-NCR, 701 South Court House Road, Arlington, VA 22204-2199

B -- SPECIAL STUDIES AND ANALYSIS -- NOT R&D
DUE 090799
POC Dr. Anita Goel, (703) 681-7927

The Defense Information Systems Agency (DISA), Joint Interoperability and Engineering Organization (JIEO) is releasing an RFI for a potential pilot Defensive Information Operations (DIO) Enterprise Management System (EMS). This RFI is released to private industry for interested parties to comment. Interested parties should respond with comments within 45 days of the RFI release. All respondents are cautioned that this RFI is for information and planning purposes only, does not constitute an Invitation to Bid or a Request for Proposal, and is not to be construed as a commitment by DISA.

DISA is tasked to provide technical support for the Joint Task Force, Computer Network Defense (JTF-CND). Part of this tasking includes the development of a collaborative decision support environment that will improve current processes to:
    Share a common understanding of network status, the impact of anomalous events on military missions, and DIO among Commanders, decision-makers, and DIO technical analysts.
Additionally, this collaborative environment will support the development, analysis, selection and execution of DIO courses of action within an acceptable threat-reaction cycle.

A collateral part of this task includes the development of a collaborative analysis support environment that will improve current processes to:
    Collect, aggregate, analyze, and share intrusion detection, vulnerability, and other anomalous event data locally, regionally, and globally.
    Correlate/fuse intrusion, vulnerability, and event data with other intelligence and operational data to facilitate information attack characterization and attribution.
    Determine actual and potential effects of intrusions and vulnerabilities on mission critical systems' mission readiness, and on current or planned military operations.

Currently DISA is conducting this effort through a combination of government development initiatives integrated with Commercial Off-the-Shelf (COTS) products. The purpose of this RFI is to query commercial industry for recommended procedures, techniques, and technologies that will achieve the desired capabilities listed above. Additionally, DISA will use the responses generated by this RFI to assess the potential for private industry to deliver enterprise level solutions to the desired DIO EMS capabilities listed.

1. Some fundamental challenges of DoD enterprise level DIO include:
   a. How to manage the vast quantities of data produced by automated intrusion detection, anomalous event, and vulnerability assessment systems. The important issue here is not how to identify intrusions, but rather how to identify significant information attacks or events in the presence of many normal events, intrusions, and intrusion attempts.
   b. How to combine or fuse this automated data with other information, e.g. intelligence, law enforcement, and military operational information, and how to analyze the resulting combined information resource in order to predict or detect attacks and develop courses of action to effectively respond to those attacks within an acceptable threat-reaction cycle.
   c. How to manage a DoD-level, global information enterprise in such a manner that DIO courses of action can be successfully executed.

2. The employment of a three-tiered hierarchy is a critical component of our current DIO concept of operation. Tier 1 of this hierarchy is the global layer, which includes such organizations as the DISA Global Network Operations and Security Center (GNOSC) and the JTF-CND. Tier 2 is the regional layer, which includes the military service Computer Emergency Response Teams (CERTs), the DISA regional CERTs, and the Commanders in Chief of Supported and Supporting Commands. Tier 3 is the local layer, which includes bases, posts, camps, stations, Agency campus LANs, MANs, and the deployed JTF.

3. A well-organized and instrumented three-tiered hierarchy contributes to solving the data management challenge. From this perspective each layer must perform its own data reduction and correlation functions prior to sharing relevant DIO information up, down and laterally. The operational objective is to confine raw data to the layer that collects it, while feeding all layers with highly significant information and knowledge.

4. A well-organized and instrumented three-tiered hierarchy supports human analysts and decision makers in developing and sharing a common understanding of the DIO situation and facilitates the development and execution of DIO courses of action. The operational objective is to provide automated decision support, expert systems support, contingency modeling support and human factors engineering, e.g. optimal display formats, audio/visual information processing, etc., in order to enhance the ability of humans to conduct DIO.

Desired System Capabilities:

1. The system will have the capability to collect, aggregate, reduce, store, analyze and share intrusion detection, vulnerability and anomalous event data at three functional levels, i.e. locally, regionally, and at the global level. In addition, information and data must be retained for forensic purposes in a manner that satisfies rules of evidence and supports prosecution of criminal misconduct.

2. The system will have a technical and procedural schema to mitigate the massive data scalability issues that will be faced by a DIO/EMS operating at multiple functional levels.

3. This system will collect intrusion detection, vulnerability, system management and other event data from a heterogeneous set of sensors that will vary both by collection criteria and vendor.

4. The system must be able to accept data from multiple sources, both automated and manual.

5. The system must be able to interface with the current DISA trouble ticketing system, i.e. Remedy, to generate, update, or close trouble tickets.

6. The system must include a self-discovery network mapping capability and be able to model the critical information infrastructure of the DOD and provide analysis of actual or potential effects of intrusions on mission critical systems and current or planned military missions. The rules, methods, heuristics and other knowledge engineering inputs to the system must be loadable in an extemporaneous, dynamic manner, without recompiling or rebooting the system. The system should provide a graphical, user-friendly interface to facilitate the operator's ability to add, modify, define, or delete system rules, methods, heuristics and other knowledge engineering inputs rapidly and commensurate with the knowledge and skill level of a typical LAN system administrator.

7. The system will perform data normalization and translation from proprietary alert message protocols to a standard language to permit correlation and analysis of data across sensors, including normalization or aggregation of messages across multiple sensors, i.e., if two different sensors report a login failure on the same host for the same user, this data would be minimized to one report.

8. The system will have the capability to do escalation, which will allow attack reporting through appropriate channels, vertically and horizontally, while retaining the identity of the event, e.g. date/time stamping, event included in rollup of other events, etc.

9. The system will have the capability for graphical data visualization and will support a common visualization data source and engine to create appropriate views for decision-makers at the three functional levels.

10. The system will have an attack reaction and recovery decision support capability for countermeasure and recovery that delivers response options weighted by (a) the confidence level that the response will be sufficient for recovery and (b) an advisory of any adverse impact of implementing the option.

11. The system will have permanent data storage to store all desired events in a permanent database(s) for future trending, reporting, analysis and forensic requirements, including all attributes necessary for evidentiary considerations and prosecution of criminal misconduct.

12. The system will constitute a prime target for potential adversaries and as such must incorporate significant network and host security features, to include support for the DOD Class 3, medium assurance PKI that utilizes X.509 version 3 Certificates and version 2 Certificate Revocation Lists (CRLs).

13. The system must not conflict with leading products in the commercial market. It must employ standard protocols capable of securely crossing cyber security perimeters.

15. The system will be Y2K Compliant.
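The normalization and aggregation behaviour of capability 7, the identity-preserving escalation rollup of capability 8, and the per-layer data reduction of paragraph 3 of the concept of operations can be shown in a small program. This is an added example written for this page, not code from DISA, the RFI or any sensor vendor; the two sensor message formats ("vendorA" key=value lines and "vendorB" comma-separated lines), the common field names, the 60-second aggregation window and the event records are all constructed for the illustration.

```python
"""Normalize alerts from two hypothetical sensor formats into one schema,
collapse duplicate reports of the same event, and build an escalation
rollup that keeps each contributing sensor event's identity."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample input (hypothetical formats and events).  Both sensors
# see the same login failure on srv12 for jdoe two seconds apart; a later
# failure 28 minutes on is a separate event.
SENSOR_A_LINES = [
    "1999-07-20T14:02:11Z vendorA id=A-1001 type=LOGIN_FAIL host=srv12 user=jdoe",
    "1999-07-20T14:02:40Z vendorA id=A-1002 type=PORTSCAN host=srv12 src=10.0.0.5",
]
SENSOR_B_LINES = [
    "B-2001,1999-07-20T14:02:13Z,auth-failure,srv12,jdoe",
    "B-2002,1999-07-20T14:30:00Z,auth-failure,srv12,jdoe",
]

# Vendor-specific event names mapped onto the common vocabulary.
TYPE_MAP = {"LOGIN_FAIL": "login_failure", "auth-failure": "login_failure",
            "PORTSCAN": "port_scan"}
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class SourceRef:
    """Identity of one raw sensor event: who reported it, its id, and when."""
    sensor: str
    event_id: str
    timestamp: datetime


@dataclass
class Alert:
    """One sensor message in the common schema."""
    event_type: str
    host: str
    user: str
    source: SourceRef


@dataclass
class Report:
    """One aggregated report; sources retains every contributing event."""
    event_type: str
    host: str
    user: str
    first_seen: datetime
    last_seen: datetime
    sources: list = field(default_factory=list)

    @property
    def count(self):
        return len(self.sources)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_vendor_a(line):
    ts, sensor, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    return Alert(TYPE_MAP.get(kv["type"], kv["type"].lower()), kv["host"],
                 kv.get("user", "-"), SourceRef(sensor, kv["id"], parse_ts(ts)))


def parse_vendor_b(line):
    event_id, ts, kind, host, user = line.split(",")
    return Alert(TYPE_MAP.get(kind, kind.lower()), host, user,
                 SourceRef("vendorB", event_id, parse_ts(ts)))


def normalize(a_lines, b_lines):
    """Translate both proprietary formats and order the result by time."""
    alerts = [parse_vendor_a(l) for l in a_lines] + [parse_vendor_b(l) for l in b_lines]
    return sorted(alerts, key=lambda a: a.source.timestamp)


def aggregate(alerts, window=timedelta(seconds=60)):
    """Merge alerts with the same (type, host, user) that fall within the
    window of a report's first event; later ones open a new report."""
    reports, open_reports = [], {}
    for a in alerts:
        key = (a.event_type, a.host, a.user)
        r = open_reports.get(key)
        if r is not None and a.source.timestamp - r.first_seen <= window:
            r.sources.append(a.source)
            r.last_seen = max(r.last_seen, a.source.timestamp)
        else:
            r = Report(a.event_type, a.host, a.user, a.source.timestamp,
                       a.source.timestamp, [a.source])
            reports.append(r)
            open_reports[key] = r
    return reports


def escalation_lines(reports):
    """What the local tier passes upward: one line per report, with the
    date/time stamps and the ids of the rolled-up source events."""
    out = []
    for r in reports:
        ids = ",".join(f"{s.sensor}:{s.event_id}" for s in r.sources)
        out.append(f"{r.event_type} host={r.host} user={r.user} count={r.count} "
                   f"first={r.first_seen.isoformat()}Z last={r.last_seen.isoformat()}Z "
                   f"sources={ids}")
    return out


if __name__ == "__main__":
    for line in escalation_lines(aggregate(normalize(SENSOR_A_LINES, SENSOR_B_LINES))):
        print(line)
```

The raw sensor lines never leave the function that parsed them, which is the paragraph 3 objective of confining raw data to the collecting layer; what goes up the hierarchy is the aggregated report, and because each report carries the sensor, id and timestamp of every event folded into it, an analyst at a higher tier can still trace a rollup back to the original records for the forensic retention required by capabilities 1 and 11.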
Questions to Industry:

1. Will the hypothetical concept of operations outlined in section III above yield the desired capabilities and mitigate the fundamental challenges outlined in that section? If not, why? Are there more effective and/or efficient operational concepts?

2. What mathematical equations could be postulated to model the performance and effectiveness of systems collecting, processing, correlating and sharing information based on the hypothetical concept of operations outlined in section III above?

3. DISA's current correlation techniques use backward and forward chaining. Balancing correlation effectiveness with resource efficiency, are there better correlation techniques currently available? If so, what are they and how are they more effective and/or efficient?

4. Visualization of the DIO situation is considered a significant human factors support for decision-makers and analysts. What should such a DIO situational picture look like? How should it evolve and respond to changes in the DIO situation? What other human factor supports would be useful to this effort?

5. What techniques, technologies, and protocols should be employed to achieve secure interoperability throughout the DIO enterprise?

6. What data reduction techniques and technologies are available to reduce the massive volumes of data generated by DIO while retaining critical information content?

For more detailed information contact Dr. Anita Goel at (703) 681-7927 or e-mail her at goela@ncr.disa.mil. Send responses to Dr. Anita Goel, 5113 Leesburg Pike, Suite 400, Information Assurance Program Office, Falls Church, Virginia 22041-3230.

Posted 07/20/99 (W-SN356298). (0201)
Loren Data Corp. http://www.ld.com (SYN# 0024 19990722\B-0009.SOL)