Securing Military Devices

August 2012
By Rita Boland, SIGNAL Magazine


The Defense Information Systems Agency’s Host-Based Security System helps network defenders thwart threats at the device level. Enhanced capabilities and better training are rolling out to cyberpersonnel in response to new threats and technologies.

The U.S. Defense Department is advancing computer protection while extending safeguards to smartphones.

The Defense Information Systems Agency’s Host-Based Security System is evolving to handle today’s wide range and high number of cyberthreats as well as to accommodate the prevalence of emerging mobile platforms. With a new contract in place, the experts who employ the system to keep networks safe will train more often in realistic scenarios, preparing them for attacks that would disrupt operations.

Personnel involved with the program, from both the public and private sectors, will continue to leverage the Host-Based Security System (HBSS) to provide more capabilities in various scenarios and operational environments. The HBSS is not a single commercial product but rather a system of off-the-shelf technologies used to protect hosts. The main focus for the future of the capability is ensuring the right training program, one that goes well beyond learning to implement the system and instead emphasizes how to operate it, especially in a contested environment. “The community will see some major steps forward in that area,” states Mark Orndorff, program executive officer for mission assurance and network operations at the Defense Information Systems Agency (DISA). Network defenders who use the technology as part of their toolkits to protect and defend the networks will spend more time in cyber ranges to practice integrating the HBSS into cyber operations.

Don Jenkins, chief of the strategic planning branch, Program Executive Office of Mission Assurance and Network Operations Directorate, DISA, explains further: “The value of getting the cyber operational community into the cyber ranges and leveraging those as training environments is so that we can have simulated adversary activity on the network with the operators engaging with the adversary and learning how to fully use HBSS in a stressful, contested environment. Using HBSS every day on a production network will give you a level of expertise and familiarity and everything, but that’s not the target that we are trying to train for.”

Even as many new aspects of the system begin to roll out, Jenkins believes, some users may not fully comprehend its existing capabilities. He specifically points out that more focus needs to be on leadership rather than on operators, and that the system is intricate. “If you’re familiar with antivirus and think of the HBSS as the next generation of antivirus, you have completely missed the complexity of ... HBSS,” Jenkins states. The system is a powerful but complicated capability that requires a dedicated staff of experts to tune it and leverage its full potential. Some members of the community believed they could install it, run it and forget about it, yet still benefit from all its capability. In reality, users must finesse the system and pay attention to the provided information to derive total value from the HBSS, Jenkins explains.

Part of the work to optimize the HBSS will take place through a recent contract to Northrop Grumman Corporation and its partner McAfee. The companies plan to apply the system contextually to what operators require, so the training will be specific to the mission context of various groups. U.S. Cyber Command will influence the efforts as it provides input on the knowledge, skills and abilities that operators and analysts require. Though DISA leads the HBSS program, the military services and Cyber Command are integral partners that have committed resources and energy to the system. The organizations work together on the software, releases, training products and documentation.

Industry also plays a key role, as made evident by the recent contract award. Orndorff explains that by using commercial products from the beginning, the military has been able to add both commercial and government advances over the years. “I think industry is doing lots of innovative work in the area of cybersecurity, and we want to leverage that and get the benefits of the commercial marketplace,” he says. “I think there are other things that need to be done over and above what industry is doing, and of course you know there is plenty of focus within the Department of Defense to augment industry capabilities with advanced capabilities that are developed by the department.”

Mike Papay, vice president, Cyber Initiatives, Northrop Grumman Information Systems, stresses the importance of the HBSS in its ability to initiate new technology to combat the latest threats as they arise. “What we’re seeing is a real change in the complexity of the threats and their persistence,” he explains, adding that adversaries take every opportunity to break into target systems. An evolving security posture is important as leaders look ahead over the life of the recent contract, which has a base period of three years with two one-year options. If the future contains both positive and negative disruptions similar to those that emerged over the last five years—including the iPad, the Stuxnet virus and Cyber Command—quick reactions will be essential to survival.

Since the HBSS first came online for the nonsecure and secret Internet protocol routing networks, or NIPRNET and SIPRNET, in 2006, the software baseline has become stable enough to tune signatures dynamically to address emerging threats. Originally, users spent more time testing and updating software products. The release schedule also has been adjusted. Baseline releases come out biannually—a result of the user community requesting less frequent releases than under the original schedule that called for them to go out quarterly or even more often. With the tuning capabilities, operators can leverage products as needed for emerging threats.

Initially the program was designed to improve the security of endpoints, but it since has transferred into an enterprise-level campaign to strengthen situational awareness and reinforce the command and control of networks throughout the U.S. Defense Department. When it began, the HBSS was intended to improve military computing platforms, recognizing the gap that existed when an off-the-shelf computer system was placed on the network.

DISA and its partners continually search for ways to make the network more defendable, sometimes even through measures that could be considered as at the expense of the HBSS. Orndorff says the military wants to become less dependent on device-level security such as that provided by the system through building security into the infrastructure. In addition, the department examines tools such as virtualization that enable network operators to control, update and manage the actual end-user working environment better.

The nature of host-based security makes the HBSS more difficult to command and control globally than some of the other security capabilities in place on the network. Those solutions enable defenders to achieve instant worldwide coverage through centrally implemented countermeasures. Because the HBSS is deployed on individual devices, operators have less ability to respond to threats in real time than they do in cases where the defense capabilities are built into the enterprise infrastructure.

Another key piece of the cybersecurity future, particularly for efforts such as the HBSS, is the explosion of mobile devices. DISA already extends antivirus and antispyware coverage to the BlackBerry desk server, and Jenkins says, “We certainly are leaning forward in the mobile arena.” However, the efforts are acquisition-sensitive, and officials decline to mention specifics, though Jenkins emphasizes that the organization has a charge to advance security within the mobile arena.

As security expands to include more mobile devices, the HBSS offers an opportunity to find the best coverage available in the commercial marketplace and integrate it into the host- and device-level system. Moving forward, DISA is focusing heavily on evolving the HBSS by bringing in the best technology, a feat enhanced by the fact that the system is not tied to a single vendor.

To ensure that the security matures in accordance with threats in the defense and intelligence communities, HBSS personnel are undertaking several innovation pilots to address areas where they believe gaps in the architecture might exist. The efforts take place in laboratory environments where experts can search for additional technology available through the commercial marketplace that they may want to plug in to the current baseline. “We have some idea of things that are looking pretty promising in the lab that we expect to roll out into some limited operational evaluations here in the next few months,” Jenkins says. The HBSS is benefiting from congressional support of cyber innovation pilots. Program officials are leveraging that language to mature the HBSS and other security architecture.
