Modernizing Cyber Defense for the U.S. Navy
While there has been press recently on the U.S. Navy’s challenges across cyber mission areas, one success story deserves to be told. Namely, while the world toiled amidst the challenges of the global pandemic, the Navy quietly and boldly transformed itself to become a leader in defensive cyberspace operations for the U.S. Department of Defense.
From Suffolk, Virginia, the Navy’s center of gravity for cyber defense and global network operations, two commands dedicate themselves to continuously operate, monitor, protect, secure and defend the Navy’s global array of unclassified and classified networks. The Naval Network Warfare Command (NNWC) securely operates and maintains Navy enterprise networks, while the Navy Cyber Defense Operations Command (NCDOC) protects and defends all Navy networks from malicious and adversarial activity. Both commands work in tandem and operate together under the Fleet Cyber Command/U.S. Tenth Fleet as one fighting force to securely operate and defend the Navy’s networks and prevent them from being compromised by the nation’s adversaries.
This story began more than two years ago, at the onset of COVID-19 and the global pandemic, when the Navy was forced to reinvent its computing environment to enable telework. Fleet Cyber Command/U.S. Tenth Fleet, NNWC and NCDOC leadership realized that legacy tools and techniques would not be effective in securely operating and defending this new environment. So, as the pandemic pushed everyone into unprecedented situations, the sailors at the NNWC and NCDOC devised creative and innovative ways of protecting the Navy’s networks in a massive telework environment, setting the Navy on a path to transform the way the U.S. Department of Defense views and conducts cyber defense and cybersecurity operations.
To enhance telework security, the NCDOC worked with representatives at the Fleet Cyber Command/U.S. Tenth Fleet to join a government-sponsored pilot to deploy an advanced cloud-based endpoint detection and response tool called Microsoft Defender for Endpoint (MDE). Leveraging their strategic partnership with the NNWC, the NCDOC tested MDE on its enterprise networks—ensuring that covered endpoints were monitored in real time regardless of whether they were connected to the Department of Defense Information Network through a virtual private network. This helped close a possible gap in coverage due to the surge in telework—but also provided significantly better tools to assess the state of these devices.
MDE rapidly demonstrated its worth, identifying misconfigurations, detecting multiple possible incidents and helping to block thousands of potential malicious events. Based on this success, the onboarding process escalated and expanded to hundreds of thousands of endpoints across the Navy’s globally dispersed ecosystem of networks. The Navy essentially used MDE to turn its endpoint devices into thousands of advanced cloud-connected sensors that provide NCDOC and NNWC analysts with enhanced network insight and detection capabilities.
The NCDOC now has access to enriched endpoint data sets, unprecedented asset awareness and the ability to take immediate response actions and maneuver Navy networks across hundreds of thousands of endpoints and hosts. Rather than simply monitoring activity, the NCDOC can proactively take action, pull memory, isolate suspicious activity, halt processes and, if necessary, completely quarantine a device.
These new capabilities dramatically increase the NCDOC’s ability to detect malicious activity and enhance the NNWC’s capacity to securely operate enterprise networks. In a mission space where time is measured in milliseconds, decreasing response time is essential to preventing nation-state adversaries from compromising a network. In addition, network owners now have the same view of their cybersecurity posture as the NCDOC—everyone works from a common baseline. Seeing the threat and the current state of networks and devices from the same lens is a game changer for non-enterprise Navy networks that once operated under a disparate and disconnected structure of cybersecurity service provider roles.
A second benefit, alongside the underlying security structure provided by MDE, is the ability to give Navy enterprise customers access to critical messaging and collaboration tools through Microsoft’s Office 365 platform, a program known as “Flank Speed.” The overarching vision behind Flank Speed from the beginning was to empower Navy customers by providing secure access to the information and tools they need to execute their mission from any device, on any network, at any time. While Flank Speed is commonly thought of as just “Office 365,” it was designed from the start to change how we operate, secure and defend Navy data to enable that vision.
MDE was just the first step on that journey, and as the MDE initiative continued to grow, the Navy made another bold and strategic move. As part of a separate 2021 Microsoft partnership with the White House, the Navy was granted access to Microsoft’s top-tier security and defensive tools.
So, in addition to MDE, the NCDOC and NNWC began to leverage tools such as Defender for Identity, Defender for Office, Defender for Cloud Apps, Sentinel, Intune, Power BI and more. This strategic partnership, built on the original design of Flank Speed, continues to transform the platform into the centerpiece of the Navy’s security architecture, providing secure access to information and applications from any device anywhere. At the same time, it delivers fully integrated top-tier cyber detection and response capabilities across end users, identities and cloud applications.
Over the past two years, these initiatives have enabled the Navy to develop arguably the most robust cyber defense platform in the Department of Defense. The NCDOC now possesses an industry-leading extended detection and response platform and a cloud-based security information and event management/security orchestration, automation and response tool that processes over 2 billion events a day.
By processing billions of events through automated scripts and playbooks and enriching them with current threat intelligence, the NCDOC creates a series of high-fidelity and prioritized incidents for analysts to triage and investigate. Ultimately, these advancements have thrust the Navy’s cyber defense capabilities into the modern age and are enabling the Navy to implement its Information Superiority Vision Campaign Plan and the Department of Defense’s Zero Trust Strategy.
“The capabilities that NNWC and NCDOC have enabled are a testament to the broader capabilities of the cloud that the department has unlocked. Moving to a cloud-based network has allowed sailors, Marines and civilians the ability to work anywhere that IP [internet protocol] traffic flows while the information is defended anywhere in the world at a capability that far outstrips anything previously fielded by the DoD,” said Aaron Weis, chief information officer, Department of the Navy.
Through bold leadership, innovation and dedication, the Navy is successfully demonstrating how to employ and operationalize a cloud-native security and cyber defense architecture. As this journey continues, Navy teams are working with the Department of Defense to help inform and guide cybersecurity and cyber defense modernization efforts across the department to achieve a highly secure, zero-trust environment.
Capt. Christina Hicks is a Navy Information Professional officer, Certified Information Systems Security Professional and the commanding officer of Navy Cyber Defense Operations Command.
Cmdr. Brandon Campbell is a Navy Cryptologic Warfare officer, Certified Information Systems Security Professional and the former operations director at Navy Cyber Defense Operations Command.