Critical Infrastructure Protection and Resilience, North America, 2018-10-05 10:04:09
DISA’s Acropolis fortifies DOD’s Information Network, adapts to ever-changing adversaries
It’s hard to imagine a day when concerns about cybersecurity aren’t a topic of discussion on American news channels. What isn’t normally reported is that these cyber battles have been raging for years, and, just as in kinetic battles, it takes constant innovation to ensure America stays well ahead of its adversaries in the ever-changing information environment.
Acropolis, formerly known as the Community Data Center (CDC), stands vigil as the centralized cyber defense environment that provides situational awareness of the Department of Defense’s (DOD) Information Network (DODIN).
Acropolis collects, stores, and analyzes network traffic on the Non-classified Internet Protocol Router Network (NIPRNet), Secret Internet Protocol Router Network (SIPRNet), and DOD enterprise services in an effort to detect and deter America’s enemies.
The environment runs on an infrastructure called CENTAUR. CENTAUR is a repository of detailed NIPRNet traffic data that enables analysts to visualize cyber activity over the past 18 months.
DISA’s cyber analysts continuously monitor data within Acropolis to detect threats, perform data exploration and analysis, search for adversaries, and develop countermeasures to eliminate any threat — at any time.
Matthew Matzer, Acropolis program manager and CENTAUR operations chief, explained how Acropolis consolidates the data, tools, and capabilities cyber analysts need to protect and defend the DODIN against attacks.
“Acropolis provides a global view of data on the NIPRNet and SIPRNet, allowing analysts to protect and defend the DODIN against the rapidly increasing number of cyberattacks against the department,” said Matzer. “It also provides information assurance for the warfighter.”
More than 5,000 defensive cyber operations analysts have access to the environment.
“DOD cyber analysts around the world use it every day to track adversarial movements across the entire DODIN,” said Matzer.
Acropolis’ building blocks
The Acropolis environment currently houses more than 100 unique data types, including NetFlow, packet capture, intrusion detection system logs, web content filtering logs, access control list and router logs, email logs, and firewall logs.
Additionally, the infrastructure supports several programs within its network enclaves and hosts numerous tools and capabilities:
- A commercial tool for data correlation and real time data analysis.
- A commercial tool for security event management and workflow.
- A commercial full packet capture tool.
- Big Data Platform/Cyber Situational Awareness Analytical Cloud: big data analytic cloud.
- Continuous Monitoring and Risk Scoring (CMRS) system: a cybersecurity risk visualization tool based on data from the Host-Based Security System, the digital policy management system, and the assured compliance assessment solution.
- Digital Policy Management System: a database containing data from information assurance vulnerability management and the cyber operational attribute system; it feeds the CMRS.
- Enterprise Engineering tools: DODIN tools for data modeling and capacity planning.
- Data brokering service: collects, transports, enriches, translates, and delivers defensive cyber operations data to subscribers.
The data brokering service handles the transport and ingestion of data into the environment, and because it separates the collection of a data feed from its delivery, it can route new or changed feeds to subscribers quickly, improving efficiency and productivity for cyber analysts.
“In the past, when we needed information or logs, we had to create a solution for each request to get the data,” said Matzer. “We realized that we needed a program apart from Acropolis that did nothing but data.”
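The collect, translate, enrich and deliver pipeline that the data brokering service performs, shown as a toy in Python. This is an added example, not DISA's or Acropolis' code; the two record formats (a CSV flow record and a syslog-style firewall line, two of the data types listed above), the internal address ranges and the subscriber names are constructed for the illustration.

```python
"""Added example (not DISA code): a toy data-brokering service in the shape the
article describes: collect a raw record, translate it to a common schema, enrich
it, and deliver it to subscribers.  Log formats, address ranges and subscriber
names are hypothetical."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical internal address space used by the enrichment step.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Event:
    ts: str
    source: str            # "netflow" or "firewall"
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    action: str = "allow"  # firewall verdict; flow records carry none
    nbytes: int = 0
    tags: List[str] = field(default_factory=list)  # filled by enrich()

def parse_netflow(line: str) -> Event:
    """Constructed CSV flow record: ts,src,dst,sport,dport,proto,packets,bytes."""
    ts, src, dst, _sport, dport, proto, _pkts, nbytes = line.strip().split(",")
    return Event(ts, "netflow", src, dst, int(dport), proto, nbytes=int(nbytes))

# Constructed syslog-style line: "Oct 05 10:04:10 fw1 DENY TCP 203.0.113.7:40000 -> 10.1.2.3:22"
_FW_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<action>ALLOW|DENY) "
                    r"(?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_firewall(line: str) -> Event:
    m = _FW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    return Event(m["ts"], "firewall", m["src"], m["dst"], int(m["dport"]),
                 m["proto"], action=m["action"].lower())

def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def enrich(ev: Event) -> Event:
    """Tag traffic direction and blocked verdicts so subscribers can filter on them."""
    src_in, dst_in = _is_internal(ev.src_ip), _is_internal(ev.dst_ip)
    ev.tags.append({(True, False): "outbound", (False, True): "inbound",
                    (True, True): "internal", (False, False): "external"}[(src_in, dst_in)])
    if ev.action == "deny":
        ev.tags.append("blocked")
    return ev

PARSERS: Dict[str, Callable[[str], Event]] = {"netflow": parse_netflow,
                                               "firewall": parse_firewall}

class Broker:
    """Each ingested line is translated and enriched once, then delivered to
    every subscriber whose predicate accepts it."""
    def __init__(self) -> None:
        self._subs: List[tuple] = []

    def subscribe(self, name: str, want: Callable[[Event], bool],
                  handler: Callable[[Event], None]) -> None:
        self._subs.append((name, want, handler))

    def ingest(self, source: str, line: str) -> List[str]:
        """Returns the names of the subscribers that received the event."""
        ev = enrich(PARSERS[source](line))
        delivered = []
        for name, want, handler in self._subs:
            if want(ev):
                handler(ev)
                delivered.append(name)
        return delivered

def demo() -> Dict[str, List[Event]]:
    """Route two constructed records to two hypothetical subscriber queues."""
    queues: Dict[str, List[Event]] = {"exfil-watch": [], "blocked-inbound": []}
    broker = Broker()
    broker.subscribe("exfil-watch", lambda e: "outbound" in e.tags and e.nbytes > 1000,
                     queues["exfil-watch"].append)
    broker.subscribe("blocked-inbound", lambda e: "inbound" in e.tags and "blocked" in e.tags,
                     queues["blocked-inbound"].append)
    broker.ingest("netflow", "2018-10-05T10:04:09Z,10.1.2.3,203.0.113.7,54321,443,TCP,17,2048")
    broker.ingest("firewall", "Oct 05 10:04:10 fw1 DENY TCP 203.0.113.7:40000 -> 10.1.2.3:22")
    return queues

if __name__ == "__main__":
    for name, q in demo().items():
        print(name, [(e.source, e.src_ip, e.dst_ip, e.tags) for e in q])
```

The point of the common `Event` schema is the one Matzer makes: once every source is translated into it, adding a subscriber (an analyst tool, a correlation engine) is a predicate registration rather than a new per-request integration, and a new data type only needs a parser added to `PARSERS`.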
Innovation never ends
The Acropolis Program Management Office recently launched Where We Fight (WWF), a new initiative to improve the operational value and effectiveness of the Acropolis environment by redesigning its architecture around an updated, validated set of DISA operational requirements.
“WWF started in early 2017 with requirements gathering through DISA’s Requirements and Analysis Office, DISA’s Operations Directorate, and the Acropolis Program Management Office,” said Matzer. “We are now in the implementation phase where we’re updating the Acropolis architecture to meet the newly validated set of requirements.”
The redesign will incorporate non-classified and classified cloud environments to store and protect data.
Matzer explained that cloud environments save money, increase efficiency for cyber analysts, and support the DOD chief information officer’s effort to adopt cloud-computing technologies.
“Conducting a cloud migration at the same time will help us meet DOD requirements, reduce operating costs, and speed up the availability of services for analysts,” he said.
The redesign improves the Acropolis architecture by adding a new, private secret-level network and by using the data brokering service, as a separate program, for all enclaves. This will give analysts quick access to tools and services within the Acropolis environment.
Additional improvements include regionalized data collection with cross query capabilities and direct virtual desktop infrastructure access to Acropolis workstations for cyber analysts.
The Where We Fight initiative is scheduled for completion by fiscal year 2021.