CASCADE: Joint Cyber Sensor Architecture
CLASSIFICATION: SECRET // COMINT // REL FVEY (title slide); body slides marked TOP SECRET // COMINT // REL FVEY

Agenda
- Project Overview
- Current Status
- Proposed Architecture
- Towards 2015

Purpose: alignment of passive cyber sensor capabilities and architecture in the SIGINT and ITS missions.

Project Overview

Goals
- Common sensor technology and architecture
- Address scalability issues in sensor deployments

Scope
- Passive sensors and supporting infrastructure are in scope
- Analytic tools are out of scope
- Host-based capability is out of scope (caveat: passive messaging is in scope)

Our Sensors

ITS: Monitoring of GC networks. Includes:
- Full-take packet capture
- Signature-based detection
- Anomaly-based discovery
- Analytic environment
- Oversight and compliance tools

SIGINT: EONBLUE monitoring in passive SIGINT (label partly garbled). Includes:
- Full-take at specific accesses
- Signature-based detection
- Anomaly-based discovery
Additional functions are offloaded and exist further downstream:
- Analytic environment
- Data tasking (label garbled)
- Oversight and compliance tools

[Diagram: SIGINT sensor overview showing INDUCTION, processing, tracking and CRUCIBLE components; remaining labels garbled in the OCR]

Special Source
- INDUCTION coverage of main SSO sites
- Metadata production at select new sites
- CRUCIBLE deployments to newly emerging sites; environment survey
- Increase in link speeds if warranted
- Collection sensor deployment; full-take collection

FORNSAT
- Recently upgraded to current EONBLUE code base
- Leveraging SCI-IQ CHOKEPOINT solution to integrate with environment
- Virtualised
- Working on SMO CHOKEPOINT system en route to CASSIOPEIA

(Third access area; heading garbled)
- No presence as of yet; plans to leverage CHOKEPOINT capability

Current Status: IT Security Deployments
- Deployment at 3 edge gateway GC departments; dynamic defence is enabled at two of these sites
- Deployment at the main government backbone: dual 10Gbps links, 3Gbps loading; data volumes continue to increase due to Internet Access Point aggregation
- Currently performing full take and storage of all monitored traffic
- System performance issues; overall analyst usability issues

Divergence: Sensor Deployments
- While both ITS and SIGINT currently leverage EONBLUE software, the architectures are not aligned
- Configuration differs greatly
- Software versions are not standard across programs
- The full capability of EONBLUE is not being leveraged equally across programs

Proposal: CASCADE, A Way Forward
- Divergence: sensor architectures have diverged between ITS and SIGINT; within each area versions are not standardized
- Management and Scalability: some configurations will not scale; difficult to manage current sensor environment; high cost to grow existing solution (people, HW/SW costs)
- Duplication of Effort: divergence creates duplication of effort; limited resources are not focused on innovation and new challenges

[Diagram: CASCADE objectives. Recoverable labels: Shared Mission Space; Ensure that SIGINT and ITS approach to Sensor Tracking and Metadata Production are aligned; Develop/Implement Single Interconnect; Simplify Management; Interoperability; Extend Native (remainder garbled)]

SIGINT Alignment
- Ensure EONBLUE is deployed in a standard fashion across all environments
- Upgrade SCNET to 10Gbps
- Update all SIGINT collection EONBLUE sites to latest code release
- Produce standard metadata: DNS response, HTTP client, harvesting (qualifier garbled), server headers, summarizations

Address SCNET Scalability
- Reconfiguration/design of storage solution
- Improved/enforced data indexing and querying
- Leverage Third-Eye architecture: distributed collection grid; queries are federated and efficient at multiple clients
- Centrally managed firewall logs

Full-Take Strategy

Benefits
- Improve performance: better data indexing techniques; federated queries across multiple systems
- Reduced cost: storage local to client departments (per client); re-use of back-end storage
- Enable departmental security officers / operators
- Capability of Third-Eye exceeds what is commercially available

Cons
- Requires network connections to each GC department
- Requires footprint within each department's datacenter
- Complexity of distributed processing

Benefits of Alignment
- Targeting selectors for cyber threats will be unified
- Outputs should be common to enable a common analyst platform
- Access to data collected by SIGINT sensors (prefix garbled)
- Sensor environment should be seamlessly integrated
- Capability remains at cutting edge
- Single release for all collection programs in SIGINT, all points of presence and across both missions
- Management is simplified for operators, focusing on sensor expansions
- Standardized OS versions and optimizations

[Diagram: all cyber sensors form a complete eco-system; extend messaging to host-based capabilities; cyber processing and analytic environments converge; remaining labels garbled]

Deployment Strategy
- Where do you deploy sensors to maximize detection capabilities for Foreign Intelligence collection and Network Defence?
- Coverage-based deployment considerations: what are the gaps?
- Threat-based deployment considerations: what are the gaps? Based on EPRs, threat trends and forecasting reports, adversary TTPs

[Diagram: Canadian cyber coverage. Recoverable labels: Defensive Monitoring; FORNSAT; Canadian Internet Space; Special Source / Special Access / Warranted Access]

Towards 2015: Beyond sensor unification

CSEC 2015 Strategic Priorities for CSEC
- Strengthen team and prepare for our new facility
- Adopt innovative and agile business solutions
- Expand our access
- Improve analytic tradecraft
- Automate manual processes
- (Verb garbled) the Enterprise for the Cyber Security Mission
- Enable Effects for threat mitigation

Cyber Sensor in 2015

Expand Our Access Footprint
- We will increase SPECIAL SOURCE access to include all international gateways accessible from Canada
- We will deploy a sensor system that creates a protective grid at multiple layers over Government operations in Canada and at all classification levels

Improve Analytic Tradecraft
- We will equip SIGINT and cyber defence with tools for flexible manipulation and customized analysis of large-scale data sets
- We will build analytic tradecraft that understands, anticipates and exploits the methodology of threat agents to provide comprehensive cyber situational awareness based on multiple sources of data

(Verb garbled) the Enterprise for the Cyber Security Mission
- We will improve how we anticipate, identify, track and mitigate cyber threats on government systems through new concepts of joint operations
- We will design and develop joint SIGINT-ITS systems including common data repositories, joint tasking and analytic systems
- We will increase operational capacity by ensuring SIGINT and partner sensors interoperate seamlessly
- We will (garbled) and use ITS and (garbled) capabilities and complementary analyses to thwart cyber threats

Enable Effects for Threat Mitigation
- We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates
- We will build the technical infrastructure, policy architecture and tradecraft necessary to conduct Effects operations
- We will further integrate ITS and SIGINT authorities and operations to leverage common sensors, systems and capabilities necessary for active and expanded dynamic cyber defence measures

The Network Is The Sensor: Principles

[Diagram: principles and goals. Recoverable labels: Security needs to be transparent to the user in order to be effective; Security is a right for all Canadians; Detect threats as they enter our national networks, not at the end user; Identify Exfiltration / Command and Control; IT assets should be distributed; Rather than pinging one node at a time, build better layered defence; The Network is your Defence; Defence for all; Access is mandate agnostic. The principles are expanded on the following slide.]

Principles Explained
- Security is transparent: if security inhibits functionality or interferes with user experience, it will be bypassed
- Security is a right: attempting to protect everybody with end-node / gateway defences is not feasible
- IT assets should be distributed: we run an open market; network providers will compete to provide access; consolidated gateways create single points of failure; cost / redundancy considerations
- Detection before attack hits target: if we wish to enable defence we must have intelligence to know when attacks enter our national infrastructure
- Identify exfiltration and command and control: some attacks will slip through or can't be seen (i.e. shaping); exploit our temporal advantage and aggressively pursue these implants, as they will communicate home for instruction
- The Network is your Defence: in some cases, in cooperation with our partners, we can affect change at the CORE of the Internet on detection: modify traffic routes; silently discard malicious traffic (hygiene filtering); insert payload to disrupt adversaries

Rationale

Keeping pace with the adversary
- From the time a malicious PDF is opened till SEEDSPHERE has interactive control of a workstation is 3 minutes
- There are countless malicious actors: state, crime, generic malware
- Gateway / end-node defence by itself is insufficient; it is only one part of the problem. Over 600,000 apps in the iTunes App Store: how do you secure that?
- Defence in depth includes network monitoring and network interaction

Build better defence
- Our current MO is to resolve one incident at a time
- Automate the defence through a robust network capable of not only detection but manipulation of malicious traffic

What does it mean?
- EONBLUE will be integrated into the Network: monitoring Government of Canada; monitoring core infrastructure; Special Source extending the reach to view national infrastructure; monitoring foreign Internet space
- EONBLUE will enable defensive operations: through robust communication with host-based capabilities; through direct manipulation of network communications; through interaction with telco infrastructure to affect change

Food for Thought: Changing the way we think
- Tipping and cueing: if the purpose is to enable defence of national infrastructure, it becomes unnecessary in a 5-eyes context. We have full visibility of our national infrastructure; the chance of beating the Internet for latency of an attack is minimal; the network will perform the filtering. What if instead it enables intelligence collection: cyber session collection
- Targeting and tasking: we all share common targets, and we will all target, using our national capability, the cyber threats we know about. No need for 2nd party tasking / targeting requests; instead expose cyber information across the community. What if instead we focus on analytic collaboration and knowledge transfer (TEHPRU information (name garbled), federated repositories, etc.)

Changing the way we think (continued)
- Foreign SIGINT intercept: becomes the hunting ground for discovery of new threats; enables attribution and counter-intelligence reporting; defence is taken care of by The Network. Mobile platforms are the next frontier: what is their implication on cyber?
- Domestic defence: we will exhaust the treasury deploying network appliances to perform dynamic defence; the same capabilities will be integrated into the CORE of the Internet; defence in depth through complementary capabilities on end nodes, at the gateway and in the core of the Internet

Conclusion
- CASCADE: the harmonization of SIGINT sensor capabilities lays the foundation for long-term integration of cyber within the Enterprise
- Towards 2015: The Network is the Sensor. Defence, mitigation and intelligence all formed from a single comprehensive network creating a perimeter around Canada; extending our reach through 5-eyes partnerships to ensure mutual defence of national assets