Bringing Knowledge to Network Defense

L. Flagg, G. Streeter, A. Potter
Sentar, Inc.
4900 University Square, Suite 8
Huntsville, AL USA
+1 256.430.0860
{lflagg, gstreeter, apotter}@sentar.com

Abstract

Security managers must scan through multiple continuous data streams issuing from diverse sources in an effort to defend computer networks from attack. However, manual aggregation of this information is not achievable for vital decision-making within a narrow timeframe if security managers are not well-educated in current attack vectors. Thus, extensive and periodic training in attack methods, situation awareness and decision-making strategy should be required. However, it is challenging to provide training environments that can properly simulate multi-stage attacks effectively. Security managers are also impeded by the lack of dynamic feedback afforded by traditional training. This can result in false positive or negative readings of their preparedness. In this paper we discuss strategies to provide effective simulation and training of computer network defense for security managers through the integration of knowledge, intelligent agents, and proven network defense technologies.

Keywords

Network-centric warfare, Situational Awareness, Decision Support, Cyber Defense Training

1 Introduction

As computer network systems used by military, government, and business organizations become ever more vital to the organizational mission, they also grow larger, faster, more complex, more heterogeneous, and more difficult to protect [4]. Nowhere is the nation's reliance on network systems more critical than in network-centric warfare (NCW). As a well-established military doctrine, NCW translates information advantage into warfighting advantage through robust networking of sensors, decision makers, and shooters to achieve shared situation awareness, increased speed of command, increased pace of operations, greater lethality, increased survivability, and self-synchronization.
Successful conduct of NCW requires constant vigilance and an almost predictive awareness of the security posture of the Network Battlespace. For a security manager to be properly prepared to conduct NCW, several broad requirements must be met:

• They must understand the actual state of the network.
• They must understand the policies that define the desired state of the network.
• They must have the necessary reasoning capability for determining what actions would be required to keep actual conditions as close as possible to the desired state of the network.

Among the many challenges to successful NCW, meeting these requirements necessitates the integration of many varied network defense technologies to provide all the correct network posture information. However, currently available network defense technologies provide security managers with more information than can be assimilated in a time-critical environment. They must scan through multiple, continuous data streams issuing from heterogeneous network defense, monitoring and management tools in an attempt to dynamically gauge the current security posture of their organization's network. High-stress conditions compound the difficulty of situation awareness. Aggregation of time-sensitive information may not be achievable for vital decision-making within a narrow timeframe. Additionally, latency in human processing will easily exceed acceptable limits for effective response. A structure for (and a prior understanding of) what those data streams indicate is imperative to maintain a level of acceptable risk for large-scale, complex, critical information systems.

In order to prepare system administrators for security manager positions, extensive and periodic training in attack methods, situation awareness and decision-making strategy is essential. It is those decisions that