DOD, NSA team with company to build an advanced network intrusion detection tool
To create better protection for the nation's computer networks, the National Security Agency and the Defense Department have signed an agreement with Lancope Inc. to build Therminator, an advanced information security tool.
Therminator will produce a graphical representation of network traffic that allows information security workers and network administrators to recognize the impact of cyberattacks in real time.
This data will help government agencies and private businesses provide more proactive protection of sensitive and classified data, said John Copeland, Lancope's founder and chairman.
One of Therminator's main components is Lancope's flagship product, StealthWatch, a behavior-based intrusion detection system that features:
* Intelligent alarming.
* Network surveillance.
* Gigabit operating speeds.
* Recognition of unknown threats.
* A forensic trail of network activity.
"The Therminator technology has many fathers, but none of them want anything more than to see it in place in time to mitigate a nation-scale cyberattack, when and if one should occur," Copeland said. "There is pressure to move quickly because of the uncertainty over how much time is left before it's needed."
Army Maj. Gen. James Bryan, commander of the Joint Task Force for Computer Network Operations (JTF-CNO), agreed and said threats to computerized networks are growing and script-based intrusion detection systems are effective and will continue to be used, but "the problem is that we must also expect the threat to know this and to do the unexpected."
"We must carefully script our systems to look for the unexpected because [our enemies] are going to camouflage their malicious activity as otherwise normal activity," Bryan said. "Therminator is one very promising approach to this challenge."
The JTF-CNO is in charge of defending all DOD networks from attack and also can initiate cyberattacks when instructed by the president or Defense secretary.
Therminator will integrate StealthWatch's high-speed data flow architecture with NSA and DOD's data reduction and data visualization technology, Copeland said.
Therminator technology watches the data stream and illustrates categories of data as colored bars that are proportional in height to the quantity of data at a given time. The process is repeated to form a stacked bar graph that moves across a computer screen to show current and past data traffic composition. The tool then goes one step further to represent the many possible states of a data stream by selected variables, and those parameters are displayed on a multicolored stacked bar chart.
"Currently, StealthWatch already stores available local information on the attacking host, Copeland said. "Since IP addresses can be spoofed, actual 'tracking down' requires investigating log information from routers and switches along the path of the attack. Once StealthWatch is combined with the Therminator technology, an attack would be seen all along its path throughout the network."
The technology transfer licensing and cooperative research and development agreement was signed Nov. 12, and all three stakeholders are making investments in the project in terms of time and resources. Financial terms were not disclosed. The project is under way and the government and vendor project teams are meeting this week at Lancope's Alpharetta, Ga., headquarters to map out the Therminator development schedule.
The tool is expected to be ready in about six months, and Lancope will offer the Therminator technology as part of its commercial product line.