U.S. Marines with Naval Air Special Forces Intended for 19.2 Crisis Response Command Element prepare networks of on-site crisis response centers in Kuwait. (U.S. Marine Corps photo by Sgt. Robert Gavaldon)

As data spreads and attack surfaces expand, the Department of Defense continues to have a fundamental need to detect, understand, track, and manage its data and the intellectual property that is exposed online.

The House Armed Services Committee noted the need to manage this process in an integrated, end-to-end manner in its notes on the National Defense Authorization Act for Fiscal Year 2021.

“The Department of Defense (DoD) lacks a similarly comprehensive understanding of Internet-related assets and the area of attack across the DoD; the Committee notes that the DOJ only recently found that it had twice as many managed internet connections than it thought: connections created and maintained by components that were not protected like other sanctioned Internet Access Points managed by the Information Systems Protection Agency.

“Despite the steps taken by the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) in improving the visibility of DoD networks throughout their enterprise, DoD networks are controlled by individual components, with JFHQ-DODIN receiving most of the situational awareness from the reporting component. The committee believes it is critical for JFHQ-DODIN to achieve real-time visibility across all DoD networks.”

This complexity makes DoD networks particularly ripe for the application of what is known as Internet Operations Management (IOM). IOM’s capabilities enable organizations to:

  • Understand what their cloud-based and real-time attack surfaces look like, and how their network elements behave from the outside; and
  • Discover previously unknown compromises, illegal connections, misconfigurations, vulnerabilities and threat activity.

“When we look at Internet Operations Management from a military network perspective, it is easy to see the applicability of IOM, not just to the military, but to federal agencies, large government networks, and commercial clients,” said Joseph Lin, vice president of product management for Cortex, Palo Alto Networks. “They all have these basic problems.”

An IOM platform collects all this data in a single, secure data lake, using machine learning algorithms and data analytics to detect anomalies and extract knowledge. Decision makers can then use this information to make, implement, and verify IT and security policies and orders in a workable, scalable, and automated manner across the enterprise.

What is a data lake? Lin explains.

“At a very basic level, a data lake is an environment that holds a large amount of data, as well as highly heterogeneous data, which are collected together, integrated and made mutually interpretable so that, at the end of the day, you are not only collecting data for the sake of data, but you are collecting it so that you can run analytics and machine learning on that data in order to draw knowledge from the many data you are able to gather from your entire system.”

IOM is suitable for military networks

Military networks are, in general, very large. They can be very federated in nature, which makes it much more difficult to manage all their assets online.

Due to the large, scattered, highly federated, and sometimes expeditionary nature of military networks, managing, commanding and controlling their assets over the Internet is difficult and complex.

They are inefficient and insecure in other ways, too – especially in six areas.

  1. Self-reporting: In most cases, network operators have no independent way to verify reports from individual components. If a component does not respond or makes a mistake in its response, the operator would not be aware.
  2. Lack of a common source of truth: Network managers and the components themselves do not have a common understanding of which IP ranges and Internet assets belong to which component. Many IP ranges are claimed by multiple components, others by none at all. Existing inventory databases that should be the comprehensive source of truth about the enterprise IP range are usually outdated and incomplete. If there are vulnerabilities in the IP space for which no organization is directly responsible, they will never appear in self-reported lists.
  3. Extensive cloud hosting and third parties as extended attack surfaces: Enterprise assets hosted by commercial Cloud Service Providers and Internet Service Providers are often insufficiently monitored or not fully managed. While the risks posed by these assets vary, a meaningful subset of this attack surface periodically includes the potential loss of Controlled Unclassified Information (CUI) or other high-value enterprise assets.
  4. Difficulty identifying points of contact: Even for those parts of the network that both the network manager and the relevant component are tracking, there is a lack of awareness of who the relevant point of contact is to find and fix a vulnerability in a given IP range.
  5. Potential for human error: The current process relies on emails and spreadsheets. The potential for errors as data is copied, emailed and compiled into larger spreadsheets is high. Accidental omissions leave the network manager blind to potential problems.
  6. Slow response and recovery: Even in ideal circumstances, it may take at least 24 hours between the moment a network manager becomes aware of a new vulnerability and the point at which there is a full accounting of the problem area and recovery can begin.

IOM addresses those issues

These inefficiencies, and the uncertainty they create, are driving the need for enterprise-wide security enforcement among militaries around the world.

Cybersecurity and IT operations are most effective when there is centralized visibility and operational control over the entire network. DoD owns some of the largest and most complex networks in the world, with millions of IP addresses and endpoints in multilevel enclaves. However, it continues to lack enterprise-wide network visibility and relies on late-20th-century technologies for tasks as straightforward as developing, disseminating and implementing new IT policies.

DOJ service organizations and members deserve best-of-breed technology and processes, such as those found in IOM, to centralize and manage their network security and operations. The good news is that these technologies already exist commercially and are widely deployed in older networks, particularly in the private sector and a handful of government agencies.

“A big part of managing legacy network systems is that they are properly secured behind firewalls and are not exposed to the public internet because of vulnerabilities associated with their software that is simply unavailable, or unsupported any more, from their original manufacturer,” Lin said. “Because these weaknesses can be easily exploited by opponents, it is much more important to ensure that they are properly secured.

“What IOM enables owners of older systems to do is, first and foremost, to ensure that they are not exposed to the public Internet, that they are not detected by adversaries, and that they are properly configured and secured.”


DoD and the U.S. government’s broader capabilities in cyber defense, detection, response, and recovery are inadequate. This problem is mainly due to the lack of centralized visibility and operational control over federal information technology.

In addition, there is a large gap between the mandate to secure, protect and monitor networks across government and the very diverse technologies and processes in the country. Solving this problem is not only possible, it is happening now with existing technologies and processes in the private sector and within several individual federal agencies.

IOM products such as the Palo Alto Networks Cortex systems group, including Cortex Xpanse and XSOAR, enable JFHQ-DODIN to meet detailed requirements from the FY21 NDAA through the development of IOM procedures that provide JFHQ-DODIN with real-time visibility on all DoD networks.

Situational awareness is a basic requirement in all forms of conflict, and with Cortex IOM, Department of Defense organizations can continuously detect, manage, and monitor all Internet assets located globally in the DoD through daily attack surface scanning and regular drafting.

Awareness and comprehensive visibility across all of its networks will allow DoD network managers to confidently answer direct questions such as: “What are all my IPs?”, “How many endpoints or servers do I have?” and “What is the software running on them?” Without IOM, they would be hard-pressed to do so.