Joint Regional Security Stacks: Increased network visibility, shared data, stronger defense
The importance and complexities of enabling seamless data sharing through the Joint Regional Security Stack (JRSS) platform were the subject of discussion among experts from the Defense Information Systems Agency (DISA) and Joint Forces Headquarters - Department of Defense Information Network (JFHQ-DODIN) during the Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium in Baltimore May 17.
The JRSS platform is a DOD-wide initiative to enable military services, combatant commands, and defense agencies to see more network activity, defend networks more efficiently, and share information seamlessly both within their own organizations and with DOD mission partners.
“JRSS will deliver to the greater DOD community the ability to act uniformly with predictable outcomes through a centralized, standardized, and modernized infrastructure,” said Army Col. Greg Griffin, JRSS program manager.
The typical unclassified “stack” comprises 20 equipment racks that manage and defend traffic flows; perform firewall functions, intrusion detection and prevention, enterprise management, and virtual routing and forwarding; enable the ingest of large sets of data; and provide the platforms to process that data and the mechanisms to help cyber operators analyze it.
Fourteen unclassified Joint Regional Security Stacks are currently operational, and 20 will protect the DOD unclassified network by the end of fiscal year 2019: 11 are in the continental United States, two in Europe, two in the U.S. Central Command area of responsibility (AOR), and five in the U.S. Pacific Command AOR. The classified set of networks will require 25 stacks.
Griffin said in the not-too-distant future, a JRSS platform fielded with standardized suites of equipment, complete with defined syntaxes and procedures, will enable the military services, combatant commands, and agencies to share tips and cues from within a common platform without having to recreate or reformat data for different devices.
DISA assembled a JRSS Defensive Cyber Operations working group to build toward that future. The group is made up of members from various JRSS stakeholder organizations charged with defining the tactics, techniques and procedures that govern JRSS best practices, to include information sharing between organizations.
“The big thing for us is accessibility for everybody … not keeping (data) stove-piped … which is what we have now,” said Army Col. Darlene Straub, chief of DISA’s Defensive Cyber Operations (DCO) Division and chair of the JRSS DCO working group.
“One of the things we’ve come to agreement on recently is we want to make sure we use the JRSS as a data source, not only having the data available on our site within the Joint Management System (JMS), but also being able to share it,” Straub said.
“How can we use that data to become more powerful and more [knowledgeable] about what’s on the network?” she asked.
Straub’s team works closely with the DISA Global Operations Command (DISA Global), which is responsible for operating and maintaining JRSS.
The DISA Global commander, Army Col. Lisa Whittaker, also emphasized the value of looking across organizational boundaries to understand network operations.
“I’m looking forward to JRSS stabilization, followed by data consolidation, so that we can start looking at the analytics to more rapidly identify nefarious behavior and counter it,” she said.
According to the 2015 DOD Cyber Strategy, building an architecture that transcends individual branches will enable a robust network defense and shift focus from protecting service-specific networks and systems to securing the DOD enterprise in a unified manner.
“As JRSS matures, and we better understand the ability to share that information, one of the key constructs of this is that we know what ‘right’ looks like and what ‘good’ looks like so we can better share the tactics, techniques, and procedures (TTPs) and indicators of compromise that cause fault points, regardless of where they are,” said Air Force Col. Jordan Cochran, Future Operations Division chief for JFHQ-DODIN. “I think we ought to do that at speed. We obviously want to get ahead of reacting to an adversary’s maneuvers, to be more proactive, so that we’re less concerned about the big data problem and more concerned about mission assurance for all the components to be able to do mission essential tasks and functions.”
As DISA works to procure and deliver the remaining systems and define TTPs for leveraging the capability, JFHQ-DODIN is defining procedures for a JRSS Operational Board (JOB) it stood up less than two months ago. The JOB’s role is to provide consistency, guidance and direction for establishing a sound foundational basis across JRSS mission partners, Cochran said. This promises to be very useful as the DCO working group and DISA Global offer up best practices based on input from across the military services and from lessons learned from day-to-day operations.
“Right now in DCO, there are pockets of excellence throughout DOD. What JRSS is going to be able to do is bring all that together,” Straub said. “We’re going to be able to share our threats, and it is not going to have to be through the IT community or through some stove-piped channel or through a memo or an email. It’s actually going to be through the data source. And we’re going to be faster, more flexible, more agile in being able to thwart our enemies and what they are trying to do within our networks. For me, from a DCO perspective, I’m ready to get there because I think it’s going to help immensely.”
Posted May 30, 2018