Addressing Secure Cross Domain Log Data Aggregation for DCO & CSfC


The latest version of the Raise the Bar (RTB) initiative introduced by the National Cross Domain Strategy & Management Office (NCDSMO) requires that all U.S. government entities which utilize cross domain solutions (CDS) deliver CDS (and other device) log data to a Defensive Cyber Operations (DCO) enclave. As defined by RTB, the DCO is a secure enclave that collects and evaluates log data, including dirty or malicious data, for analysis and forensics.

There is a similar requirement in effect for Commercial Solutions for Classified (CSfC) Continuous Monitoring (CM) of network segments and other high-security architectures, in which activity logs from networks at progressively higher security levels (i.e., Black, Gray, Red) are sent to SIEMs in isolated “Management Service” nodes for collection and analysis. Analysts can also validate the operational status of encryption components by observing network activity both before and after encryption points and within management networks.

However, when data sources from different security domains are connected, or in this case reporting to the same secure DCO enclave or Management Service node, an approved hardware-enforced one-way transfer (OWT) mechanism, such as a data diode, is required to keep the domains physically separate and prevent potential contamination or unauthorized access. Content filtering is usually not required, as RTB states that if log content is filtered, critical data might not be delivered, or the data might be altered in such a way (e.g., due to the filtering technique used) that its intelligence or defensive value is reduced or eliminated.

So then, for DCO and CSfC, each CDS (or other device) will require its own OWT device to connect to the monitoring enclave/node. Conventional OWT solutions are 19” 1U appliances designed to fit in a standard server rack. For large-scale deployments of tens or even hundreds of devices, this can result in a massive concentration of OWT devices, which quickly gets out of hand for the size, weight, power, and cost (SWaP-C) requirements of even the most well-funded programs. This can also create an administrative nightmare for network operators who need to configure and manage an individual OWT appliance for every connection. What’s needed is a single, compact solution that can aggregate multiple source data flows while also enforcing a hardware-based OWT separation.

What then, could this potential data aggregation solution look like?

  • First and foremost, the SWaP-C of the solution must be dramatically reduced such that it could fit and operate within existing infrastructure.

The necessity of independent, hardware-segregated connections makes this first point quite difficult for most of the current mass-market OWT solutions to meet. However, new hardware-based FPGA data diode devices offer a possible avenue to a far more compact, economical solution. By enforcing one-way data flow through FPGA logic and other hardware-based flow enforcement mechanisms, all of the SWaP-C requirements for multiple solutions could be slashed to the point that multiple devices could be reasonably implemented within a single, highly secure 1U platform.

  • Second, the solution must be able to not just pass multiple independent streams, but provide a scalable means to consolidate them into aggregated data flows for ingestion into fewer destination connection points.

If multiple solutions can be implemented within a single platform, they would need to be configured such that the data flows can be aggregated in a many-to-one, or similar, architecture. In order to be scalable, the solution should offer a straightforward means to increase connection points without the need for another platform whenever additional capacity is needed.
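The many-to-one aggregation described above, as an added example that is not Owl's code and does not describe how XD Matrix works internally: a Python model of an aggregator that merges records from several allow-listed one-way inputs into one output stream. Following the RTB concern from the previous section, it never filters or alters a record; it only prefixes each one with its source and a digest so the SIEM can prove the payload arrived unchanged. Because a one-way link has no return path for retransmission requests, the aggregator also tracks per-source sequence numbers to report gaps and drop duplicates. Source identifiers, sequence numbers, the sample log lines and the header format are all constructed for the example.

```python
"""Many-to-one aggregation of log records received over one-way links (illustrative model)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InputRecord:
    """One log record as received on a single one-way input (constructed for this example)."""
    source_id: str   # hypothetical label for the input connection, e.g. "cds-01"
    seq: int         # hypothetical per-source sequence counter stamped by the sending side
    payload: bytes   # the raw log record; the aggregator never modifies it


@dataclass(frozen=True)
class OutputFrame:
    """One record on the aggregated output: provenance header plus the untouched payload."""
    source_id: str
    seq: int
    payload: bytes
    sha256: str      # digest of the payload so the destination can detect alteration in transit


class ManyToOneAggregator:
    """Merges records from several allow-listed one-way inputs into one output stream.

    A one-way link offers no return path, so the receiver cannot request a
    retransmission; the most it can do is notice a gap in the sender's sequence
    numbers and report the gap alongside the data it did receive.
    """

    def __init__(self, allowed_sources: List[str]) -> None:
        self._next_seq: Dict[str, int] = {s: 0 for s in allowed_sources}
        self.gaps: List[Tuple[str, int, int]] = []   # (source, first missing seq, last missing seq)
        self.rejected: List[str] = []                 # source ids that were not allow-listed
        self.duplicates = 0

    def ingest(self, rec: InputRecord) -> Optional[OutputFrame]:
        expected = self._next_seq.get(rec.source_id)
        if expected is None:                 # not an allow-listed input: refuse, do not forward
            self.rejected.append(rec.source_id)
            return None
        if rec.seq < expected:               # already seen: a replayed or duplicated record
            self.duplicates += 1
            return None
        if rec.seq > expected:               # records were lost on the one-way link
            self.gaps.append((rec.source_id, expected, rec.seq - 1))
        self._next_seq[rec.source_id] = rec.seq + 1
        digest = hashlib.sha256(rec.payload).hexdigest()
        return OutputFrame(rec.source_id, rec.seq, rec.payload, digest)


def encode_frame(frame: OutputFrame) -> bytes:
    """Wire encoding on the aggregated output: one ASCII header line, then the payload verbatim."""
    header = f"src={frame.source_id} seq={frame.seq} len={len(frame.payload)} sha256={frame.sha256}\n"
    return header.encode("ascii") + frame.payload + b"\n"


def decode_stream(wire: bytes) -> List[OutputFrame]:
    """Destination side: split the output stream back into frames and verify each payload digest."""
    frames: List[OutputFrame] = []
    while wire:
        header, rest = wire.split(b"\n", 1)
        fields = dict(kv.split("=", 1) for kv in header.decode("ascii").split(" "))
        length = int(fields["len"])
        payload, rest = rest[:length], rest[length:]
        if len(payload) != length or not rest.startswith(b"\n"):
            raise ValueError("truncated frame")
        if hashlib.sha256(payload).hexdigest() != fields["sha256"]:
            raise ValueError("payload altered in transit")
        frames.append(OutputFrame(fields["src"], int(fields["seq"]), payload, fields["sha256"]))
        wire = rest[1:]
    return frames


# Constructed sample traffic from three inputs plus one connection that was never allow-listed.
SAMPLE_INPUT = [
    InputRecord("cds-01", 0, b"<14>Jan 1 00:00:01 cds01 filter: pass id=7"),
    InputRecord("cds-02", 0, b"<14>Jan 1 00:00:01 cds02 filter: drop id=9"),
    InputRecord("cds-01", 1, b"<14>Jan 1 00:00:02 cds01 filter: pass id=8"),
    InputRecord("cds-03", 0, b"<14>Jan 1 00:00:02 cds03 audit: operator login"),
    InputRecord("cds-02", 3, b"<14>Jan 1 00:00:03 cds02 filter: pass id=12"),  # seq 1 and 2 lost
    InputRecord("cds-01", 1, b"<14>Jan 1 00:00:02 cds01 filter: pass id=8"),   # duplicate
    InputRecord("rogue-9", 0, b"record from a connection that is not allow-listed"),
]


def run(records=SAMPLE_INPUT, allowed=("cds-01", "cds-02", "cds-03")):
    """Aggregate the records and return the aggregator state plus the encoded output stream."""
    agg = ManyToOneAggregator(list(allowed))
    wire = b""
    for rec in records:
        frame = agg.ingest(rec)
        if frame is not None:
            wire += encode_frame(frame)
    return agg, wire


if __name__ == "__main__":
    aggregator, output = run()
    print(f"forwarded={len(decode_stream(output))} gaps={aggregator.gaps} "
          f"duplicates={aggregator.duplicates} rejected={aggregator.rejected}")
```

Scaling this model to more inputs only means extending the allow-list, which is the property the paragraph asks for; the per-source sequence state is what lets the destination tell a quiet source from a broken link without any traffic flowing back across the diode.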

  • Third, the solution must be hardened and include security features on par with other defense-grade network security devices.

A truly hardened solution should include both logic- and hardware-based data flow security features, such as whitelisting and flow enforcement. These functional security features should be complemented by an ultra-secure platform management capability that includes Trusted Hardware Components (THC), a Trusted Operating System (TOS) and Trusted Software Components (TSC), similar to those used in Owl’s cross domain solutions (CDS).

  • And finally, the solution must provide high-speed throughput with extremely low latency to enable real-time monitoring and data flow analysis.

Hardware-based FPGA processing enables vastly superior speed and lower latency compared to CPU-based appliances. Parallel processing lets an FPGA evaluate many bytes in a single clock cycle, whereas a CPU parses a frame sequentially, byte by byte. An FPGA can also process an entire Ethernet frame at once, whereas a CPU must parse and process each layer of the IP stack in turn. These FPGA hardware-based processing advantages reduce latency to less than 1% of that of average CPU-based solutions.

Owl has a lengthy history in designing and bringing innovative security solutions to market in conjunction with our partners in the U.S. Department of Defense. When members of the DoD community raised this data aggregation use case, Owl’s recently launched embedded product line introduced an entirely new paradigm in what could be achieved in a much more compact, economical form factor with vastly increased performance.

Based on an innovative FPGA-based embedded cross domain security device, XD Matrix is a hardware-enforced data aggregating OWT solution. This 1U device features a scalable, block-based configuration of FPGA-based OWT connectors. Each block can aggregate up to 8 input data flows (up to 1 GbE each) into 1 or 2 output data flows (up to 10 GbE each), and each XD Matrix device can house up to 4 blocks. This means a single device can aggregate up to 32 individual hardware-enforced OWT connections.

Owl XD Matrix

XD Matrix is a unique, unmatched solution for organizations looking to meet current RTB and CSfC device monitoring security requirements. The unique combination of hardware-based flow enforcement and packet filtering satisfies the DoD requirement to aggregate multiple distinct data flows while also meeting MITRE’s D3FEND Network Isolation tactics through Broadcast Domain Isolation and Outbound Filtering techniques.

Leverage next-generation, multi-port, scalable hardware-based OWT data aggregation and proven secure platform management capabilities in a single 1U device, all from the world’s leading cross domain security company. To learn more about this innovative, hardware-based data aggregation solution, see the XD Matrix product page.
