
Concept System for Intelligence & Security · sesam.smart-lab.se/seminarier/Hostsem16/161124AL.pdf · Palantir Gotham Report management

Page 1:

WWW.FORSVARSMAKTEN.SE

Maj Alexandra Larsson, Tech Lead Concept System for Intelligence & Security

Swedish Armed Forces - Headquarters

@macgirlsweden

[email protected]

Concept System for Intelligence & Security Konceptsystem Underrättelse- och Säkerhetstjänst (KSUS)

Gathering requirements, inspiring the end user and driving business development

UNCLASSIFIED REL INTERNET

Page 2:

Focus: System used in “Office Spaces”

Cable-based connectivity

Camp Marmal, Afghanistan

Camp Bondsteel, Kosovo

Page 3:

Focus for KSUS

Units

Staffs (CC/Op/Strat)

Real-time data

Slow info (documents)

Sensors & materiel (gadgets)

Information management

Email

Servers

Networks

Links

SOA architecture

(Staff) processes

Analysis tools

Visualization

Reports (individual data)

Qualified analyses (compiled info)

Usual focus for projects within the command and control area

$$$ $

Page 4:

Managing a new strategic/operational command method

Page 5:

New types of conflicts - irregular actors

The military instrument of power in a civilian context (comprehensive)

New military thinking places demands on information management & the intelligence service

Page 6:

Multinational Experiment Series (MNE)

The Swedish Armed Forces shall take part in the Multinational Experiment Series (MNE), which aims to develop and demonstrate command and control concepts for multinational and multifunctional crisis management.

(Appropriation directions for 2008, p. 35)

Page 9:

Determine the knowledge needs

Plan & direct

Collect information

Process & analyse

Disseminate knowledge

The knowledge base

Figure 7

Page 10:

Own, Other, Neutral

LEDS analysis from a cooperation perspective

Figure 6

Page 11:

Organisation and command relationships of the Swedish Armed Forces

Figure 1

Headquarters (Högkvarteret)

Military-strategic command level

Operational command level

Tactical command level

Supreme Commander / Director General

Head of HKV / HKV department

Head of the command staff, Chief Legal Officer, Finance Director, Personnel Director, Communications Director / Command staff

Head of Production / Production directorate

Head of Operations / Operations directorate, Operations staff

Tactical commanders / Army, Navy and Air Force

Head of MUST / Military Intelligence and Security Service

Head of Internal Audit / Audit department

Surgeon General / GL department 1)

Flight Safety Inspector / Military Aviation Inspectorate 1)

Head of organisational unit / War unit commander 2)

34 organisational units consisting of regiments, flotillas, schools and centres 3)

1) The Surgeon General and the Flight Safety Inspector are not subordinate to the Supreme Commander when exercising supervision.

2) Heads of organisational units and war unit commanders report to the Head of Operations regarding operations and territorial activities.

3) The organisational units I 19, LG, P4 and P7 include regional staffs for, among other things, civil cooperation and territorial activities within the military region.

Special command relationships apply to the Armed Forces' special forces units.

Page 12:

Intelligence service

Page 13:

Other, Neutral, Hostile

MUST analysis from a threat and risk perspective

Figure 5

Page 14:

“Analysts must absorb information with the thoroughness of historians, organize it with the skill of librarians, and disseminate it with the zeal of journalists.”

”American intelligence and fortune-telling” JAN 7, 2010

Bernd Debusmann, Reuters columnist.

Page 15:

SWEDISH ARMED FORCES

Joint Concept Development & Experimentation Centre

Processing

Intelligence Staff

Methods and Procedures

Software

Repository (existing information)

Intelligence Processing & Production

Data about foreign entities

Collection

Results

Sources

Intelligence Product

Dissemination

Page 16:

Swedish Armed Forces

Strategic Directive 2015

• Increase the national and military intelligence capability.

Page 17:

Swedish Armed Forces Intelligence Regulations (Försvarsmaktens Underrättelsereglemente, FM UndR)

Page 18:

Coordinated system of intelligence systems.

Grundsyn Underrättelsetjänst (Basic View of the Intelligence Service)

Page 19:

Products created with internal resources.

Data created by external organisations.

Data organised with internal resources.

Government data

Commercial data

Data from Intl. orgs

Contracts & Agreements of delivery/subscription of data

Data collected with internal resources.

HUMINT DB, OSINT DB, IMINT DB, SIGINT DB, MASINT DB

Finished All-Source Fused Analytical Products (Combining data from different sources and classification levels to produce finished intelligence products)

Ingest service: Data cleansing, format conversion, translation, normalization, caching, indexing & service enablement.

Single-source products + datasets.

Sensors (×5)

Foundational Data Services (support data for analytics): Geodata – Airspace Data – Equipment Data – Country Data – Image Libraries – Symbols

Page 20:

General challenges for the intelligence service

Page 21:

1

Page 22:

The amount of information is increasing

Page 23:

It is not about information overload

Page 24:

It is a FILTER failure!

Page 25:

2

Page 26:

Complex conflicts

Page 27:

“The relationship between people, history, geography, climate, culture, religion, ethnicity, local power and leadership structures, together with widespread poverty and corruption and a lack of literacy, means that the extent of the complexity sometimes has no limits.”

Rickard Johansson, Commander FS21

Page 28:

Command & Control by Cut and Paste in Powerpoint

CCCP2

Page 29:

3

Page 30:

Resources

SEK

The number of personnel is decreasing

Page 31:

The number of personnel is decreasing

The amount of info is increasing

Complex conflicts

Page 32:

Digitalisation (Business development)

Page 36:

Digital disorder...

Page 40:

FM process handbook, the IT process

“The Swedish Armed Forces' operations shall be secure and efficient, with high-quality results. Information shall be made available for the organisation's needs and support users and decision-makers. Methodical information needs analysis, including risk analysis, control, follow-up and documentation, shall form the basis for developing solutions for information management with associated support systems.”

Page 41:

Determine the knowledge needs

Plan & direct

Collect information

Process & analyse

Disseminate knowledge

The knowledge base

Figure 7

Page 42:

FM Handbook on Objective-Setting Work for Technical Systems 2015 and ISO/IEC 15288

• The concept of system: “a combination of interacting elements organised to achieve one or more stated purposes”.

• A prerequisite for applying a broader view of the concept of system is understanding of and insight into different areas of influence. The concept of areas of influence aims to highlight needs and costs for whole systems. Areas of influence have no clear boundaries; they affect, overlap and depend on one another. Needs and requirements from or on all areas of influence must be considered when defining a system.

Page 43:

FM Study and Concept Development Plan 2016

“Concept development is a special case of studies and constitutes the first step in capability development. A concept is developed in order to describe future operational environments, military problem areas, use of new technologies and methods, capability needs and associated proposed solutions.”

Page 44:

Challenges in IT...

Page 45:

Cost and Time Overruns because of Unclear Requirements

Page 46:

IT has lots of bricks but does not know What to Build

Page 47:

Business Users do not know what is Possible Today

Page 48:

Business Users are unprepared for The Next (-Gen) System

Page 49:

RISK MANAGEMENT

COST ($)

BUSINESS BENEFITS

Page 50:

Business benefit

Efficiency

Security

Protection

Page 51:

Concept Development System

• Room

• Location

• System

• Software

• Activities

• External partners

Page 52:

Close to the business user

Page 53:

T100 Setup

Page 54:

The System

• Unclassified

• Commercial or Open Source software as building blocks

• Most resources spent on ”Integration glue”

• It is a business prototype – not a technical prototype.

Page 55:

A detailed scenario which is Unclassified/fictitious

Page 56:

Concept Development System

Data

Software

Best Practice

External Skills

Influence on methods

New Skills

Requirements & Business Development

Need for Data

Page 57:

Document-based Requirements Management

Model-based Requirements Management

Page 61:

Concept development/Concept system

Page 62:

FM Study and Concept Development Plan 2016

“Concept development is a special case of studies and constitutes the first step in capability development. A concept is developed in order to describe future operational environments, military problem areas, use of new technologies and methods, capability needs and associated proposed solutions.”

Page 63:

Innovation

“Combine things in a new way”

Page 64:

Our approach

Integrate different COTS/OS pieces

ESRI ArcGIS

EMC Documentum

Palantir

EMC InfoArchive

IBM i2

Solr Search

Carmenta Server

IBM Connections

IBM SameTime

Instoremedia

RSA Archer

IBM Watson

RSA Via L&G

Page 67:

Business problems

Capability needs

Lessons learned (What are we bad at?)

FM governing documents & directions (What do others want us to get better at?)

Initiation of a new concept

Building knowledge within a given area

Problem description at “craft level”

Knowledge from studies & FoT

Lessons learned (What do we find difficult/time-consuming?)

Selection of vendor and product

Analysis of products & vendors

KSUS design principles

Functional breadth

Commercial positioning

Vendor dialogue: price indication

Conceptual solution of business problems

Demonstration for the business

Workshop with the business

Iteration together with the business

Installation & configuration of product stand-alone

Data modelling

Business configuration

Access-rights configuration

Integration into the KSUS platform

Connection to integration platform

Connection to security platform

Ordering

Sign contract

FMV Market & Procurement

FM MSK Ledsyst Licence Manager

Contract review

FMV Market & Procurement

FM MSK Ledsyst Licence Manager

Vendor dialogue: negotiation

Offer a place in the “shop window”

Not a production system

Talks at executive level

Vendor dialogue: services engagement

Basic installation

Business configuration

Integration with KSUS

Vendor dialogue: integration

Can it run on KSUS infrastructure?

Supports standards & protocols for integration and security functions.

Vendor dialogue: functionality

Detailed walkthrough of technical functions and intended way of working.

Gartner/Forrester/Ovum

Participation in conferences and seminars

Environmental scanning, IT (What technology is on the market?)

Identification of industry area

Environmental scanning, method (How should we work?)

Military organisations, intelligence agencies, think tanks, academic research

ArbO, regulations, handbooks, instructions (How have we decided to work?)

Business architecture

Modelling of organisation & process

Results from concept development

The KSUS method development factory

• Requirements realisable by the business

• Commercially realisable requirements

• Concepts for method/technology/organisation/competence/facilities

• Data models

Page 68:

Information management

Digitalisation - Models - Data

KSUS 2016 - Alexandra

Page 69:

Finished product (data + container)

Page 70:

Data

Page 71:

Container (System component)

Page 72:

Commercial data in large quantities (Jane's data)

Industrial production of refill packages of strawberry jam.

Page 73:

Home-cooked high quality data (Collected by classified means i.e. HUMINT/SIGINT)

Page 74:

Multiple types of containers (system components)

Solr Search

EMC Documentum Enterprise Content Management

Palantir (Pattern-Link-Analysis)

IBM i2 (Pattern-Link-Analysis)

Page 75:

Platform for all containers = KSUS

Page 76:

Basic perspectives on information

Taxonomy/Ontology

Space

Relation

Time

User Interaction

Page 77:

Solr + Documentum + Carmenta + ESRI + OpenNLP

Page 79:

Oracle Fusion Middleware

Oracle SOA Suite 12c, Oracle Service Bus

EMC Documentum Platform

Enterprise Content Management

Solr Enterprise Search

Search Services (“Google”)

Beata GIS/Space+Time

Intelligence Analysis

Geospatial Analysis

IBM i2

Pattern-Link Analysis with GIS and Text Analytics

IBM SameTime

Real-time Collaboration

Interactive displays for group collaboration

IBM Connections

Social Collaboration

Intelligence Analysis Platform

Virtual Meeting Room

Presence/Chat

QlikSense

Web-based Office

Profile – Status – Bookmarks

Search Profiles – Synonyms – Banners

ESRI ArcGIS

Geospatial Analysis for Intelligence & Security

Carmenta Server

Interoperable GIS Data

Analyst's Notebook Premium

Vricon Explorer

Intelligence data in 3D

IBM Watson Content Analytics

Text Analytics Platform

Palantir Gotham

Report management – Pattern-Link-Analysis

Instoremedia

RSA Security Platform

Data Visual./Statistics/Big Data

Page 80:

Integration Platform

SOA Orchestration Layer

Enterprise Service Bus

Queue system

Page 81:

Principles and key requirements

• KSUS consists of several systems

– Rationale: multiple systems are required to fulfil all business requirements, no single system can do that.

• Systems should be implemented by COTS, MOTS or OS products which should be kept as “standard” as possible

– Rationale: the cost, time and risk of building and maintaining systems in-house is unacceptable as compared to acquiring, integrating and maintaining COTS/MOTS/OS products.

– Rationale: deviating from “standard” means that the cost, time and risk of building and maintaining the system will increase and the benefits of using standard products supported by vendors or open source organizations will decrease.

• It must be possible to replace the COTS/MOTS/OS products used to implement the systems

– Rationale: COTS/MOTS/OS products change over time, business requirements change over time, products reach their end-of-life, and new products appear which have new / better capabilities which are a better fit to the business requirements.

– Implication: the dependencies between the COTS/MOTS/OS products used must be kept to a minimum.

COTS = Commercial Off-The-Shelf

MOTS = Military Off-The-Shelf

OS = Open Source

Page 82:

Principles and key requirements

• End-users must be able to work on the same information using different systems

– Rationale: different systems provide different functions and fulfil different business requirements, but the information managed by the business is the same regardless of systems used. We want to avoid “information silos”.

– Rationale: the information is the main asset of the business and the systems are the “tools” used to manage this asset. Business processes, methods and systems will change over time, and these changes will be smoother if the same information can be managed by different systems.

– Rationale: end-users should be given the freedom to choose the best-tool-for-the-job (in their own opinion) among the available alternatives, for the tasks allocated to them.

– Derived requirement: there will be a need for information governance across systems.

• When information is added, modified, deleted or purged in one system, this must be reflected in all other systems with minimal time delay

– Rationale: this requirement is a pre-requisite to enabling users to work on the same information using different systems.

• No system should be considered “master” for a particular type of information, rather all systems capable of managing a particular type of information should be considered equals

– Rationale: classifying some systems as masters will tend to create stronger dependencies to these systems, making it harder to replace these systems’ implementations with new / better COTS/MOTS/OS products.

– Rationale: if a master system is down, updates to information for which it is master will not be possible.

[Figure labels: Information; System (×5)]

Page 83:

Principles and key requirements

The principles and key requirements on the previous slides imply the following technical principles and key requirements:

• KSUS must have the technical capability to synchronize information between heterogeneous COTS/MOTS/OS systems with high reliability and high performance, while still maintaining loose couplings between the COTS/MOTS/OS products used.

– Rationale: virtually all COTS/MOTS/OS products manage their data in their own data stores, and it is rarely possible to “re-direct” them to another data store (e.g. a hypothetical “KSUS Main Data Store”). It is much more common that COTS/MOTS/OS products have APIs or other ways of getting data in and out of the product, making an architecture based on information synchronization much more feasible than an architecture based on connecting systems to a single shared data store.

• Configuration is preferred over coding

– Rationale: configuration in this sense means adjusting the behavior of COTS/MOTS/OS products according to the guidelines and techniques supported by the vendors, while coding increases the risk of deviating from “standard” as well as increases the cost and risk

• KSUS must provide the technical capabilities to minimize dependencies between COTS/MOTS/OS systems

– Derived principle: Service-Oriented Architecture (SOA) is chosen as a main architectural foundation for achieving loose couplings between systems.

• KSUS integrates systems – not data sources

– Rationale: systems, implemented by COTS/MOTS/OS products, typically have supported ways of integrating through APIs. Data sources used by COTS/MOTS/OS products are often not supported for integration. Directly integrating data sources would risk creating strong couplings and would not be compliant with fundamental SOA principles.

[Figure labels: System (×5); Information Synchronization]

Page 84:

Import external source data (this example from IHS Jane’s).

Page 85:

IHS Jane's data in XML format

Page 86:

What do we want to do with the data?

• Process to extract-transform-load (ETL) from external data into our own information model

• Make data searchable.

• Make data editable.

• Make data explorable.

• Make data available for computation (i.e. GIS threat domes)

• Autogenerate Reports (Fartygskort) from data into PDF.

Page 87:

Type of Information Models

• There is a Canonical Platform Independent Model (PIM) that identifies a set of business objects which is needed to support a specific set of tasks and processes.

– PIM business objects are relatively stable over time (e.g. intelligence requirement)

– PIMs embody the best practice of a certain line of business.

– In the KSUS system this is the canonical model with mappings running on the Oracle Integration Platform (Weblogic, Service Bus and SOA Suite).

• Each COTS vendor has a Platform Specific Model (PSM) that implements the Canonical PIM based on:

– Technical Capabilities

– Legacy context based on initial customers and their primary business needs.

– Marketing/branding aspects (same technical function has different names)

– Granularity varies based on which parts are considered “core features” to each vendor.


Platform Independent Model

Sparx Systems Enterprise Architect

Outputs:

- XSD Schemas

- Word report

- Graphs for PPT


DocSci xPresso for Word

• EMC Document Science xPression is used to generate various publications upon request by the user


Custom information products (Rendered with EMC DocSci xPression Server)


Ship objects (with the correct line drawing as icon) from Jane’s data, with links to images (with thumbnails), in i2 Analyst’s Notebook


Interactive Visualisation


Automated Document References

• Generates an appended last page with bibliography

– Based on a custom relationship type in DellEMC Documentum D2

• Specify document references in DellEMC Documentum D2

• References can be edited directly in DellEMC Documentum D2

– Implemented using DellEMC Documentum C2, XSL, and DQL

– Formatted to mimic standard bibliography formats using title, author, and publishing year as metadata

• Currently modified to fit the KSUS object model, but could be more generic using only standard DellEMC Documentum attributes.


Customizations – Document References


Security concept


[Diagram labels:]

The business information model

The business authorisation model

Which information has the user accessed?

Which authorisations does the user have in the system?

Identity & Access Management

Which authorisations does the user need to do their work?

Log stream

Business architecture (model)

Which information does the user need to do their work?

Information (object) context

Context around the user

2016-11-10:10:30:35 097323878567232 alelar

Metadata about logged objects

Access log / Audit trail


[Diagram: Next-gen Security Operations Centre (SOC)]

• Authentication Management; Identity & Access Management (users joining/moving/leaving; entitlements to resources and information); Key/Token Management

• Network Monitoring and Analysis – Event Stream Analytics (rule and alert definition)

• Sources & sensors in the network environment: Netflow; Network Packet Capture; Log Capture; DLP Network (payload – files); Endpoint Agent (malware); Endpoint Agent (DLP client); Anti-Malware; Data Loss Prevention policy rules; Intrusion Detection devices; IDS platform; Vulnerability Scanner (vulnerability scan/status); Directory Service

• Security Analytics (data-driven fused analytics of all available data): data correlation, data enrichment, normalization, storage

• Governance – Risk - Compliance; Security Investigation & Response

• Threat Intelligence; Vulnerabilities Database

• Provisioning of users; context around users; risk-based user entitlements; user enrichment


[Diagram: Next-gen Security Operations Centre (SOC), with product names]

• RSA Authentication Manager; RSA Aveksa/IMG Identity Management & Governance; RSA Data Protection Manager

• RSA Security Analytics (rule and alert definition)

• Sources & sensors in the network environment: RSA Security Analytics Netflow; RSA Security Analytics Network Packet Capture; RSA Security Analytics Log Capture; RSA DLP Network (payload – files); RSA ECAT Endpoint Agent (malware); RSA ECAT Anti-Malware; RSA Data Loss Prevention policy rules; Intrusion Detection devices; RSA DLP Server/Client; Qualys Scanner; Qualys Private Cloud Platform; Cisco Sourcefire NGIS; Directory Service

• RSA Security Analytics (data-driven fused analytics of all available data)

• RSA Pivotal/Greenplum Database - Hadoop (Storage)

• RSA Archer - Governance – Risk - Compliance; RSA Archer - Security Investigation & Response

• RSA Live; Vulnerabilities Database: NVD CVE, NVD CPE, US-CERT

• Provisioning of users; context around users; risk-based user entitlements; user enrichment


[Diagram: layered platform architecture]

• Layers and groupings: Storage hardware layer; Compute hardware layer; Network hardware layer; Virtualization layer; Common Service-Enabled Platform Services (Server); Composited Business Applications (Intelligence); Common Business Applications for Intel; Sec & Log (Server); Composited Business Applications (Security); DevOps Layer

• Hardware and virtualization components: Servers; Switch - Firewall; Block SAN Storage; Backup software and hardware; Big Data File Storage; Virtualised Compute (vSphere), Virtualised Network (NSX); Provisioning, Management, Load Balancing

• Security and logging components: Data Loss Prevention; Authentication Management; Intrusion Detection System; Identity & Access Management; Key Management; Anti-virus/Anti-malware; Log capture and storage; Network Monitoring and Analysis; Governance, Risk, Compliance; Security Incident and Event Management; Security Investigation

• Business application components: Geospatial Analysis; Text Analytics; Workflow/Case Management; Enterprise Content Management; Social Collaboration; Real-time Collaboration; Archiving Services; Big Data Analytics; Interactive group collaboration; Pattern-Link-Analysis Tools; Intelligence Report Production

• DevOps components: Source code and configuration repository; Requirement Mgmt & Information Modeling; Build and automation server; IT Asset Management; Issue tracking system; Artifact Repository


RSA portfolio: Via L&G, Security analytics, Archer, ECAT


Governs interaction between entities and information


• As a POC, an access log was imported from Documentum into Neo4j

• The purpose was to show that we can relate data sources to the information model, and then use tools to investigate the information


What access has a person had at a given time

Person
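The question on this slide can be answered from an access log once it is loaded as person-to-object edges. The sketch below is an added example, not the KSUS implementation: it uses an in-memory Python structure as a stand-in for the Neo4j import, and it assumes the log line shown earlier in the deck has the fields timestamp, object id and user id. Apart from that first line, the sample lines, object topics and need-to-know model are constructed.

```python
from collections import defaultdict
from datetime import datetime

# First line is the one shown on the slide; the rest are constructed.
# Field meaning (timestamp, object id, user id) is an assumption.
SAMPLE_LOG = """\
2016-11-10:10:30:35 097323878567232 alelar
2016-11-10:10:42:01 097323878567999 alelar
2016-11-10:11:05:12 097323878567232 user02
2016-11-11:08:15:00 097323878568111 alelar
malformed line without enough fields
"""

# Constructed object metadata and need-to-know model (hypothetical names).
OBJECT_TOPIC = {
    "097323878567232": "maritime",
    "097323878567999": "maritime",
    "097323878568111": "personnel",
}
NEEDED_TOPICS = {"alelar": {"maritime"}, "user02": {"maritime"}}
TS_FORMAT = "%Y-%m-%d:%H:%M:%S"


def load_graph(text):
    """Return (edges, rejected); edges maps user -> [(time, object_id)]."""
    edges, rejected = defaultdict(list), []
    for line in text.splitlines():
        parts = line.split()
        try:
            if len(parts) != 3:
                raise ValueError("expected 3 fields")
            when = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            rejected.append(line)  # keep bad lines for review, never drop silently
            continue
        edges[parts[2]].append((when, parts[1]))
    return edges, rejected


def accessed_between(edges, user, start, end):
    """Objects a person accessed in [start, end], in time order."""
    return [(t, o) for t, o in sorted(edges.get(user, [])) if start <= t <= end]


def outside_need(edges, user):
    """Accesses to objects whose topic is not in the user's modelled need.
    Objects with no known topic are flagged too (fail closed)."""
    need = NEEDED_TOPICS.get(user, set())
    return [(t, o) for t, o in sorted(edges.get(user, []))
            if OBJECT_TOPIC.get(o) not in need]
```

`outside_need` is the comparison the security-concept slide draws between what a user has accessed and what the business model says the user needs.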


Temporal view of access, visualised with IBM i2


[Diagram: Security operation]

GRC

• Define Policy

• Map Policy

• Measure Policy

IAM

• Identity Access Management

• Identity Admin & Provisioning

• Identity & Access Governance

SOC

• IT-security

• Detect Potential Threats

• Respond to Attacks

• Investigate Attacks

Underlying platform:

• GIS: Carmenta, ESRI

• ECM: Enterprise content

• ELP: IBM i2, Palantir

• Collaboration: Sametime, Connections

• Oracle integration platform

Use of underlying platform components in the security service, e.g. IBM i2 for processing and analysis, Documentum for reporting.
