Ed Hammersla | Secure sharing of sensitive data

GCN Interview: Ed Hammersla, chief operating officer of Trusted Computer Solutions, talks about advances in the process of securing sensitive information across domains

• By Rutrell Yasin
• Dec 15, 2008

Ed Hammersla, chief operating officer at Trusted Computer Solutions (TCS), has talked about the need to share information across multiple security domains long before the issue gained widespread public attention. At TCS, he has been instrumental in providing security technology to government agencies, such as the Defense Intelligence Agency and the Coast Guard. He also played a key role in developing a trusted version of Linux, known as Red Hat Enterprise Linux 5.

Hammersla recently spoke to GCN about the state of crossdomain security.

GCN: Define cross-domain security.

ED HAMMERSLA: It’s helpful to point out that it is information sharing, but it is really focused on sharing sensitive or classified information. Sometimes the [phrase] “information sharing” gets thrown around to mean things like industry sharing with government what their vulnerabilities are. That’s a very broad term.

When we say cross-domain [at TCS], we’re talking about a security or network domain, meaning that one is top secret, one is sensitive or classified. The word “domain” can mean many different things to many people. When we [talk about] secure information sharing, we mean [securing] information that is of a classified or sensitive nature but not necessarily just top secret.

GCN: Many civilian agencies have been slow to adopt multilevel security because they don’t think they need the same level of security as the Defense Department. Are there other factors that are blocking widespread adoption of cross-domain security?

HAMMERSLA: The adoption of the technology is much greater than it has ever been in the past, but still, against the barometer of what we should be doing, it is very slow. A lot of the reasons are awareness and education. There are still a surprising number of folks who aren’t aware it can be done. For years, the pervasive thinking was you can’t connect two different networks of different classification levels to the same box because that’s the way it was for so long.

Then there’s the manageable but difficult challenge of getting these systems accredited and approved for use. I say manageable because clearly it can be done or there wouldn’t be any cross-domain solutions out there in operation today. But knowing how to do that correctly and in a timely [way] has been a real challenge for the vendor community and the government itself, [although] it’s improving.

Depending on whose numbers you feel comfortable using, estimates go between 100,000 to 200,000 people in the intelligence community who would want to use this technology. The best estimates now are 15,000 to 20,000 installed, and that’s probably a high number. Any way you look at it, we are maybe at 10 percent adoption in the intelligence community and probably less than 5 percent in the broader [DOD] warfighter community. We still have a long way to go. The most important thing for people to do is to become aware of this technology.

GCN: What role does the Unified Cross Domain Management Office play in creating greater awareness?

HAMMERSLA: The Unified Cross Domain Management Office out of the Office of the Director of National Intelligence [and DOD] is an important organization. They have done a lot of work to consolidate and identify the cross-domain solutions and mechanisms that are approved for use. As a result, they play a very important role in saving taxpayers’ money and [saving] government countless hours and dollars.

GCN: Does the office play a crucial part in certification and accreditation?

HAMMERSLA: They have jurisdiction over the process; that’s the word in the Intelligence Reform and Terrorism Prevention Act of 2004. But they don’t control it from the actual resource and execution point of view. The Unified Cross Domain Management Office has been excellent at reducing the number of cross-domain mechanisms in the community and saving government people a lot of time and money by [not] wasting their time pursuing things that are not on that list.

However, there is a real need to standardize on an objective and consistent set of requirements to meet certifications because when you get a couple dozen security guys in a room, you can imagine the varying degrees of opinion you get on what’s secure and what isn’t.

So in absence of a transparent and objective standard, if subjective opinions are applied to that process, then obviously it takes a lot longer and there are less predictable results. So a consistent, objective standard is an important piece to improve the [certification and accreditation] process.

GCN: TCS recently acquired a company called Counter- Storm. What does it add?

HAMMERSLA: The CounterStorm acquisition brings a technology to us that discovers threats, such as zero-day attacks, the first time you see something. We know how virus scans work: Once we understand how a virus works, we know its signature. We put it in our virus-scanning tool, and the tool scans and kicks [the virus] out.

But the first time something happens, we don’t know what its signature is. So the first time it happens, how do we find that? Also, how do we deploy technologies in our organizations that can find unusual behavior from trusted insiders? CounterStorm does that through an interesting set of technologies. Essentially, it is a machine learning technology. Counter- Storm will sit on an internal network, and within a two- or four-week time frame, it will learn what that network is all about. What kind of traffic goes on? Who talks to whom? How do they talk? How often do they talk? What kinds of IP addresses are being accessed outside the network? It does this with multiple intelligent engines that do everything from deep packet inspection to anomaly detection to behavior analysis to network analysis.

If someone who is an insider and has a password starts doing things they haven’t been doing for the past few years, Counter- Storm is smart enough to catch it very fast and alert the appropriate people.

Separate from CounterStorm, we’ve built a product that we now call Security Blanket. That’s a tool to allow organizations to add greater levels of security to operating systems. That’s important because operating systems are what sit on the inside of the network and guard the data. They’re sort of the last line of defense [for] the internal data.

What we found out through our own knowledge of the market and from analysts [such as] Gartner and Forrester [Research] is that a huge number of these servers are not locked down or secured at all. The ones that are secured and locked are done manually with very little documentation.

The thought behind the Security Blanket technology was to offer a tool to people [that allowed them to] take a server and bring it up to Defense Information Systems Agency security standards and feel more secure that anybody trying to attack that server would have a more difficult time doing so.

GCN: Would you say one of the security trends we’ll see next year is integration of deep packet inspection with crossdomain technology?

HAMMERSLA: The cross-domain side is trying to accelerate the adoption of this technology. Every place [cross-domain] technology has been deployed, it cuts costs, and it makes people more productive and enhances organizations’ ability to share information. On the cross-domain side, the objective in the year ahead is to continue streamlining and make the process of using this technology easier and quicker while enhancing its capabilities.

The priority on the insider threat [side] is to develop better capabilities to detect all manner of different kinds of threats out there.