Instructor: Aleksi Aaltonen, Section 002

Lockheed Martin Develops “Intelligence Driven” Cyber Security

Lockheed Martin, the world’s largest defense contractor, has been steadily targeted with cyber attacks by malevolent parties (particularly nation-state actors from Russia, China, and North Korea) since 2003. As an enterprise that “interacts with the internet 20 billion times a day” in carrying out its roughly 8,500 programs, there is vast opportunity for attackers to exploit weaknesses in Lockheed Martin’s systems and extract classified information. In an effort to combat these threats, the company has combined its intelligence function with its ability to track big data and invested in creating its Threat Intelligence Platform (TIP) called “Palisade”: a “centralized platform” which integrates its Security Information & Event Management (SIEM) systems “to provide enterprise wide alerting capability and manage all threat intelligence.” Palisade is aligned with Lockheed’s trademarked “Cyber Kill Chain” framework of threat analysis; this framework applies the military terminology of “kill chain” – an outline of all events, from reconnaissance activities to battle damage assessments, that need to take place in order to execute a mission – to the analysis of attempted cyber attacks.

Understanding that cyber attacks are constantly evolving to better breach targeted entities, Lockheed Martin reasons that the “seven distinct steps” of a cyber attack’s kill chain are an excellent way to determine patterns in attacks and mitigate future ones. This is because adversaries, while likely aware of the need to change their techniques, are unlikely to change all seven of these techniques at once simply because of time and cost constraints. What this means is that even minor elements of past attacks, such as “a scrap of code”, can be tracked and stored in a database that Palisade can then assess in terms of the Cyber Kill Chain framework. Lockheed’s intent here is for Palisade to improve its overall network defense posture, incorporate big data into cyber security (a field that is still largely reliant on human-driven analysis), empower analysts with a more comprehensive view of threats using historical data, and identify and respond to threats in a proactive, rather than reactive, manner.

I find this incredibly intriguing as it is the combination of my top two professional interests: big data and intelligence analysis. This initiative certainly innovates the company’s cyber security operations, placing less of a burden on analysts and providing new tools for Lockheed’s defense teams, but I have concerns about its efficacy. What happens if the platform inappropriately raises a red flag on an interaction between internal and external actors because it matched one element of that interaction to a previous attack’s kill chain? What happens when an attack is attempted and Lockheed’s framework fails to identify that breach because of Palisade’s algorithm? Obviously human-level analysis is still very much needed even with this platform, so how much business value is Lockheed Martin actually enjoying from this development? Could this platform be marketed to outside clients to transform Palisade from a cost center into a profit center? If they could market it as a solution, what impact would it have on the project’s Net Present Value – negative or positive? There is much to consider here for the company, but this development of “Intelligence Driven” cyber security is nonetheless thought-provoking and offers new potential to organizations in protecting their information.
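To make the correlation idea in the post concrete, here is an added example (my own illustration, not Lockheed Martin’s Palisade code) of a toy indicator store where every past indicator is tagged with its Cyber Kill Chain phase. A new event is matched against hypothetical past campaigns, and an alert is raised only when a campaign is matched in at least two distinct phases, which is one way to address the single-element false-positive concern raised above. All campaign names, indicators and the threshold are constructed for the example.

```python
from collections import defaultdict

# The seven phases of Lockheed Martin's Cyber Kill Chain, in order.
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")


class IndicatorStore:
    """Toy threat-intelligence database: indicators from past intrusions,
    each tagged with the campaign that used it and the phase it was seen in."""

    def __init__(self):
        # (phase, indicator) -> set of campaign names that used it
        self._index = defaultdict(set)

    def record(self, campaign, phase, indicator):
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain phase: {phase}")
        self._index[(phase, indicator)].add(campaign)

    def correlate(self, observed):
        """observed: iterable of (phase, indicator) from a new event.
        Returns {campaign: set of phases in which that campaign matched}."""
        hits = defaultdict(set)
        for phase, indicator in observed:
            for campaign in self._index.get((phase, indicator), ()):
                hits[campaign].add(phase)
        return dict(hits)


def assess(store, observed, min_phases=2):
    """Alert only when a past campaign is matched in >= min_phases distinct
    phases; a single reused element is reported as weak evidence instead."""
    hits = store.correlate(observed)
    ordered = {c: sorted(p, key=KILL_CHAIN.index) for c, p in hits.items()}
    alerts = {c: p for c, p in ordered.items() if len(p) >= min_phases}
    weak = {c: p for c, p in ordered.items() if len(p) < min_phases}
    return alerts, weak


def demo():
    store = IndicatorStore()
    # Constructed intelligence from two hypothetical past intrusions.
    store.record("campaign_A", "delivery", "sender:hr-update@example.invalid")
    store.record("campaign_A", "weaponization", "macro_hash:deadbeef01")
    store.record("campaign_A", "command_and_control", "domain:c2.example.invalid")
    store.record("campaign_B", "exploitation", "exploit_sig:placeholder-sig-1")
    store.record("campaign_B", "command_and_control", "domain:c2.example.invalid")
    # Constructed new event: reuses campaign_A's macro and the shared C2 domain.
    new_event = [("delivery", "sender:unknown@example.invalid"),
                 ("weaponization", "macro_hash:deadbeef01"),
                 ("command_and_control", "domain:c2.example.invalid")]
    return assess(store, new_event)
```

Running `demo()` alerts on campaign_A (two phases reused) while campaign_B, which shares only the C2 domain, is surfaced as weak evidence for an analyst rather than an alert.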

2 Responses to Lockheed Martin Develops “Intelligence Driven” Cyber Security

  • Your views point to a critical issue in almost any real-life machine learning application: what is its tolerance for false positives and false negatives. Note that the importance of these may differ (and not be the same) from application to application. A false positive would block a legitimate service while a false negative would allow an attacker in – which one is more detrimental to the business? E.g. in airport security you probably err on the side of false positives and give a few more people than would be necessary a full pat-down search – a minor cost for eventually catching that one guy with a gun.

  • That Lockheed refers to the Cyber Kill Chain as a “framework” alludes to the fact that even destructive forces, like hackers, can be part of an organized and predictable, if evolving, system. To take input and transform it to output there need to be consistent processes and frameworks, which is why hackers face a Catch-22, as the article states: they don’t reinvent the wheel, and this makes them more susceptible to being identified by Lockheed intelligence. The “positive feedback loops” that result from the interaction between Lockheed and hackers further illustrate the systematic nature of cyber warfare. The more connections Lockheed makes between the methods and agents of cyber warfare, the more useful data the company has to make more connections. This type of technology will force hackers to choose their targets and actions more wisely so they don’t needlessly provide more “ammunition” (data) to Lockheed.
