Lockheed Martin Develops “Intelligence Driven” Cyber Security
Lockheed Martin, the world’s largest defense contractor, has steadily been targeted with cyber attacks by malevolent parties (particularly nation-state actors from Russia, China, and North Korea) since 2003. As an enterprise that “interacts with the internet 20 billion times a day” in carrying out its roughly 8,500 programs, there is vast opportunity for attackers to exploit weaknesses in Lockheed Martin’s systems and extract classified information. In an effort to combat these threats, the company has combined its intelligence function with its ability to track big data and invested in creating its Threat Intelligence Platform (TIP) called “Palisade”: a “centralized platform” which integrates its Security Information & Event Management (SIEM) systems “to provide enterprise wide alerting capability and manage all threat intelligence.” Palisade is aligned with Lockheed’s trademarked “Cyber Kill Chain” framework of threat analysis; this framework applies the military terminology of “kill chain” – an outline of all events from reconnaissance activities to battle damage assessments that need to take place in order to execute a mission – to the analysis of attempted cyber attacks.
Understanding that cyber attacks are constantly evolving to better breach targeted entities, Lockheed Martin reasons that the “seven distinct steps” to a cyber attack’s kill chain are an excellent way to determine patterns in attacks and mitigate future ones. This is because adversaries, while likely aware of the need to change their techniques, are unlikely to change their techniques at all seven of these steps at once simply due to time/cost constraints. What this means is that even minor elements of past attacks, such as “a scrap of code”, can be tracked and stored in a database that Palisade can then assess in terms of the Cyber Kill Chain framework. Lockheed’s intent here is for Palisade to improve its overall network defense posture, incorporate big data into cyber security (a field that is still largely reliant on human-driven analysis), empower analysts with a more comprehensive view of threats using historical data, and identify and respond to threats in a proactive, rather than reactive, manner.
I find this incredibly intriguing as it is the combination of my top two professional interests: big data and intelligence analysis. This initiative certainly innovates the company’s cyber security operations, placing less of a burden on analysts and providing new tools for Lockheed’s defense teams, but I have concerns about its efficacy. What happens if the platform inappropriately raises a red flag on an interaction between internal and external actors because it matched one element of that interaction to a previous attack’s kill chain? What happens when an attack is attempted and Lockheed’s framework fails to identify that breach because of Palisade’s algorithm? Obviously human-level analysis is still very much needed even with this platform, so how much business value is Lockheed Martin actually enjoying from this development? Could this platform be marketed to outside clients to transform Palisade from being a cost center to a profit center? If they could market it as a solution, what impact would it have on the project’s Net Present Value – negative or positive? There is much to consider here for the company, but this development of “Intelligence Driven” cyber security is nonetheless thought-provoking and offers new potential to organizations in protecting their information.
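The matching idea described above (indicators kept from past intrusions, compared phase by phase against new activity) can be sketched as follows. This is an added example, not Lockheed Martin's or Palisade's code; the indicator strings, campaign names, function names and the two-phase alert threshold are constructed assumptions. It also covers the single-element match case: overlap in only one phase is queued for analyst review instead of raising an alert.

```python
from collections import defaultdict

# The seven Cyber Kill Chain phases, in order.
PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives")

# Constructed sample history: indicators kept from past intrusions, per phase.
HISTORY = {
    "campaign-A": {
        "weaponization": {"pdf-author:jsmith-build7"},
        "delivery": {"sender:hr-updates@example.test"},
        "installation": {"filename:svcupd.exe"},
        "command_and_control": {"domain:cdn.example.test"},
    },
    "campaign-B": {"command_and_control": {"domain:cdn.example.test"}},
}

def build_index(history):
    """Map (phase, indicator) to the set of past campaigns that used it."""
    index = defaultdict(set)
    for campaign, phases in history.items():
        for phase, indicators in phases.items():
            if phase not in PHASES:
                raise ValueError(f"unknown kill chain phase: {phase}")
            for indicator in indicators:
                index[(phase, indicator)].add(campaign)
    return index

def correlate(observed, index, min_phases=2):
    """Compare new activity with history; alert only on overlap in several phases."""
    hits = defaultdict(set)
    for phase, indicators in observed.items():
        for indicator in indicators:
            for campaign in index.get((phase, indicator), ()):
                hits[campaign].add(phase)
    report = {}
    for campaign, phases in hits.items():
        ordered = [p for p in PHASES if p in phases]
        verdict = "alert" if len(ordered) >= min_phases else "review"  # assumed threshold
        report[campaign] = {"phases": ordered, "verdict": verdict}
    return report

# Constructed new activity: the sender changed, the PDF builder and C2 domain did not.
NEW_ACTIVITY = {"weaponization": {"pdf-author:jsmith-build7"},
                "delivery": {"sender:payroll@example.test"},
                "command_and_control": {"domain:cdn.example.test"}}

if __name__ == "__main__":
    print(correlate(NEW_ACTIVITY, build_index(HISTORY)))
```

Raising `min_phases` trades fewer false alerts for more missed intrusions, which is the tuning decision that still needs an analyst.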