From 2000-2014 global Internet usage increased 741%, up  from 360 million to almost 3.5 billion people .  The security and effective operation of the  U.S. critical infrastructure rely on cyberspace industrial control systems and  information technology that may be vulnerable to disruption or exploitation.  DoD and the nation as a whole rely on a  secure and dependable cyberspace that protects fundamental freedoms, privacy,  and the free flow of information.

Our networks and data are subject to continuous  cybersecurity attacks from a wide range of threats.  Effective defense against these adversaries  requires near real-time orchestration of thousands of end components and  network systems, multiple organizational processes, and the selection,  de-confliction, and execution of complex response actions within and across  diverse domains.  Today, such  orchestration is primarily a manual, human-in-the-loop, process to correlate  multiple inputs and direct an array of responses.  This current process does not provide the  speed, agility and control necessary to ensure operational mission success in  the presence of sophisticated cyber threats.  Through the introduction of ACD constructs, secure orchestration will  provide an automated, human-in-the-loop capability to select, direct, and track  responses to network and cybersecurity events.

A comprehensive ACD solution would have characteristics  that include the ability to operate with dialable levels of automated decision-making that enable the detection and  mitigation of threats at cyber-relevant speed; it must be scalable to operate  in any size enterprise, and work in an integrated manner with other network  defense and hardening capabilities while creating and consuming shared  situational awareness.  Finally these  capabilities must be available soon and be designed in a manner that allows  them to be built and operated by both the private sector and USG.

The ACD Framework, depicted here, describes the set of  five high-level conceptual capabilities necessary to perform ACD anywhere in cyberspace.  A foundational messaging  fabric must exist to enable real-time communications using standard protocols,  interfaces and schema among the other four components.  Then there must be sensors that report data  on the current state of the network, sense-making analytics to understand  current state, automated decision -making to decide how to react to current  state information, and capabilities to act on those decisions to defend the  network.  Although not a unique part of  the ACD framework, Shared Situational Awareness is a critical provider and  consumer of actionable ACD information.

ACD is far more than just the enhancement of defensive  cybersecurity capabilities for the DoD and the Intelligence Community.  ACD-defined capabilities and processes can be  employed to support federal, state, and local government agencies and  organizations, defense contractors, critical infrastructure segments, and  industry.  The ability to rapidly and  automatically share and understand threat information and analysis, cyber  activity alerts, and response action is critical to enabling unity of effort in  successfully detecting and defending against advanced cyber-attacks.

Today, even the best within-network cybersecurity is  achieved by products/services that operate independently of each other (e.g.,  virus checkers, remote configuration management), do not benefit from full  situational awareness (e.g., on threats and mitigations), and often rely on  human-in-the-loop process.

The state of cybersecurity within networks can and should  be advance by the development and use of commercially-produced, multi-sourced,  standards-enabled solutions that can interact and share situational awareness.

When deployed as a comprehensive integrated set of  solutions across the interior and at the boundary of a network enterprise, ACD  can provide mitigation of zero day attacks and enable hardening of allied  networks against such attaks in cyber relevant time through a shared messaging  fabric.  Using the ACD Framework as a  guide, enterprises can rapidly deploy ACD solutions and leverage cybersecurity  capabilities already deployed on their networks.  The automation inherent in an ACD solution  also holds the promise of efficiencies and scalability that will lead to cost  savings in network management.

Internetworldstates.com
Journal of Information Warfare, April 2014 Active  Cyber Defense: A Vision for Real-Time Cyber Defense