DOD to Reduce Defense Network Security Threats and Cyberattacks

Level 12

By Joe Kim, SolarWinds EVP, Engineering and Global CTO

Through its significant investment in networked systems and smart devices, the DOD has created an enormously effective—yet highly vulnerable—approach to national network security threats. The department has begun investing more in the Internet of Things (IoT), which has gone a long way toward making ships, planes, tanks, and other weapon systems far more lethal and effective. Unfortunately, the IoT's pervasive connectivity also has increased the vulnerability of defense networks and the potential for cyberattacks.

That attack surface only continues to grow and evolve, with new cyberthreats against the government coming in a regular cadence. DOD must adapt to this rapidly changing threat landscape by embracing a two-phase plan to make network security more agile and automated.

Phase One: Speeding Up Tech Procurement

The government first must accelerate its technology procurement process. Agencies must quickly deploy easily customizable and highly adaptable tools that effectively address changing network security threat vectors. These tools must be simple to install and maintain, with frequent updates to ensure that networks remain well fortified against the latest viruses or hacker strategies.

There is hope. In recent years, the government has made it easier for agencies to buy software through a handful of measures, such as the General Services Administration Schedule and the Department of Defense Enterprise Software Initiative. All have been carefully vetted to work within government regulations and certifications.

Phase Two: Automating Network Security

Automated network security solutions to alert agency administrators to possible threats are also important. The government should implement these types of solutions to monitor activity from the myriad devices using Defense Department networks. Administrators can be alerted to potential security breaches and software vulnerabilities to provide real-time threat response capabilities.

The SolarWinds® Log & Event Manager (LEM) lets administrators gain real-time intelligence about the activity happening on their networks, alerting them to suspicious behavior. Administrators can trace questionable activity back to its source and set up automated responses—including blocking IPs, disabling users, and more—to prevent potentially hazardous and malicious intrusions.

The number of connected devices operating on government networks makes a comprehensive User Device Tracker (UDT) a necessary counterpart to LEM. UDTs have gained a significant amount of traction over the past couple of years, particularly since the workforce began using personal mobile devices over government networks.

Today, federal administrators must deploy solutions that automatically detect who and what are using the network at all times. Solutions should easily locate the devices through various means, so administrators quickly can prevent major breaches that have become all too common.

Prevention is more about implementing network security measures quickly and automatically than it is about who has the better firewall. For the Defense Department, which has become so dependent on connected devices and the information they provide, there’s simply no time for that type of old-school thinking. Federal administrators must act now and invest in automated, agile, and efficient solutions to keep their networks safe from cyberattacks.

Find the full article on Signal.


I love UDT--it saves me time & effort every day.

But I don't love IoT, and I'm curious how the military is using it to make "ships, planes, tanks, and other weapon systems far more lethal and effective."

All I've seen so far is how it provides new (unnecessary) convenience while increasing risks and vulnerabilities. I don't yet find the convenience worth the vulnerabilities and expense.

Do you have any examples of military things that are "better" because of IoT?

Level 20

We use ACAS and HBSS to monitor our infrastructure for vulnerabilities and lock down endpoints on DoD networks.  Also SolarWinds software can be approved for use on DoD networks.  I've seen Orion on some very "controlled" networks.


Good article

Level 11

SolarWinds is approved and has a NETCOM Certificate of Networthiness. This means it is approved for use on the Army Network. This approval has been leveraged by others for use on DoD networks from what I know.

We also use ACAS and HBSS to scan for vulnerabilities and monitor the end points.

LEM has been a wonderful tool for rooting out issues and underlying problems that always find their way to the surface. We have millions of failed logins a week due to service accounts, old credentials on mobile devices sitting in desk drawers, etc. These superfluous failed accounts flood our logs and delay troubleshooting significantly. By drawing this to the surface it has caused us to go after these failed accounts and establish policies on service accounts and mobile devices. We are much better for it.

I am currently playing with UDT. Right out of the box it has already shown to us that our DHCP is a mess. We need to clean that up before I can take UDT much further.
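The failed-logon flood described in the comment above is a natural target for simple triage logic. The script below is an added example, not SolarWinds code or the commenter's LEM configuration: it parses a constructed, simplified log (field names loosely modelled on Windows Security event 4625) and surfaces account/source pairs that fail at a near-constant cadence, which is the signature of a cached or stale credential rather than a person mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample, loosely modelled on Windows Security event 4625 fields.
# Real LEM or Windows exports look different; these lines exist only to run the logic.
SAMPLE_LOG = """\
2017-09-12T08:00:01 EventID=4625 Account=svc_backup Source=10.0.5.21 Status=0xC000006A
2017-09-12T08:05:01 EventID=4625 Account=svc_backup Source=10.0.5.21 Status=0xC000006A
2017-09-12T08:10:01 EventID=4625 Account=svc_backup Source=10.0.5.21 Status=0xC000006A
2017-09-12T08:15:01 EventID=4625 Account=svc_backup Source=10.0.5.21 Status=0xC000006A
2017-09-12T08:03:17 EventID=4625 Account=jsmith Source=10.0.9.77 Status=0xC000006A
2017-09-12T08:03:21 EventID=4624 Account=jsmith Source=10.0.9.77 Status=0x0
2017-09-12T08:30:40 EventID=4625 Account=rjones Source=172.16.3.8 Status=0xC000006A
2017-09-12T09:30:41 EventID=4625 Account=rjones Source=172.16.3.8 Status=0xC000006A
2017-09-12T10:30:39 EventID=4625 Account=rjones Source=172.16.3.8 Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Status=(?P<status>\S+)$"
)

def parse_failed_logons(text):
    """Return (timestamp, account, source) for every 4625 line; ignore all other events."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("eid") == "4625":
            out.append((datetime.fromisoformat(m.group("ts")), m.group("acct"), m.group("src")))
    return out

def find_stale_credentials(events, min_failures=3, max_jitter_sec=60):
    """Group failures by (account, source) and report pairs that fail repeatedly on a
    near-constant interval: scheduled retries with a stale password, not a human."""
    by_pair = defaultdict(list)
    for ts, acct, src in events:
        by_pair[(acct, src)].append(ts)
    findings = []
    for (acct, src), stamps in by_pair.items():
        if len(stamps) < max(min_failures, 2):  # need at least one gap to measure
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_sec:  # low jitter between attempts => automated
            findings.append({"account": acct, "source": src, "failures": len(stamps),
                             "interval_sec": round(sum(gaps) / len(gaps))})
    return sorted(findings, key=lambda f: f["failures"], reverse=True)
```

Running `find_stale_credentials(parse_failed_logons(SAMPLE_LOG))` on the sample reports `svc_backup` retrying every 300 seconds and `rjones` every hour, while the single mistyped password from `jsmith` (followed by a successful 4624) is left alone.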

As my fellow Thwackers have already mentioned, DoD is heavily invested in ACAS and HBSS.  They have also invested in Splunk, which is another issue to discuss at a later time.  We have specialized teams to handle these applications and systems, but at the end of the day we have to rely on the different DoD Cyber Commands to allow us to move forward.  These commands make the rules and force us to follow those rules despite mission critical status.

The latest issue I have been dealing with is that a DoD Cyber Organization has taken upon themselves to start the following actions without asking questions or investigating issues:

1. Disabling administrative accounts

2. Not notifying the command of their action

3. Placing alerts on Security Clearances

For what you ask:

Logging into Solarwinds Web console with an Administrative account authenticated through AD and authorized by admin account creation process.

I have folks that will no longer log in due to these drastic measures taken by this DoD Cyber Organization.

We have some work to do and we are handling it as it comes down the tracks.  It will take some time, but as we further display and provide value added functionality through Solarwinds, we can show that Solarwinds is not just a network management tool, but a Security Administrative Platform and a fully functional SIEM Solution.

How do we get there?

All you valued Thwackers, posting questions, comments, how-to-guides, unique configurations, development data, and plain awesome sauce that we Thwackers are.

If you are DoD and interested in a DoD users group, let me know.  PM me and we can authenticate from there.

I'm continually impressed by your work and your contributions.  And I learn something interesting every time you post.

Double plus 1's to you!

Level 20

On top of what you mentioned about the DoD Cyber Org... after this year ends all new information systems must go through the RMF (Risk Management Framework) process.  I'm in the process now of trying to get some new IS's re-certified under NISPOM before time runs out so I can avoid the RMF process.  For larger networks like my largest moving from NISPOM to RMF is a real BEAR!

Eric, can't you have them log in with regular user accounts instead of admin ones?  I know from my recent experience we're not even allowed to log in to many machines with admin accounts.  Also the STIGs now say any user-admin account logins aren't allowed to browse with a browser any longer... it's all a real pain.  On one small IS I have, even though there are only a couple machines and a server, we have four different accounts depending on what role we're doing... I know you're familiar with what that's like now.


Air drop Alexas to all the enemies. Set it to repeat back everything you say, or set it to ask why every time you say anything (like kids do). It'll drive them nuts and they will willingly surrender.

Level 11

Eric and ecklerw1

I feel for what you are going through. I have run into similar issues with privilege levels as well as other things that cause difficulty in doing my job. As an example, if my SolarWinds server is not in HBSS' patches folder, I have more issues than I care to imagine. Latency becomes a big problem because HBSS is extremely intrusive by nature and scans everything that is done or touched by the application. I had to request that the server be kept in the patches folder until we can figure out exactly what needs to be excluded from HBSS' prying eyes. HBSS is mandated and is set to a high heuristic level. ecklerw1 brings up a good point about the STIGs for the logins. Browsers can't be launched by an admin (with the exception of Edge); however, a user can launch a browser by running as an admin. Very cumbersome indeed.

Oh well, these are examples of knee jerk reactions to networks that are insecure to begin with and when they are "hacked" they slap on the maximum security and then later have to peel back the unnecessary stuff that prevents administrators from doing their job of protecting servers and network devices.

Level 12


Excellent.  Also configure it to place online orders.  Soon the opposition will have so much credit card debt that they won't be able to pay their people.

Level 13

Nice Article.  Sure makes you not want to be a Federal Administrator.

Level 11

I am not saying that it is not a rewarding job or position, just sometimes we are given directives that make us scratch our heads and wonder who in the world thought this up. We ask, didn't they think of the ramifications of their reaction? What it comes down to is that it is directed, it is policy, and we must comply and look for solutions. That is where the greatest reward comes from: when we are able to come up with solutions that meet the requirements, no matter how difficult it looks, without impacting how we do our jobs or creating major chaos, and maybe in the process we can show how their directives need to be rolled back. As we all know, if you apply too much security, no one can work, so there has to be a middle ground with all the security that is needed to protect the network and keep the data safe. This is when being a Federal Administrator is the most rewarding.

Level 21

I for one would love to know how the Splunk thing has gone.  I have just started to get my feet wet with that and it's such a huge beast to try and wrangle, even for a small environment; I can't imagine what it would be like for a large environment.

Level 11

Not sure if you saw, but DISA issued an ACS RFI earlier this year (Assured Compliance Assessment Solution (ACAS) - Federal Business Opportunities: Opportunities). One thing that was interesting from a back and forth I had with them, was that they didn't know how to address a multi-vendor offering. Given the information in there, it'll be tough for one single solution to cover all bases (as written).

Level 11

What can we say???? We must do, but they don't know how to do it. It's up to us in the field to figure it out and share.

About the Author
Joseph is a software executive with a track record of successfully running strategic and execution-focused organizations with multi-million dollar budgets and globally distributed teams. He has demonstrated the ability to bring together disparate organizations through his leadership, vision and technical expertise to deliver on common business objectives. As an expert in process and technology standards and various industry verticals, Joseph brings a unique 360-degree perspective to help the business create successful strategies and connect the “Big Picture” to execution. Currently, Joseph serves as the EVP, Engineering and Global CTO for SolarWinds and is responsible for the technology strategy, direction and execution for SolarWinds products and systems. Working directly for the CEO and partnering across the executive staff in product strategy, marketing and sales, he and his team are tasked to provide overall technology strategy, product architecture, platform advancement and engineering execution for the Core IT, Cloud and MSP business units. Joseph is also responsible for leading the internal business application and information technology activities to ensure that all SolarWinds functions, such as HR, Marketing, Finance, Sales, Product, Support, Renewals, etc., are aligned from a systems perspective, and that the company uses its own products to continuously improve their functionality and performance, which ensures success and expansion for both SolarWinds and its customers.