Countering cyber threats with Elastic Cloud Enterprise at CERDEC/ARL


The Communications-Electronics Research, Development and Engineering Center / Army Research Laboratory (CERDEC/ARL) performs network and system monitoring as one of 23 cyber defense entities within the U.S. Department of Defense (DoD). By leveraging real-time operational data through the application of new technologies and advanced analytics, CERDEC/ARL conducts defensive cyber operations and research against the most sophisticated and damaging cyber threats of today. Its scope of coverage spans across any and all services, personnel, and networks within the DoD — the world’s largest employer by number of employees.

CERDEC/ARL’s Chief of the Sustaining Base Network Assurance Branch, Curtis Arnold, had the unique challenge of overseeing a multifunctional department whose defensive cyber operations were reputed to be a couple years ahead of others in the DoD. Arnold’s team needed a scalable, resilient, reliable platform that could perform equally well in supporting massive amounts of data and enabling nimble threat hunting capabilities. Elastic Cloud Enterprise (ECE) proved to be the solution they needed.

As the DoD’s Cybersecurity Service Provider (CSSP), CERDEC/ARL leads the department in “solving the hard problems that nobody else wants to tackle.” As the DoD continued to refine its cloud infrastructure, the need for distributed search became apparent to Arnold and his team. Traditional network-based sensors were losing their visibility with increasing encryption, the ever-expanding application space was requiring unachievable growth in network data normalization, and defense in depth against back doors in the network was not being adequately covered.

Implementing ECE

To address these concerns, Arnold and his team tackled a major revamp in infrastructure. One of the larger reconstructs was in streamlining their data ingest architecture. Data would now be streamed from multiple log sources — flow, API, and application logs — to a central location. From there it would be distributed to cloud storage and an ECE cluster.

Elastic Cloud Enterprise brought immediate results. Policy enforcement, anomaly detection, threat hunting, search visualization, and programmatic access functions were all drastically enhanced. In a cloud access monitoring use case, a team analyst was able to pull data on cloud usage and effectively monitor potentially compromising user access points within one hour of using Elastic.

ECE “[g]ives us a lot more information on our data,” Arnold explains. “We’re a big player within the big data platform … Elastic is one of those capabilities that we’ve been bringing to bear. We’ve provided training for all the defensive cyber operators in Elastic … so we’re really pushing hard on making sure [it’s] part of the toolkit for everybody.”

Cyber threat hunting

In case CERDEC/ARL didn’t already have its work cut out for it, it also leads the DoD’s joint cyber threat program — an initiative focused on improving insider threat detection. This critical security exercise requires the ingestion of vast amounts of data from a variety of different sources to establish a regular “pattern of life” among users. When a user’s activity deviates from their normal day-to-day functions, CERDEC/ARL may have an insider threat on their hands. ECE provided the team with comprehensive data sourcing, while Elastic security analytics enabled rapid response speeds in a setting where every second can mean sensitive documents are being infiltrated.

In addition to enhanced search and indexing capabilities, Arnold’s team was also empowered through Kibana visualizations. Showcasing data and incidents in a universal, visually digestible format helps with overall understanding, but it’s also been proven to greatly improve analysts’ retention rate for incident reports. “The fact that this type of search and visualization is so quick and easy to render allows our analysts to express and convey the state of security easily to those that are in the position to remediate,” Arnold writes in a use case on detecting policy violations.


Whether restructuring the ingest architecture for the DoD’s vast stores of data or quickly drilling down on insider threats, ECE has proven to be a dynamic and effective tool in helping CERDEC/ARL take on challenges of all types. Learn how Arnold’s team is utilizing Elastic Cloud Enterprise to defend the DoD’s networks in this recap video from Elastic{ON} Tour Washington, D.C.

Watch the Elasticon talk: Countering Threads with the Elastic Stack at CERDEC/ARL