Sandia LabNews

Sandia cyber portfolio increasing impact through DHS Transition to Practice program


Sandia’s Daniel Soh, right, offers an overview of the continuous variable quantum key distribution (CV-QKD) laboratory for the Department of Homeland Security’s Mike Pozmantier (center, white shirt). Pozmantier, program manager for DHS’s Transition to Practice program in the department’s Cyber Security Division, visited Sandia/California recently to observe various cybersecurity projects at the lab and discuss Sandia’s test and evaluation role in TTP. (Photo by Dino Vournas)

Through the Department of Homeland Security’s Transition to Practice (TTP) program, Sandia’s cybersecurity technologies — and those of the other DOE labs — now stand a better chance than ever of finding their way into the real world.

DHS’s TTP, spearheaded by the department’s Science and Technology Directorate, is an innovative program specifically created to assist in moving federally funded cybersecurity technologies into broader use. Getting technologies and research discoveries over the so-called “valley of death” — the wide area that lives between early, promising research on one side and technology that’s actually being implemented on the other — is something that Steve Hurd (8958) readily admits is a dire need in the national lab community.

“Moving technologies from the laboratory into actual practice is difficult,” Steve says. One of the main reasons, he says, is that technologies that seem to work in the lab may need fine-tuning or further upgrades to work in the field.

“So TTP is an inventive attempt to help all the labs improve in this area,” Steve continues. “It’s paying dividends already by opening doors that will get new innovative cyber defense technologies from Sandia and other laboratories into the hands of industry, academia, and other research institutions that can really use them.”

TTP’s methodology is straightforward. DHS’s Mike Pozmantier, the program manager for TTP in the department’s Cyber Security Division, conducts events across the country each year that feature cyber technologies developed at DOE and DoD laboratories and selected for evaluation by DHS. The events are targeted to specific sectors and audiences; one, for instance, has been held in Washington, D.C., for potential users in the federal government, while another was held in northern California’s Silicon Valley for high-tech audiences. Other events target users in critical infrastructure, including an event last year in New York for the financial sector and another this year in Houston focused on energy.

The goal is to create buzz, generate interest, initiate conversations, and enable relationship-building that will forge business partnerships and ultimately put important cyber technologies, including some developed at Sandia, into practice. That could be accomplished through pilot programs with industry, licensing, or spinning off of technologies into startup companies through venture capital funding, but the first order of business is to identify, test, and evaluate the usability and overall viability of the technologies.

Sandia serving key testing and evaluation role

In addition to considering Sandia-developed cyber technologies for transition, DHS is leveraging Sandia’s cybersecurity expertise to test and evaluate (T&E) TTP technologies developed by other DOE and DoD labs. Steve is leading the effort, with key contributions coming from centers 8900, 5600, and 9000.

“Our main goal is to help make the technologies easier and more cost-effective for end users to adopt, ultimately leading to more effective protection of digital systems,” says Steve. “We try to discover the areas in the technology that need improvement, then provide specific feedback to the developers.”

The team does this, he says, by testing in realistic environments and using a wide range of tools, including dynamic testing of executable files in software and the adversarial-based red-teaming that Sandia has excelled at for years. (“Red teaming” refers to assessments that help customers acquire an independent, objective view of their weaknesses from a range of adversaries’ perspectives.)

Sandia is employing two unique capabilities as part of the TTP test and evaluation effort, says Susanna Gordon (8966), Sandia’s TTP project manager.

“FARM, our Forensics Analysis Repository for Malware, provides a large number of analyzed malware samples that we are using to test technologies intended for enhanced malware analysis,” says Susanna. For technologies intended to run on enterprise-scale networks, Sandia’s researchers are conducting tests using the Labs’ Emulytics™ platforms, which are capable of efficiently emulating and analyzing representative enterprise-scale networks, greatly reducing the cost of running at-scale testing.

“An additional benefit to the TTP test and evaluation work is that we’ve actually learned some things that can improve our own processes here at the Labs,” Steve adds. “We now realize that we need to start at the very beginning when looking at the commercial feasibility of technologies — including those developed at Sandia.

“Though it might seem obvious, we’ve learned that even the simple question of whether a cyber invention works or can be easily installed by an end user needs to be evaluated,” Steve says. “Someone who is developing a technology should be able to hand it to a smart technical colleague with the assurance that he or she will be able to easily and efficiently set it up and use it. If the program is too complicated or complex for that to occur, then it’s probably a non-starter. That’s a lesson for Sandia as well as the other labs involved in the TTP initiative.”

The test and evaluation team also examines the cost of implementation and whether there are new problems or risks associated with each technology it evaluates.

“Maybe the product successfully addresses some problem. But, to use an analogy, Sandia knows from experience that adding new computer security is not like building another fence,” Susanna says. “What is intended to add additional security to a computer can actually be counterproductive and break the existing security system. Those things have to be considered very carefully.”

Long-lasting value

In TTP’s kickoff year, three cyber technologies were selected from Oak Ridge, two came out of Pacific Northwest National Laboratory, and one each was selected from Sandia, Lawrence Livermore, and Los Alamos labs. This past year, when TTP expanded its reach to DoD labs as well as the DOE labs, two Sandia technologies were selected.

“The TTP initiative is really helping Sandia get its cyber technologies to those organizations that need them to better protect their assets,” says Steve.

“And we also see it as a way to leverage our testing and evaluation capability, since we truly believe no one else is as good at this particular job,” he continues. “It’s somewhat under-the-radar and not very visible, and it has been a learning experience to apply our processes to developmental rather than operational technologies. But many of these cyber technologies around the national lab complex will be stronger and more mature due to our test and evaluation support. Ours is a vital role.”

The hope, Steve says, is that Sandia’s value becomes so clear and recognized by other national labs that they’ll begin to approach us, independent of the TTP program, and ask us to provide test and evaluation services. Though that will likely be a challenge due to natural rivalries or perhaps even distrust from other organizations, he and others at Sandia are confident it can happen.

“We go to great lengths to avoid conflicts of interest. We offer an unbiased, third-party assessment of technologies, and we do so in a way that incorporates both technical skill and an objective, fair mind-set,” says Steve.

To further avoid conflict-of-interest issues, says Steve, Sandia intends to have other independent parties conduct testing and evaluation of Sandia-developed technologies while still employing the same approach and methodology being used throughout the program. For instance, Exelis, a technology company that provides mission-critical, next-generation solutions for the command, control, communications, computers, intelligence, surveillance, and reconnaissance markets, led the T&E activities around Sandia’s CodeSeal software.

A third party would also likely be used in cases where Sandia is faced with evaluating a technology that competes directly with one of its own.

“As an FFRDC [Federally Funded Research and Development Center], our main objective is to partner with DHS to improve the nation’s cyber security posture in whatever capacity we can best serve,” Steve says. “We know that any good cyber technology will benefit the entire community, no matter which lab has developed it, and we are pleased to draw on Sandia’s broad and deep cybersecurity expertise to develop new technologies and also to make those of the entire community stronger.”

Early successes offer optimism

The TTP program is only in its second year, but several promising projects have already emerged.

An Oak Ridge National Laboratory cyber system known as Hyperion, selected through the TTP process last year, is designed to compute the behavior of software as a means to gain understanding of software functionality and security properties. Largely as a result of TTP, Oak Ridge is now collaborating with the Defense Intelligence Agency and the US Computer Emergency Readiness Team (US-CERT) on evaluation and deployment of Hyperion.

Sandia’s own CodeSeal, also a year-one TTP-selected technology, is a program that protects critical software from malware and a variety of security gaps. CodeSeal is gaining industry traction itself with Vir2us, a Bay Area computer security company, and may soon be piloted in a real-world use case scenario at the DOE GridSTAR Center in Philadelphia. The plan, says Craig Smith (8539), is to bring CodeSeal to GridSTAR — embedded into Vir2us’s security suite program, Citadel — to execute on the grid, an activity expected to lead to useful validation data for CodeSeal.

“With successful validation of CodeSeal, we see the opportunity to integrate CodeSeal into Citadel, enhancing Vir2us’s already-impressive lineup of security systems,” says Craig, who was recently named a Distinguished Fellow of the Licensing Executives Society International (see story on page 2).

Sandia and Vir2us, he says, will then work toward turning CodeSeal into a product as an embedded security solution.