Army CISO wants greater, automated network visibility and ‘triggers’ to get ahead of threats

Maj. Gen. Jan Norris called for a cybersecurity model where "we don't detect, respond, recover; we detect, respond, correct and continue operations."
Army CISO Maj. Gen. Jan Norris delivers a keynote address at the Swish Data GIST Summit. (FedScoop)

It seems to be everywhere for Army Chief Information Security Officer Maj. Gen. Jan Norris looks: “Detect, respond, recover.”

The three elements comprise most of the core functions in the National Institute of Standards and Technology’s Cybersecurity Framework, which aims to “identify, protect, detect, respond and recover” against cyber threats.

“Everything in my experience in the last two months, it’s always: detect, respond, recover,” Norris said Wednesday at the Swish Data GIST 2023 Summit.

But that model, Norris said, falls short of the cybersecurity maturity level he wants for the Army — one where “we don’t detect, respond, recover; we detect, respond, correct and continue operations.”


In essence, Norris wants to move the Army’s ability to detect “left” — to come before an intrusion — by introducing greater visibility and automation into its networks, systems and data.

“The only way we can do that is with visibility and some analytics that can, you know, take log data, whatever it is, and we can analyze it left and reach left of an event to trigger some corrective action, which then allows us not to have to recover but to continue to operate,” he said.

Norris said he’s challenged the Army’s Enterprise Cloud Management Agency and others to “ingest this data into a tool” to perform such a function. This is especially difficult across the Army’s existing 40 networks, Norris explained, though the service is working actively to consolidate that down to a single unified network.

“It’s really hard to see and analyze across the enterprise when you have so many different domains — we’re trying to collapse those. I mean, even if you have a single tool running on all 40, it’s still hard to kind of collude all that together and have the optimal visibility you’d like to have,” he said.

Norris continued: “Is there another tool out there anyone has that can do it better, that will give us those analytics we need that we can go, ‘We’ve got some anomalies in these logs and we need to correct something right now,’ before you know I’m getting a call and we have a breach?”


There are great tools the commercial industry has provided, Norris acknowledged, but “are these tools mature to the point of triggering alerts and notifications to prompt corrective action?” That would be ideal, he said.

Similarly, Norris said such an automated trigger based on enhanced visibility in the network to monitor anomalies in user behavior could have helped in preventing the recent leak of classified national security documents that appeared on social media.

“Is there a tool that’s monitoring that activity to say that this individual has violated the rules for which the account was granted?” he said. “You know, one, to alert the human to have a discussion about what are you doing every month in the National Guard center downloading all this classified information. But even beyond that … automate a tool that will do analytics and shut that individual down automatically without the human involvement.”

Norris called that idea “utopian” but believes “we can get there.”

“I think we have the tools,” he said. “It’s maturing them, though, inside of organizations” that will get the Army closer to that ideal state, he added.

Latest Podcasts