Software Modernization, ASA(ALT), Phase I

User and Entity Behavior Analysis

Release Date: 02/01/2024
Solicitation: 24.4
Open Date: 02/15/2024
Topic Number: A244-013
Application Due Date: 03/20/2024
Duration: 6 months
Close Date: 03/20/2024
Amount Up To: $250,000

Objective

This User and Entity Behavioral Analysis will streamline authentication to the network and services while transparently securing mission-critical services, such as warfighting applications, through granular, role-based access controls. This UEBA solution may enable the implementation of the Army’s Zero Trust Architecture while improving the tactical network’s cybersecurity posture.

Description

The Army requires a novel UEBA capability that serves as, or feeds, a Policy Decision Point in the Tactical ZTA. A behavior analysis is the process of collecting activity data on people and other entities, applying advanced analytics, and comparing the results to accepted baselines and peer activities.

This UEBA will leverage data collected and normalized by the Elastic Stack. This data includes Active Directory Domain, Active Directory Certificate Services, Windows Endpoint, Linux Endpoint, Palo Alto Firewall, Suricata Intrusion Detection System, Zeek Network Sensor, Netflow and Cisco IOS events. It will also incorporate Nessus Security Center vulnerability and asset scan reports.

This capability can execute within the Elastic Stack as a collection of detection engine rules, entity analytics or a Machine Learning model, or it can execute as a stand-alone virtual machine or container. The UEBA should include a well-documented and flexible REST API that enables Policy Enforcement Points to obtain necessary telemetry and enforce authorization decisions.

Phase I

A proof-of-concept showing technical maturity and feasibility for User and Identity Behavioral analysis solutions.

The government seeks a proof of concept, in the form of a whitepaper, that details the feasibility of developing a novel User and Entity Behavioral Analysis capability that serves as a policy decision point. The proof of concept will assume the ability to utilize data already collected by systems in the Program Executive Office Command, Control and Communications-Tactical portfolio and normalized by the Elastic Stack implementation deployed on the tactical network. The model shall determine a user’s normal battle rhythm and be able to alert a human in the loop of a change in the user’s risk score. The authoritative human in the loop can terminate the user’s session or elevate for further analysis.

Phase II

A prototype development and demonstration/evaluation.

The vendor will develop the prototype and demonstrate it to the UEBA, highlighting its ability to collect and interpret data. The demonstration shall also show the ability to display a user’s risk-score change based on behavioral anomalies while enabling the human in the loop to decide on access based on that alert.

Phase III

  • UEBA seeks to embed AI/ML pattern recognition into cybersecurity operations to automatically detect anomalous behavior in digital environments.
  • Regarding zero trust requirements, corporate research underscores that UEBA architecture inherently gives users a ZT solution, as it provides maximum network visibility into all users, devices, assets and entities.
  • Corporations and investors forecast that start-ups will augment current UEBA technology to include predictive analytics, creating “contextually aware” multimodal algorithms, and more robust interoperable and API infrastructure.
  • Current market applications, including start-up usage, for UEBA are:
    • Internet of Things (IoT) – UEBA can monitor both human activity on devices as well as anomalous behavior on connected devices.
    • Healthcare – Like IoT, the healthcare use case includes patient portals and securing hardware.
    • Finance – Track and flag suspicious behavior across a myriad of devices.

Submission Information

All eligible businesses must submit proposals by 12 PM, Eastern Time.

To view full solicitation details, click here.

For more information, and to submit your full proposal package, visit the DSIP Portal.

Applied SBIR Help Desk: usarmy.pentagon.hqda-asa-alt.mbx.army-applied-sbir-program@army.mil
