LIGHTS is intended to provide its members maximum visibility into and control of their cyber systems with the lightest possible budgetary and operational footprint. The program uses Open Source tools to provide members the lowest cost option which meets operational needs. Product and service providers work with the program to make their commercial offerings affordable and effective for LIGHTS members.
The LIGHTS architecture is built on a common capabilities model implemented at member facilities. One or more Open Source LIGHTS Sensors are installed at member sites to provide the cybersecurity capabilities included in this common model. Members can chose to use commercial versions of the LIGHTS Sensor or compatible toolsets which meet the requirements of the capability model.
Major areas of functionality of the LIGHTS Common Capabilities Model include:
- Network Monitoring
- Packet Capture
- Information Correlation
- Intrusion Detection
- Asset Inventory
- Policy Reporting
- Policy Enforcement
LIGHTS members can choose to operate their LIGHTS Sensor independently, or to have a LIGHTS Certified Managed Security Services Provider (MSSP) manage daily operations for them. LIGHTS MSSPs offer subscription services a fraction of the cost of adding operational staff and bring other benefits to the member organizations. LIGHTS MSSPs maintain 7×24 Security Operation Centers (SOCs) where analysts monitor the security of client facilities. These MSSPs bring expertise gained managing multiple sites as well as interconnection with regional, national and global centers of expertise.
LIGHTS members have the option of engaging with private and/or public Tactical Analysis Centers (TACs). Best practices, incident information, coordination of response to active threats and other benefits to member organizations are aggregated by LIGHTS MSSPs and applied to the active defense of member facilities.
Members can choose to allow appropriate anonymized metadata representing cybersecurity metrics observed at their facilities to be shared with some, all, or none of these TACs. Where members are able to share some amount of their real world experience the ability of their sector and the broader community to defeat cyber attacks and improve operational efficiencies benefits.