CYBEX - The Cybersecurity Information Exchange Framework
Tony Rutkowski, [email protected], Rapporteur, ITU-T Cybersecurity Rapporteur Group


  • Slide 1
    CYBEX - The Cybersecurity Information Exchange Framework
    Tony Rutkowski, [email protected]
    Rapporteur, ITU-T Cybersecurity Rapporteur Group
    EVP, Yaana Technologies
    Senior Fellow, Georgia Tech, Sam Nunn School, Center for International Strategy, Technology, and Policy (CISTP)
    Version 2.1
  • Slide 2
    What is the Cybersecurity Information Exchange Framework (CYBEX)?
    • A global initiative to identify a set of platform specifications to facilitate the trusted exchange of information among responsible parties worldwide, supporting cybersecurity for:
      • Infrastructure protection
      • Incident analysis and response
      • Law enforcement and judicial forensics
    • Enhances the availability, interoperability, and usefulness of these platforms
    • Extensible use of best-of-breed open cybersecurity information exchange platforms
    • Facilitated by the Cybersecurity Rapporteur Group of ITU-T (Q.4/17)
    • ITU-T Recommendations during 2010-2011, with continuing evolution to current user community versions and needs
  • Slide 3
    What is cybersecurity?
    (Diagram: four groups of measures, with arrows showing how each feeds the next. Groupings below are recovered from the slide text.)
    • 1. Measures for protection
      • Encryption/VPNs, esp. for signalling
      • Resilient infrastructure
      • Routing & resource constraints
      • Network/application state & integrity
      • Identity Management
      • Data retention and auditing
    • 2. Measures for threat detection
      • Real-time data availability
      • Forensics & heuristics analysis
      • (protection measures "provide data for analysis"; the link between 1 and 2 is information exchange for analysis)
    • 3. Measures for thwarting and other remedies
      • Blacklists & whitelists
      • Vulnerability notices
      • Patch development
      • Investigation & measure initiation
      • Deny resources
      • (detection "provides basis for actions"; the link between 2 and 3 is information exchange for actions; remedies "provide awareness of vulnerabilities and remedies" back to protection)
    • 4. Legal Remedies
      • Contractual service agreements and federations
      • Intergovernmental agreements and cooperation
      • Tort & indemnification
      • Regulatory/administrative law
      • Criminal law
      • Reputation sanctions
      • (legal remedies may also institute protective measures)
  • Slide 4
    The CYBEX Initiative: basic model for information exchange
    (Diagram: two Cybersecurity Organizations exchanging information; CYBEX covers only the exchange between them.)
    • Cybersecurity information acquisition (out of scope) -> Cybersecurity Organization A
    • CYBEX focus, on each side of the exchange:
      • Structure information
      • Identify & discover cybersecurity information and organizations
      • Requesting & responding with cybersecurity information
      • Trusted exchange of cybersecurity information
    • Cybersecurity Organization B -> Cybersecurity information use (out of scope)
  • Slide 5
    Structured Information: exchange clusters
    (Diagram; the legend distinguishes specifications that are imported, new, or referenced, but the colour coding is not recoverable from the text.)
    • Vulnerability/State Exchange Cluster
      • CWE: Common Weakness Enumeration
      • CCE: Common Configuration Enumeration
      • ARF: Assessment Results Format
      • CVE: Common Vulnerabilities and Exposures
      • CVSS: Common Vulnerability Scoring System
      • SCAP (SP800-126): Security Content Automation Protocol
      • CWSS: Common Weakness Scoring System
      • XCCDF: eXtensible Configuration Checklist Description Format
      • OVAL: Open Vulnerability and Assessment Language
      • CPE: Common Platform Enumeration
    • Event/Incident/Heuristics Exchange Cluster
      • CEE: Common Event Expression
      • IODEF (RFC5070): Incident Object Description Exchange Format
      • CAPEC: Common Attack Pattern Enumeration and Classification
      • MAEC: Malware Attribution Enumeration and Characterization
      • Black/Whitelist Exchange Format
      • Specific events:
        • X.gridf: SmartGrid Incident Exchange Format
        • PFOC: Phishing, Fraud, and Other Non-Network Layer Reports
    • LEA/Evidence Exchange Cluster
      • TS102232: Handover Interface and Service-Specific Details (SSD) for IP delivery
      • TS102657: Handover interface for the request and delivery of retained data
      • RFC3924: Architecture for Lawful Intercept in IP Networks
      • TS23.271: Handover for Location Services
      • X.dexf: Digital Evidence Exchange File Format
      • ERDM: Electronic Discovery Reference Model
    • Exchange Terms and Conditions
      • X.cybex-tc: Cyber information terms and condition exchange format
  • Slide 6
    Discovery and Trusted Exchange
    (Diagram; legend as on the previous slide: imported, new, referenced.)
    • Identity Trust Cluster
      • X.evcert: Extended Validation Certificate
      • TS102042 V.2.0: Policy requirements for certification authorities issuing public key certificates
      • X.eaa: Entity authentication assurance
    • Discovery Cluster
      • X.cybex.1: An OID arc for cybersecurity information exchange
      • X.cybex-disc: OID-based discovery mechanisms in the exchange of cybersecurity information
      • X.cybex.2: XML namespace in the Exchange of Cybersecurity Information
    • Exchange Cluster
      • X.chirp: Cybersecurity Heuristics and Information Request Protocol
      • X.cybex-beep: BEEP Profile for Cybersecurity Information Exchange Framework
      • X.cybex-tp: Transport protocols supporting cybersecurity information exchange
    • LEA/Evidence Exchange
      • TS102232-1: Handover Interface and Service-Specific Details (SSD) for IP delivery
  • Slide 7
    A Cybersecurity Namespace
    • Trusted global cybersecurity information exchange requires identifiers for:
      • The parties and other objects involved in the exchanges
      • The information exchanged
      • The terms and conditions associated with the exchanged information
    • A global cybersecurity namespace is part of CYBEX and is described in draft Rec. ITU-T X.cybex.1
    • The OID namespace 2.48 has been reserved for this purpose by joint ISO|IEC JTC1 SC6 and ITU SG17 action
    • OID namespaces:
      • Are hierarchical and enable autonomous distributed management
      • Were developed for, and have been used for, these kinds of purposes for the past 30 years
      • Can also be used to meet the new ETSI TC LI Dynamic Triggering requirement for a global identifier for warrants and related needs
  • Slide 8
    Architecture (TBD): A Global Cybersecurity Namespace
    (Diagram: OID tree. Root arcs 0 = ITU-T|ITU-R, 1 = ISO, 2 = Joint ITU-T & ISO; under arc 2, 48 = cybersecurity.)
    • 2.48 has three sub-arcs, 0, 1 and 2, labelled on the slide as: [Allocated by ITU-T SG17], [Allocated by ISO|IEC JTC1 SC6], and [jointly allocated by ITU-T SG17 and ISO|IEC JTC1 SC6]
    • Every country has a numeric identifier automatically reserved in the OID 2.48 cybersecurity namespace, e.g. 4 Afghanistan, 250 France, 756 Suisse, 840 USA, ...
    • Non-country organizations can also be allocated identifiers (nnn FIRST, ...)
    • Each country, organization, or subdivision allocates namespaces and levels below its arc as desired
  • Slide 9
    Use of the OID cybersecurity namespace: an example
    • Cybersecurity Organization 2.48.1.756.3 [hypothetical Swiss agency]
      • Incident: 2.48.1.756.3.1.[local identifier]
      • Terms & conditions: 2.48.1.756.3.2.[local identifier]
    • Cybersecurity Organization 2.48.1.250.2 [hypothetical French agency]
      • Incident: 2.48.1.756.3.1.[local identifier]
      • Terms & conditions: 2.48.1.756.3.2.[local identifier]
    • The namespace identifiers need not be publicly exposed, only unique and consistent within the namespace
    • Local agency and community identifiers can continue to be used
    • Ensures a coherent ability to know who is involved, specific identification of the information, and expected treatment policies
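The two namespace slides above (the 2.48 arc and the hypothetical Swiss agency example) are easier to reason about with code that builds, validates and wire-encodes such identifiers. The following is an added example, not code from the presentation or from any ITU-T Recommendation: it takes the seven-arc layout 2.48.1.<country>.<agency>.<object type>.<local identifier> and the object types 1 = incident, 2 = terms & conditions straight from the example slide, and assumes (as the slide does) that ISO 3166-1 numeric country codes sit under 2.48.1; the agency numbers and local identifiers are constructed. It also DER-encodes the OID, which shows a detail the slides do not: because the first two arcs are packed as 40*X + Y, the 2.48 root becomes the value 128 and needs two bytes (81 00) rather than one.

```python
"""Build, parse and DER-encode identifiers in the 2.48 cybersecurity OID arc,
following the layout of the slide's example (added example, not CYBEX code):
    2.48.1.<country>.<agency>.<object type>.<local identifier>
Assumptions: country = ISO 3166-1 numeric code under 2.48.1 (as in the slide's
756 Switzerland / 250 France example), agency numbers are hypothetical, and
object type 1 = incident, 2 = terms & conditions (read off slide 9)."""
from dataclasses import dataclass

CYBEX_PREFIX = (2, 48, 1)  # joint-iso-itu-t(2) cybersecurity(48), sub-arc 1 as in the slide
OBJECT_TYPES = {1: "incident", 2: "terms-and-conditions"}  # from the example slide


@dataclass(frozen=True)
class CybexOid:
    country: int      # ISO 3166-1 numeric code, e.g. 756 (Switzerland)
    agency: int       # agency number inside the country's arc (hypothetical)
    object_type: int  # 1 = incident, 2 = terms & conditions
    local_id: int     # identifier assigned locally by the agency

    def dotted(self) -> str:
        arcs = CYBEX_PREFIX + (self.country, self.agency, self.object_type, self.local_id)
        return ".".join(str(a) for a in arcs)

    def kind(self) -> str:
        return OBJECT_TYPES[self.object_type]


def parse_cybex_oid(text: str) -> CybexOid:
    """Split a dotted OID and check it has the slide's seven-arc shape."""
    try:
        arcs = tuple(int(a) for a in text.strip().split("."))
    except ValueError:
        raise ValueError(f"not a dotted OID: {text!r}") from None
    if len(arcs) != 7 or arcs[:3] != CYBEX_PREFIX or any(a < 0 for a in arcs):
        raise ValueError(f"not a 2.48.1 country-arc identifier: {text!r}")
    if arcs[5] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {arcs[5]} in {text!r}")
    return CybexOid(country=arcs[3], agency=arcs[4], object_type=arcs[5], local_id=arcs[6])


def _base128(value: int) -> bytes:
    """One sub-identifier in base 128, high bit set on every byte but the last."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid_der(dotted: str) -> bytes:
    """DER-encode any dotted OID as tag 0x06. The first two arcs are packed as
    40*X + Y; for 2.48 that is 128, which needs the two bytes 81 00."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] not in (0, 1, 2) or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid root arcs in {dotted!r}")
    body = b"".join(_base128(v) for v in [40 * arcs[0] + arcs[1]] + arcs[2:])
    return b"\x06" + _der_length(len(body)) + body


def decode_oid_der(der: bytes) -> str:
    """Inverse of encode_oid_der; handles short- and long-form lengths."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    if der[1] < 0x80:
        length, pos = der[1], 2
    else:
        n = der[1] & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    body = der[pos:pos + length]
    if len(body) != length or not body or body[-1] & 0x80:
        raise ValueError("truncated or unterminated OID body")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


if __name__ == "__main__":
    oid = CybexOid(country=756, agency=3, object_type=1, local_id=42)  # constructed
    der = encode_oid_der(oid.dotted())
    print(oid.dotted(), oid.kind(), der.hex(), decode_oid_der(der))
```

The parser deliberately rejects anything outside the seven-arc country layout, so an identifier from a non-country organization arc or an unknown object type fails early instead of being silently mapped onto the wrong agency; the DER round trip is what a receiver would use when the OID arrives inside an ASN.1 structure rather than as dotted text.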
  • Slide 10
    The cybersecurity problems are about to get much worse
    • Cloud services and SmartGrids create potentially significant new cybersecurity threats with far-reaching consequences
    • Public services are being pushed into the marketplace with:
      • No regulation
      • No standards
      • No international agreements
      • Availability of massive network data center resources, with little understanding of the cybersecurity dimensions, much less effective solutions
  • Slide 11
    Will history repeat itself?
    • Similar kinds of cybersecurity challenges were faced a hundred years ago:
      • Fast-paced new network technology emerged
      • Networks became global in scope
      • Harmful incidents were rapidly scaling
      • Governments did not intervene, to avoid harm to innovation
      • The sinking of the Titanic in 1912 finally motivated global action
    • Every new network technology has faced similar challenges:
      • The 1980s OSI Internet had public infrastructure security solutions, but lacked innovation
      • The 1990s TCP/IP academic Internet had no public infrastructure security solutions, but was great for innovation
    • Criminals, hackers, terrorists, and miscreants are also innovative and have many incentives
    • CYBEX assembles the open, extensible, technology-neutral capabilities that have proven essential for public network infrastructure/service cybersecurity, in different forms, over the past hundred years