REN-ISAC Security Event System (SES). APAN Future Internet Testbed Workshop January 2010. REN-ISAC Mission. - PowerPoint PPT Presentation
REN-ISAC Security Event System (SES)
APAN Future Internet Testbed Workshop, January 2010
REN-ISAC Mission
The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.
Membership
• Membership is open to colleges and universities, teaching hospitals, R&E network providers, and government-funded research organizations.
• The institution is the “member”, and is represented by a management representative who nominates one or more member representatives.
• Very specific job responsibility requirements define who is eligible to become a member representative.
• Membership is tiered (General and XSec). The tiers differ in criteria for membership, the degree of trust vetting, types of information shared within the tier, services, and the commitment-level of the institution.
Benefits of Membership
• Receive and share practical defense information in a private community of trusted members
• Establish relationships with known and trusted peers
• Have access to direct security services
• Benefit from information sharing relationships in the broad security community
• Benefit from vendor relationships, such as the REN-ISAC and Microsoft Security Cooperation Program relationship
• Participate in technical educational security webinars
• Participate in REN-ISAC meetings, workshops, & training
• Have access to the 24x7 REN-ISAC Watch Desk
• Have access to threat information resources ("data feeds") that can be used to identify local compromised machines, and to block known threats
Information Products
• Daily Watch Report provides situational awareness.
• Alerts provide critical and timely information concerning new or increasing threat.
• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~4000 notifications sent per month.
• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.
• Advisories inform regarding specific practices or approaches that can improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.
• Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.
Relationships
• Internet2
• Internet2 SALSA
• Internet2 CSI2 Working Group
• Global Research NOC at IU
• EDUCAUSE
• Higher Education Information Security Council
• Private threat analysis and mitigation efforts
• Other sector ISACs
• National ISAC Council
• DHS/US-CERT and other national CERTs and CSIRTs
• Vendors
Security Event System (SES)
Credits
• SES is a project in the REN-ISAC community; inception was funded by a U.S. Department of Justice grant, and with the cooperation and support of:
– Internet2,
– Internet2 CSI2 WG,
– Barely3am Solutions,
– Indiana University,
– Carnegie Mellon University (relation to the EDDY project),
– Argonne National Laboratory (relation to Federated Model), and
– REN-ISAC members.
Idea
• Improve timely local protection against cyber security threat, by means of real-time sharing of security event information within a trusted federation, and among federations.
• At its root, not a new idea. Security event information is being shared now, in private and semi-private communities, and some public sources. But there are issues…
Issues with Current Methods
• Current methods are cumbersome
– Much reliance on e-mail
– Not easily automated, often requires the “human interrupt” signal
– Not structured for correlation
• Multiple non-standard data representations
– Not easily or consistently parsed or acted on
– Hard to determine confidence
• Long-term intelligence is difficult to obtain
– Data is hostage to our inboxes
– Difficulty of correlation
– Difficulty of coordinated or cooperative analysis
• Multiple federations
– Trust relationships
– Political and organizational boundaries
• Yields disincentives for sharing, and difficulty acting on shared intel
SES – In Its Simplest
• In a security information sharing federation, such as REN-ISAC,
– guided by policy and information sharing agreements,
– machine (aggregated) and human generated security event data
– is normalized to a standards-based data description, and
– through various supported secure interfaces,
– is submitted to the SES repository.
• Correlation is performed on the collected data,
– identifying “bad actors” and determining confidence.
• High confidence bad actor data
– is formed into a "detect these" feed, and
– analysts vet high-confidence bad actors into a "block these" feed.
• Participating sites pull down the "detect these" and "block these" feeds and apply local protections against the bad actors.
Discovery, Correlation, and Protection
Supported Data Types
• IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc.
• CIDR, either representing a miscreant-heavy address range, e.g. RBN, or as additional qualifying information
• ASN, as additional qualifying information
• DNS name, representing for example a botnet C&C
• URL, representing for example a malware download site
• E-mail address, for example a phishing Reply-To: address
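Putting the "In Its Simplest" flow together over the data types just listed, as an added example that is not REN-ISAC's or SES's own code: submissions from several sites are classified by indicator type, canonicalized so the same bad actor lines up across sites, correlated inside a time window, scored, and split into a "detect these" feed and an analyst-vetted "block these" feed that a participating site can then check local traffic against. The site names, sample submissions, the confidence rule (more independent reporting sites within seven days means higher confidence), the 0.7 detect threshold and the vetted set are all constructed assumptions, not SES parameters.

```python
"""Toy SES-style pipeline: normalize submissions, correlate, emit feeds.
Added example, not REN-ISAC/SES code; the sites, submissions, confidence
rule and thresholds are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

_PARSERS = (("ip", ipaddress.ip_address),
            ("cidr", lambda s: ipaddress.ip_network(s, strict=False)))

def classify_indicator(value: str) -> str:
    """Map a raw indicator onto the data types SES accepts (assumed tests)."""
    v = value.strip()
    if re.fullmatch(r"AS\d+", v, re.I):
        return "asn"
    if "://" in v:
        return "url"
    if "@" in v:
        return "email"
    for kind, parse in _PARSERS:  # a bare address is tried as "ip" before "cidr"
        try:
            parse(v)
            return kind
        except ValueError:
            continue
    if len(v) <= 253 and re.fullmatch(r"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", v, re.I):
        return "dns"
    raise ValueError(f"unsupported indicator: {value!r}")

def normalize(site, value, category, ts):
    """One canonical spelling per indicator so reports from different sites line up."""
    kind = classify_indicator(value)
    v = value.strip()
    if kind in ("ip", "cidr"):
        v = str(dict(_PARSERS)[kind](v))
    elif kind in ("dns", "email"):
        v = v.lower()  # URLs are left as submitted: paths may be case-sensitive
    return {"site": site, "type": kind, "value": v, "category": category,
            "ts": datetime.fromisoformat(ts)}

def confidence_from_sites(n: int) -> float:
    """Assumed rule: confidence grows with the number of independent reporting sites."""
    return {0: 0.0, 1: 0.4, 2: 0.7}.get(n, 0.9)

def correlate(events, now, window=timedelta(days=7)):
    """Group reports per indicator inside the window; stale reports are ignored."""
    seen = defaultdict(lambda: {"type": None, "sites": set(), "categories": set()})
    for e in events:
        if now - e["ts"] > window:
            continue
        rec = seen[e["value"]]
        rec["type"] = e["type"]
        rec["sites"].add(e["site"])
        rec["categories"].add(e["category"])
    for rec in seen.values():
        rec["confidence"] = confidence_from_sites(len(rec["sites"]))
    return dict(seen)

def build_feeds(correlated, vetted, detect_threshold=0.7):
    """'detect these' is automatic; 'block these' additionally needs analyst vetting."""
    detect = sorted(v for v, r in correlated.items() if r["confidence"] >= detect_threshold)
    return detect, [v for v in detect if v in vetted]

def is_blocked(addr: str, block_feed) -> bool:
    """A site's local check against the pulled 'block these' feed (IPs and CIDRs)."""
    ip = ipaddress.ip_address(addr)
    for entry in block_feed:
        kind = classify_indicator(entry)
        if kind == "ip" and ip == ipaddress.ip_address(entry):
            return True
        if kind == "cidr" and ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

# Constructed sample submissions: (site, indicator, category, timestamp).
SAMPLE_SUBMISSIONS = [
    ("siteA", "192.0.2.10", "ssh-scanner", "2010-01-20T08:00:00"),
    ("siteB", "192.0.2.10", "ssh-scanner", "2010-01-20T08:05:00"),
    ("siteC", "192.0.2.10", "darknet", "2010-01-20T09:30:00"),
    ("siteD", "192.0.2.10", "ssh-scanner", "2010-01-05T12:00:00"),  # stale, outside window
    ("siteA", "C2.example.org", "botnet-c2", "2010-01-21T03:00:00"),
    ("siteD", "c2.example.org", "botnet-c2", "2010-01-21T04:00:00"),
    ("siteB", "203.0.113.0/24", "miscreant-range", "2010-01-19T00:00:00"),
    ("siteC", "203.0.113.0/24", "miscreant-range", "2010-01-21T00:00:00"),
    ("siteB", "phish-reply@example.net", "phishing-replyto", "2010-01-21T05:00:00"),
    ("siteC", "http://malware.example.org/dl.exe", "malware-url", "2010-01-21T06:00:00"),
]

def run_example(now=datetime(2010, 1, 22), vetted=frozenset({"192.0.2.10", "203.0.113.0/24"})):
    correlated = correlate([normalize(*row) for row in SAMPLE_SUBMISSIONS], now)
    detect, block = build_feeds(correlated, vetted)
    return correlated, detect, block

if __name__ == "__main__":
    correlated, detect, block = run_example()
    for value, rec in sorted(correlated.items()):
        print(f"{value:36} {rec['type']:5} sites={len(rec['sites'])} conf={rec['confidence']}")
    print("detect these:", detect, "\nblock these:", block)
    print("203.0.113.77 blocked?", is_blocked("203.0.113.77", block))
```

With the constructed data, 192.0.2.10 is seen by three sites inside the window (the fourth, stale report is dropped) and reaches the detect feed together with the C&C name and the miscreant range; only the two entries an analyst vetted reach the block feed, and the CIDR entry makes a single address inside that range match at the participating site.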
Inside the Participating Site
Optional uses of SES data, and submissions to SES
Query/Submit Interface for the Security Analyst
Inter-Federation Sharing Across Policy Boundaries
Building a Solution
• Loosely based on concepts started with the ANL “Federated Model”
• Standards-based
– IETF IDMEF standard (RFC 4765) for representing security event messages in XML
– IETF IODEF standard (RFC 5070) for representing incidents in XML
• Extensions
– Understanding "Sites" (via ASN, CIDR)
– Understanding URIs
– Understanding "Federations"
• Open source; developed code, and integration/use of other tools
• Prelude SIM API and Prelude Manager for automated event submission and first-level data correlation
• Request Tracker for Incident Response (RT+IR) for incident (first-level correlated events, and human submitted) data, second-level correlation, security analyst interface, long-term tracking
• Interoperation with CMU EDDY (End-to-End Diagnostic Discovery)
– As an option for local event aggregation and transport
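As an added example of the "standards-based data description" step, here is what one darknet scanner report looks like as an IDMEF Alert (RFC 4765), built and then parsed back with Python's standard library. This is not SES or Prelude code; the analyzer id, message id, addresses, port and the 0.8 confidence are constructed, while the element order (Analyzer, CreateTime, Classification, Source, Target, Assessment), the required ntpstamp attribute and the attribute vocabularies follow the RFC.

```python
"""Build and parse an RFC 4765 IDMEF Alert for a scanner event.
Added example, not SES or Prelude code; ids, addresses and confidence
are constructed, the element set follows the RFC 4765 DTD."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
EXAMPLE_CREATED = datetime(2010, 1, 20, 8, 0, 0, tzinfo=timezone.utc)  # constructed

def q(tag: str) -> str:
    """Namespace-qualify an IDMEF tag for ElementTree."""
    return f"{{{IDMEF_NS}}}{tag}"

def ntpstamp(dt: datetime) -> str:
    """IDMEF ntpstamp attribute: seconds since 1900 as 32-bit hex, zero fraction."""
    secs = int((dt.astimezone(timezone.utc) - NTP_EPOCH).total_seconds())
    return f"0x{secs:08x}.0x00000000"

def _node_address(parent, ip: str):
    node = ET.SubElement(parent, q("Node"))
    address = ET.SubElement(node, q("Address"), category="ipv4-addr")
    ET.SubElement(address, q("address")).text = ip

def build_idmef_alert(message_id, analyzer_id, created, source_ip, target_ip,
                      target_port, classification, confidence):
    """Alert children in RFC 4765 order: Analyzer, CreateTime, Classification,
    Source*, Target*, Assessment."""
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=message_id)
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    ct = ET.SubElement(alert, q("CreateTime"), ntpstamp=ntpstamp(created))
    ct.text = created.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(alert, q("Classification"), text=classification)
    _node_address(ET.SubElement(alert, q("Source")), source_ip)
    target = ET.SubElement(alert, q("Target"))
    _node_address(target, target_ip)
    ET.SubElement(ET.SubElement(target, q("Service")), q("port")).text = str(target_port)
    assessment = ET.SubElement(alert, q("Assessment"))
    # A scan is reconnaissance that did not succeed against the target.
    ET.SubElement(assessment, q("Impact"), severity="low", completion="failed", type="recon")
    ET.SubElement(assessment, q("Confidence"), rating="numeric").text = f"{confidence:.2f}"
    return ET.tostring(root, encoding="unicode")

def parse_idmef_alert(xml_text: str) -> dict:
    """Pull the fields a correlator needs back out of an IDMEF message."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    if alert is None:
        raise ValueError("not an IDMEF Alert")
    addr_path = f"{q('Node')}/{q('Address')}/{q('address')}"
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find(q("Analyzer")).get("analyzerid"),
        "created": alert.findtext(q("CreateTime")),
        "classification": alert.find(q("Classification")).get("text"),
        "source_ip": alert.findtext(f"{q('Source')}/{addr_path}"),
        "target_ip": alert.findtext(f"{q('Target')}/{addr_path}"),
        "target_port": int(alert.findtext(f"{q('Target')}/{q('Service')}/{q('port')}")),
        "confidence": float(alert.findtext(f"{q('Assessment')}/{q('Confidence')}")),
    }

def run_example():
    xml_text = build_idmef_alert("ses-0001", "darknet-sensor-1", EXAMPLE_CREATED,
                                 "192.0.2.10", "203.0.113.5", 22, "ssh-scan", 0.8)
    return xml_text, parse_idmef_alert(xml_text)

if __name__ == "__main__":
    xml_text, parsed = run_example()
    print(xml_text)
    print(parsed)
```

The round trip is the point: once every site's sensor output is reduced to the same Source/Target/Classification/Confidence fields, the correlation step has something it can key on, which is exactly what e-mailed free-text reports lack.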
Phase I Solution
• Context of REN-ISAC trust federation
• Pilot deployment in REN-ISAC
– 6 sites currently submitting, primarily scanner type data, e.g. ssh, vnc honeypot, darknet, etc.
• Beta production in REN-ISAC, beginning 18-Feb
– Roll up pilot sites to production
– Accept “incident” level manual submissions by REN-ISAC members
– Begin accepting additional sites and types of automated submissions
– Work with members for use of the Block/Watch feeds
Building a Framework
• A framework for
– Intra- and inter-federation cooperation
– Incorporation of additional correlation and analysis tools
– Interface with systems that notify abuse contacts regarding infected systems, e.g. the REN-ISAC notification system
– Interface with systems that treat higher-level collections of incident information in a federated context
• Extending the framework
– Long-term intelligence storage
– Threat analysis platform
What’s the meaning for the APAN FIT attendee?
• Similar event system implementations within national, regional, or collaboration-based federations?
• Inter-federation of the systems for global threat information sharing?
• Exploration of these ideas is defined in the TransPAC3 and ACE proposals to the U.S. National Science Foundation
Contacts and References
• Doug Pearson – [email protected]
• Wes Young – [email protected]
• SES public web page – http://www.ren-isac.net/ses