REN-ISAC Security Event System (SES) APAN Future Internet Testbed Workshop January 2010

Page 1: REN-ISAC Security Event System (SES)

REN-ISAC Security Event System (SES)

APAN Future Internet Testbed Workshop, January 2010

Page 2: REN-ISAC Security Event System (SES)

REN-ISAC Mission

The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.

Page 3: REN-ISAC Security Event System (SES)

Membership

• Membership is open to colleges and universities, teaching hospitals, R&E network providers, and government-funded research organizations.

• The institution is the “member”, and is represented by a management representative who nominates one or more member representatives.

• Very specific job responsibility requirements define who is eligible to become a member representative.

• Membership is tiered (General and XSec). The tiers differ in criteria for membership, the degree of trust vetting, types of information shared within the tier, services, and the commitment-level of the institution.

Page 4: REN-ISAC Security Event System (SES)

Benefits of Membership

• Receive and share practical defense information in a private community of trusted members

• Establish relationships with known and trusted peers

• Have access to direct security services

• Benefit from information sharing relationships in the broad security community

• Benefit from vendor relationships, such as the REN-ISAC and Microsoft Security Cooperation Program relationship

• Participate in technical educational security webinars

• Participate in REN-ISAC meetings, workshops, & training

• Have access to the 24x7 REN-ISAC Watch Desk

• Have access to threat information resources ("data feeds") that can be used to identify local compromised machines, and to block known threats

Page 5: REN-ISAC Security Event System (SES)

Information Products

• Daily Watch Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~4000 notifications sent per month.

• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.

Page 6: REN-ISAC Security Event System (SES)

Relationships

• Internet2

• Internet2 SALSA

• Internet2 CSI2 Working Group

• Global Research NOC at IU

• EDUCAUSE

• Higher Education Information Security Council

• Private threat analysis and mitigation efforts

• Other sector ISACs

• National ISAC Council

• DHS/US-CERT and other national CERTs and CSIRTs

• Vendors

Page 7: REN-ISAC Security Event System (SES)

Security Event System(SES)

Page 8: REN-ISAC Security Event System (SES)

Credits

• SES is a project in the REN-ISAC community; inception was funded by a U.S. Department of Justice grant, and with the cooperation and support of:
– Internet2,
– Internet2 CSI2 WG,
– Barely3am Solutions,
– Indiana University,
– Carnegie Mellon University (relation to the EDDY project),
– Argonne National Laboratory (relation to Federated Model), and
– REN-ISAC members.

Page 9: REN-ISAC Security Event System (SES)

Idea

• Improve timely local protection against cyber security threat, by means of real-time sharing of security event information within a trusted federation, and among federations.

• At its root, not a new idea. Security event information is being shared now, in private and semi-private communities, and some public sources. But there are issues…

Page 10: REN-ISAC Security Event System (SES)

Issues with Current Methods

• Current methods are cumbersome
– Much reliance on e-mail
– Not easily automated, often requires the “human interrupt” signal
– Not structured for correlation

• Multiple non-standard data representations
– Not easily or consistently parsed or acted on
– Hard to determine confidence

• Long-term intelligence is difficult to obtain
– Data is hostage to our inboxes
– Difficulty of correlation
– Difficulty of coordinated or cooperative analysis

• Multiple federations
– Trust relationships
– Political and organizational boundaries

• Yields disincentives for sharing, and difficulty acting on shared intel

Page 11: REN-ISAC Security Event System (SES)

SES – In Its Simplest

• In a security information sharing federation, such as REN-ISAC,
– guided by policy and information sharing agreements,
– machine (aggregated) and human generated security event data
– is normalized to a standards-based data description, and
– through various supported secure interfaces,
– is submitted to the SES repository.

• Correlation is performed on the collected data,
– identifying “bad actors” and determining confidence.

• High confidence bad actor data
– is formed into a "detect these" feed, and
– analysts vet high-confidence bad actors into a "block these" feed.

• Participating sites pull down the "detect these" and "block these" feeds and apply local protections against the bad actors.
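The pipeline on this slide, as an added illustration that is not SES code: constructed event submissions from three sites are correlated per indicator, confidence is scored by the number of distinct reporting sites (an assumed 0..1 scale, full confidence at three sites), high-confidence indicators become the "detect these" feed, the analyst-vetted subset becomes "block these", and a participating site matches its own connection log against the block feed. Site names, event types, thresholds and log lines are all constructed.

```python
from collections import defaultdict

# Constructed sample of normalized events as submitted by participating sites:
# (submitting site, indicator, event type). Real SES carries these as IDMEF/IODEF.
EVENTS = [
    ("site-a", "198.51.100.7", "ssh-scanner"),
    ("site-b", "198.51.100.7", "ssh-scanner"),
    ("site-c", "198.51.100.7", "darknet"),
    ("site-a", "203.0.113.9", "vnc-honeypot"),
    ("site-a", "203.0.113.9", "vnc-honeypot"),   # repeat from the same site adds no corroboration
    ("site-b", "203.0.113.9", "darknet"),
    ("site-b", "192.0.2.44", "darknet"),
]

# Constructed local connection log at one participating site: "<time> <peer> -> <local>".
LOCAL_LOG = [
    "2010-01-20T10:00:01 198.51.100.7 -> 10.0.0.5:22",
    "2010-01-20T10:00:02 192.0.2.44 -> 10.0.0.6:5900",
    "2010-01-20T10:00:03 203.0.113.9 -> 10.0.0.7:5900",
]

def correlate(events, full_confidence_sites=3):
    """First-level correlation: group by indicator and score confidence by the
    number of distinct sites that independently reported it (assumed 0..1 scale)."""
    sites, kinds = defaultdict(set), defaultdict(set)
    for site, indicator, kind in events:
        sites[indicator].add(site)
        kinds[indicator].add(kind)
    return {
        ind: {"confidence": min(1.0, len(s) / full_confidence_sites),
              "sites": sorted(s), "types": sorted(kinds[ind])}
        for ind, s in sites.items()
    }

def build_feeds(correlated, detect_threshold=0.6, vetted=()):
    """'detect these' = high-confidence bad actors; 'block these' = the subset an
    analyst has vetted. An indicator not in the detect feed is never blocked."""
    detect = sorted(i for i, r in correlated.items() if r["confidence"] >= detect_threshold)
    block = sorted(i for i in detect if i in set(vetted))
    return detect, block

def apply_locally(block_feed, conn_log):
    """Participating-site side: flag local connection records whose peer is on
    the block feed (stand-in for pushing a firewall or IDS rule)."""
    blocked = set(block_feed)
    return [line for line in conn_log if line.split()[1] in blocked]

if __name__ == "__main__":
    detect, block = build_feeds(correlate(EVENTS), vetted=["198.51.100.7"])
    print("detect:", detect, "block:", block, "hits:", apply_locally(block, LOCAL_LOG))
```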

Page 12: REN-ISAC Security Event System (SES)

Discovery, Correlation, and Protection

Page 13: REN-ISAC Security Event System (SES)

Supported Data Types

• IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc.

• CIDR, either representing a miscreant-heavy address range, e.g. RBN, or as additional qualifying information

• ASN, as additional qualifying information

• DNS name, representing for example a botnet C&C

• URL, representing for example a malware download site

• E-mail address, for example a phishing Reply-To: address
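Typing and canonicalizing the data types listed above, as an added example and not SES code, so that the same indicator submitted by different sites in different spellings compares equal before correlation. The type labels, the ordering of checks and the canonical forms are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

ASN_RE = re.compile(r"^AS(\d+)$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
DNS_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def normalize(raw):
    """Return (type, canonical value) for one submitted indicator, or ("unknown", raw)."""
    v = raw.strip()
    m = ASN_RE.match(v)
    if m:                                   # ASN (qualifying info): "as64500" -> "AS64500"
        return "asn", "AS" + m.group(1)
    try:                                    # single host, v4 or v6, in compressed form
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "/" in v:
        try:                                # CIDR range or qualifier; host bits cleared
            return "cidr", str(ipaddress.ip_network(v, strict=False))
        except ValueError:
            pass
    parts = urlsplit(v)
    if parts.scheme in ("http", "https", "ftp") and parts.netloc:
        # URL: scheme and host are case-insensitive; path and query are kept exactly,
        # since they identify the malware download; the fragment is dropped
        return "url", urlunsplit((parts.scheme, parts.netloc.lower(),
                                  parts.path or "/", parts.query, ""))
    if EMAIL_RE.match(v):                   # e.g. a phishing Reply-To: address
        local, _, domain = v.rpartition("@")
        return "email", f"{local}@{domain.lower()}"  # only the domain part is case-insensitive
    name = v.lower().rstrip(".")            # DNS name: case-insensitive, drop trailing root dot
    if DNS_RE.match(name):
        return "dns", name
    return "unknown", v

if __name__ == "__main__":
    for sample in ("as64500", "2001:DB8::0001", "198.51.100.7/24",
                   "HTTP://Example.COM/dl/bot.exe", "Phisher@Example.ORG", "Cnc.Example.NET."):
        print(sample, "->", normalize(sample))
```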

Page 14: REN-ISAC Security Event System (SES)

Inside the Participating Site

Optional uses of SES data, and submissions to SES

Page 15: REN-ISAC Security Event System (SES)

Query/Submit Interface for the Security Analyst

Page 16: REN-ISAC Security Event System (SES)

Inter-Federation Sharing Across Policy Boundaries

Page 17: REN-ISAC Security Event System (SES)

Building a Solution

• Loosely based on concepts started with the ANL “Federated Model”

• Standards-based
– IETF IDMEF standard for representing security event messages in XML
– IETF IODEF standard for representing incidents in XML

• Extensions
– Understanding "Sites" (via ASN, CIDR)
– Understanding URIs
– Understanding "Federations"

• Open source; developed code, and integration/use of other tools

• Prelude SIM API and Prelude Manager for automated event submission and first-level data correlation

• Request Tracker for Incident Response (RT+IR) for incident (first-level correlated events, and human submitted) data, second-level correlation, security analyst interface, long-term tracking

• Interoperation with CMU EDDY (End-to-End Diagnostic Discovery)
– As an option for local event aggregation and transport

Page 18: REN-ISAC Security Event System (SES)

Phase I Solution

• Context of REN-ISAC trust federation

• Pilot deployment in REN-ISAC
– 6 sites currently submitting, primarily scanner type data, e.g. ssh, vnc honeypot, darknet, etc.

• Beta production in REN-ISAC, beginning 18-Feb
– Roll up pilot sites to production
– Accept “incident” level manual submissions by REN-ISAC members
– Begin accepting additional sites and types of automated submissions
– Work with members for use of the Block/Watch feeds

Page 19: REN-ISAC Security Event System (SES)

Building a Framework

• A framework for
– Intra- and inter-federation cooperation
– Incorporation of additional correlation and analysis tools
– Interface with systems that notify abuse contacts regarding infected systems, e.g. the REN-ISAC notification system
– Interface with systems that treat higher-level collections of incident information in a federated context

• Extending the framework
– Long term intelligence storage
– Threat analysis platform

Page 20: REN-ISAC Security Event System (SES)

What’s the meaning for the APAN FIT attendee?

• Similar event system implementations within national, regional, or collaboration-based federations?

• Inter-federation of the systems for global threat information sharing?

• Exploration of these ideas is defined in the TransPAC3 and ACE proposals to the U.S. National Science Foundation

Page 21: REN-ISAC Security Event System (SES)

Contacts and References

• Doug Pearson– [email protected]

• Wes Young– [email protected]

• SES public web page– http://www.ren-isac.net/ses