Second Data Driven Collaborative Security Workshop for High Performance Networks (DDCSW2) Welcome, Housekeeping and Background/Introduction Washington University in St Louis Charles F. Knight Executive Education Center 8:30-8:55 AM, August 17th, 2010 Joe St Sauver, Ph.D. ([email protected] or [email protected]) Internet2 Nationwide Security Programs Manager http://darkwing.uoregon.edu/~joe/ddcsw2-intro/


Second Data Driven Collaborative Security Workshop for High Performance Networks

(DDCSW2)

Welcome, Housekeeping and Background/Introduction

Washington University in St Louis
Charles F. Knight Executive Education Center

8:30-8:55 AM, August 17th, 2010

Joe St Sauver, Ph.D. ([email protected] or [email protected])
Internet2 Nationwide Security Programs Manager

http://darkwing.uoregon.edu/~joe/ddcsw2-intro/


Welcome to DDCSW2!

• It’s our pleasure to welcome you to the Second Data Driven Collaborative Security Workshop for High Performance Networks, held here at the Charles F. Knight Center for Executive Education on the beautiful Washington University in St Louis campus. We’re delighted to be here today!

• This workshop brings together a fairly unique mix of participants from higher education, the private sector, and government/law enforcement, and I think you’ll find that this mix results in some very interesting presentations and discussions.

• We’d like to thank all of you for attending and participating, and we’d like to take just a minute or two to thank all those who have helped make this workshop a reality!


DDCSW2 Program Committee: Thank You!

• Brian Allen, Washington U. - St. Louis

• Renee Frost, Internet2

• Tom Grasso, FBI/NCFTA

• Ken Klingenstein, Internet2

• John Kristoff, Team Cymru

• Sultan Meghji, St Louis Infragard

• Jose Nazario, Arbor Networks

• Gunter Ollmann, Damballa

• Michael O'Reirdan, Comcast, MAAWG

• Doug Pearson, REN-ISAC

• Joe St Sauver, Internet2/U. Oregon (Chair)

• Beth Young, Missouri R&E Network (MOREnet)


Our Speakers, Panelists and Breakout Leaders: We Wouldn’t Have This Meeting Without You!

• Brian Allen

• Manos Antonakakis

• Nick Byers

• Bill Darte

• Patrick Finn

• Stefan Frei

• Tom Grasso

• Seth Hall

• Ken Klingenstein

• John Kristoff

• Jose Nazario

• John S. Quarterman

• Joe St Sauver

• Paul Tatarsky

• Beth Young

• Wes Young

• Eric Ziegast

THANK YOU!


WUSTL and Internet2 Staff: Thank You!

• Washington University:

-- Brian Allen, Network Security Analyst
-- Andrew Ortstadt, Assoc. VC for Info. Services & Technology
-- Edward Welker, Director Network Services
-- Julie Wibbenmeyer, Sales Manager, Knight Center
-- Ted Wilkison, Conference Planning Manager

• Internet2:

-- Renee Frost, Director, Technology Transfer and Outreach
-- Ken Klingenstein, Senior Director, Middleware and Security
-- Marie Modrell, Asst Program Manager, Meeting Services
-- Steve Olshansky, Middleware and Security Flywheel
-- Joe St Sauver, Nationwide Security Programs Manager


Local Host Welcoming Remarks

It’s now my pleasure to introduce Andrew Ortstadt, Associate Vice Chancellor for Information Services and Technology at Washington University, who will now share some opening remarks as our local host.


Some Housekeeping Items


Terms of Engagement for This Workshop

• Workshop sessions are explicitly NOT confidential and presentations will be available (linked from the workshop agenda), so presenters are reminded to please NOT share any proprietary or “FOUO” information, nor any classified information, nor any information which might jeopardize ongoing investigations, prosecutions, or sources & methods

• Marketing-related presentations would be inappropriate

• There will be opportunities for participants to meet privately at the breaks or during meals, or in the evening

• No photography without the permission of those in the picture

• We’ll be audio recording the meeting solely for the purpose of faithfully capturing the content for a final report; the tapes will then be disposed of. It would be helpful if you’d identify yourself when commenting (unless you’d rather not be ID’d).


Wireless Access

• While attending DDCSW2, you’ll have access to WUSTL’s guest wireless access -- you should see it announced as “Guest WiFi-WUSTL” in your list of available wireless access points on your laptop. No authentication is required.

• Access to the WUSTL guest wireless network is subject to WUSTL’s Computer Use Policy; please see http://www.wustl.edu/policies/compolcy.html

• As always, it is a good idea to use end-to-end encryption or a VPN when transmitting sensitive information such as passwords via any wireless (or wired!) connection.

• If you’re using a system (such as a “travel only” laptop) that you don’t routinely use, please double check that it is patched up to date and running current antivirus software -- we want everyone to have a productive and problem free experience.


Session Locations, Meals, Coffee/Bio Breaks

• Most of our sessions will be here in room 210; breakouts will be here and/or Breakout Room 240, Breakout Room 255, or the Reed Courtyard, first come first served/weather permitting

• Continental breakfasts and coffee breaks will be in the 2nd Floor Break Area. Coffee and snacks should be available more or less continually during the meeting, although we also have a few formally scheduled break times you’ll see noted on the agenda.

• The lunch buffets will be in the Anheuser-Busch Main room

• Dinner will be on your own with colleagues tonight; as mentioned in the last minute information letter you were sent, you may want to check out the Delmar Loop, see http://www.ucityloop.com/


Structure of the Meeting

• The meeting will have a mixture of plenary presentations, breakout sessions, opportunities for discussion, plus a panel, as shown on the agenda. We’ll also have “lightning talks,” a “data flea market,” and evening BoFs.

-- Breakouts: there will be two breakout sessions, one today, and one tomorrow, with two different topics each time. We know you’ll be curious about what both groups come up with, so each breakout leader will satisfy your curiosity by briefly summarizing their group’s findings back in plenary session.

-- Lightning talks: these are quick five minute talks offered by participants on a topic related to the workshop. If you’re interested in doing a lightning talk, please send a note to [email protected] with a title and brief abstract as soon as possible. We’ll look over what you send in tonight and notify the six folks selected for tomorrow.


Structure of the Meeting (2)

-- Data Fleamarket: An opportunity for attendees to quickly introduce themselves and talk about data they have that may be of interest: “I have data about X, which we collect via Y, and deliver to users via Z” and the collaboration they'd like to encourage: “We're looking for more data of this sort” or “We'd like to invite additional people to use this data” or whatever.

-- PGP Key Signing: 5:10-5:30 at the end of today’s presentations. See the agenda for info on how to upload your key and participate.

-- Evening Birds of a Feather Sessions: 7-9 PM tonight. List your BoF topic or sign up for a BoF during the break this morning and/or this afternoon!

-- Time Management: As you may have noticed, we’ve got a full agenda, so I’m going to do my best to keep us on time. It’s nothing personal when I give you the hook. :-)


DDCSW Introduction/Background


A Little Workshop Background

• This is actually our second Internet2 Data Driven Collaborative Security Workshop -- the first one was at the University of Maryland Baltimore County last May, and reports from participants indicated that it went pretty well.

• Some have asked that we take just a few minutes to explain the premise for today’s workshop and to help set the stage for the next couple of days.

• One way to think about our workshop’s focus is as a “recipe card” for security.


A (Hokey) Metaphor: A “Recipe” For Security

SECURITY

Within the high performance networking community, combine all four key ingredients:

-- Data
-- Analysis
-- Collaboration
-- Action

Mix well, seasoning according to local taste and budget.

Makes one batch. Repeat daily.


Ingredient #1: Data

• As mentioned in the workshop announcement, today's systems and networks are subject to continual attacks including, inter alia, scans and intrusion attempts; spam, phishing and other unwanted email; viruses, trojan horses, worms, rootkits, spyware and other malware; distributed denial of service attacks; and attacks on critical protocols such as DNS, BGP and even IP itself.

• Successfully combating those attacks and other cyber threats requires hard data.

• Data may come from a variety of sources, including: honeypots and dark space telescopes; deep packet inspection appliances; netflow/sflow data collectors; intrusion detection systems; passive DNS monitoring; BGP route monitoring systems; system logs and SNMP data; or even abuse complaints and other human intelligence sources.


Ingredient #2: Analysis

• Once we have data available, we can analyze and better understand the phenomena we're experiencing.

• For instance, with data we may be able to:

-- identify botnet command and control hosts;
-- understand who's actually behind the spam that's flooding our users' accounts;
-- use one bad domain to find other, related, equally bad domains;
-- determine who's injecting more specific routes and hijacking our network prefixes;
-- make decisions about problematic network ranges, including the potential consequences of filtering traffic to/from those problematic ranges.

• Analysis presumes the availability of suitable tools and methods.


Ingredient #3: Collaboration

• But none of us can collect all the data that we'd like to have, nor that we need to have. We need to collaborate with each other by sharing data and other resources.

• Collaboration can be hard: data availability is often a matter of "feast or famine" -- we're either trying to "drink from the firehose" without drowning, or we can find ourselves in a position where getting access to any data at all, or at least the right data, can be quite difficult.

• Data management can also be daunting -- storing, searching, and effectively using terabytes of data is a non-trivial undertaking.

• Simply deciding on a format to use to store or share data can sometimes be more of a problem than one might think: should we use IETF-standardized formats? What then if a major provider uses their own proprietary format instead?


Ingredient #4: Action

• Data, analysis and collaboration ultimately enable action:

-- firewall administrators can filter attack traffic;
-- block list operators can list problematic IPs or domains;
-- law enforcement can initiate investigations;
-- wronged parties can file civil law suits;
-- ISPs can terminate problematic customers for cause; or
-- the community can even develop new protocols to address pressing concerns.

• And there are probably many other actions which the creative among you could also imagine.


What Happens If We Take Away An Ingredient?

• If we omit data, we're just guessing about what's going on. I may be getting DDoS'd, but I don't know how or from where.

• If we omit analysis, we may have data, but raw data is like raw pancake batter, it's hard to tell what to do with it. Data needs to be analyzed, or processed, to be made useful.

• If we omit collaboration, you and I may have wonderful discoveries, but collectively we may be repeatedly rediscovering fire while never figuring out how to use fire to melt metal to make tools and weapons. Information, correctly shared, increases its value. Information mis-shared can ruin irreplaceable sources and methods. So we must share, but we must do so very carefully.

• If we omit action, we may have done a glorious job collecting data and analyzing it, and sharing it, but to no effect. If nothing happens as a result of our work we should just have “slept in!”

• We need all the ingredients for the recipe.


Why Might “An Ingredient” Be Missing?

• Ingredients are at risk of being missing because of obstacles. For example, let’s consider just one fundamental ingredient, data:

-- “I’d love to have visibility into my IPv6 traffic, but I’m running Netflow v5, not V9, and V5 doesn’t know how to do IPv6.”
-- “I’d like to analyze the Conficker P2P channel, but it uses strong encryption which we haven’t yet been able to crack.”
-- “I tried to lookup the netblocks associated with IPs attacking my server, but my queries were blocked after the first <N>.”

We’d like to better understand all those sorts of obstacles, and the tools and techniques and collaborations and actions that are currently missing (or which may exist but need further work).

• In other cases, folks may not know about the work that others in the security community are already doing, or others who might be interested in the work that they’re doing. That’s one reason why we wanted to bring multiple communities together here today.


So Hopefully That Gives You Some Sense…

• …of what this workshop's about, and the fundamental challenge we'd like to address:

How can we better work together sharing data and analytical approaches, and thus make a difference when dealing with operational cyber security issues?

We believe that attendees will gain valuable new insights from the workshop, make useful professional contacts, and contribute to recommendations meant to facilitate future data-driven collaborative security initiatives.

• Ultimately, the workshop will result in a final report with findings and recommendations.


Are There Any Questions At This Point?

• If not, let’s dive into our first presentation.

• Please join me in welcoming Stefan Frei who will give us an introduction to the work that Secunia has been doing with PSI, the Secunia Personal Software Inspector.