1 / 17

Federated Defenses and Watching Each Other’s Back

Federated Defenses and Watching Each Other’s Back. Scott Pinkerton (pinkerton@anl.gov) Argonne National Laboratory National Laboratory Information Technology Summit 2009 June 2, 2009. Diverse population: 3,000 employees 10,000+ visitors annually Off-site computer users

gino
Download Presentation

Federated Defenses and Watching Each Other’s Back

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federated Defenses and Watching Each Other’s Back Scott Pinkerton (pinkerton@anl.gov) Argonne National Laboratory National Laboratory Information Technology Summit 2009 June 2, 2009

  2. Diverse population: 3,000 employees 10,000+ visitors annually Off-site computer users Foreign national employees, users, and collaborators Diverse funding: Not every computer is a DOE computer. IT is funded in many ways. Every program is working in an increasingly distributed computing model. Our goal: a consistent and comprehensively secure environment that effectively balances science and cyber security requirements. Argonne National Laboratory IT Environment Challenges Argonne is managed by the UChicago Argonne LLC for the Department of Energy.

  3. Emphasis on the Synergies of Multi-Program Science, Engineering & Applications FundamentalPhysics AcceleratorResearch InfrastructureAnalysis ComputationalScience MaterialsCharacterization Catalysis Science TransportationScience NuclearFuel Cycle User Facilities StructuralBiology ... and much more.

  4. A Comprehensive Cyber Security Program

  5. A Risk Based Approach to Cyber Security

  6. What is the Federated Model for Cyber Security ? • Framework for sharing actionable information about threats and hostilities occurring right now • Virtual neighborhood watch • Collection of software tools allowing a site to: • Learn about active hostilities from other sites in near real-time • Do something about it – E.g. block an IP address, block outbound access to a web URL, block or copy in-bound e-mails, interrupt DNS look-ups • Requires a foundation of TRUST

  7. What is it – For the Techies • Set of XML schemas (based on IDMEF standards – RFC 4765) • IP address • DNS domain name • Revocation (unblock an IP address) • E-mail address (coming soon) • URL (coming soon) • Set of Perl scripts that support: • Upload and download of encrypted XML files • Block an IP address in a FW • Block an IP address with a BGP null route (requires a router), etc • Web Portal to support coordination • Sharing pgp keys • Sharing local detection algorithms & tools • Sharing white list info, etc

  8. Maps nicely into NIST controls and Best Practices

  9. Cyber Defenses – Business as Usual • Local detection methods apply • Local response actions apply • Every single site learns via “school of hard knocks”

  10. Cyber Defenses – Using the Federated Model • Local & distributed detection methods apply • Local response decisions apply • Only one site learns via “school of hard knocks” (ideally) • Based on an assumption that hostilities occur across related sites

  11. How much data ?

  12. Overlap

  13. Value Proposition of Participating • Note: Not a silver bullet – just one piece of a successful cyber security program • Neighborhood watch programs requires only one site to experience the pain of an attempted exploit • Access to variety of software tools that assist with the automation of actions • Sites still retain local controls – share your information with sites you choose; information shared is merely advice; local decision still on what to do with the intel • This infrastructure prepares us for future response strategies & techniques – bad guys are adapting -- we better be • Improves OODA loop

  14. Unique Challenges and Mitigations • Sharing data has potential for Federated (group) response – double edged sword • Great when stopping “bad guy” • Greater risk against legit science work • False positives – oops are magnified (a lot) • Revocation: used to rewind reported data • Due to false positive; typo – whatever • Important legit site for some members • Adding QA functions to notify on local and global white lists • Integration into varied local systems and processes • When to take action locally based on Federated data, how severe, weighted approach

  15. How to Get Involved • Think about how you would like to speed up your OODA loop • Observe, orient, decide, act • Automate OODA loop where possible • Create a federation - even if it is with just one other organization • Start with already trusted friends • Think about what you have automated to date • What can you/should you automate in the future • Get involved • Come as you are, using your already defined IDS analysis methodologies • To inquire or join send email to federated-admins@anl.gov • For additional info: • https://www.anl.gov/it/federated

  16. Next Steps • Moving beyond IP addresses • DNS domain names (starting right now) • E-mail address handling (soon) • URL (soon) • XML schemas are extensible – easy to adapt to new problems • Important that you start building some level of automation in now • Federations of federations

  17. Questions ?

More Related