REN-ISAC Security Event System (SES)
APAN Future Internet Testbed Workshop, January 2010
REN-ISAC Mission
The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.
Membership
• Membership is open to colleges and universities, teaching hospitals, R&E network providers, and government-funded research organizations.
• The institution is the "member", and is represented by a management representative who nominates one or more member representatives.
• Very specific job responsibility requirements define who is eligible to become a member representative.
• Membership is tiered (General and XSec). The tiers differ in criteria for membership, the degree of trust vetting, types of information shared within the tier, services, and the commitment-level of the institution.
Benefits of Membership
• Receive and share practical defense information in a private community of trusted members
• Establish relationships with known and trusted peers
• Have access to direct security services
• Benefit from information sharing relationships in the broad security community
• Benefit from vendor relationships, such as the REN-ISAC and Microsoft Security Cooperation Program relationship
• Participate in technical educational security webinars
• Participate in REN-ISAC meetings, workshops, & training
• Have access to the 24x7 REN-ISAC Watch Desk
• Have access to threat information resources ("data feeds") that can be used to identify local compromised machines, and to block known threats
Information Products
• Daily Watch Report provides situational awareness.
• Alerts provide critical and timely information concerning new or increasing threat.
• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~4000 notifications sent per month.
• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.
• Advisories inform regarding specific practices or approaches that can improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.
• Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.
Relationships
• Internet2
• Internet2 SALSA
• Internet2 CSI2 Working Group
• Global Research NOC at IU
• EDUCAUSE
• Higher Education Information Security Council
• Private threat analysis and mitigation efforts
• Other sector ISACs
• National ISAC Council
• DHS/US-CERT and other national CERTs and CSIRTs
• Vendors
Security Event System (SES)
Credits
• SES is a project in the REN-ISAC community; inception was funded by a U.S. Department of Justice grant, and with the cooperation and support of:
  • Internet2,
  • Internet2 CSI2 WG,
  • Barely3am Solutions,
  • Indiana University,
  • Carnegie Mellon University (relation to the EDDY project),
  • Argonne National Laboratory (relation to Federated Model), and
  • REN-ISAC members.
Idea
• Improve timely local protection against cyber security threat, by means of real-time sharing of security event information within a trusted federation, and among federations.
• At its root, not a new idea. Security event information is being shared now, in private and semi-private communities, and some public sources. But there are issues…
Issues with Current Methods
• Current methods are cumbersome
  • Much reliance on e-mail
  • Not easily automated, often requires the "human interrupt" signal
  • Not structured for correlation
  • Multiple non-standard data representations
  • Not easily consistently parsed or acted on
  • Hard to determine confidence
• Long-term intelligence is difficult to obtain
  • Data is hostage to our inboxes
  • Difficulty of correlation
  • Difficulty of coordinated or cooperative analysis
• Multiple Federations
  • Trust relationships
  • Political and organizational boundaries
• Yields disincentives for sharing, and difficulty acting on shared intel
SES – In Its Simplest
• In a security information sharing federation, such as REN-ISAC,
  • guided by policy and information sharing agreements,
  • machine (aggregated) and human generated security event data
  • is normalized to a standards-based data description, and
  • through various supported secure interfaces,
  • is submitted to the SES repository.
• Correlation is performed on the collected data,
  • identifying "bad actors" and determining confidence.
• High confidence bad actor data
  • is formed into a "detect these" feed, and
  • analysts vet high-confidence bad actors into a "block these" feed.
• Participating sites pull down the "detect these" and "block these" feeds and apply local protections against the bad actors.
Supported Data Types
• IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc.
• CIDR, either representing a miscreant-heavy address range, e.g. RBN, or as additional qualifying information
• ASN, as additional qualifying information
• DNS name, representing for example a botnet C&C
• URL, representing for example a malware download site
• E-mail address, for example a phishing Reply-To: address
Inside the Participating Site
(Diagram: optional uses of SES data, and submissions to SES)
Building a Solution
• Loosely based on concepts started with the ANL "Federated Model"
• Standards-based
  • IETF IDMEF standard for representing security event messages in XML
  • IETF IODEF standard for representing incidents in XML
  • Extensions
    • Understanding "Sites" (via ASN, CIDR)
    • Understanding URIs
    • Understanding "Federations"
• Open source; developed code, and integration/use of other tools
  • Prelude SIM API and Prelude Manager for automated event submission and first-level data correlation
  • Request Tracker for Incident Response (RT+IR) for incident data (first-level correlated events, and human submitted), second-level correlation, security analyst interface, and long-term tracking
  • Interoperation with CMU EDDY (End-to-End Diagnostic Discovery), as an option for local event aggregation and transport
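The pipeline on the "SES – In Its Simplest" slide, using the IDMEF message layout named above, as an added example that is not SES or REN-ISAC code: alerts in RFC 4765 element structure are parsed, correlated by source IP, and split into "detect these" and "block these" feeds. The sample alerts, the two site names, and the confidence rule (an IP reported by at least two independent analyzers) are constructed assumptions; the real system's correlation and vetting rules are not described on this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"i": "http://iana.org/idmef"}

# Constructed sample: three scanner alerts in IDMEF (RFC 4765) element layout,
# as two hypothetical pilot sites might submit them. Not real REN-ISAC data.
SAMPLE_ALERTS = """<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0">
 <Alert messageid="a1"><Analyzer analyzerid="site-a-sshpot"/>
  <CreateTime>2010-01-20T03:11:02Z</CreateTime>
  <Source><Node><Address category="ipv4-addr"><address>198.51.100.7</address></Address></Node></Source>
  <Classification text="ssh brute force"/></Alert>
 <Alert messageid="b1"><Analyzer analyzerid="site-b-darknet"/>
  <CreateTime>2010-01-20T03:40:55Z</CreateTime>
  <Source><Node><Address category="ipv4-addr"><address>198.51.100.7</address></Address></Node></Source>
  <Classification text="darknet scan"/></Alert>
 <Alert messageid="a2"><Analyzer analyzerid="site-a-sshpot"/>
  <CreateTime>2010-01-20T04:02:17Z</CreateTime>
  <Source><Node><Address category="ipv4-addr"><address>203.0.113.9</address></Address></Node></Source>
  <Classification text="ssh brute force"/></Alert>
</IDMEF-Message>"""


def parse_alerts(xml_text):
    """Yield (submitting analyzer id, source IPv4, classification) per Alert."""
    root = ET.fromstring(xml_text)
    for alert in root.findall("i:Alert", NS):
        analyzer = alert.find("i:Analyzer", NS).get("analyzerid")
        cls = alert.find("i:Classification", NS).get("text")
        for addr in alert.findall("i:Source/i:Node/i:Address", NS):
            if addr.get("category") == "ipv4-addr":
                yield analyzer, addr.findtext("i:address", namespaces=NS), cls


def correlate(events):
    """First-level correlation: group by source IP, tracking distinct submitters."""
    by_ip = defaultdict(lambda: {"submitters": set(), "classes": set(), "hits": 0})
    for submitter, ip, cls in events:
        by_ip[ip]["submitters"].add(submitter)
        by_ip[ip]["classes"].add(cls)
        by_ip[ip]["hits"] += 1
    return by_ip


def build_feeds(by_ip, analyst_vetted, min_submitters=2):
    """Confidence rule (assumption): an IP reported by >= min_submitters independent
    analyzers goes to 'detect these'; analysts promote a vetted subset of those to
    'block these'. Returns (detect, block) as sorted lists of IPs."""
    detect = sorted(ip for ip, r in by_ip.items()
                    if len(r["submitters"]) >= min_submitters)
    block = sorted(ip for ip in detect if ip in analyst_vetted)
    return detect, block
```

With the sample above, 198.51.100.7 (seen by both analyzers) reaches the detect feed and, once vetted, the block feed; 203.0.113.9 (one submitter) reaches neither.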
Phase I Solution
• Context of REN-ISAC trust federation
• Pilot deployment in REN-ISAC
  • 6 sites currently submitting, primarily scanner type data, e.g. ssh, vnc honeypot, darknet, etc.
• Beta production in REN-ISAC, beginning 18-Feb
  • Roll up pilot sites to production
  • Accept "incident" level manual submissions by REN-ISAC members
  • Begin accepting additional sites and types of automated submissions
  • Work with members for use of the Block/Watch feeds
Building a Framework
• A framework for
  • Intra- and inter-federation cooperation
  • Incorporation of additional correlation and analysis tools
  • Interface with systems that notify abuse contacts regarding infected systems, e.g. the REN-ISAC notification system
  • Interface with systems that treat higher-level collections of incident information in a federated context
• Extending the framework
  • Long term intelligence storage
  • Threat analysis platform
What's the meaning for the APAN FIT attendee?
• Similar event system implementations within national, regional, or collaboration-based federations?
• Inter-federation of the systems for global threat information sharing?
• Exploration of these ideas is defined in the TransPAC3 and ACE proposals to the U.S. National Science Foundation
Contacts and References
• Doug Pearson, dodpears@ren-isac.net
• Wes Young, wes@barely3am.com
• SES public web page: http://www.ren-isac.net/ses