1 / 21

REN-ISAC Security Event System (SES)

REN-ISAC Security Event System (SES). APAN Future Internet Testbed Workshop January 2010. REN-ISAC Mission.

phuong
Download Presentation

REN-ISAC Security Event System (SES)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. REN-ISACSecurity Event System(SES) APAN Future Internet Testbed Workshop January 2010

  2. REN-ISAC Mission The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.

  3. Membership • Membership is open to colleges and universities, teaching hospitals, R&E network providers, and government-funded research organizations. • The institution is the “member”, and is represented by a management representative who nominates one or more member representatives. • Very specific job responsibility requirements define who is eligible to become a member representative. • Membership is tiered (General and XSec). The tiers differ in criteria for membership, the degree of trust vetting, types of information shared within the tier, services, and the commitment-level of the institution.

  4. Benefits of Membership • Receive and share practical defense information in a private community of trusted members • Establish relationships with known and trusted peers • Have access to direct security services • Benefit from information sharing relationships in the broad security community • Benefit from vendor relationships, such as the REN-ISAC and Microsoft Security Cooperation Program relationship • Participate in technical educational security webinars • Participate in REN-ISAC meetings, workshops, & training • Have access to the 24x7 REN-ISAC Watch Desk • Have access to threat information resources ("data feeds") that can be used to identify local compromised machines, and to block known threats

  5. Information Products • Daily Watch Report provides situational awareness. • Alerts provide critical and timely information concerning new or increasing threat. • Notifications identify specific sources and targets of active threator incident involving R&E. Sent directly to contacts at involved sites. ~4000 notifications sent per month. • Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc. • Advisories inform regarding specific practices or approaches that can improve security posture. • TechBurst webcasts provide instruction on technical topics relevant to security protection and response. • Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.

  6. Relationships • Internet2 • Internet2 SALSA • Internet2 CSI2 Working Group • Global Research NOC at IU • EDUCAUSE • Higher Education Information Security Council • Private threat analysis and mitigation efforts • Other sector ISACs • National ISAC Council • DHS/US-CERT and other national CERTs and CSIRTs • Vendors

  7. Security Event System (SES)

  8. Credits • SES is a project in the REN-ISAC community, inception was funded by a U.S. Department of Justice grant, and with the cooperation and support of: • Internet2, • Internet2 CSI2 WG, • Barely3am Solutions, • Indiana University, • Carnegie Mellon University (relation to the EDDY project), • Argonne National Laboratory (relation to Federated Model), and • REN-ISAC members.

  9. Idea • Improve timely local protection against cyber security threat, by means of real-time sharing of security event information within a trusted federation, and among federations. • At its root, not a new idea. Security event information is being shared now, in private and semi-private communities, and some public sources. But there are issues…

  10. Issues with Current Methods • Current methods are cumbersome • Much reliance on e-mail • Not easily automated, often requires the “human interrupt” signal • Not structured for correlation • Multiple non-standard data representations • Not easily consistently parsed or acted on • Hard to determine confidence • Long-term intelligence is difficult to obtain • Data is hostage to our inboxes • Difficulty of correlation • Difficulty of coordinated or cooperative analysis • Multiple Federations • Trust relationships • Political and organizational boundaries • Yields disincentives for sharing, and difficulty acting on shared intel

  11. SES – In Its Simplest • In a security information sharing federation, such as REN-ISAC, • guided by policy and information sharing agreements, • machine (aggregated) and human generated security event data, • is normalized to standards-based data description, and • through various supported secure interfaces, • is submitted to the SES repository. • Correlation is performed on the collected data, • identifying “bad actors” and determining confidence. • High confidence bad actor data • is formed into a "detect these" feed, and • analysts vet high-confidence bad-actors into a "block these" feed. • Participating sites pull down the "detect these" and "block these" feeds and apply local protections against the bad actors.

  12. Discovery, Correlation, and Protection

  13. Supported Data Types • IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc. • CIDR, either representing a miscreant-heavy address range, e.g. RBN, or as additional qualifying information • ASN, as additional qualifying information • DNS name, representing for example, a botnet C&C • URL representing for example, a malware download site • E-mail address, for example, a phishing Reply-To: address

  14. Inside the Participating Site Optional uses of SES data, and submissions to SES

  15. Query/Submit Interface for the Security Analyst

  16. Inter-Federation Sharing Across Policy Boundaries

  17. Building a Solution • Loosely based on concepts started with the ANL “Federated Model” • Standards-based • IETF IDMEF standard for representing security event messages in XML • IETF IODEF standard for representing incidents in XML • Extensions • Understanding "Sites" (via ASN, CIDR) • Understanding URIs • Understanding "Federations“ • Open source; developed code, and integration/use of other tools • Prelude SIM API and Prelude Manager for automated event submission and first-level data correlation • Request Tracker for Incident Response (RT+IR) for incident (first-level correlated events, and human submitted) data, second-level correlation, security analyst interface, long-term tracking • Interoperation with CMU EDDY (End-to-End Diagnostic Discovery) • As option for local event aggregation and transport

  18. Phase I Solution • Context of REN-ISAC trust federation • Pilot deployment in REN-ISAC • 6 sites currently submitting, primarily scanner type data, e.g. ssh, vnc honeypot, darknet, etc. • Beta production in REN-ISAC, beginning 18-Feb • Roll-up pilot sites to production • Accept “incident” level manual submissions by REN-ISAC members • Begin accepting additional sites and types of automated submissions • Work with members for use of the Block/Watch feeds

  19. Building a Framework • A framework for • Intra and inter-federation cooperation • Incorporation of additional correlation and analysis tools • Interface with systems that notify abuse contacts regarding infected systems, e.g. the REN-ISAC notification system • Interface with systems that treat higher-level collections of incident information in a federated context • Extending the framework • Long term intelligence storage • Threat analysis platform

  20. What’s the meaning for the APAN FIT attendee? • Similar event system implementations within national, regional, or collaboration-based federations? • Inter-federation of the systems for global threat information sharing? • Exploration of these ideas are defined in the TransPAC3 and ACE proposals to the U.S. National Science Foundation

  21. Contacts and References • Doug Pearson • dodpears@ren-isac.net • Wes Young • wes@barely3am.com • SES public web page • http://www.ren-isac.net/ses

More Related