Cybersecurity informa1on security exchange framework (CYBEX): importance and current developments

Transcription

1 ISOG- J Seminar Tokyo 13 Oct 2010 V1.1 Cybersecurity informa1on security exchange framework (CYBEX): importance current developments Tony Rutkowski, tony@yaanatech.com Rapporteur for Cybersecurity Group, ITU- T Q4/17 Addi1onal roles include: global ewarrant Rapporteur, ETSI TCLI; U.S. NSTAC Cybersecurity Expert; Dis1nguished Senior Research Fellow, Georgia Ins1tute of Technology

2 Outline Why the CYBEX ini1a1ve is important Major developments shaping the work Specific capabili1es Systems Assurance Incident Response Cybersecurity Informa1on Exchange Framework Iden1ty Management Major implementa1on challenges Extent evolu1on of the stards Discovery trust capabili1es Achieving implementa1ons widespread use

3 CYBEX: origins A common realiza1on that Talking about cybersecurity accomplished nothing The incidents were scaling exponen1ally Trusted exchange of cybersecurity informa1on was essen1al to any/all capabili1es Many different communi1es were developing cybersecurity informa1on exchange schema No global framework consensus existed to bring together communi1es schema Ins1tu1onal triggers ITU- T began a new 4 year cycle with a mate to do something about cybersecurity Par1cipants found there were common global interests in tackling cybersecurity informa1on exchange challenges LAC, NICT, other Japanese experts organiza1ons Government industry en11es in APEC region, U.S., Europe

4 Agreement on a cybersecurity model: informa1on sharing dependencies Intergovernmental agreements coopera3on Tort & indemnifica3on Regulatory/ administra3ve law Contractual service agreements federa3ons Legal Remedies Criminal law Provide basis for legal remedies Inves3ga3on & measure ini3a3on Legal remedies may also ins3tute protec3ve measures Measures for threat detec3on Provide basis for ac3ons Reputa3on sanc3ons Patch development Forensics & heuris3cs analysis Measures for thwar3ng other remedies Real- 3me data availability Provide data for analysis Blacklists & whitelists Vulnerability no3ces Data reten3on audi3ng Deny resources Measures for protec3on Iden3ty Management Provide awareness of vulnerabili3es remedies Encryp3on/ VPNs esp. for signalling Resilient infrastructure Rou3ng & resource constraints Network/ applica3on state & integrity Informa3on exchanges

5 Pladorm coherency appeared possible

6 Providing outreach among stards bodies seemed possible ISO ITU- T CCDB ETSI 3GPP ITU- R OMA CAB forum IETF FIRST NIST MITRE APWG CNIS IEEE OASIS TCG APP Dev Forums WiFi Forum IMS forum Cable Labs

7 Major related ins1tu1onal developments U.N. 15 July document among 15 major powers on reducing ICT conflict (a/k/a cyberwar) Exercise of cybersecurity authority by regulatory bodies e.g., Korea, FCC in U.S. High Level Cybersecurity Strategies (USTIC, Japan, UK, China, Korea) Cybersecurity as an issue at ongoing ITU Plenipoten1ary Conference Enhanced Criteria Development Board (CCDB)/NATO ac1vity New real- 1me, data reten1on, mobile forensics mates offshore Judicial ediscovery mates (e.g., FRCP Rule 26) in US offshore

8 Major related infrastructure developments Applica1on based infrastructure Mobile pladorms driving a world of a million applica1ons Poses major challenges (what is a good applica1on versus malware) Locator/ID Separa1on Protocol (LISP) Re- architects IP based public infrastructures Should solve significant ICT security related challenges, especially alribu1on Asia- Pacific- centricity Region has world s largest fastest growing infrastructure strong economies Pursuing technology implementa1ons, network innova1ons, venue leadership Mobile/nomadic- centricity Stressing mobile stards/collabora1ve forums Include mul1ple IdM/cyber security challenges

9 CYBEX is a substan1ve ongoing global Cyber/ICT security ini1a1ve Aimed at achieving meaningful security "lock down" the integrity of ICT systems, watch for undesired incidents, capture, analyze, process the forensics from those incidents to reduce vulnerabili1es, thwart alacks, ins1tute legal ac1on if appropriate The trusted exchange of informa1on is essen1al to accomplish these three tasks. The Cybersecurity Informa1on Exchange Framework (CYBEX) ini1a1ve aimed at iden1fying the emerging set of specifica1ons for the global pladorms for achieving these trusted exchanges Most of the work has been accomplished within exis1ng systems assurance, incident response, intelligence/surveillance communi1es Pro- ac1ve outreach is part of the ini1a1ve Constant alempt to survey what is occurring in all other forums bringing important capabili1es into the framework Constant analysis of what is missing or needed Unique no comparable ac1vity exists

10 CYBEX Exchange Model Cybersecurity En11es Cybersecurity Informa1on acquisi1on (out of scope*) structuring cybersecurity informa3on for exchange purposes iden3fying discovering cybersecurity informa3on en33es reques3ng responding with cybersecurity informa3on exchanging of cybersecurity informa3on over networks assuring cybersecurity informa3on exchanges Cybersecurity En11es Cybersecurity Informa1on use (out of scope*) * Some specialized cybersecurity exchange implementa1ons may require applica1on specific frameworks specifying acquisi1on use capabili1es

11 CYBEX Ontology Incident Hling Domain Knowledge Accumula3on Domain Warning Database Cyber Risk KB Coordinator Incident Database Vulnerability KB Threat KB Alack KB Mis- use KB Researcher Response Team Event Incident Alack Countermeasure KB IT Asset Management Domain Assessment Rule Detec1on / Protec1on Rule Registrar Administrator Network Operator Asset Database Internal Asset DB External Asset DB Product KB Version KB Configura1on KB Vendor

12 Informa1on Exchange Structuring Vulnerability/State Exchange Cluster Knowledge Base Event/Incident/Heuristics Exchange Cluster Platforms Weaknesses Vulnerabilities Exposures Event Expressions Malware Patterns Security State Measurement State Configuration Checklists Assessment Results Incident Attack Patterns Extensions for: DPI Traceback Smartgrid Phishing Evidence Exchange Cluster Terms conditions Hover of real time forensics Hover of retained data forensics Electronic Evidence Discovery

13 OVAL Open Vulnerability Assessment Language CWE Weakness CVE Vulnerabilities Exposures CPE Platform CVSS Vulnerability Scoring System CWSS Weakness Scoring System CCE Configuration XCCDF exensible Configuration Checklist Description Format ARF Assessment Result Format CEE Event Expression IODEF Incident Object Description Exchange Format CAPEC Attack Pattern Classification Application Specific Extensions Informa1on Exchange Schema

14 XCCDF exensible Configuration Checklist Description Format OVAL Open Vulnerability Assessment Language CVSS Vulnerability Scoring System CWSS Weakness Scoring System CPE Platform CCE Configuration ARF Assessment Result Format CVE Vulnerabilities Exposures CWE Weakness IODEF Incident Object Description Exchange Format CAPEC Attack Pattern Classification CEE Event Expression Informa1on Exchange Schema - Malware MAEC Malware Attribution Characterization Application Specific Extensions

15 XCCDF exensible Configuration Checklist Description Format OVAL Open Vulnerability Assessment Language CVSS Vulnerability Scoring System CWSS Weakness Scoring System SCAP Security Automation Tools CPE Platform CCE Configuration ARF Assessment Result Format CVE Vulnerabilities Exposures CWE Weakness Informa1on Exchange Schema SCAP Applica1on IODEF Incident Object Description Exchange Format Application Specific Extensions CAPEC Attack Pattern Classification CEE Event Expression

16 Informa1on Exchange Trust capabili1es Discovery of parties, stards, schema, enumerations, instances other objects Namespace Discovery enabling mechanisms Request distribution mechanisms Identity Assurance Cluster Exchange Cluster Trusted Platforms Authentication Assurance Methods Authentication Assurance Levels Trusted Network Connect Interaction Security Transport Security

17 CYBEX Implementa1on Exchange Policies Exchange Requests Exchange Policies Exchange Requests Weaknesses, Vulnerabilities & State Information + + Events, Incidents, & Heuristics Information Evidence Information Security Automation Schema Incident Detection Schema Trusted Network Connect Trusted Platform Modules Tools Software, systems, services, networks Tools

18 So where do we go from here: the challenges An en1re ITU- T Recom- menda1on X- series has been allocated Recs. X.cybex, X.cve, X.cvss should be approved in December Future of IODEF remains a ques1on mark Many addi1onal CYBEX pieces are in various stages of prepara1on for adop1on during subsequent maintenance A global structured website of cybersecurity organiza1ons has been created on ITU- T website Substan1al challenges remain

19 Challenge: Extent evolu1on of CYBEX Recommenda1on Is the framework currently complete? What stards should be included in the framework? What are the criteria for inclusion? Which stards get published as ITU- T Recommenda1ons which do not? How do ITU- T published versions maintain sync with authorita1ve community versions? How do regional na1onal variants/schemas become included? How should Security Content Automa1on Protocol (SCAP) schema be treated? Presently included in an appendix as examples How does CYBEX deal with sou stards, e.g., other ITU- T, ITU- D, ISO SC27 Presently referenced in an appendix

20 Challenge: Discovery trust capabili1es Cybersecurity object discovery, trust, related exchange policy mechanisms are compartmentalized, incoherent, frequently primi1ve Iden1ty Management for cybersecurity has complex assurance rela1onships

21 Ongoing relevant cybersecurity IdM developments ediscovery Trusted discovery of iden1fier meta informa1on is essen1al in distributed systems Bob Kahn has been leading effort in ITU- T to develop a X.discovery specifica1on Resolvers New joint ISO ITU- T specifica1on ITU- T X.673 ISO/IEC provides for DNS based ability to resolve OIDs to informa1on addresses Hles system proceeding in ITU- T Trust interoperability Joint ITU- T ISO X.eaa specifica1on currently being discussed ENISA trust interoperability protocol may be underway in OASIS Cloud/Smartgrid Iden1ty Mul1ple global ini1a1ves underway to develop specifica1ons for cloud Smartgrid Iden1ty (ITU- T, OASIS, 3GPP, CEN, ISO, NIST, etc) Pladorm trust Trusted Pladorm Module Trusted Network Connect now included in CYBEX stard Should Virtual TPMs be included? Distribu1on channel trust OID based NID stards emerging as a major object ID pladorm for distribu1on chain trust Hles based DOIs a second order choice What others exist? No apparent consensus on use of cyber security object iden1fiers NICT contribu1ons have been seminal in exploring naming discovery op1ons CNIS (Cyber- security Naming Informa1on Structures Group) is emerging as a significant new forum for trea1ng CYBEX informa1on iden1fiers

22 Challenge: Achieving implementa1on widespread use Much public industry dialogue is primi1ve, frac1ous, poli1cally conten1ous at best especially in the West See, e.g., FCC Cybersecurity Roadmap proceeding in Docket Meaningful pladorms (e.g., CYBEX), like the systems involved, are complex Best ini1al implementa1on avenues are within coherent bounded communi1es ISOG- J Na1onal government networks Criteria Control Board NATO SCAP implementa1ons should proliferate How to enumerate discover? Analy1cal bridging pladorms are emerging Deep Packet Inspec1on Applica1on/pladorm behavior signature enumera1ons Ul1mately carefully designed mates by na1onal regulatory authori1es seem likely to emerge

23 Exemplar: 6 th IT Security Automa1on Conference, Bal1more, Sep 2010* Emerging NIST view of CYBEX as SCAP A familiar ensemble A significant dependency Credit: Overview by Paul Cichonski, BAH- NIST *See: hlp://scap.nist.gov/events/2010/itsac/presenta1ons/index.html

24 Exemplar: Japan Vulnerability Notes