SES / CIF. Internet2 Combined Industry and Research Constituency Meeting April 24, 2012

Similar documents
Federated Threat Data Sharing with the Collective Intelligence Framework (CIF)

Cymon.io. Open Threat Intelligence. 29 October 2015 Copyright 2015 esentire, Inc. 1

SDCI Sec: SESv3 Federated Security Intelligence

Threat Intelligence UPDATE: Cymru EIS Report. cymru.com

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

The SIEM Evaluator s Guide

Know Your Foe. Threat Infrastructure Analysis Pitfalls

Active Response: Automated Risk Reduction or Manual Action?

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC

WildFire. Preparing for Modern Network Attacks

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Network Security Deployment (NSD)

User Documentation Web Traffic Security. University of Stavanger

APPLICATION PROGRAMMING INTERFACE

Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform

Next Generation IPS and Reputation Services

Security Intelligence Blacklisting

Separating Signal from Noise: Taking Threat Intelligence to the Next Level


Scaling Big Data Mining Infrastructure: The Smart Protection Network Experience

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Accredited Reporter Program Introduction

Unified Security Management and Open Threat Exchange

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

ThreatSTOP Technology Overview

Analyzing HTTP/HTTPS Traffic Logs

OpenTPX 2015 LookingGlass Cyber Solutions Inc.

Leading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Cyber Threat Intelligence: Has to Be a Better Way

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Can We Become Resilient to Cyber Attacks?

EITC Lessons Learned: Building Our Internal Security Intelligence Capability

Concierge SIEM Reporting Overview

NUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance

Fighting Advanced Threats

Analysis of Network Beaconing Activity for Incident Response

24/7 Visibility into Advanced Malware on Networks and Endpoints

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

FAQ (Frequently Asked Questions)

Zscaler Internet Security Frequently Asked Questions

How To Create An Insight Analysis For Cyber Security

State of the Web 2015: Vulnerability Report. March Menlo Security Alright Reserved

A Study on the Live Forensic Techniques for Anomaly Detection in User Terminals

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Threat Intelligence is Dead. Long Live Threat Intelligence!

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Actionable information for security incident response

Use of Honeypots for Network Monitoring and Situational Awareness

Reneaué Railton Sr. Informa2on Security Analyst, Duke Medicine Cyber Defense & Response

US-CERT Year in Review. United States Computer Emergency Readiness Team

Into the cybersecurity breach

Evolving Threat Landscape

Spear Phishing Attacks Why They are Successful and How to Stop Them

REN-ISAC Research and Education Networking Information Sharing and Analysis Center

Corporate Security Intelligence Services

IBM: An Early Leader across the Big Data Security Analytics Continuum Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Performing Advanced Incident Response Interactive Exercise

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC)

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

CYBERSECURITY INESTIGATION AND ANALYSIS

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

10 Things Every Web Application Firewall Should Provide Share this ebook

Security Analytics for Smart Grid

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

The Hillstone and Trend Micro Joint Solution

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

SR B17. The Threat Landscape Continues to Change: How are You Keeping Pace? Dean Turner

Networks and Security Lab. Network Forensics

Modular Network Security. Tyler Carter, McAfee Network Security

Man, Machine and DDoS Mitigation

Coordinating Attack Response at Internet Scale (CARIS)

One Minute in Cyber Security

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

UNMASKCONTENT: THE CASE STUDY

An Empirical Analysis of Malware Blacklists

Sicurezza & Big Data: la Security Intelligence aiuta le aziende a difendersi dagli attacchi

A VULNERABILITY AUDIT OF THE U.S. STATE E-GOVERNMENT NETWORK SYSTEMS

Enabling Security Operations with RSA envision. August, 2009

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Open Source Threat Intelligence. Kyle R Maxwell (@kylemaxwell) Senior Researcher, Verizon RISK Team

Course Content: Session 1. Ethics & Hacking

Presented by: Aaron Bossert, Cray Inc. Network Security Analytics, HPC Platforms, Hadoop, and Graphs Oh, My

I N T E L L I G E N C E A S S E S S M E N T

How Shared Security Intelligence Can Better Stop Targeted Attacks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Palo Alto Networks. October 6

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis

The Big Data Paradigm Shift. Insight Through Automation

Cisco Remote Management Services for Security

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Transcription:

SES / CIF Internet2 Combined Industry and Research Constituency Meeting April 24, 2012 Doug Pearson Technical Director, REN-ISAC dodpears@ren-isac.net

Background on REN-ISAC The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.

REN-ISAC Private information sharing community Restricted to full time information security professionals in higher education, teaching hospitals, and FFRDCs; generally limited to five eyes nations 340+ member institutions, represented by ~900 persons Private, commercial, and governmental information sharing relationships CSIRT for US.edu e.g. 12,000 notifications per month concerning infected machines) Hosted at Indiana University, and supported with the help of Louisiana State University, Internet2, EDUCAUSE, and nominal membership fees

Naming disentanglement SES and CIF Security Event System (SES) Collective Intelligence Framework (CIF) It all started out as SES, but around version 2 time, we evolved (broadened) our model to a framework for collective intelligence concerning malicious actors and reputation of Internet elements, hence CIF. The open source tool/framework is now CIF Our implementation in REN-ISAC is SES

IP address Security Threat Indicators representing just about any type of compromised host or source of threat, e.g. a botnet command and control (C&C) host or drone, a distributed denial-of-service (DDoS) attack source, a host scanning the Internet for vulnerable machines, etc. Fully Qualified Domain Name (FQDN) e.g. botnet C&C, suspicious name server, other botnet infrastructure Domain name consistently malicious domains URL representing for example, a malware download or phishing sites Classless Inter-Domain Routing (CIDR) block representing a miscreant-heavy address range (e.g. Russian Business Network), and as descriptive information for IPv4 address-based records E-Mail address for example, a phishing Reply-To address Malware hashes

SES v1 (2008-10) Removes the human interrupt from the observe protect cycle Machine-to-machine capabilities rather than e-mail or web-based information sharing portals passing around PDF and XLS files. Automated and manual submission of threat indicators Data derived from participating members, plus incorporation of data from high-value information sharing partners Generates intelligence feeds (block lists, watch lists, etc.) Supports query (via RT) Simple correlation (e.g. this site scanned 10 universities) Built on open source components and lots of glue Best Practical s Request Tracker for Incident Response (RTIR) for basic human interface and correlated event repository, Prelude Technologies Prelude Manager for raw event repository and correlation, and libprelude API for automated client submission Lowered the barriers to entry for data-sharing We got something working in 18-months for ~$120k, a substantial component of that being a DoJ grant through Internet2; no tools, just developed the process and glue-code.

SES v2 (2010-12): Collective Intelligence Better support for analysts (incident investigations, reputation query, etc.) Improved and more flexible interfaces sophisticated API, CLI client, browser plugin, integrate with tools Improved underlying repository architecture for scaling and performance (no SQL and big data concepts) Became a comprehensive threat intelligence repository through the incorporation of LOTS of external data* 18-24 months, ~$350k

SES v2 : Collective Intelligence *External data, such as: Spamhaus DROP list (hijacked networks) Malwaredomains.com feed (malware hashes, malware domains, malware ip infrastructure) Malwaredomainlist.com feed (malware urls, malware domains) DShield List(s) (scanning ip-infrastructure) Phishtank Data (phishing urls, phishing ip-infrastructure) Zeustracker data (binary urls, config urls, domains, ip-infrastructure) Private information sharing relationships Whitelists (alexa top 10, 100, 1000, 10000, mirc servers.ini, etc) And, as data in ingested, additional discovery, such as: AS, domain, whois record, network block information From each domain, the name-servers involved supporting that domain; yields very useful intelligence concerning the criminal infrastructure

SESv3 (2011-14) : Inter-federation and more Objectives: Inter-federation Technical frameworks, policies, and legal agreements for information sharing among disparate trust communities Incorporate additional data types (e.g. BGP and passive DNS), to Increase the reputational knowledge and forensic history Provide capabilities to identify complete pictures of criminal infrastructure Incorporate and correlate unstructured human intelligence (e.g. mailing lists, IRC conversations, blog posts, etc.) along with the structured event data. Solve the scaling problem once and for all (hadoop, hbase (fingers-crossed)) Incorporate API access into common incident handler and responder tools, e.g. ticketing systems, Improve the process framework and communications (Apache Thrift, 0MQ) SESv3 work funded by the National Science Foundation, NSF under SDCI Sec: SESv3, award OCI-1127425.

Summation What we have A security tool and service that

Removes the human interrupt from the observe protect cycle S E S & C I F Provides collection, storage, and access to security event information within a trust community (e.g. the REN-ISAC membership) Incorporates observations sourced from within the trust community, and from external public sources, and private, commercial, and governmental information sharing partners Works with a wide variety of indicators (IP addresses, domains, URLs, e- mail addresses, hashes, etc.) Correlates and weights observations to develop confidence in the identification of malicious actors, and reputation of Internet elements Provides query access (supporting analysts), and feeds (supporting local protection systems, e.g. IDS, firewalls, sinkholes, etc.) Utilizes advanced, standard, and evolving practices for storage, access, and data sharing (e.g. hadoop, hbase, IODEF, protocol buffers, etc.) Supports inter-federated sharing between trust communities via data marking (e.g. share w/trusted partners, share w/le ), and policy controls Is being used and further developed in the REN-ISAC community. Is being deployed in communities external to REN-ISAC

Why am I presenting here? Seek to explore relationship of this tool to the research and industrial partner communities. Is there value for instance(s) of the tool stood up by and for academic researchers, to normalize and facilitate research access to security data? Value in commercial security setting? We ve seen adoption already! (see community at google code) Value of integrating (API) query into security tools commonly used by security incident handlers and analysts. Value of security threat information sharing relationship with industrial partners. Stimulate interest in contributing to the project. Deploy, test, and feedback Code $$$ (always welcome)

SES project: http://www.ren-isac.net/ses/ Open source CIF: References and Contact http://code.google.com/p/collective-intelligence-framework/ REN-ISAC http://www.ren-isac.net Doug Pearson Technical Director, REN-ISAC dodpears@ren-isac.net 812-855-3847

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information