federated defenses and watching each other’s back scott pinkerton ([email protected]) argonne...
TRANSCRIPT
Federated Defenses and Watching Each Other’s Back
Scott Pinkerton ([email protected])
Argonne National Laboratory
National Laboratory Information Technology Summit 2009
June 2, 2009
2
Argonne National Laboratory
Diverse population:– 3,000 employees– 10,000+ visitors annually– Off-site computer users– Foreign national employees, users,
and collaborators
Diverse funding: – Not every computer is a DOE
computer.– IT is funded in many ways.
Every program is working in an increasingly distributed computing model.
Our goal: a consistent and comprehensively secure environment that effectively balances science and cyber security requirements.
Argonne is managed by the UChicago Argonne LLC for the Department of Energy.
IT Environment Challenges
3
Emphasis on the Synergies of Multi-Program Science, Engineering & Applications
AcceleratorResearch
Catalysis Science
NuclearFuel Cycle
TransportationScience
ComputationalScience
MaterialsCharacterization
StructuralBiology
FundamentalPhysics
User Facilities
InfrastructureAnalysis
... and much more.
What is the Federated Model for Cyber Security ?
Framework for sharing actionable information about threats and hostilities occurring right now
Virtual neighborhood watch
Collection of software tools allowing a site to:
– Learn about active hostilities from other sites in near real-time
– Do something about it – E.g. block an IP address, block outbound access to a web URL, block or copy in-bound e-mails, interrupt DNS look-ups
Requires a foundation of TRUST
6
What is it – For the Techies
Set of XML schemas (based on IDMEF standards – RFC 4765)
– IP address
– DNS domain name
– Revocation (unblock an IP address)
– E-mail address (coming soon)
– URL (coming soon) Set of Perl scripts that support:
– Upload and download of encrypted XML files
– Block an IP address in a FW
– Block an IP address with a BGP null route (requires a router), etc Web Portal to support coordination
– Sharing pgp keys
– Sharing local detection algorithms & tools
– Sharing white list info, etc
7
Maps nicely into NIST controls and Best Practices
8
NIST Control Federated Model
IR-3 Incident Response Testing
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reports
Federated model aids in supporting and background information on malicious behavior to aide in response, handling, and reporting incidents.
AC-17 Remote Access Remote access to repository monitored and controlled.
RA-3 Risk Assessment Information shared include severity of event.
RA-4 Risk Assessment Update Information shared includes history of bad actor.
SI-4 Information System Monitoring Tools and Techniques
Federated model is a conglomerate of results from system monitoring tools and techniques across federated sites.
SI-5 Security Alerts and Advisories Federated model designed to distribute security alerts and advisories.
Cyber Defenses – Business as Usual
Local detection methods apply
Local response actions apply
Every single site learns via “school of hard knocks”
9
Cyber Defenses – Using the Federated Model
Local & distributed detection methods apply
Local response decisions apply
Only one site learns via “school of hard knocks” (ideally)
Based on an assumption that hostilities occur across related sites
10
Value Proposition of Participating
Note: Not a silver bullet – just one piece of a successful cyber security program
Neighborhood watch programs requires only one site to experience the pain of an attempted exploit
Access to variety of software tools that assist with the automation of actions
Sites still retain local controls – share your information with sites you choose; information shared is merely advice; local decision still on what to do with the intel
This infrastructure prepares us for future response strategies & techniques – bad guys are adapting -- we better be
Improves OODA loop
13
Unique Challenges and Mitigations
Sharing data has potential for Federated (group) response – double edged sword– Great when stopping “bad guy”– Greater risk against legit science work
False positives – oops are magnified (a lot)– Revocation: used to rewind reported data– Due to false positive; typo – whatever– Important legit site for some members
Adding QA functions to notify on local and global white lists
Integration into varied local systems and processes
When to take action locally based on Federated data, how severe, weighted approach
14
How to Get Involved
Think about how you would like to speed up your OODA loop
– Observe, orient, decide, act
– Automate OODA loop where possible
Create a federation - even if it is with just one other organization
– Start with already trusted friends
Think about what you have automated to date
– What can you/should you automate in the future
Get involved
– Come as you are, using your already defined IDS analysis methodologies
– To inquire or join send email to [email protected]
For additional info: – https://www.anl.gov/it/federated
15
Next Steps
Moving beyond IP addresses
– DNS domain names (starting right now)
– E-mail address handling (soon)
– URL (soon)
XML schemas are extensible – easy to adapt to new problems
Important that you start building some level of automation in now
Federations of federations
16