Federated defenses and watching each other s back l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 17

Federated Defenses and Watching Each Other’s Back PowerPoint PPT Presentation


  • 94 Views
  • Uploaded on
  • Presentation posted in: General

Federated Defenses and Watching Each Other’s Back. Scott Pinkerton ([email protected]) Argonne National Laboratory National Laboratory Information Technology Summit 2009 June 2, 2009. Diverse population: 3,000 employees 10,000+ visitors annually Off-site computer users

Download Presentation

Federated Defenses and Watching Each Other’s Back

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Federated defenses and watching each other s back l.jpg

Federated Defenses and Watching Each Other’s Back

Scott Pinkerton ([email protected])

Argonne National Laboratory

National Laboratory Information Technology Summit 2009

June 2, 2009


Argonne national laboratory l.jpg

Diverse population:

3,000 employees

10,000+ visitors annually

Off-site computer users

Foreign national employees, users, and collaborators

Diverse funding:

Not every computer is a DOE computer.

IT is funded in many ways.

Every program is working in an increasingly distributed computing model.

Our goal: a consistent and comprehensively secure environment that effectively balances science and cyber security requirements.

Argonne National Laboratory

IT Environment Challenges

Argonne is managed by the UChicago Argonne LLC for the Department of Energy.


Emphasis on the synergies of multi program science engineering applications l.jpg

Emphasis on the Synergies of Multi-Program Science, Engineering & Applications

FundamentalPhysics

AcceleratorResearch

InfrastructureAnalysis

ComputationalScience

MaterialsCharacterization

Catalysis Science

TransportationScience

NuclearFuel Cycle

User Facilities

StructuralBiology

... and much more.


A comprehensive cyber security program l.jpg

A Comprehensive Cyber Security Program


A risk based approach to cyber security l.jpg

A Risk Based Approach to Cyber Security


What is the federated model for cyber security l.jpg

What is the Federated Model for Cyber Security ?

  • Framework for sharing actionable information about threats and hostilities occurring right now

  • Virtual neighborhood watch

  • Collection of software tools allowing a site to:

    • Learn about active hostilities from other sites in near real-time

    • Do something about it – E.g. block an IP address, block outbound access to a web URL, block or copy in-bound e-mails, interrupt DNS look-ups

  • Requires a foundation of TRUST


What is it for the techies l.jpg

What is it – For the Techies

  • Set of XML schemas (based on IDMEF standards – RFC 4765)

    • IP address

    • DNS domain name

    • Revocation (unblock an IP address)

    • E-mail address (coming soon)

    • URL (coming soon)

  • Set of Perl scripts that support:

    • Upload and download of encrypted XML files

    • Block an IP address in a FW

    • Block an IP address with a BGP null route (requires a router), etc

  • Web Portal to support coordination

    • Sharing pgp keys

    • Sharing local detection algorithms & tools

    • Sharing white list info, etc


Maps nicely into nist controls and best practices l.jpg

Maps nicely into NIST controls and Best Practices


Cyber defenses business as usual l.jpg

Cyber Defenses – Business as Usual

  • Local detection methods apply

  • Local response actions apply

  • Every single site learns via “school of hard knocks”


Cyber defenses using the federated model l.jpg

Cyber Defenses – Using the Federated Model

  • Local & distributed detection methods apply

  • Local response decisions apply

  • Only one site learns via “school of hard knocks” (ideally)

  • Based on an assumption that hostilities occur across related sites


How much data l.jpg

How much data ?


Overlap l.jpg

Overlap


Value proposition of participating l.jpg

Value Proposition of Participating

  • Note: Not a silver bullet – just one piece of a successful cyber security program

  • Neighborhood watch programs requires only one site to experience the pain of an attempted exploit

  • Access to variety of software tools that assist with the automation of actions

  • Sites still retain local controls – share your information with sites you choose; information shared is merely advice; local decision still on what to do with the intel

  • This infrastructure prepares us for future response strategies & techniques – bad guys are adapting -- we better be

  • Improves OODA loop


Unique challenges and mitigations l.jpg

Unique Challenges and Mitigations

  • Sharing data has potential for Federated (group) response – double edged sword

    • Great when stopping “bad guy”

    • Greater risk against legit science work

  • False positives – oops are magnified (a lot)

    • Revocation: used to rewind reported data

    • Due to false positive; typo – whatever

    • Important legit site for some members

  • Adding QA functions to notify on local and global white lists

  • Integration into varied local systems and processes

  • When to take action locally based on Federated data, how severe, weighted approach


How to get involved l.jpg

How to Get Involved

  • Think about how you would like to speed up your OODA loop

    • Observe, orient, decide, act

    • Automate OODA loop where possible

  • Create a federation - even if it is with just one other organization

    • Start with already trusted friends

  • Think about what you have automated to date

    • What can you/should you automate in the future

  • Get involved

    • Come as you are, using your already defined IDS analysis methodologies

    • To inquire or join send email to [email protected]

  • For additional info:

    • https://www.anl.gov/it/federated


Next steps l.jpg

Next Steps

  • Moving beyond IP addresses

    • DNS domain names (starting right now)

    • E-mail address handling (soon)

    • URL (soon)

  • XML schemas are extensible – easy to adapt to new problems

  • Important that you start building some level of automation in now

  • Federations of federations


Questions l.jpg

Questions ?


  • Login