Federated defenses and watching each other s back
1 / 17

Federated Defenses and Watching Each Other s Back - PowerPoint PPT Presentation

  • Uploaded on

Federated Defenses and Watching Each Other’s Back. Scott Pinkerton ([email protected]) Argonne National Laboratory National Laboratory Information Technology Summit 2009 June 2, 2009. Diverse population: 3,000 employees 10,000+ visitors annually Off-site computer users

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Federated Defenses and Watching Each Other s Back' - gino

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Federated defenses and watching each other s back l.jpg

Federated Defenses and Watching Each Other’s Back

Scott Pinkerton ([email protected])

Argonne National Laboratory

National Laboratory Information Technology Summit 2009

June 2, 2009

Argonne national laboratory l.jpg

Diverse population:

3,000 employees

10,000+ visitors annually

Off-site computer users

Foreign national employees, users, and collaborators

Diverse funding:

Not every computer is a DOE computer.

IT is funded in many ways.

Every program is working in an increasingly distributed computing model.

Our goal: a consistent and comprehensively secure environment that effectively balances science and cyber security requirements.

Argonne National Laboratory

IT Environment Challenges

Argonne is managed by the UChicago Argonne LLC for the Department of Energy.

Emphasis on the synergies of multi program science engineering applications l.jpg
Emphasis on the Synergies of Multi-Program Science, Engineering & Applications






Catalysis Science


NuclearFuel Cycle

User Facilities


... and much more.

A comprehensive cyber security program l.jpg
A Comprehensive Cyber Security Program Engineering & Applications

A risk based approach to cyber security l.jpg
A Risk Based Approach to Cyber Security Engineering & Applications

What is the federated model for cyber security l.jpg
What is the Federated Model for Cyber Security ? Engineering & Applications

  • Framework for sharing actionable information about threats and hostilities occurring right now

  • Virtual neighborhood watch

  • Collection of software tools allowing a site to:

    • Learn about active hostilities from other sites in near real-time

    • Do something about it – E.g. block an IP address, block outbound access to a web URL, block or copy in-bound e-mails, interrupt DNS look-ups

  • Requires a foundation of TRUST

What is it for the techies l.jpg
What is it – For the Techies Engineering & Applications

  • Set of XML schemas (based on IDMEF standards – RFC 4765)

    • IP address

    • DNS domain name

    • Revocation (unblock an IP address)

    • E-mail address (coming soon)

    • URL (coming soon)

  • Set of Perl scripts that support:

    • Upload and download of encrypted XML files

    • Block an IP address in a FW

    • Block an IP address with a BGP null route (requires a router), etc

  • Web Portal to support coordination

    • Sharing pgp keys

    • Sharing local detection algorithms & tools

    • Sharing white list info, etc

Cyber defenses business as usual l.jpg
Cyber Defenses – Business as Usual Engineering & Applications

  • Local detection methods apply

  • Local response actions apply

  • Every single site learns via “school of hard knocks”

Cyber defenses using the federated model l.jpg
Cyber Defenses – Using the Federated Model Engineering & Applications

  • Local & distributed detection methods apply

  • Local response decisions apply

  • Only one site learns via “school of hard knocks” (ideally)

  • Based on an assumption that hostilities occur across related sites

How much data l.jpg
How much data ? Engineering & Applications

Overlap l.jpg
Overlap Engineering & Applications

Value proposition of participating l.jpg
Value Proposition of Participating Engineering & Applications

  • Note: Not a silver bullet – just one piece of a successful cyber security program

  • Neighborhood watch programs requires only one site to experience the pain of an attempted exploit

  • Access to variety of software tools that assist with the automation of actions

  • Sites still retain local controls – share your information with sites you choose; information shared is merely advice; local decision still on what to do with the intel

  • This infrastructure prepares us for future response strategies & techniques – bad guys are adapting -- we better be

  • Improves OODA loop

Unique challenges and mitigations l.jpg
Unique Challenges and Mitigations Engineering & Applications

  • Sharing data has potential for Federated (group) response – double edged sword

    • Great when stopping “bad guy”

    • Greater risk against legit science work

  • False positives – oops are magnified (a lot)

    • Revocation: used to rewind reported data

    • Due to false positive; typo – whatever

    • Important legit site for some members

  • Adding QA functions to notify on local and global white lists

  • Integration into varied local systems and processes

  • When to take action locally based on Federated data, how severe, weighted approach

How to get involved l.jpg
How to Get Involved Engineering & Applications

  • Think about how you would like to speed up your OODA loop

    • Observe, orient, decide, act

    • Automate OODA loop where possible

  • Create a federation - even if it is with just one other organization

    • Start with already trusted friends

  • Think about what you have automated to date

    • What can you/should you automate in the future

  • Get involved

    • Come as you are, using your already defined IDS analysis methodologies

    • To inquire or join send email to [email protected]

  • For additional info:

    • https://www.anl.gov/it/federated

Next steps l.jpg
Next Steps Engineering & Applications

  • Moving beyond IP addresses

    • DNS domain names (starting right now)

    • E-mail address handling (soon)

    • URL (soon)

  • XML schemas are extensible – easy to adapt to new problems

  • Important that you start building some level of automation in now

  • Federations of federations

Questions l.jpg
Questions ? Engineering & Applications