AFRL / FAA Programs Status Report

Lt. Matt Manger

Rome Research Site

6 May 2003


Overview

  • CyberWolf

  • Air Force Enterprise Defense (AFED)

  • Distributed Agents for Information Warfare (DAIWatch)


CyberWolf Outline

  • Program Description

  • Task Goals

  • Progress

  • Objective

  • Architecture

  • Device Experts (DE)

  • Problem Statement

  • Implementation


CyberWolf Objective

  • Objective

    • Develop a versatile, scalable, and extensible enterprise security management and CND tool

    • Utilizes expert system rule-based correlation of IDS and network management events

  • Goal

    • Reduce the workload of network security personnel responsible for maintaining security of the enterprise while at the same time providing more accurate network situational assessment information


CyberWolf Problem

(Diagram) Millions of Enterprise Security Events flow to a long-suffering, overworked Security Administrator.


CyberWolf Architecture

(Architecture diagram; labels top to bottom)

  • Just a Few Incidents Worthy of Human Attention

  • Much happier Security Administrator (only deals with a few incidents)

  • CyberWolf Manager

  • Lower-Intensity Alert Stream from “Device Experts”

  • Device Experts: NT, UNIX Log, Router, COTS IDS, Firewall, Many More

  • Millions of Events, Some With Security Implications


CyberWolf Implementation

(Implementation diagram; flow labels on the slide: Events, Alerts, Incidents!)

Systems, IDS, Network Elements & Other Devices

CyberWolf Experts

  • Capture Event Data from Enterprise Security Components

  • Translate Events into CyberWolf Syntax

  • Provide Analysis and Filtering

  • Decentralized Intelligence for Maximum Scalability

SafePath: Encrypted and Authenticated Socket-based Communications

CyberWolf Manager

  • SecurSite: Information Rich GUI

    • Instant Visibility to Threats

    • Simple English Descriptions

    • Color-coded and Prioritized Security Incident List

  • AutoAdvisor: Rule-based Correlation Engine

    • Automatically Tracks Incidents

    • Automates Analysis and Response

    • Ships with built-in tracking tools

    • Easily Add Custom Enterprise Rules

  • Learning Repository Database

    • Cumulative Tracking of all Events, Alerts, and Incidents

    • Searchable for Creating Reports and Audit trails

  • KnowledgeBase: Device-Specific Information

    • Expert Analysis of Device Output

    • Update Device Rules and Tables

    • Controls Alert Stream Using Expert-defined Thresholds

Real-time Email & Pager Alerts; Automated Trouble Ticket Submission
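The two-tier design above (device experts that translate raw device output into a common syntax and throttle it with expert-defined thresholds, and a manager that correlates the remaining alerts into a few incidents) can be sketched in working code. This is an added illustration, not CyberWolf's own code or syntax; the device names, record fields, thresholds, correlation rule and log lines are all constructed for the example.

```python
# Added illustration, not CyberWolf's own code: the two-tier pipeline the slides
# sketch (device experts normalize and threshold-filter, the manager correlates).
# Device names, record fields, thresholds and all log lines are constructed here.
from collections import Counter, defaultdict

class DeviceExpert:
    """Translates one device's raw log into a common record (src, kind) and applies
    an expert-defined threshold so only a lower-intensity stream leaves the device."""
    def __init__(self, device, parse, threshold):
        self.device, self.parse, self.threshold = device, parse, threshold

    def run(self, raw_lines):
        tally = Counter(p for p in map(self.parse, raw_lines) if p)  # p = (src, kind)
        return [(self.device, src, kind, n) for (src, kind), n in tally.items()
                if n >= self.threshold]

def parse_firewall(line):  # constructed format: "DENY <src> -> <dst>:<port>"
    f = line.split()
    return (f[1], "deny") if len(f) >= 2 and f[0] == "DENY" else None

def parse_ids(line):       # constructed format: "ALERT <signature> from <src>"
    f = line.split()
    return (f[3], f[1]) if len(f) >= 4 and f[0] == "ALERT" else None

def correlate(alerts):
    """Manager rule: alerts naming the same source from two or more device types
    form one prioritized incident; a source seen by one device stays below notice."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a[1]].append(a)
    incidents = []
    for src, group in by_src.items():
        devices = sorted({a[0] for a in group})
        if len(devices) >= 2:
            high = any(a[2] != "deny" for a in group)  # IDS signature plus denies
            incidents.append({"src": src, "priority": "HIGH" if high else "MEDIUM",
                              "devices": devices, "events": sum(a[3] for a in group)})
    return sorted(incidents, key=lambda i: i["priority"])  # HIGH sorts first

FIREWALL_LOG = (["DENY 10.0.0.5 -> 192.168.1.10:%d" % p for p in range(20, 30)]
                + ["DENY 10.0.0.9 -> 192.168.1.10:80"])            # constructed
IDS_LOG = ["ALERT port-scan from 10.0.0.5", "ALERT bad-login from 10.0.0.7",
           "INFO heartbeat"]                                       # constructed

def demo():
    """Run both device experts over the constructed logs, then correlate."""
    fw = DeviceExpert("firewall", parse_firewall, threshold=5).run(FIREWALL_LOG)
    ids = DeviceExpert("ids", parse_ids, threshold=1).run(IDS_LOG)
    return fw + ids, correlate(fw + ids)
```

Eleven firewall lines and three IDS lines reduce to three alerts at the experts and one HIGH incident (10.0.0.5, seen by both devices) at the manager; the single deny from 10.0.0.9 never leaves the firewall expert.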


CyberWolf Device Experts

Each DE utilizes less than 3% of CPU during operation

  • Gauntlet v4.5/5.5 Firewall DE

  • SideWinder Firewall DE

  • Raptor Firewall DE

  • Pix Firewall DE

  • Zone Alarm DE

  • Black Ice DE

  • RealSecure v6.0 IDS DE

  • NetRadar IDS DE

  • Snort IDS DE

  • ASIM/CIDDs DE (Gov’t only)

  • HP Openview NNM DE

  • SNMP DE

  • Nmap DE

  • Cisco Router DE

  • Ascend Router DE

  • Windows 95/98/NT/2000 DE

  • Solaris DE

  • Linux DE

  • ASIM/CIDDs


CyberWolf / FAA Goals

  • Phase 1

    • Demo of CyberWolf’s automated attack analytics capabilities for the CSIRC

  • Phase 2

    • Input from ISS sensors not currently connected to the CSIRC (ISS RealSecure). Removal of discrepancies of sensor input including false positives, data reduction, cross correlation and integration.


CyberWolf / FAA Progress

  • Money on contract in late February

  • Beginning evaluation later this month

  • Contract to be completed by September


Air Force Enterprise Defense (AFED)


AFED Outline

  • Program Description

  • Task Goals

  • Progress

  • Quad Chart

  • Components

  • Architecture

  • Capabilities


AFED Quad

  • Objectives

    • Provide a Defense-in-Depth capability that integrates existing event information: Policy Enforcement; Change/Configuration Management; Threat & Vulnerability Assessment with Countermeasure recommendations; Intrusion Detection; Network Management

    • Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture

    • Provide a consistent visual environment for information portrayal

  • (Quad chart figure labels: Infrastructure, Interface)

  • Approach

    • Spiral tech exploration, development, validation, and feedback process

  • Payoffs

    • Integrates existing enterprise sensors and provides enhanced Information Assurance and Enterprise Defense capabilities in support of the AF Protect-Detect-React/Restore model.

    • Assists in the automated detection and reporting of information attacks, containment and restoration of compromised systems, and planning/protection of enterprise assets.

    • Supports entire NOSC mission by cross-sharing of data among NOSC crew

    • Automated Reporting for Containment and IO Targeting

    • Mission Situational Assessment

    • Automated Courses of Action

  • Transition Agents: ESC/DIGC, ESC/DIW

  • End Users: MAJCOM NOSCs, AFNOSC, CAOC-x


AFED Goals

  • Merge network management and security tools and data to provide a better enterprise picture

  • Provide analysts with improved host, security, and course of action information

    • Simplify access to data via drill down menus from the same GUI

  • Reduce the workload of analysts

    • Provide data correlation capabilities

  • Combines network and host based sensors

  • Demonstrates R&D technology to operational units


AFED Architecture

(Architecture diagram; labels as they appear on the slide)

  • Enterprise Management

  • Situational Assessment

  • ALPHA, CHARLIE, BRAVO, DELTA

  • Information Operations

  • Vulnerabilities

  • Risk Analysis

  • Open Source (DNS, Whois)

  • Network Control (Firewalls, Routers)

  • Host/Network Intrusion Detection

  • Network/Link Management

  • Action/Protection

  • Preemptive Measures & Courses of Action

  • Reporting

  • Analyst/Organization Rules

    • Security Policies

    • Complex Attack Methodologies

    • INFOCON Rules

    • Reporting Rules

    • Courses of Action

  • Oracle Database Algorithms/KB

    • Schema/Tables

    • Access Policies

    • Peer-to-Peer Sharing

  • Data Storage & Analysis

  • Visualization

    • Data Reduction

    • Fusion

    • Correlation

    • Data Mining

    • Trend Analysis

    • Knowledge Base

    • Advanced Intrusion Detection

    • Analysts GUI Screens

    • System Operation/Control (WEB)

  • Sensor Input


AFED Components

(Components diagram; labels in slide order)

  • Visualization/Control

  • Decision Support/COA

  • Reporting

  • Java GUI

  • Web

  • Incident Report

  • ARS

  • NetFlare

  • Policy Enforcement

  • Avi Hierarchy

  • AFSSI 5027

  • CMU

  • NetFlare

  • Vulnerability Assessment

  • TVC

  • Host Based Agents

  • ISS

  • DAIWF

  • Outpost

  • Network Mgmt

  • CyberWolf

  • HPOV

  • Intrusion Detection

  • Sidewinder

  • ASIM/CIDD

  • JIDS

  • Sidewinder

  • Raptor

  • NetRadar

  • ITA

  • AIA

  • Correlation & Data Mining

  • Real Secure

  • Cisco NetRanger

  • ASIM

  • DB Data Direct

  • Other Data

  • Web Srv

  • Cmd/Config

  • App Svrs

  • AFED/AIDE RT DB

  • AFED Trend DB

  • App Svrs

  • App Svrs

  • Bridge

  • Automated Response


AFED Capabilities

  • Intrusion Detection

    • Merges event and session data from COTS/GOTS sensors (e.g., ASIM/CIDDS, Netradar, Real Secure, …)

    • Translates outputs into standard categories

  • Visualization

    • Provide a consistent visual environment

    • Data views customized for crew positions

  • Policy Enforcement

    • Allows users to define and alert on site policies

    • Allows sites to map network and monitors changes in host OS and services

  • DAA/CTO

    • Automates DAA and CTO processes

    • Verify and update CTO information via monitoring


AFED Capabilities

  • Vulnerability Assessment

    • Commercial Network scanner integrated

    • Host based checks performed

  • Network Management

    • Provides correlation between network events and intrusion events

    • Provides access to host software and hardware inventories to assist identifying vulnerabilities, and security compliance

  • Modeling & Simulation

    • Allows decision makers to perform tradeoff analysis of course-of-actions

  • Reporting

    • Automate the reporting process


AFED / FAA Goals

  • Optimization of IDS rule sets

    • Using AFED, operator reduced daily events by 60% at AFRL site

  • Cross site/sensor correlation

    • Hierarchical reporting capability

  • Comparison of different sensors


AFED / FAA Progress

  • Funds contracted in late February

  • Received 1 month’s worth of sensor data

    • Awaiting additional sensor’s data

  • Data loaded into AFED database and appropriate data views created

  • Administrator beginning to examine/optimize rule set


Distributed Agents for Information Warfare (DAIWatch)


DAIWatch Outline

  • Program Description

  • Task Goals

  • Progress

  • Discriminators

  • Architecture

  • Technology

  • Benefits


DAIWatch Discriminators

DAIWatch™ provides information security protection against the most sophisticated attackers including the Cyber Terrorist vs. the current emphasis of commercial products on hackers

  • Firewalls and related layered products cannot protect the network from internal activities: DAIWatch approach is host based.

  • Current technologies are signature based: DAIWatch uses activity recognition

  • Existing Systems are stovepiped: DAIWatch integrates across existing information system monitors

  • Current Software is static: DAIWatch uses smart dynamic agents.


DAIWatch Technology

  • Sensor Agents

    • Login Times

    • Files accessed

    • Programs Executed

    • Physical Configuration (e.g. modem)

  • Fusion Agent Functions

    • Profile User Activity

      • Individual

      • Role-based (engineer, accountant, etc.)

    • Identify Anomalies

    • Recognize Network Abuse/Attacks
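The profiling the slide describes (sensor agents report login times, programs executed and files accessed; a fusion agent keeps individual and role-based profiles and flags anomalies) can be shown as a small working model. This is an added illustration, not DAIWatch's own code; the users, roles, record layout, tolerance rules and every observation are constructed for the example.

```python
# Added illustration, not DAIWatch's own code: a fusion-agent style profiler over
# the host observations the slide lists (login times, programs executed, files
# accessed) with individual and role-based baselines.  Users, roles, the record
# layout and every observation below are constructed for this example.
from collections import defaultdict

ROLES = {"alice": "engineer", "bob": "engineer", "carol": "accountant"}  # constructed

# Constructed baseline from sensor agents: (user, login_hour, program, file_path)
BASELINE = [
    ("alice", 9, "gcc", "/src/app.c"), ("alice", 10, "vim", "/src/app.c"),
    ("alice", 14, "make", "/src/Makefile"), ("bob", 8, "gcc", "/src/lib.c"),
    ("bob", 11, "vim", "/src/lib.c"), ("bob", 16, "gdb", "/src/lib.c"),
    ("carol", 9, "excel", "/finance/q1.xls"), ("carol", 15, "excel", "/finance/q2.xls"),
]

class Profile:
    """Activity profile: login hours seen, programs run, directories touched."""
    def __init__(self):
        self.hours, self.programs, self.dirs = set(), set(), set()

    def add(self, hour, program, path):
        self.hours.add(hour)
        self.programs.add(program)
        self.dirs.add(path.rsplit("/", 1)[0])

def build_profiles(observations):
    """One profile per individual and one per role (the fusion step)."""
    users, roles = defaultdict(Profile), defaultdict(Profile)
    for user, hour, program, path in observations:
        users[user].add(hour, program, path)
        roles[ROLES.get(user, "unknown")].add(hour, program, path)
    return users, roles

def score(observation, users, roles):
    """Anomaly reasons for one observation.  A deviation from the individual
    profile is tolerated when the user's role peers do the same thing; a deviation
    from both the individual and the role profile is reported."""
    user, hour, program, path = observation
    me, peers = users[user], roles[ROLES.get(user, "unknown")]
    checks = [("login-hour", lambda p: any(abs(hour - h) <= 1 for h in p.hours)),
              ("program", lambda p: program in p.programs),
              ("file-dir", lambda p: path.rsplit("/", 1)[0] in p.dirs)]
    return [name for name, ok in checks if not ok(me) and not ok(peers)]

def detect(observations, baseline=BASELINE):
    """Map each new observation to its list of anomaly reasons ([] = normal)."""
    users, roles = build_profiles(baseline)
    return {obs: score(obs, users, roles) for obs in observations}
```

With this baseline, an engineer running a debugger she has never used is normal because her peers do, while an engineer opening spreadsheets in the finance tree, or an accountant logging in at 03:00, is reported.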


DAIWatch Architecture

Existing information security systems are designed to prevent remote entry from casual hackers. Professionals gain entry by stealing, buying or guessing passwords; or through casual employees such as maintenance staff. DAIWF integrates data from conventional security systems with internally deployed sensors to find these most sophisticated attackers.

(Architecture diagram: Internet, Firewall, Router, IDS, Wireless Devices, 750+ computers per various hubs and subnets; callouts as follows)

  • Wandering agent roams the network looking for malicious code and other configuration issues.

  • Mobile agents are automatically deployed where needed based on risk.

  • Broker agents collect data from existing devices (e.g. firewalls) and DAIWatch Sensors.

  • DAIWatch maintains database and fuses information from all over network to find sophisticated threats and reduce false alarms from simple traffic analysis.

DAIWatch Components

  • Mobile Sensor Agent

  • Wandering Sensor Agent

  • Broker Agent

  • Distribution Manager

  • Fusion Agent

  • Control/Management


DAIWatch Benefits

Next Generation Network Security Manager Focused on Sophisticated Attacks

  • Protects the Network - Recognizes Network Attacks, Especially Sophisticated Ones (e.g. Man-in-the-middle) Including Insider/Masquerader Threats

  • Reduces Liability Exposure - Improves Compliance With New Government Mandates (e.g. GLB, Unauthorized Access)

  • Saves Money (H/W) - Identifies Network Abuse (Webservers, Login Anomalies, Software Install, Policy Violations, etc.)

  • Saves Money (Staff) - Reduces System Administration Time Via Reasoning, Presentation and Drilldown of Data From Other Security Products

  • Improves Effectiveness of Security System - Identifies Intentional and Inadvertent Security Holes (e.g. Mis-configured Firewall)


DAIWatch / FAA Goals

  • Provide real time insider and outsider threat analysis for all network areas including health status of the network.

  • Phase 1

    • Deploy to limited number of machines and receive accreditation to progress

  • Phase 2

    • Initial deployment of approximately 40-50 hosts would provide an opportunity for demonstrating the assessment and value of this tool in a controlled network environment.


DAIWatch / FAA Progress

  • Funds contracted on 12 March 2003

  • FAA received DAIWatch Server

  • ORINCON/FAA set up the server and configured DAIWatch

  • 1 Windows 2000 client installed and running

  • Undergoing 1-week evaluation

  • Waiting for approval from the software evaluation board

  • Status / User Meeting on 15 May - ORINCON/FAA


Summary

  • CyberWolf

  • Air Force Enterprise Defense (AFED)

  • Distributed Agents for Information Warfare (DAIWatch)


Questions??

Lt. Matt Manger

Rome Research Site

[email protected]

(315) 330-1874

6 May 2003

