managing network threat information n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Managing Network Threat Information PowerPoint Presentation
Download Presentation
Managing Network Threat Information

Loading in 2 Seconds...

play fullscreen
1 / 15

Managing Network Threat Information - PowerPoint PPT Presentation


  • 129 Views
  • Uploaded on

Managing Network Threat Information. Giri Raichur, Network Services Team Jim Clifford, TL, Network Services Team Current implementation, future directions and opportunities for inter-laboratory collaboration. Managing Network Threat Information.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Managing Network Threat Information' - frederick


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
managing network threat information

Managing Network Threat Information

Giri Raichur, Network Services Team

Jim Clifford, TL, Network Services Team

Current implementation, future directions and opportunities for inter-laboratory collaboration.

managing network threat information1

Managing Network Threat Information

Network threats - viruses, phishing attacks, malware etc.

Availability of alert information

Incorporating information into network control points

how csirt manages threat information
How CSIRT manages threat information
  • Uses mySQL database with a web front end.
  • Host IP addresses and domains names of attack sites are propagated to DNS servers, firewalls and proxies and blocked within minutes.
  • The central repository and automatic updates allow CSIRT staff to manage blocking information without relying on system and network administration experts
  • Web requests to blocked sites are redirected to an informative web page.
  • The database helps support staff troubleshoot connectivity problems.
sources of threat information
Sources of threat information
  • US-CERT, DOE-CIRC
  • Local intelligence
  • http://malwaredomains.com
  • http://isc.sans.org
  • http://shadowserver.org/wiki
  • http://blog.trendmicro.com
  • http://www.dynamoo.com/blog
  • http://www.f-secure.com
  • http://www.threatexpert.com
  • http://safeweb.norton.com
black hole interface
Black Hole Interface
  • Uses a python API written to be shared by several different blocking mechanisms.
  • The API tracks the change history.
  • History Reads of the rule list can be done without the API .
  • Blocks automatically expire.
advantages of using lanl s approach
Advantages of using LANL’s approach
  • The authoritative data resides in one central database
  • The access control lists are pushed/pulled into various control points
  • Access information is “standardized”
  • Easy to use user interface
  • Authorized user can add/delete without knowing formats for specific applications like DNS and IPtables
  • Changes are near real time
  • New control points can be added easily to use existing access information
  • Access information is available to help desks and other support staff
  • Access information can be audited and tested
future direction
Future direction
  • Federated access policies using "TNC IF-MAP protocol"
what is if map
What is IF-MAP?
  • IF-MAP describes a database that contains metadata about systems and users currently connected to a network.
  • Uses a publish/subscribe model, where all the network and security applications can participate in updating and querying the IF-MAP server
  • XML-based protocol that uses SOAP (Simple Object Access Protocol) specification as defined ty the W3C
  • Published in May 2008 by the Trusted Computing Group
  • Freely available for anyone to implement
  • Growing base of vendor and product support
  • Aggregates real-time information from various sources. Uses both standard data types and vendor-specific extensions
further discussions
Further discussions
  • Fast response to immediate threats is not unique to LANL
  • What do other sites do?
  • How can we minimize redundant access lists based on inter-site intelligence instead of each site maintaining that list?
  • How can we share data that is useful and timely?
  • Any interest in a collaborative effort?