TransPAC3 Community Security, Doug Pearson, REN-ISAC, August 13, 2010 (PowerPoint presentation)



SLIDE 1

TransPAC3 Community Security

Doug Pearson REN-ISAC August 13, 2010

SLIDE 2

My Goals

  • Communicate the community security objectives of the TransPAC3 (TP3) Project Execution Plan (PEP)
  • Briefly describe the REN-ISAC, and our activities that relate to the TP3 PEP goals
  • Stimulate interest in the community security activities
  • Point people to Jim Williams, so that he can bring back engagement interests and plans

SLIDE 3

Project Execution Plans

TransPAC3 (TP3) and America Connects to Europe (ACE) project execution plans specify security components. Two security components were described:

  • infrastructure security, and
  • community security

SLIDE 4

TP3 Project Execution Plans

Infrastructure security:

Concentrates on securing the network infrastructure itself and analyzing threat data across the network. Is accomplished through efforts of the TP3 engineering team.

Community security

Emphasizes linkage of US and Asian trusted information sharing communities and engagement with those communities to effectively address security threats and incidents. In the US, TP3 will engage with the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) to accomplish the community security objectives.

SLIDE 5

REN-ISAC Mission

The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.

SLIDE 6

REN-ISAC Information Sharing Activities

  • Daily Watch Report provides situational awareness.
  • Alerts provide critical and timely information concerning new or increasing threat.
  • Notifications, for the purpose of remediation, identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~8000 notifications per month.
  • Feeds provide information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.
  • Advisories inform regarding specific practices or approaches that can improve security posture.
  • TechBurst webcasts provide instruction on technical topics relevant to security protection and response.
  • Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.
  • Member information sharing in private mailing lists, IRC, wiki, etc.

SLIDE 7

Objectives for TP3 Community Security

PEP: Community Security Timeline Summary

Award plus six months
1. Linkage of operational security teams and personnel
2. Identification of incident response requirements
3. Exchange of respective team process information
4. Determination of reachable objectives for sharing of security event information

Award plus one year
1. Operational incident communications
2. Roadmap for establishing security event information sharing capability, including definition of a pilot activity
3. Roadmap for further cooperation over the term of the grant

SLIDE 8

Objectives for TP3 Community Security

Summed

  • Cooperation in incident response
  • Security event information sharing, in a form useful for sites in local protection, e.g. IDS signatures, DNS sinkhole, etc.

SLIDE 9

Incident Response (IR)

Different levels, types, and participants, e.g.

  • Intensive hands-on in the event of DDoS; NOCs must be involved for traceback
  • Notifications regarding compromised machines; typically a CSIRT or CERT-like function

Sometimes the NOC security and community CSIRT functions are in the same entity, sometimes not.

REN-ISAC serves as a security center for the Internet2, TP3, and ACE networks, and performs as a CSIRT for U.S. R&E

SLIDE 10

Recent Example of Need for Coordinated IR

Netflow analysis showed that the bulk of the increase in TCP/123 was from one or more hosts in a /21 on CERNET, scanning a half-dozen university networks, Aug 1-8; potential concern, e.g. "NTP mode 7 denial-of-service vulnerability" http://www.kb.cert.org/vuls/id/568372
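The kind of flow analysis this slide describes (spotting one source prefix whose TCP/123 traffic spreads across many distinct site networks) as an added example in Python; this is not REN-ISAC code. The flow records are constructed from RFC 5737 documentation addresses, and the /21 source grouping, /24 site grouping and the "three or more sites" threshold are assumptions chosen for the sample, not values from the slide.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (RFC 5737 addresses), not real netflow data.
# Fields: src_ip,dst_ip,proto,dport,packets
SAMPLE_FLOWS = """\
203.0.113.7,198.51.100.20,TCP,123,3
203.0.113.7,198.51.100.21,TCP,123,3
203.0.113.9,198.51.101.4,TCP,123,2
203.0.113.12,198.51.102.8,TCP,123,2
203.0.113.12,198.51.103.8,TCP,123,2
203.0.113.250,198.51.104.1,TCP,123,1
192.0.2.44,198.51.100.53,UDP,123,40
192.0.2.44,198.51.100.53,TCP,443,120
"""


def parse_flows(text):
    """Turn the CSV-style records into dicts with parsed addresses and ints."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, packets = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
            "packets": int(packets),
        })
    return flows


def find_scanning_prefixes(flows, proto="TCP", dport=123,
                           src_prefix_len=21, site_prefix_len=24, min_sites=3):
    """Group matching flows by source prefix and report prefixes that touch
    at least `min_sites` distinct destination site networks.

    Returns {source_prefix: sorted list of site networks reached}.
    """
    sites_by_prefix = defaultdict(set)
    for f in flows:
        if f["proto"] != proto or f["dport"] != dport:
            continue  # ignore other services, e.g. ordinary UDP NTP sync
        src_net = ipaddress.ip_network(f"{f['src']}/{src_prefix_len}", strict=False)
        dst_net = ipaddress.ip_network(f"{f['dst']}/{site_prefix_len}", strict=False)
        sites_by_prefix[src_net].add(dst_net)
    return {
        str(prefix): sorted(str(n) for n in sites)
        for prefix, sites in sites_by_prefix.items()
        if len(sites) >= min_sites
    }


if __name__ == "__main__":
    for prefix, sites in find_scanning_prefixes(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{prefix} reached {len(sites)} site networks on TCP/123: {', '.join(sites)}")
```

Grouping sources at the prefix level rather than per host is what lets the pattern show up when the scanning is spread over several hosts in the same range, as the slide describes; the UDP/123 flow in the sample is excluded so that normal NTP synchronisation does not inflate the count.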

SLIDE 11

Security Event Information Sharing

REN-ISAC is in early production use of its Security Event System (SES). The objective of SES is to support near real-time sharing of security event data that can be used by participating sites in local protections against identified and emerging threats. Event data collected at participating sites and from external information sharing relationships is normalized in standards-based data structures. Correlation is performed on the data, identifying bad actors, and developing confidence. The resulting high-confidence, bad-actor information is fed back to the participating sites for application in local protections such as IDS, blocks, and sinkholes.

SLIDE 12

SES Discovery, Correlation, and Protection

SLIDE 13

SES Supported Data Types

  • IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc.
  • CIDR, either representing a miscreant-heavy address range, e.g. RBN, or as additional qualifying information
  • ASN, as additional qualifying information
  • DNS name, representing for example, a botnet C&C
  • URL, representing for example, a malware download site
  • E-mail address, for example, a phishing Reply-To: address
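The SES pipeline of slide 11 (normalize event data from sites and external feeds, correlate it, develop confidence, feed high-confidence indicators back for local protection) over the data types listed on this slide, as an added example in Python; this is not SES or REN-ISAC code. The two input formats, the per-source trust weights, the scoring rule (one weighted vote per distinct reporting source, plus a bonus when an IP falls inside a reported miscreant CIDR) and the confidence threshold are all assumptions made for the sample, and the indicators are constructed from RFC 5737 addresses and example.net names.

```python
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inputs, not REN-ISAC data.
# Site reports arrive as CSV lines: kind,value,tag
SITE_A_CSV = """\
ip,203.0.113.5,botnet-cc
ip,203.0.113.5,scanner
ip,203.0.113.200,scanner
dns,cc.example.net,botnet-cc
email,refund@example.org,phish-replyto
"""
SITE_B_CSV = """\
ip,203.0.113.5,botnet-cc
dns,cc.example.net,botnet-cc
url,http://dl.example.net/x.exe,malware-download
"""
# An external feed uses its own field names and does not type its observables.
EXTERNAL_JSONL = """\
{"observable": "203.0.113.5", "category": "c2"}
{"observable": "203.0.113.0/24", "category": "bad-range"}
{"observable": "cc.example.net", "category": "c2"}
"""

# Assumed trust per reporting source; unknown sources get a low default.
SOURCE_WEIGHT = {"site-a": 1.0, "site-b": 1.0, "ext-feed": 0.5}
CIDR_BONUS = 0.5  # assumed: IP inside a reported miscreant range is qualifying information


@dataclass(frozen=True)
class Event:
    """Normalized record; kind is one of the SES-supported data types."""
    kind: str   # ip, cidr, asn, dns, url, email
    value: str
    source: str
    tag: str


def classify(value):
    """Infer the data type of a bare observable from an untyped feed."""
    if "@" in value:
        return "email"
    if "://" in value:
        return "url"
    if value.upper().startswith("AS") and value[2:].isdigit():
        return "asn"
    try:
        if "/" in value:
            ipaddress.ip_network(value, strict=False)
            return "cidr"
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "dns"


def normalize_site(csv_text, source):
    """Site CSV already carries the type, so only the shape changes."""
    events = []
    for line in csv_text.strip().splitlines():
        kind, value, tag = line.split(",", 2)
        events.append(Event(kind, value, source, tag))
    return events


def normalize_external(jsonl_text, source):
    """External JSON lines need field renaming and type inference."""
    events = []
    for line in jsonl_text.strip().splitlines():
        rec = json.loads(line)
        events.append(Event(classify(rec["observable"]), rec["observable"], source, rec["category"]))
    return events


def correlate(events):
    """Score each (kind, value) by distinct reporting sources; repeated reports
    from one source do not add confidence. Returns {(kind, value): details}."""
    sources, tags = defaultdict(set), defaultdict(set)
    for e in events:
        sources[(e.kind, e.value)].add(e.source)
        tags[(e.kind, e.value)].add(e.tag)
    cidrs = [ipaddress.ip_network(v, strict=False) for (k, v) in sources if k == "cidr"]
    result = {}
    for (kind, value), srcs in sources.items():
        score = sum(SOURCE_WEIGHT.get(s, 0.25) for s in srcs)
        if kind == "ip" and any(ipaddress.ip_address(value) in c for c in cidrs):
            score += CIDR_BONUS
        result[(kind, value)] = {"confidence": round(score, 2),
                                 "sources": sorted(srcs), "tags": sorted(tags[(kind, value)])}
    return result


def protection_feed(correlated, threshold=2.0):
    """Indicators confident enough to push to site block lists / IDS, by type."""
    feed = defaultdict(list)
    for (kind, value), info in correlated.items():
        if info["confidence"] >= threshold:
            feed[kind].append(value)
    return {kind: sorted(values) for kind, values in feed.items()}


if __name__ == "__main__":
    events = (normalize_site(SITE_A_CSV, "site-a") + normalize_site(SITE_B_CSV, "site-b")
              + normalize_external(EXTERNAL_JSONL, "ext-feed"))
    print(protection_feed(correlate(events)))
```

The threshold is what separates the "developing confidence" step from the feed-back step: a single-site sighting of 203.0.113.200 stays in the correlated data for analysts but is not pushed out as a block, while the C&C address and name reported independently by two sites and the feed clear the bar.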

SLIDE 14

Inter-federation

The objective for TP3 Community Security: Sharing Event Information is linkage of the SES effort within the REN-ISAC trusted community to similar security event information sharing activities in APAN-area trusted communities. Greater sharing of protection data = better security.

SLIDE 15

TP3 PEP

The Project Execution Plan states:

Many benefits are derived from sharing security event data among institutions and organizations. Participating in a trusted information sharing community helps effectively address security issues. To this end we will adopt the Security Event System (SES) in cooperation with APAN JP and REN-ISAC. The SES project is a development effort of REN-ISAC, in cooperation with Internet2, and funded by a Department of Justice grant. The TransPAC3 project will engage in SES and establish trusted relationships with our partners in Asia.

SLIDE 16

Next Steps

  • Pearson and Kitamura to discuss and plan for APAN-JP and REN-ISAC cooperation
  • Develop plan for broader AP / REN-ISAC engagement

dodpears@ren-isac.net, williams@indiana.edu, kita@jp.apan.net

SLIDE 17

My Goals

  • Communicate the community security objectives of the TransPAC3 (TP3) Project Execution Plan (PEP)
  • Briefly describe the REN-ISAC, and our activities that relate to the TP3 PEP goals
  • Stimulate interest in the community security activities
  • Point people to Jim Williams, so that he can bring back engagement interests and plans

SLIDE 18

Contacts and References

Doug Pearson, Technical Director, REN-ISAC, dodpears@ren-isac.net
REN-ISAC: http://www.ren-isac.net
REN-ISAC SES Project: http://www.ren-isac.net/ses/