sharing intelligence is our best defense
play

Sharing Intelligence is our Best Defense: Incentives That Work - PDF document

Sep 11, 2022 •265 likes •393 views

Sharing Intelligence is our Best Defense: Incentives That Work versus Disincentives That Can Be Solved William Yurcik* Adam Slagell Jun Wang NCSA Security Research National Center for Supercomputing Applications (NCSA) University of Illinois

  1. Sharing Intelligence is our Best Defense: Incentives That Work versus Disincentives That Can Be Solved William Yurcik* Adam Slagell Jun Wang NCSA Security Research National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign Data Sharing Panel FloCon 2004 National Center for Supercomputing Applications Cyber Security Today Is “a bit” Like the Keystone Cops National Center for Supercomputing Applications 1

  2. Cyber Security Today Is “a bit” Like the Keystone Cops They do something really bad! National Center for Supercomputing Applications Cyber Security Today Is “a bit” Like the Keystone Cops They do Then we chase something them to the really bad! border. National Center for Supercomputing Applications 2

  3. Security Information Sharing Need to share information on attacks. • – Fingerprints and attack profiles – Individual events Identify individuals • We cannot continue to stop at the border, we need to • cooperate with law enforcement and each other. – Security event repository – Event correlation across administrative domains “unfortunately, this country takes body bags and • requires body bags sometimes to make really tough decisions about money and about governmental arrangements” - Richard Clarke 9/11 Testimony National Center for Supercomputing Applications The World is Rapidly Changing Greater Dependency on Collaborations and Technology National Center for Supercomputing Applications 3

  4. Cooperation is Voluntary The vast majority of incidents are never reported National Center for Supercomputing Applications Cooperation is Voluntary Caveat - except in California! Only state mandatory disclosure law currently on the books at state level. Effective as of July 2003 National Center for Supercomputing Applications 4

  5. Cooperation is Voluntary Caveat - except in California! Only state mandatory disclosure law currently on the books at state level. Effective as of July 2003 California Law has national effects : California is home to many of the biggest technology companies in the country. Law applies to all who “conduct business” in the state. Of course many companies route their information through servers housed in California. Potential for litigation in California - many times companies will have no way of knowing whether a person is resident of California or not. National Center for Supercomputing Applications Computer Emergency Response Teams CERTs http://www.first.org/team-info/ National Center for Supercomputing Applications 5

  6. Information Sharing and Analysis (ISACs) • Gathering, analysis • Operational ISACs and sharing of – Electric power – Telecommunications information related – Information technology to actual or – Financial services unsuccessful – Water supply attempts at computer – Surface transportation security breeches. – Oil & gas • Presidential Decision – Emergency fire services Directive (PDD)-63 – Food – Chemicals industry • Fee base – Emergency law membership enforcement National Center for Supercomputing Applications Question: Question: Can we share? Can we share? National Center for Supercomputing Applications 6

  7. (1) SANS National Center for Supercomputing Applications (2) DShield.org Distributed Intrusion Detection System Services registered for this port Vulnerabilities for this port …. … National Center for Supercomputing Applications 7

  8. <http://www.first.org/> (3) Forum of Incident Response and Security Teams (4) CIC-SWG Committee on Institutional Cooperation - IT Security Working Group (Big Ten Universities plus the University of Chicago) <http://www.cic.uiuc.edu/groups/ITSecurityWorkingGroup/> National Center for Supercomputing Applications Incentives Incentives / / Disincentives Disincentives National Center for Supercomputing Applications 8

  9. Framing the Data Sharing Issues Both an Internal / External Issue (within before between) • Who should share externally? • – at what organizational levels (more/less bureaucracy) – flat or hierarchical (scalability) What should be shared? • – raw data, processed data, known answers How should it be shared? • – phone calls/Emails, reports, automation Significant time and effort to share – payback? none/long-term real-time Does technology exist to share securely – Will information I share come back to bite me? National Center for Supercomputing Applications Commonly Available Logs 12) Vulnerability Scan Logs 1) NetFlows Logs 13) Nameserver DNS Cache 2) Packet Traces - tcpdump 14) SNMP Logs 3) Network IDS- BRO,Snort, etc. 15) BGP Tables 4) Host IDS – Tripwire, etc. 16) Dial-Up Server Logs 5) Syslogs (general) 17) ARP Cache 6) Authentication Logs 18) Workstation Logs 7) DHCP Server Logs 19) Process Accounting Logs 8) Firewall logs 20) Trace Route Logs 9) Mail Server Logs 21) “Homegrown” Logs 10) Backup Logs ….. 11) AntiVirus Logs National Center for Supercomputing Applications 9

  10. Attributes Across Logs National Center for Supercomputing Applications Log Anonymization Log Multiple Anonymizing Levels of Requirements Engine Anonymized Logs (e.g., different internal/external requirements) Algorithms National Center for Supercomputing Applications 10

  11. Known Statistical Plain-Text Inference Attacks Anonymized Anonymized Prefix-Preserving Prefix-Preserving IDS Log Syslog Log unique scan of IP X at time T 1 unique ssh attempt on IP X at time T 1 IP X with port activity at Time T 2 IP X unique syslog messages at time T 2 National Center for Supercomputing Applications National Center for Supercomputing Applications 11

  12. NCSA SIFT Project NCSA SIFT Project http://www.ncassr.org/projects/sift/ http://www.ncassr.org/projects/sift/ VizSEC VizSEC Workshop Oct 29, 2004 Workshop Oct 29, 2004 ACM Computer and Communications ACM Computer and Communications Security Washington DC Security Washington DC http://www. http://www.cs cs.fit. .fit.edu edu/~ /~pkc pkc/vizdmsec04/ /vizdmsec04/ National Center for Supercomputing Applications Discussion No one-size-fits-all solution exists for log sharing • Solutions depend on the application • three major problems – 1) huge distributed data volumes • visualization is part of the solution here – next workshop 2) security must be considered • CIA • may require re-design/re-architecture (I hope not!) 3) Incentives Operational incentives may be the key • We have a counter-intuitive example that actually works: – sharing between very selfish sysadmins with very sensitive security • information (go figure) “only cooperation will make us less vulnerable” – National Center for Supercomputing Applications 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern

Modern Defense Tooling Artificial intelligence as a defense platform Ameen Altajer Modern Defense Tooling A drastic change in the modern AI landscape The work of both DeepMind and OpenAI is a testament of how things drastically changed Modern

700 views • 15 slides
(U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence

(U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence

UNCLASSIFIED (U) Modernizing Defense Intelligence: Object Based Production and Activity Based Intelligence Cathy Johnston Director for Analysis 27 JUNE 2013 UNCLASSIFIED (U) Modernizing Defense Analysis (U) Imperative to change (U) Growing

532 views • 11 slides
Cyber Security &amp; Intelligence Sharing in Our Schools By Steve Palmer &amp; Anthony

Cyber Security &amp; Intelligence Sharing in Our Schools By Steve Palmer &amp; Anthony

Cyber Security &amp; Intelligence Sharing in Our Schools By Steve Palmer &amp; Anthony Aukland Todays Topics Digital Citizenship EduTech O365 Security Pages Physical School Access Intelligence Sharing &amp; North Dakota

828 views • 31 slides
Sharing Act of 2015: Joel Benge Risk Evangelist Emergent Network Defense

Sharing Act of 2015: Joel Benge Risk Evangelist Emergent Network Defense

The U.S. Cybersecurity Information Sharing Act of 2015: Joel Benge Risk Evangelist Emergent Network Defense joel@ENDsecurity.com Points to cover Overview History, Provisions, Challenges Implementation Application to reality

754 views • 18 slides
Agent-Based Information Sharing for Ambient Intelligence

Agent-Based Information Sharing for Ambient Intelligence

Agent-Based Information Sharing for Ambient Intelligence Andrei Olaru AI-MAS Group, University Politehnica Bucharest LIP6,

784 views • 43 slides
Agent-Based Information Sharing for Ambient Intelligence

Agent-Based Information Sharing for Ambient Intelligence

Agent-Based Information Sharing for Ambient Intelligence Andrei Olaru and Cristian Gratie AI-MAS Group, University Politehnica,

853 views • 53 slides
Efficient Techniques for Sharing On-chip Resources in CMPs Ruisheng Wang PhD Oral Defense

Efficient Techniques for Sharing On-chip Resources in CMPs Ruisheng Wang PhD Oral Defense

Efficient Techniques for Sharing On-chip Resources in CMPs Ruisheng Wang PhD Oral Defense 2017-05-09 Overall cloud workloads will more than triple from 2015 to 2020. Cisco Global Cloud Index CRM as a Service Storage as Maching

1.12k views • 82 slides
DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence

DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence

PROTOTYPE WARFARE: DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence (Warfighter Support) 1 November 2017 Information Processing Techniques Office (1962) Perceptron (1958) IARPA (2006) MINOS

517 views • 30 slides
the evolution of collective intelligence adventures in information sharing wesyoung.me Monday,

the evolution of collective intelligence adventures in information sharing wesyoung.me Monday,

the evolution of collective intelligence adventures in information sharing wesyoung.me Monday, May 21, 12 zombie hunting, the survival guide What is the REN-ISAC? Who do we work with? Why should I care? Challenges the

506 views • 24 slides
Dr. Paul Krasley, CPLP Defense Intelligence Agency John Ippolito, CISSP, PMP Allied Technology

Dr. Paul Krasley, CPLP Defense Intelligence Agency John Ippolito, CISSP, PMP Allied Technology

24 th Annual Conference Bridging to the Future Emerging Trends in Cybersecurity Dr. Paul Krasley, CPLP Defense Intelligence Agency John Ippolito, CISSP, PMP Allied Technology Group, Inc. How soon should we add new tec echnologies or new

540 views • 20 slides
Continuous Intelligence Through Computation Sharing With Arcon Paris Carbone Senior Researcher @

Continuous Intelligence Through Computation Sharing With Arcon Paris Carbone Senior Researcher @

Continuous Intelligence Through Computation Sharing With Arcon Paris Carbone Senior Researcher @ RISE Committer @ Apache Flink &lt;paris.carbone@ri.se&gt; Castor Software Days E n Data g i n Science e e r i n g Tech Business A

545 views • 33 slides
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti)

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti)

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) AlexandreSieira Alex Pinto CTO Chief Data Scientist Niddel MLSec Project @AlexandreSieira @alexcpsec @NiddelCorp @MLSecProject Agenda Cyber

585 views • 57 slides
Managing Conflict and Instability in Africa Jack May Jack.May@dia.mil Defense Intelligence

Managing Conflict and Instability in Africa Jack May Jack.May@dia.mil Defense Intelligence

Managing Conflict and Instability in Africa Jack May Jack.May@dia.mil Defense Intelligence Agency 15 April 2013 Directorate for Analysis Managing Conflict and Instability in Africa Overview Underlying Causes of Instability Methods

501 views • 22 slides
Intelligence, and Human Factors John Bryk Downstream Natural Gas Information Sharing and

Intelligence, and Human Factors John Bryk Downstream Natural Gas Information Sharing and

Information, Intelligence, and Human Factors John Bryk Downstream Natural Gas Information Sharing and Analysis Center DNG-ISAC Washington, DC Information Sharing and Analysis Center (ISAC) John Bryk, Cyber and Physical Threat

511 views • 16 slides
Improving Intelligence Community MISP as an enabler for intelligence analysis MISP Project

Improving Intelligence Community MISP as an enabler for intelligence analysis MISP Project

Improving Intelligence Community MISP as an enabler for intelligence analysis MISP Project https://www.misp-project.org/ 20181117 Threat Sharing Alexandre Dulaunoy @adulau @MISPProject MISP and CIRCL CIRCL is mandated by the Ministry of

348 views • 23 slides
Challenges of Implementing Fair Defense Act Requirements &amp; Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements &amp; Indigent Defense Grant

Challenges of Implementing Fair Defense Act Requirements &amp; Indigent Defense Grant Opportunities Effective Post-Arrest and Indigent Defense Practices Longview, TX August 10, 2018 Scott Ehlers, Special Counsel T exas Indigent Defense

676 views • 30 slides
Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide

Linux Memory Analysis Workshop Session 1 Andrew Case Who Am I? Security Analyst at Digital Forensics Solutions Also perform wide ranging forensics investigations Volatility Developer Former Blackhat, SOURCE, and DFRWS speaker

1.64k views • 162 slides
Patrik Fltstrm Head of Engineering, Research &amp; Development Netnod 1 www.netnod.se

Patrik Fltstrm Head of Engineering, Research &amp; Development Netnod 1 www.netnod.se

www.netnod.se PAPER SERIES: NO. 33 MAY 2016 Market-driven Challenges to Open Internet Standards Patrik Fltstrm Patrik Fltstrm Head of Engineering, Research &amp; Development Netnod 1 www.netnod.se Patrik Fltstrm -

535 views • 37 slides
Founders ISA Board of Directors J. Michael Hickey, 2nd Vice Chair Ken Silva, Chairman VP

Founders ISA Board of Directors J. Michael Hickey, 2nd Vice Chair Ken Silva, Chairman VP

The Evolving Cyber Threat and what businesses can do about it Larry Clinton, President Direct 703/907-7028 lclinton@isalliance.org Founders ISA Board of Directors J. Michael Hickey, 2nd Vice Chair Ken Silva, Chairman VP Government Affairs,

520 views • 50 slides
Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come

Embracing Cloud Ian Apperley Agenda A little about me What is Cloud and where did it come from? Why Cloud? Cloud for small, medium, enterprise, and government Barriers to adoption Embracing Cloud Social Mobile Cloud

972 views • 45 slides
1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino, Managing Director, Systems Engineering Dr. Kaustubh Phanse, Principal Wireless Architect Md. Sohail Ahmad, Senior Security Researcher Moderator: Della

314 views • 29 slides
Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor:

Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor:

Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor: Prof. Nirmalya Roy Introduction The paper is from 2010 Second International Conference on Communication Software and Networks; Basic

517 views • 15 slides
Software Defined Security Reloaded Open Infrastructure Summit, Shanghai Nov 4, 2019 Ash

Software Defined Security Reloaded Open Infrastructure Summit, Shanghai Nov 4, 2019 Ash

Software Defined Security Reloaded Open Infrastructure Summit, Shanghai Nov 4, 2019 Ash Bhalgat (Sr. Director, Cloud Marketing, Mellanox Technologies) Yossef Efraim (Director, Software Development, Mellanox Technologies) Zhike Wang (JD

487 views • 38 slides
New Networking Features in FreeBSD 6.0 Andr Oppermann &lt;andre@FreeBSD.org&gt; EuroBSDCon 05

New Networking Features in FreeBSD 6.0 Andr Oppermann &lt;andre@FreeBSD.org&gt; EuroBSDCon 05

New Networking Features in FreeBSD 6.0 Andr Oppermann &lt;andre@FreeBSD.org&gt; EuroBSDCon 05 Basel, 27. November 2005 New Networking Features in FreeBSD 6.0 - EuroBSDCon 05 - 27. November 2005 - &lt;andre@FreeBSD.org&gt; Page 1 of 23

455 views • 23 slides

More recommend