 
TransPAC3 Community Security
Doug Pearson, REN-ISAC
August 13, 2010
My Goals
• Communicate the community security objectives of the TransPAC3 (TP3) Project Execution Plan (PEP)
• Briefly describe the REN-ISAC, and our activities that relate to the TP3 PEP goals
• Stimulate interest in the community security activities
• Point people to Jim Williams, so that he can bring back engagement interests and plans
Project Execution Plans
• TransPAC3 (TP3) and America Connects to Europe (ACE) project execution plans specify security components. Two security components were described:
  • infrastructure security, and
  • community security
TP3 Project Execution Plans
• Infrastructure security:
  • Concentrates on securing the network infrastructure itself and analyzing threat data across the network.
  • Is accomplished through efforts of the TP3 engineering team.
• Community security:
  • Emphasizes linkage of US and Asian trusted information sharing communities and engagement with those communities to effectively address security threats and incidents.
  • In the US, TP3 will engage with the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) to accomplish the community security objectives.
REN-ISAC Mission
The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. The mission is conducted within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships.
REN-ISAC Information Sharing Activities
• Daily Watch Report provides situational awareness.
• Alerts provide critical and timely information concerning new or increasing threat.
• Notifications, for the purpose of remediation, identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~8000 notifications per month.
• Feeds provide information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.
• Advisories inform regarding specific practices or approaches that can improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.
• Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.
• Member information sharing in private mailing lists, IRC, wiki, etc.
Objectives for TP3 Community Security
• PEP: Community Security Timeline Summary
  • Award plus six months
    1. Linkage of operational security teams and personnel
    2. Identification of incident response requirements
    3. Exchange of respective team process information
    4. Determination of reachable objectives for sharing of security event information
  • Award plus one year
    1. Operational incident communications
    2. Roadmap for establishing security event information sharing capability, including definition of a pilot activity
    3. Roadmap for further cooperation over the term of the grant
Objectives for TP3 Community Security
• Summed:
  • Cooperation in incident response
  • Security event information sharing
    • In a form useful for sites in local protection, e.g. IDS signatures, DNS sinkhole, etc.
Incident Response (IR)
• Different levels, types, and participants, e.g.
  • Intensive hands-on in the event of DDoS
    • NOCs must be involved for traceback
  • Notifications regarding compromised machines
    • Typically a CSIRT or CERT-like function
• Sometimes the NOC security and community CSIRT functions are in the same entity, sometimes not.
• REN-ISAC serves as a security center for the Internet2, TP3, and ACE networks, and performs as a CSIRT for U.S. R&E
Recent Example of Need for Coordinated IR
Netflow analysis showed that the bulk of the increase in TCP/123 was from one or more hosts in a /21 on CERNET, scanning a half-dozen university networks, Aug 1-8; potential concern, e.g. "NTP mode 7 denial-of-service vulnerability" http://www.kb.cert.org/vuls/id/568372
Security Event Information Sharing
• REN-ISAC is in early production use of its Security Event System (SES)
• The objective of SES is to support near real-time sharing of security event data that can be used by participating sites in local protections against identified and emerging threats.
• Event data collected at participating sites and from external information sharing relationships is normalized in standards-based data structures. Correlation is performed on the data, identifying bad actors, and developing confidence. The resulting high-confidence, bad-actor information is fed back to the participating sites for application in local protections such as IDS, blocks, and sinkholes.
SES Discovery, Correlation, and Protection
SES Supported Data Types
• IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc.
• CIDR, either representing a miscreant-heavy address range, e.g. RBN, or as additional qualifying information
• ASN, as additional qualifying information
• DNS name, representing for example, a botnet C&C
• URL, representing for example, a malware download site
• E-mail address, for example, a phishing Reply-To: address
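As an added illustration of the normalize, correlate, and feed-back cycle described on the SES slides above (example code, not REN-ISAC's SES implementation): reports from participating sites about the indicator types listed here are canonicalized, grouped across reporters, scored by how many distinct sites observed them (a CIDR reported by another site that covers an IP serves as the slide's "additional qualifying information"), and only indicators at or above a threshold are emitted as a block or sinkhole feed. The record layout, site names, and sample indicators are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

RAW_REPORTS = [  # constructed sample; the reporter/kind/value/tags layout is an assumption
    {"reporter": "siteA", "kind": "ip", "value": "198.51.100.7", "tags": ["scanner"]},
    {"reporter": "siteB", "kind": "ip", "value": "198.51.100.7", "tags": ["botnet-drone"]},
    {"reporter": "siteA", "kind": "ip", "value": "198.51.100.20", "tags": ["scanner"]},
    {"reporter": "siteC", "kind": "cidr", "value": "198.51.100.0/24", "tags": ["miscreant-range"]},
    {"reporter": "siteA", "kind": "ip", "value": "203.0.113.9", "tags": ["ddos-source"]},
    {"reporter": "siteA", "kind": "ip", "value": "203.0.113.9", "tags": ["ddos-source"]},
    {"reporter": "siteA", "kind": "dns", "value": "C2.Example.NET", "tags": ["botnet-c2"]},
    {"reporter": "siteB", "kind": "dns", "value": "c2.example.net.", "tags": ["botnet-c2"]},
]

def normalize(report):
    """Canonicalize one report so that reports about the same indicator compare equal."""
    kind, value = report["kind"], report["value"].strip()
    if kind == "ip":
        value = str(ip_address(value))          # canonical text form (also validates)
    elif kind == "cidr":
        value = str(ip_network(value, strict=False))
    elif kind in ("dns", "email", "url"):
        value = value.lower().rstrip(".")      # case-insensitive; drop trailing dot
    return (kind, value), report["reporter"], set(report["tags"])

def correlate(reports):
    """Merge reports per normalized indicator; repeat reports from one site count once."""
    seen = defaultdict(lambda: {"reporters": set(), "tags": set()})
    for r in reports:
        key, reporter, tags = normalize(r)
        seen[key]["reporters"].add(reporter)
        seen[key]["tags"] |= tags
    return seen

def confidence(correlated, key):
    """Distinct reporting sites; a covering CIDR from another site adds its reporters."""
    reporters = set(correlated[key]["reporters"])
    if key[0] == "ip":
        for (kind, value), rec in correlated.items():
            if kind == "cidr" and ip_address(key[1]) in ip_network(value):
                reporters |= rec["reporters"]
    return len(reporters)

def build_feed(reports, min_confidence=2):
    """Return {kind: sorted values} meeting the threshold, for local blocks/sinkholes."""
    correlated = correlate(reports)
    feed = defaultdict(list)
    for key in correlated:
        if confidence(correlated, key) >= min_confidence:
            feed[key[0]].append(key[1])
    return {kind: sorted(vals) for kind, vals in feed.items()}
```

Single-site observations (203.0.113.9, the lone CIDR) stay out of the feed even when reported repeatedly, while the IP covered by another site's CIDR qualifies.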
Inter-federation
• The objective for TP3 Community Security: Sharing Event Information is linkage of the SES effort within the REN-ISAC trusted community to similar security event information sharing activities in APAN-area trusted communities.
• Greater sharing of protection data = better security.
TP3 PEP
• The Project Execution Plan states:
  • Many benefits are derived from sharing security event data among institutions and organizations. Participating in a trusted information sharing community helps effectively address security issues. To this end we will adopt the Security Event System (SES) in cooperation with APAN JP and REN-ISAC. The SES project is a development effort of REN-ISAC, in cooperation with Internet2, and funded by a Department of Justice grant. The TransPAC3 project will engage in SES and establish trusted relationships with our partners in Asia.
Next Steps
• Pearson and Kitamura to discuss and plan for APAN-JP and REN-ISAC cooperation
• Develop plan for broader AP / REN-ISAC engagement
• dodpears@ren-isac.net
• williams@indiana.edu
• kita@jp.apan.net
Contacts and References
• Doug Pearson, Technical Director, REN-ISAC, dodpears@ren-isac.net
• REN-ISAC http://www.ren-isac.net
• REN-ISAC SES Project http://www.ren-isac.net/ses/