Partnership Promotes Coordinated Security Response

Date: 05/08/2009

The REN-ISAC [1.1] in partnership with the Internet2 SALSA CSI2 [1.2]
working group has identified clear benefit in the sharing and
correlation of security event data among
institutions and organizations participating in a trusted information
sharing community. Correlating a large body of data from across the
community would identify the sources, characteristics, and trends of
threats. Data sharing, conducted in real time and in standard automated
formats, would provide protection from identified and emerging threats.
Development of a Security Event System is proposed to meet these
objectives.

In this context, "event data" is data derived from collectors
distributed throughout the participating member networks. Collectors
include, but are not limited to, intrusion
detection system logs, firewall logs, application logs such as dns,
httpd and sshd, darknet sensors, spam filters, etc. Raw event data is
low-level information, such as IP addresses, source and destination
ports, domain name requests, access control identifiers, e-mail
addresses, etc. Event data can be filtered at the owning institution so
that only what is relevant for community protection and response is
shared with SES, and so that privacy is protected. In the SES context "event" data is
differentiated from "incident" information, in that incident
information is a higher-level and broader aggregation of information,
including event data, which is used to initiate, facilitate, and track
actions of response to an actual or attempted security breach.

This system will extensively take advantage of RFC 4765 [1.3], the
Intrusion Detection Message Exchange Format ("IDMEF"), and RFC 5070
[1.4], the Incident Object Description Exchange Format ("IODEF").
This system will also provide a framework for generating key metrics
and predictive statistics derived from the datasets being warehoused.
Currently most security event handling is communicated via non-
standard taxonomies and verbose written language. The ultimate goal of
this project is to create a framework where common business process,
workflow, standardization practices and automation can be applied to
ad-hoc global security communities and their variety of taxonomies/
standards.
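As an added illustration (not code from the SES project or from REN-ISAC), the following Python sketches the collector-to-community path described above: a constructed sshd log line is reduced to raw event data, an institution-side filter drops local identifiers before sharing, and the result is serialised as an IDMEF Alert with the element names and order given in RFC 4765. The analyzer id, IP addresses, timestamp and log line are constructed values.

```python
import re
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"            # namespace defined by RFC 4765
ET.register_namespace("idmef", IDMEF_NS)

# Constructed sample sshd log line (not from the announcement).
SAMPLE_SSHD_LINE = ("May  8 10:15:02 login1 sshd[2211]: Failed password for "
                    "invalid user admin from 203.0.113.45 port 51023 ssh2")
LOG_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<src>\S+) port (?P<port>\d+)")

def sshd_event(line, local_ip="198.51.100.10"):
    """Raw event data: flatten one sshd failure line into a dict, else None."""
    m = LOG_RE.search(line)
    if not m: return None
    return {"src": m.group("src"), "sport": int(m.group("port")),
            "user": m.group("user"), "target": local_ip,
            "class": "SSH password-guessing attempt"}

def share_filter(ev):
    """Institution-side filter: keep attacker source and classification only."""
    return {k: v for k, v in ev.items() if k in ("src", "sport", "class")}

def to_idmef(ev, analyzer_id="ses-collector-example", when="2009-05-08T10:15:02Z"):
    """Serialise an event as an IDMEF Alert; element order follows RFC 4765."""
    q = lambda tag: "{%s}%s" % (IDMEF_NS, tag)
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"))
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    ET.SubElement(alert, q("CreateTime")).text = when
    source = ET.SubElement(alert, q("Source"))
    addr = ET.SubElement(ET.SubElement(source, q("Node")), q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ev["src"]
    ET.SubElement(ET.SubElement(source, q("Service")), q("port")).text = str(ev["sport"])
    if "target" in ev:                        # present only if the filter kept local data
        target = ET.SubElement(alert, q("Target"))
        node = ET.SubElement(target, q("Node"))
        taddr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(taddr, q("address")).text = ev["target"]
        uid = ET.SubElement(ET.SubElement(target, q("User")), q("UserId"))
        ET.SubElement(uid, q("name")).text = ev["user"]
    ET.SubElement(alert, q("Classification"), text=ev["class"])
    return ET.tostring(msg, encoding="unicode")

def shareable_idmef(line):
    """Pipeline: log line -> raw event -> privacy filter -> IDMEF for the community."""
    ev = sshd_event(line)
    return None if ev is None else to_idmef(share_filter(ev))
```

Calling `to_idmef(ev)` on the unfiltered event keeps the local target and account name, which is the form an institution would retain internally; `shareable_idmef` is the form that leaves the institution.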

This project aims to apply existing IETF standards to this process in
an effort to move vetted information through global communities within
minutes rather than days (if the information moves at all). As this
project has progressed into 2009, there has been clear interest from
the global community in utilizing this framework to advance our
strategic ability to identify, prioritize and mitigate network threats
on that [global] stage. This project will be moving into a pilot stage
mid-summer 2009.

1.1 http://www.ren-isac.net
1.2 http://security.internet2.edu/csi2
1.3 http://www.ietf.org/rfc/rfc4765.txt
1.4 http://www.ietf.org/rfc/rfc5070.txt
1.5 http://tinyurl.com/cst8fj -- Educause Presentation, Security
Professionals 2009

For more information: Contact Wesley Young, Network Security Analyst, wcyoung@buffalo.edu.