
Federated Defenses and Watching Each Other’s Back

Scott Pinkerton ([email protected])

Argonne National Laboratory

National Laboratory Information Technology Summit 2009

June 2, 2009


Argonne National Laboratory

Diverse population:

– 3,000 employees

– 10,000+ visitors annually

– Off-site computer users

– Foreign national employees, users, and collaborators

Diverse funding:

– Not every computer is a DOE computer.

– IT is funded in many ways.

Every program is working in an increasingly distributed computing model.

Our goal: a consistent and comprehensively secure environment that effectively balances science and cyber security requirements.

Argonne is managed by the UChicago Argonne LLC for the Department of Energy.

IT Environment Challenges


Emphasis on the Synergies of Multi-Program Science, Engineering & Applications

– Accelerator Research

– Catalysis Science

– Nuclear Fuel Cycle

– Transportation Science

– Computational Science

– Materials Characterization

– Structural Biology

– Fundamental Physics

– User Facilities

– Infrastructure Analysis

– ... and much more.

A Comprehensive Cyber Security Program


A Risk Based Approach to Cyber Security


What is the Federated Model for Cyber Security?

Framework for sharing actionable information about threats and hostilities occurring right now

Virtual neighborhood watch

Collection of software tools allowing a site to:

– Learn about active hostilities from other sites in near real-time

– Do something about it – e.g. block an IP address, block outbound access to a web URL, block or copy in-bound e-mails, interrupt DNS look-ups

Requires a foundation of TRUST


What is it – For the Techies

Set of XML schemas (based on the IDMEF standard, RFC 4765):

– IP address

– DNS domain name

– Revocation (unblock an IP address)

– E-mail address (coming soon)

– URL (coming soon)

Set of Perl scripts that support:

– Upload and download of encrypted XML files

– Blocking an IP address in a firewall

– Blocking an IP address with a BGP null route (requires a router), etc.

Web portal to support coordination:

– Sharing PGP keys

– Sharing local detection algorithms & tools

– Sharing whitelist info, etc.
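The slide above describes the tool chain only in outline. The following is an added example (not Argonne's Perl scripts) of the consumer side of that chain: it parses an IDMEF-style feed, refuses addresses that a federated report must never be allowed to block, honours a revocation, and emits the firewall and null-route commands a site would run. The element names and namespace follow RFC 4765; the way a revocation is carried (an AdditionalData element with meaning="federation-action"), the analyzer ids, the addresses in the constructed sample feed, the NEVER_BLOCK list, and the use of a Linux blackhole route as a stand-in for the deck's BGP null route are all assumptions made for this example.

```python
"""Turn federated IDMEF-style alerts into local block / unblock actions.

Added example, not Argonne's Perl tooling.  Element names and namespace follow
RFC 4765; the revocation encoding, analyzer ids and addresses are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET  # peer feeds arrive PGP-encrypted; use defusedxml for untrusted XML
from dataclasses import dataclass
from typing import List, Tuple

NS = {"idmef": "http://iana.org/idmef"}  # RFC 4765 namespace

# A federated report must never make us block or null-route a non-routable
# address: a typo or a bad sensor reporting 10.0.0.5 would otherwise cut off
# part of the LAN at every site that trusts the feed.  (Policy choice, assumed.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

# Constructed sample feed (trimmed; real alerts also carry CreateTime etc.).
# a1 reports a host, a2 is a sensor mistake naming a private address,
# a3 revokes a1 after site-a decided it was a false positive.
SAMPLE_FEED = """<?xml version="1.0"?>
<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="a1">
    <Analyzer analyzerid="site-a-ids"/>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.23</address></Address></Node></Source>
    <Classification text="SSH brute force"/>
    <Assessment><Impact severity="high"/></Assessment>
  </Alert>
  <Alert messageid="a2">
    <Analyzer analyzerid="site-b-ids"/>
    <Source><Node><Address category="ipv4-addr"><address>10.0.0.5</address></Address></Node></Source>
    <Assessment><Impact severity="medium"/></Assessment>
  </Alert>
  <Alert messageid="a3">
    <Analyzer analyzerid="site-a-ids"/>
    <Source><Node><Address category="ipv4-addr"><address>198.51.100.23</address></Address></Node></Source>
    <AdditionalData type="string" meaning="federation-action"><string>revoke</string></AdditionalData>
  </Alert>
</IDMEF-Message>
"""


@dataclass
class Action:
    kind: str       # "block" or "unblock"
    ip: str
    severity: str   # IDMEF Impact severity: info/low/medium/high
    reporter: str   # analyzerid of the site that saw the hostility
    messageid: str


def parse_feed(xml_text: str) -> Tuple[List[Action], List[str]]:
    """Return (actions, rejects); each reject is a reason string for the QA log."""
    actions, rejects = [], []
    for alert in ET.fromstring(xml_text).findall("idmef:Alert", NS):
        mid = alert.get("messageid", "?")
        addr = alert.find("idmef:Source/idmef:Node/idmef:Address", NS)
        if addr is None or addr.get("category") not in ("ipv4-addr", "ipv6-addr"):
            rejects.append(f"{mid}: no single-host source address")
            continue
        text = (addr.findtext("idmef:address", default="", namespaces=NS) or "").strip()
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            rejects.append(f"{mid}: malformed address {text!r}")
            continue
        if any(ip in net for net in NEVER_BLOCK):
            rejects.append(f"{mid}: refusing to act on local/reserved address {ip}")
            continue
        impact = alert.find("idmef:Assessment/idmef:Impact", NS)
        severity = impact.get("severity", "medium") if impact is not None else "medium"
        analyzer = alert.find("idmef:Analyzer", NS)
        reporter = analyzer.get("analyzerid", "unknown") if analyzer is not None else "unknown"
        # Assumed revocation convention: federation-action == "revoke" means unblock.
        extra = alert.find("idmef:AdditionalData[@meaning='federation-action']", NS)
        kind = "block"
        if extra is not None and extra.findtext("idmef:string", default="", namespaces=NS) == "revoke":
            kind = "unblock"
        actions.append(Action(kind, str(ip), severity, reporter, mid))
    return actions, rejects


def iptables_commands(actions: List[Action]) -> List[str]:
    """Host firewall: insert a DROP for a block, delete that same rule on revocation."""
    cmds = []
    for a in actions:
        tool = "ip6tables" if ":" in a.ip else "iptables"
        flag = "-I" if a.kind == "block" else "-D"
        cmds.append(f"{tool} {flag} INPUT -s {a.ip} -j DROP")
    return cmds


def null_route_commands(actions: List[Action]) -> List[str]:
    """Linux blackhole route standing in for the deck's BGP null route (router syntax varies)."""
    return [f"ip route {'add' if a.kind == 'block' else 'del'} blackhole {ipaddress.ip_network(a.ip)}"
            for a in actions]


if __name__ == "__main__":
    acts, rej = parse_feed(SAMPLE_FEED)
    print(*iptables_commands(acts), *null_route_commands(acts), *rej, sep="\n")
```

Running it prints the block and matching unblock for 198.51.100.23 and a single reject for the private address, which is the case the slide's "false positives are magnified" warning is about: the check costs one line and keeps a neighbour's typo from becoming your outage. The commands are returned as strings rather than executed so the decision to act stays local, as the model intends.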


Maps nicely into NIST controls and Best Practices

NIST Control – Federated Model

– IR-3 Incident Response Testing, IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reports: the federated model supplies supporting and background information on malicious behavior to aid in responding to, handling, and reporting incidents.

– AC-17 Remote Access: remote access to the repository is monitored and controlled.

– RA-3 Risk Assessment: information shared includes the severity of the event.

– RA-4 Risk Assessment Update: information shared includes the history of the bad actor.

– SI-4 Information System Monitoring Tools and Techniques: the federated model is a conglomerate of results from system monitoring tools and techniques across federated sites.

– SI-5 Security Alerts and Advisories: the federated model is designed to distribute security alerts and advisories.

Cyber Defenses – Business as Usual

Local detection methods apply

Local response actions apply

Every single site learns via “school of hard knocks”


Cyber Defenses – Using the Federated Model

Local & distributed detection methods apply

Local response decisions apply

Only one site learns via “school of hard knocks” (ideally)

Based on an assumption that hostilities occur across related sites


How much data?


Overlap


Value Proposition of Participating

Note: Not a silver bullet – just one piece of a successful cyber security program

Neighborhood watch programs require only one site to experience the pain of an attempted exploit

Access to a variety of software tools that assist with the automation of actions

Sites still retain local control – share your information with the sites you choose; the information shared is merely advice; the decision on what to do with the intel is still made locally

This infrastructure prepares us for future response strategies & techniques – the bad guys are adapting, and we had better be too

Improves OODA loop


Unique Challenges and Mitigations

Sharing data has the potential for a federated (group) response – a double-edged sword

– Great when stopping the "bad guy"

– Greater risk against legitimate science work

False positives – an "oops" is magnified (a lot)

– Revocation: used to rewind reported data

– Due to a false positive, a typo – whatever

– The reported site may be an important, legitimate site for some members

Adding QA functions to notify on local and global whitelists

Integration into varied local systems and processes

When to take action locally based on federated data, how severe, weighted approach
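The slide lists the mitigations (revocation, whitelist QA, a weighted decision on when to act) without showing how they combine. The following added example, which is not the federation's own code, folds reports from several sites into one local decision per IP: a revocation removes only the revoking site's report, corroboration from independent sites raises the score, a local or global whitelist hit turns a would-be block into a notification, and the thresholds decide between automatic block, analyst review and logging. The severity weights, thresholds, partner netblock and the sample reports are assumptions made for this example.

```python
"""Local decision policy for federated intel: weighted, whitelist-aware, revocable.

Added example for the challenges listed above, not the federation's own code.
Weights, thresholds, netblocks and sample reports are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_WEIGHT = {"info": 0, "low": 1, "medium": 2, "high": 4}
CORROBORATION_BONUS = 2   # per additional independent site reporting the same actor
AUTO_BLOCK_SCORE = 5      # at or above: automate the block (one site's "high" alone is not enough)
REVIEW_SCORE = 2          # at or above: queue for an analyst; below: log only


@dataclass(frozen=True)
class Report:
    site: str
    ip: str
    severity: str = "medium"
    revoked: bool = False   # a revocation rewinds that site's earlier report on this ip


@dataclass
class Decision:
    ip: str
    action: str             # "block" | "review" | "ignore" | "whitelist-alert"
    score: int
    sites: List[str]


def _whitelisted(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def decide(reports: List[Report], local_whitelist: List[str], global_whitelist: List[str]) -> List[Decision]:
    """Fold reports (in arrival order) into one decision per IP."""
    live: Dict[str, Dict[str, Report]] = defaultdict(dict)
    for r in reports:
        if r.revoked:
            live[r.ip].pop(r.site, None)          # rewind: only that site's report goes away
        else:
            live[r.ip][r.site] = r                # latest report from a site wins
    decisions = []
    for ip, by_site in live.items():
        if not by_site:                           # fully revoked: nothing left to act on
            continue
        sites = sorted(by_site)
        score = sum(SEVERITY_WEIGHT.get(r.severity, 0) for r in by_site.values())
        score += CORROBORATION_BONUS * (len(sites) - 1)
        if _whitelisted(ip, local_whitelist) or _whitelisted(ip, global_whitelist):
            action = "whitelist-alert"            # QA hook: notify, never auto-block a known-good site
        elif score >= AUTO_BLOCK_SCORE:
            action = "block"
        elif score >= REVIEW_SCORE:
            action = "review"
        else:
            action = "ignore"
        decisions.append(Decision(ip, action, score, sites))
    return decisions


# Constructed sample: three sites, one revocation, one partner netblock on the local whitelist.
SAMPLE_REPORTS = [
    Report("site-a", "198.51.100.23", "high"),       # one site, high: review only
    Report("site-b", "198.51.100.23", "low"),        # second site corroborates: 4+1+2 = 7, block
    Report("site-a", "203.0.113.9", "medium"),       # would be "review" ...
    Report("site-a", "203.0.113.9", revoked=True),   # ... until site-a rewinds its own report
    Report("site-c", "192.0.2.10", "high"),          # partner facility we depend on: alert, do not block
    Report("site-b", "203.0.113.77", "info"),        # noise
]
LOCAL_WHITELIST = ["192.0.2.0/24"]
GLOBAL_WHITELIST: List[str] = []

if __name__ == "__main__":
    for d in decide(SAMPLE_REPORTS, LOCAL_WHITELIST, GLOBAL_WHITELIST):
        print(f"{d.ip:16} {d.action:16} score={d.score} sites={','.join(d.sites)}")
```

The shape matters more than the numbers: a single "high" from one site lands in review, the same actor seen by a second site is blocked automatically, and a whitelisted address can never be blocked by the feed no matter how many sites report it. Tune the weights per site; the point of the slide is that the weighting is a local decision.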


How to Get Involved

Think about how you would like to speed up your OODA loop

– Observe, orient, decide, act

– Automate OODA loop where possible

Create a federation - even if it is with just one other organization

– Start with already trusted friends

Think about what you have automated to date

– What can you/should you automate in the future

Get involved

– Come as you are, using your already defined IDS analysis methodologies

– To inquire or join send email to [email protected]

For additional info:

– https://www.anl.gov/it/federated


Next Steps

Moving beyond IP addresses

– DNS domain names (starting right now)

– E-mail address handling (soon)

– URL (soon)

XML schemas are extensible – easy to adapt to new problems

Important that you start building some level of automation in now

Federations of federations


Questions?