Collaborative Threat Mitigation or (Collective Self Defense) by Scott Pinkerton, Argonne National Lab

DOE’s Cyber Fed Model (CFM)
www.anl.gov/it/cfm

Published in: Technology
Collaborative Threat Mitigation or (Collective Self Defense)
DOE's Cyber Fed Model (CFM)
Scott Pinkerton
pinkerton@anl.gov
www.anl.gov/it/cfm

Agenda
§ What is DOE's Cyber Fed Model
§ Subscription vs. participation
§ Relevance & ROI
§ Why are we here?
§ Conclusions & Takeaways
§ Questions
Tech for Security Summit

Cyber Fed Model (CFM) is …
§ A near real-time exchange of cyber threat information focused on the reduction and mitigation of cyber security risk across large enterprises
  – Typically every 300 seconds
  – Actionable – blocking
  – Autonomic
  – Highly scalable

Structured Threat Information
§ Information shared uses an XML syntax
  – Based upon IODEF (RFC 5070)
  – Looking to support OpenIOC formats in the future for sharing malware information
§ Information focuses on IP, DNS, URL, e-mail, hash strings

How Cyber Fed Model (CFM) Works
§ High level: client-server data exchange
§ Reality: central repositories providing access via web service
  – Sites control who can see the data they upload (by PGP key)
  – Sites decide how to use data they download
§ Repository accepts encrypted files on upload
  – Contents may be any format
  – Simply export from a third party tool, encrypt, and upload
§ Output comes in standardized XML format
  – Allows for predictability
  – Converters can translate to another format
  – Scripts can convert and send to other tools inline
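As an added example, not code from the deck or from the CFM project, the Python below parses a constructed IODEF 1.0 (RFC 5070) document of the kind the "Structured Threat Information" slide describes and performs the converter step of the "How CFM Works" slide, turning source-node indicators into block-list lines that a local script could hand to a firewall. The sample document, the NEVER_BLOCK site policy and the function names are assumptions of this example; the policy filter reflects the deck's own warning that blocking the wrong thing can be highly disruptive.

```python
import ipaddress
import xml.etree.ElementTree as ET
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}  # IODEF 1.0 namespace, RFC 5070

# Constructed sample document for this example; not real CFM data.
SAMPLE = """<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="example-site.invalid">CONSTRUCTED-0001</IncidentID>
    <ReportTime>2013-01-01T00:00:00Z</ReportTime><Assessment><Impact type="recon"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example SOC</ContactName></Contact>
    <EventData><Flow><System category="source"><Node><NodeName>scanner.example.invalid</NodeName>
      <Address category="ipv4-addr">203.0.113.45</Address>
      <Address category="ipv4-net">198.51.100.0/24</Address>
      <Address category="ipv4-addr">10.0.0.7</Address>
      <Address category="e-mail">phish@example.invalid</Address>
    </Node></System></Flow></EventData>
  </Incident>
</IODEF-Document>"""

# Constructed site policy: ranges never pushed into a block rule, whatever a feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def extract_indicators(xml_text):
    """Bucket indicators from every source Node by kind (IP, network, DNS, e-mail)."""
    root = ET.fromstring(xml_text)
    found = {"ip": [], "net": [], "dns": [], "email": []}
    for node in root.iterfind(".//iodef:System[@category='source']/iodef:Node", NS):
        found["dns"] += [n.text.strip() for n in node.iterfind("iodef:NodeName", NS)]
        for addr in node.iterfind("iodef:Address", NS):
            cat, val = addr.get("category"), addr.text.strip()
            if cat in ("ipv4-addr", "ipv6-addr"):
                found["ip"].append(val)
            elif cat in ("ipv4-net", "ipv6-net"):
                found["net"].append(val)
            elif cat == "e-mail":
                found["email"].append(val)
    return found

def to_blocklist(found):
    """CIDR lines a firewall script can consume; malformed and NEVER_BLOCK hits are dropped."""
    out = set()
    for val in found["ip"] + found["net"]:
        try:
            net = ipaddress.ip_network(val, strict=False)
        except ValueError:
            continue  # do not turn a bad feed entry into a block rule
        if not any(net.overlaps(p) for p in NEVER_BLOCK):
            out.add(str(net))
    return sorted(out)
```

The 10.0.0.7 entry in the sample is parsed but never reaches the block list, which is the "sites decide how to use data they download" control applied in code.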
High Level Architecture
(diagram only)

Cyber Fed Model (CFM) maximizes local resources
§ Premise based on the idea of local detection and global response
§ Enables an enterprise to focus their limited resources on their most pressing problems
  – Attacks that are occurring on their infrastructure and nowhere else

Effective Cyber Security Defense for an Enterprise
§ It continues to be a hard job
§ Doubly so for those supporting critical infrastructure
§ Doesn't appear to be getting any easier; mostly harder
§ Increasing skill & sophistication of the bad guys; commodity hacking tools

DOE's Cyber Fed Model is not …
§ Optimized for analysis (the transfer of "raw" data)
§ Focused on OS or application advisories (vulnerabilities)
§ Sandboxing or other
§ Shared alerts require someone to first detect the threat

Subscription vs. Active Participation
§ Can you just subscribe to a "feed" of hostile IP addresses and just download them?
  – Sure, there are a growing number of "reputational" subscription services
  – But will they be RELEVANT to you – assuming none of the energy owner/operators are contributors
(Figure labels: IPs exploiting the MS problem du jour; IPs exploiting the Adobe problem du jour; IPs sending spam e-mail farming for username/PW; IPs sending spam e-mail farming for bank account; IPs probing for ssh servers; IPs looking to attack the Energy Infra.)

Volume of Information
(diagram only)

Benefit: Relevance & ROI
(diagram only)

We know collaboration is hard
§ Every organization is a snowflake
  – B2B/collaborations vary
  – Blocking the wrong thing can be highly disruptive
§ Legal agreements are tricky
  – Definitions of terms can vary
    • What does MOU mean to you? ISA? ToS? etc.
§ Attribution and disclosure concerns
§ Attack vectors change

Why are we here?
§ We believe ...
  – Cyber threats to critical infrastructure exist
  – Collaboration and collective defense are essential
  – DOE Cyber Fed Model (CFM) can be part of the solution
§ We want to ...
  – Help protect our country's critical infrastructure
  – Begin a pilot to assess efficacy in electric sector
  – See threat overlap between electric sector and DOE
§ We have ...
  – DOE labs willing to share – public-private sector partnership
  – Electric sector entities which have expressed interest
  – Experience in collective defense

Conclusions & Takeaways
§ Common adversaries exist and are active
§ Collaboration will be key to future cyber defense
§ The DOE Cyber Fed Model (CFM) provides collective defense in a flexible, site-controlled manner
§ CFM can help maximize your cyber security resources

Questions ??
www.anl.gov/it/cfm