Activities undertaken in the SESv3 Federated Security Intelligence project will develop significant new capabilities supporting the collection and sharing of cybersecurity threat data and intelligence, and a rich analytic knowledge of the reputation and forensic history of Internet elements. Work will be based on the existing open source REN-ISAC Security Event System (SES) and sister system, the Collective Intelligence Framework (CIF). Developed capabilities will be transitioned to operational practice in the REN-ISAC community, supporting security protection and response in the higher education and research communities, and will support the sharing of security event and incident intelligence among other discrete trust federations.
In 2008-9, REN-ISAC developed SESv1 with funding from the US Department of Justice through Internet2. A production service in the REN-ISAC community, SESv1 collects aggregated security event information from participating sites and information sharing partners, correlates the data to develop confidence in the identification of bad actors, and provides resulting high-confidence threat intelligence back to participating sites for use in local protections. SESv2, to be deployed summer 2011, advances SES with the addition of the "Collective Intelligence Framework". CIF integrates a vast array of data from private partners, public sources, and mining, to provide intelligence supporting reputational knowledge and forensic history of Internet elements, including IP address, URL, domain name, CIDR, AS, and email addresses.
SDCI Sec: SESv3 will substantially increase the reputational knowledgebase and forensic history by incorporating additional data types, such as BGP and passive DNS. These data types will permit analytic identification of miscreant cyber infrastructures. Free-form data types such as e-mail, IRC, tweets, etc. will be incorporated to enrich threat understanding by correlating human conversations with the structured security event information. The underlying repository and system architectures will be redesigned to support the massive scaling required by the additional data types and historical record. Leveraging the flexible SES/CIF v2 RESTful API, access and submission to SES and CIF will be incorporated into common incident analyst and responder tools. Importantly, methods will be implemented permitting unique and discrete information sharing trust communities to share event and incident intelligence, mediated by policy. SESv3 will be transitioned to operational status in the REN-ISAC community, providing direct support to the higher education and research communities, will be published as open source, and the SESv3 team will continue its strong advocacy for standards-based security information interchange and for SES/CIF technologies in the security community at large.
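To make concrete the two mechanisms described above (confidence built from corroborating reports across participating sites, and release of the resulting intelligence to other trust communities mediated by policy), here is a small added illustration. It is not SES or CIF code; the event tuples, the federation names, the policy table and the confidence formula are all constructed for the example.

```python
"""Toy correlator in the spirit of SES/CIF: several sites report observations,
confidence grows with independent corroboration, and only high-confidence
intelligence is released, filtered by each federation's sharing policy."""
from collections import defaultdict

# Constructed sample submissions (not real data). Each tuple is
# (indicator, indicator_type, reporting_site, home_federation).
EVENTS = [
    ("198.51.100.7", "ip", "site-a", "ren-isac"),
    ("198.51.100.7", "ip", "site-a", "ren-isac"),   # repeat from the same site
    ("198.51.100.7", "ip", "site-b", "ren-isac"),
    ("198.51.100.7", "ip", "site-x", "partner-fed"),
    ("bad.example", "domain", "site-b", "ren-isac"),
    ("bad.example", "domain", "site-c", "ren-isac"),
    ("bad.example", "domain", "site-d", "ren-isac"),
    ("203.0.113.9", "ip", "site-c", "ren-isac"),    # single, uncorroborated report
]

# Assumed sharing policy: indicator types a federation agrees to receive and
# the minimum confidence it requires before acting on them.
POLICY = {
    "ren-isac":    {"types": {"ip", "domain"}, "min_confidence": 65},
    "partner-fed": {"types": {"ip"},           "min_confidence": 85},
}

def correlate(events):
    """Return {indicator: (type, confidence, reporting_sites)}.
    Confidence starts at 50 for one reporter and rises 20 per additional
    distinct site, capped at 95 so a score never claims certainty."""
    sites = defaultdict(set)
    types = {}
    for indicator, itype, site, _federation in events:
        sites[indicator].add(site)      # a site repeating itself adds nothing
        types[indicator] = itype
    result = {}
    for indicator, reporters in sites.items():
        confidence = min(95, 50 + 20 * (len(reporters) - 1))
        result[indicator] = (types[indicator], confidence, frozenset(reporters))
    return result

def release(intel, federation, policy=POLICY):
    """Sorted list of indicators a federation may receive under its policy."""
    rules = policy[federation]
    return sorted(ind for ind, (itype, conf, _sites) in intel.items()
                  if itype in rules["types"] and conf >= rules["min_confidence"])
```

Running `release(correlate(EVENTS), "partner-fed")` shows the policy at work: the domain is withheld by type even though three sites corroborated it, and the single-source IP is withheld for low confidence.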
Intellectual Merit: SDCI Sec: SESv3 will lead the development and deployment of inter-community security event and incident information sharing (addressing both technical and policy issues), will significantly reduce human intervention in the discovery, analysis, and protection cycle, and will develop advanced correlations among threat data types. SESv3 will provide novel integration of federation-based intelligence and data collection into the workflow of the security incident responder and analyst, and novel correlation of human conversations with structured data regarding Internet elements.
Broader Impact: SDCI Sec: SESv3 will provide fundamental improvement to national and international capabilities concerning the protection of critical cyberinfrastructure. Intelligence developed and shared in SES is actionable, and is a resource for understanding threat and criminal operations. Advanced new capabilities and information sharing relationships with industry, government, and law enforcement will be established in REN-ISAC, supporting the research and education sector. Outside R&E, national capabilities and information sharing practice will be stimulated by SESv3 concepts, open source code, data standards advocacy, and the technical and policy information sharing frameworks.