SES - Security Event System

News

Objective

Improve timely local protection against cyber security threat, by sharing security event information, in near-real time, within a trusted federation, and among federations.

Simple Description

In an security information sharing federation, such as REN-ISAC, guided by policy and information sharing agreements, machine (aggregated) and human generated security event data, is normalized to standards-based data descriptions, and through various supported secure interfaces, is submitted to the SES repository.

In the REN-ISAC SES, data is received from participanting REN-ISAC members, information sharing relationships that REN-ISAC has established with other organizations, and public data sources.

Correlation is performed on the collected data, identifying "bad actors" and determining confidence.

High confidence bad actor data is formed into a "watch for these" feed, and analysts vet select high-confidence bad-actors into a "block these" feed.

Participating sites retrieve the "watch for these" and "block these" feeds and apply local protections against the bad actors.

Figure 1 illustrates the Discovery - Correlation - Protection cycle.

 

Figure 1

Supported Data Types

The data types supported within SES include:

• IP address, representing just about any type of compromised host or source of threat, e.g. botnet C&C or drone, DDoS source, scanner, etc.
• CIDR, either representing a miscreant-heavy address range, or as additional qualifying information
• ASN, as additional qualifying information
• DNS name, representing for example, a botnet C&C
• URL representing for example, a malware download site
• E-mail address, for example, a phishing Reply-To: address

Inside the Participant Site

Figure 2 illustrates some of the possible information flows (1) from SES to local protections, and (2) from local logs, collectors, and analysts, into SES.

 

Figure 2

Query and Manual Input Interface

A query and manual input interface permits security analysts to research specific threats, and submit research results to SES.

Figure 3

Inter-Federation Sharing

A community of participants act as a federation for sharing SES event information. The REN-ISAC federation represents a substantial portion of the U.S. research and education community. Other federations might represent commercial, government, or other national communities.

SES is designed to permit inter-federation sharing, with accomodation for policy contraints. Figure 3 illustrates inter-federation sharing, across policy boundaries.

 

Figure 4

The System

SES is loosely based on concepts of the Argonne National Labs Federated Model. SES makes use of IETF standard data structures, IDMEF and IODEF, for representing event and incident information. Extensions permit SES to understand sites (via ASN and CIDR), URIs, and federations. Request Tracker for Incident Response (RT+IR) is used to provide the user interface.

A Framework

SES is designed as a framework, permitting incorporation of additional correlation and analysis tools, interface with external systems, such as systems that notify abuse contacts regarding infected systems, interface with systems that treat incident information in a higher-level context, long-term intelligence storage, and SES serves as a platform for threat analysis.

Resources and Awards

Collective Intelligence Framework Project

Papers and Presentations

SDCI Sec: SESv3 - Federated Security Intelligence - proposal to the NSF (awarded)

Credits

SES is a project in the REN-ISAC community, with project funding from:

REN-ISAC members,

the U.S. Department of Justice,

the National Science Foundation,

and the cooperation and support of:

Indiana University,

Internet2 (via CSI2 wg),

Barely3am Solutions,

Carnegie Mellon University (relation to the EDDY project for SESv1) and

Argonne National Laboratory (relation to Federated Model project for SESv1).