REN-ISAC logo
Public Home   >   SES
print-formated version
Member Login >>
About REN-ISAC
Membership
Contact Us
24x7 Watch Desk
Alerts
Monitoring
Projects
Events
Contributors
Links

SES - Security Event System

Objective

Improve timely local protection against cyber security threat, by sharing security event information, in near-real time, within a trusted federation, and among federations.

 

Simple Description

In an security information sharing federation, such as REN-ISAC, guided by policy and information sharing agreements, machine (aggregated) and human generated security event data, is normalized to standards-based data descriptions, and through various supported secure interfaces, is submitted to the SES repository.

In the REN-ISAC SES, data is received from participanting REN-ISAC members, information sharing relationships that REN-ISAC has established with other organizations, and public data sources.

Correlation is performed on the collected data, identifying "bad actors" and determining confidence.

High confidence bad actor data is formed into a "watch for these" feed, and analysts vet select high-confidence bad-actors into a "block these" feed.

Participating sites retrieve the "watch for these" and "block these" feeds and apply local protections against the bad actors.

Figure 1 illustrates the Discovery - Correlation - Protection cycle.

 

Figure 1

 

Supported Data Types

The data types supported within SES include:

 

Inside the Participant Site

Figure 2 illustrates some of the possible information flows (1) from SES to local protections, and (2) from local logs, collectors, and analysts, into SES.

 

Figure 2

 

Query and Manual Input Interface

A query and manual input interface permits security analysts to research specific threats, and submit research results to SES.

Figure 3

 

Inter-Federation Sharing

A community of participants act as a federation for sharing SES event information. The REN-ISAC federation represents a substantial portion of the U.S. research and education community. Other federations might represent commercial, government, or other national communities.

SES is designed to permit inter-federation sharing, with accomodation for policy contraints. Figure 3 illustrates inter-federation sharing, across policy boundaries.

 

Figure 4

 

The System

SES is loosely based on concepts of the Argonne National Labs Federated Model. SES makes use of IETF standard data structures, IDMEF and IODEF, for representing event and incident information. Extensions permit SES to understand sites (via ASN and CIDR), URIs, and federations. Request Tracker for Incident Response (RT+IR) is used to provide the user interface.

 

A Framework

SES is designed as a framework, permitting incorporation of additional correlation and analysis tools, interface with external systems, such as systems that notify abuse contacts regarding infected systems, interface with systems that treat incident information in a higher-level context, long-term intelligence storage, and SES serves as a platform for threat analysis.

 

Resources

REN-ISAC SES Project
July 2009, presentation to the ESCC/Internet2 Joint Techs Conference
(23 minute video, SES starts at minute 6; no sound on first 45 seconds)

REN-ISAC and CSI2 - The Security Event System
April 2009, presentation to the 2009 EDUCAUSE Security Professionals Conference

Security Message Standardization (moving security messages throughout "the ether")
May 2009, presentation to the Collaborative Data-Driven Security for High Performance Networks workshop

 

 

Credits

SES is a project in the REN-ISAC community, with project funding from:

the U.S. Department of Justice,

and the cooperation and support of:

Internet2,

Internet2 CSI2 WG,

Barely3am Solutions,

Indiana University,

Carnegie Mellon University (relation to the EDDY project), and

Argonne National Laboratory (relation to Federated Model project).


 

Copyright © 2008-2010, Research and Education Networking Information Sharing and Analysis Center
All rights reserved.