
SES - Security Event System

News

August 3, 2011   REN-ISAC has been awarded a grant from the National Science Foundation to further our work on the Security Event System and Collective Intelligence Framework. The project, "SDCI Sec: SESv3 - Federated Security Intelligence" . . .

Objective

Improve timely local protection against cyber security threats by sharing security event information, in near-real time, within a trusted federation and among federations.

Simple Description

In a security information sharing federation such as REN-ISAC, guided by policy and information sharing agreements, machine-generated (aggregated) and human-generated security event data is normalized to standards-based data descriptions and submitted to the SES repository through various supported secure interfaces.

In the REN-ISAC SES, data is received from participating REN-ISAC members, from information sharing relationships that REN-ISAC has established with other organizations, and from public data sources.

Correlation is performed on the collected data to identify "bad actors" and to determine confidence.

High confidence bad actor data is formed into a "watch for these" feed, and analysts vet select high-confidence bad-actors into a "block these" feed.

Participating sites retrieve the "watch for these" and "block these" feeds and apply local protections against the bad actors.
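The Discovery - Correlation - Protection cycle described above, as an added illustration (not SES code): submissions from several sources are correlated per indicator, the high-confidence set becomes the "watch for these" feed, analyst-vetted entries become the "block these" feed, and a site checks traffic against it. The event records, source names, confidence values, combining rule and threshold are all constructed for the example.

```python
"""Added example: toy Discovery - Correlation - Protection cycle.
Events, sources, confidences and the threshold are constructed, not SES data."""
from collections import defaultdict

# Constructed, already-normalized submissions:
# (indicator, submitting source, that source's confidence 0..1, event type).
EVENTS = [
    ("198.51.100.7", "site-a-ids", 0.6, "scan"),
    ("198.51.100.7", "site-b-honeypot", 0.7, "bruteforce"),
    ("198.51.100.7", "public-blocklist", 0.5, "scan"),
    ("203.0.113.9", "site-a-ids", 0.4, "scan"),
    ("203.0.113.9", "site-a-ids", 0.4, "scan"),  # repeat from the same source
    ("192.0.2.33", "site-c-analyst", 0.9, "c2"),
]

def correlate(events):
    """Per indicator, keep the best report from each distinct source and combine
    independent sources as 1 - prod(1 - c_i): repeats from one source add nothing,
    corroboration from several sources raises confidence."""
    per_source = defaultdict(dict)
    for indicator, source, conf, _etype in events:
        prev = per_source[indicator].get(source, 0.0)
        per_source[indicator][source] = max(conf, prev)
    correlated = {}
    for indicator, reports in per_source.items():
        p_all_wrong = 1.0
        for conf in reports.values():
            p_all_wrong *= 1.0 - conf
        correlated[indicator] = {"confidence": round(1.0 - p_all_wrong, 3),
                                 "sources": sorted(reports)}
    return correlated

def watch_feed(correlated, threshold=0.75):
    """'Watch for these': every indicator at or above the confidence threshold."""
    return sorted(i for i, r in correlated.items() if r["confidence"] >= threshold)

def block_feed(watch, vetted):
    """'Block these': only watch-feed entries an analyst has explicitly vetted."""
    return [i for i in watch if i in vetted]

def local_protection(block, observed_addresses):
    """Site side: which observed addresses match the block feed."""
    blocked = set(block)
    return sorted(a for a in observed_addresses if a in blocked)

if __name__ == "__main__":
    watch = watch_feed(correlate(EVENTS))
    block = block_feed(watch, vetted={"198.51.100.7"})
    print(watch, block, local_protection(block, ["198.51.100.7", "10.0.0.5"]))
```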

Figure 1 illustrates the Discovery - Correlation - Protection cycle.


Figure 1

Supported Data Types

The data types supported within SES include:

Inside the Participant Site

Figure 2 illustrates some of the possible information flows (1) from SES to local protections, and (2) from local logs, collectors, and analysts, into SES.


Figure 2

Query and Manual Input Interface

A query and manual input interface permits security analysts to research specific threats and to submit research results to SES.

Figure 3

Inter-Federation Sharing

A community of participants act as a federation for sharing SES event information. The REN-ISAC federation represents a substantial portion of the U.S. research and education community. Other federations might represent commercial, government, or other national communities.

SES is designed to permit inter-federation sharing, with accommodation for policy constraints. Figure 3 illustrates inter-federation sharing across policy boundaries.


Figure 4

The System

SES is loosely based on concepts of the Argonne National Labs Federated Model. SES makes use of IETF standard data structures, IDMEF and IODEF, for representing event and incident information. Extensions permit SES to understand sites (via ASN and CIDR), URIs, and federations. Request Tracker for Incident Response (RT+IR) is used to provide the user interface.
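As an added illustration of the IODEF representation mentioned above (this is not XML::IODEF or SES code): one correlated bad actor emitted as a minimal IODEF 1.0 (RFC 5070) incident, and the consumer-side extraction of its source address. The incident id, reporter name, address, timestamp and the impact/confidence values are constructed.

```python
"""Added example: one correlated bad actor as a minimal IODEF 1.0 (RFC 5070)
incident. All field values are constructed; this is not XML::IODEF."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def q(tag):
    """Qualify a tag name with the IODEF namespace."""
    return "{%s}%s" % (IODEF_NS, tag)

def iodef_incident(incident_id, reporter, address, rating, report_time):
    """IODEF-Document > Incident with the required IncidentID, ReportTime,
    Assessment (Impact plus a Confidence rating) and Contact, and an EventData
    Flow naming the offending address as the source System."""
    ET.register_namespace("", IODEF_NS)
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", XML_LANG: "en"})
    inc = ET.SubElement(doc, q("Incident"), purpose="mitigation")
    ET.SubElement(inc, q("IncidentID"), name=reporter).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time
    assess = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assess, q("Impact"), type="recon", completion="succeeded")
    ET.SubElement(assess, q("Confidence"), rating=rating)  # low/medium/high/...
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = reporter
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    system = ET.SubElement(flow, q("System"), category="source")
    node = ET.SubElement(system, q("Node"))
    ET.SubElement(node, q("Address"), category="ipv4-addr").text = address
    return ET.tostring(doc, encoding="unicode")

def source_addresses(xml_text):
    """Consumer side: collect the Address values from a received document."""
    root = ET.fromstring(xml_text)
    return [a.text for a in root.iter(q("Address"))]

if __name__ == "__main__":
    doc = iodef_incident("SES-2011-0001", "ses.example.org", "198.51.100.7",
                         "high", "2011-08-03T12:00:00Z")
    print(doc)
    print(source_addresses(doc))
```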

A Framework

SES is designed as a framework that permits incorporation of additional correlation and analysis tools; interfaces with external systems, such as systems that notify abuse contacts about infected systems and systems that treat incident information in a higher-level context; provides long-term intelligence storage; and serves as a platform for threat analysis.

Project Code

SES

component | project page | code
IODEF module for RT | perl-rt-iodef | RT-IODEF
XML::IODEF Perl module for manipulating IODEF with Perl | perl-xml-iodef | XML::IODEF
Perl extension for representing malware in XML | perl-xml-malware | XML-Malware
Python framework for representing malware in XML | python-xml-malware |
Perl extension for extending XML::IODEF to use with Phishing Extensions | xml-iodef-phraudreport | XML-IODEF-PhraudReport
Perl module to convert ArcSight XML to a standardized IODEF message | perl-arcsight-iodef |

SES Collective Intelligence Framework

component | project page | code
Overall project | collective-intelligence-framework | CIF
Perl client | | CIF-Client
Python client | | cif

Resources

in reverse chronological order

Security Message Standardization - the beginning of the end
April 2011, presentation to the 5th Annual REN-ISAC Member Meeting

REN-ISAC and SES Overview
September 2010

Collective Intelligence: Security intelligence is living, social data
August 2010, presentation to the Collaborative Data-Driven Security for High Performance Networks 2010 workshop

REN-ISAC SES Project
July 2009, presentation to the ESCC/Internet2 Joint Techs Conference
(23 minute video, SES starts at minute 6; no sound on first 45 seconds)

Security Message Standardization (moving security messages throughout "the ether")
May 2009, presentation to the Collaborative Data-Driven Security for High Performance Networks workshop

REN-ISAC and CSI2 - The Security Event System
April 2009, presentation to the 2009 EDUCAUSE Security Professionals Conference

Credits

SES is a project in the REN-ISAC community, with project funding from:

the National Science Foundation,

the U.S. Department of Justice,

REN-ISAC members,

and the cooperation and support of:

Internet2,

Internet2 CSI2 WG,

Barely3am Solutions,

Indiana University,

Carnegie Mellon University (relation to the EDDY project), and

Argonne National Laboratory (relation to Federated Model project).
