In an effort to jump-start various bedraggled security information-sharing efforts in the IT industry, the CERT Coordination Center and several universities this week will announce a project that will allow for real-time data sharing and analysis among remote organizations.
If the project is successful, it could be used as a model for data-sharing initiatives in the government and private sector.
Known as the Cyber Security Information Sharing Project, the new collaboration is a sharp departure from the way unaffiliated organizations now share information.
Currently, businesses or individuals wanting to inform CERT of a security incident or vulnerability have to fill out a form on the center's Web site or call an 800-number and then wait for an answer. This can lead to slow responses to situations that require urgent action. CERT officials said they hope that will all soon change.
“We're trying to move beyond talking and do something that identifies what the issues are and provides solutions to problems,” said Richard Pethia, manager of the Software Engineering Institute's Survivable Systems Initiative and director of the CERT CC. “We want to promote the use of standards to share data. The future of widespread information sharing will depend on this.”
A key part of the project is ArcSight Inc.'s namesake security event management software, which will be installed at each participating site. Which universities will participate in the CSISP has yet to be determined, CERT officials said.
The ArcSight software's new distributed architecture will enable each participating school to act as a data-collection end point and funnel attack data directly to the CERT CC at Carnegie Mellon University, in Pittsburgh.
CERT specialists will then be able to dissect and analyze the data. The CERT team will also have the advantage of being able to correlate information coming from all three end points, giving team members the ability to look for similar attacks or other patterns across the participating organizations. That data can then go into the CERT database and be made available to other organizations.
ArcSight's software will support two proposed Internet Engineering Task Force message standards for exchanging security messages—IDMEF (Intrusion Detection Message Exchange Format) and IODEF (Incident Object Description and Exchange Format)—which are designed for applications such as sharing attack data among organizations.
“With the correlation, CERT can look for patterns outside of just what the [individual organizations'] rules see,” said Hugh Njemanze, chief technology officer and senior vice president of research and development at ArcSight, based in Sunnyvale, Calif.
The increased efficiency that Pethia hopes to get out of the CSISP would help the center respond more quickly to large-scale events such as the recent disclosure of a critical vulnerability in the software that runs most of Cisco Systems Inc.'s routers and switches.
And, thanks to a special feature in the ArcSight software, the organizations that contribute data to CERT will be able to strip out identifying data. This should help overcome one of the main objections that enterprises and other organizations raise to information sharing.
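To make the two points above concrete (an IDMEF-formatted alert, and a contributing site stripping identifying data before it leaves), here is an added example that is not the article's code and not ArcSight's feature. It assumes an RFC 4765-style IDMEF alert (the namespace and element names are taken from that RFC; the draft in use at the time may have differed), a constructed sample message, and a per-site secret key; the site's own host names and addresses are replaced with keyed pseudonyms while the attacker's source address is kept so the receiving center can still correlate it across sites.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace from RFC 4765 (assumption: the IETF draft current in 2003 was close to it).
NS = "http://iana.org/idmef"
ET.register_namespace("", NS)

# Constructed sample alert from one participating site; not real data, not from the article.
SAMPLE_ALERT = f"""<IDMEF-Message version="1.0" xmlns="{NS}">
  <Alert messageid="a1">
    <Analyzer analyzerid="site-a-ids-01"/>
    <CreateTime>2003-07-28T10:00:00Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>203.0.113.45</address></Address></Node></Source>
    <Target><Node><name>payroll-db.example.edu</name>
      <Address category="ipv4-addr"><address>10.20.30.40</address></Address></Node></Target>
    <Classification text="Probe of router management port"/>
  </Alert>
</IDMEF-Message>"""

def pseudonym(value: str, site_key: bytes) -> str:
    """Keyed hash: stable for one site, but not reversible without that site's key."""
    return "anon-" + hmac.new(site_key, value.encode(), hashlib.sha256).hexdigest()[:16]

def strip_identifying_data(xml_text: str, site_key: bytes) -> str:
    """Pseudonymise the analyzer id and every Target name/address before sharing.
    Source (attacker) addresses are kept on purpose so they can be correlated across sites."""
    root = ET.fromstring(xml_text)
    for analyzer in root.iter(f"{{{NS}}}Analyzer"):
        analyzer.set("analyzerid", pseudonym(analyzer.get("analyzerid", ""), site_key))
    for target in root.iter(f"{{{NS}}}Target"):
        for tag in ("name", "address"):
            for el in target.iter(f"{{{NS}}}{tag}"):
                el.text = pseudonym(el.text or "", site_key)
    return ET.tostring(root, encoding="unicode")

def fields(xml_text: str) -> dict:
    """Pull out the values a receiving center would index on, for inspection or correlation."""
    root = ET.fromstring(xml_text)
    q = {"i": NS}
    return {
        "analyzer": root.find(".//i:Analyzer", q).get("analyzerid"),
        "source": root.find(".//i:Source/i:Node/i:Address/i:address", q).text,
        "target": root.find(".//i:Target/i:Node/i:Address/i:address", q).text,
        "target_name": root.find(".//i:Target/i:Node/i:name", q).text,
    }

if __name__ == "__main__":
    print(fields(strip_identifying_data(SAMPLE_ALERT, b"site-a-secret")))
```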
The aversion to sharing sensitive data has been a key stumbling block for Information Sharing and Analysis Centers as well. ISACs, which are specific to industries such as IT or banking, were set up to encourage cooperation among members of each industry. But they have often been hampered by a lack of timely data because enterprises shy away from divulging sensitive data about attacks and other incidents.
“We have to have this technology under the project if we're going to have information sharing in any real way,” Pethia said. “There needs to be continuous progress on tools and tactics.”