Information Security

Security information sharing: Can we share data on live Internet attacks?

CERT and ArcSight have teamed up for security information sharing in the hopes of establishing threat alerts on live Internet attacks.

Two draft IDS information exchange standards could move closer to widespread acceptance if they pass muster within the new Cyber Security Information Sharing Project (CSISP), which is scheduled to launch later this year.

CSISP is a joint venture of Carnegie Mellon University's CERT Coordination Center, security event management vendor ArcSight and three yet-to-be-determined universities to exchange real-time infosecurity data for analysis. Each school will install ArcSight's Distributed Security Architecture software, which will be used to report events directly to CERT/CC for consolidation and analysis. In theory, CERT will be able to produce global security threat reports and forecast events.

CSISP will incorporate two IETF draft standards that allow diverse IDSes to share data on attacks in progress. The better known is the Intrusion Detection Message Exchange Format (IDMEF), which defines the data format and exchange procedures for alerts passed between IDSes and response systems. The Incident Object Description Exchange Format (IODEF) focuses on case information, capturing a richer set of data that spans multiple events and multiple computer security incident response teams.

"We will start with these foundational message exchange protocols and determine whether they are robust enough and complete enough in terms of their definition to facilitate the effective sharing of security information," says Larry Lunetta, VP of marketing and business development at ArcSight.

Key to the project's success is determining how much refinement the two IDS-based formats require to work with a wider range of data sources. If these standards can be enhanced, enterprises could use them to transmit sensitive data among established and future Information Sharing and Analysis Centers (ISACs) or similar organizations.

Suzanne Gorman, chair of the Financial Services ISAC, questions the project's goals. "I think ISACs are doing a good job as it is," she says.

ISACs have been heavily promoted by the federal government and are part of the Bush administration's National Strategy to Secure Cyberspace. However, many companies have steered clear of such data exchanges because of confidentiality issues.

CERT's partnering with universities poses both opportunities and challenges. Most college networks are "open" to a wide range of users on and off campus, which makes them prime hacker targets. At the same time, administrators are legally obligated to protect the privacy of those users.

"We expect these standards to also be impacted by the balance between confidentiality via obfuscation and the value associated with having a full set of incident and event information," says Lunetta. "We don't know where that line is, and this will be the perfect environment to investigate that."
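To make the two threads above concrete, the following is an added example, not code from CERT, ArcSight or the CSISP project: it normalizes one IDMEF alert into the handful of fields a consolidation point would index, then applies the kind of "confidentiality via obfuscation" Lunetta describes before the alert leaves the reporting site. Element names follow IDMEF as later published in RFC 4765 (2007); the namespace URI, the sample alert, the site's address list and the `pseudonymize` scheme are all assumptions made for this example, not anything the article or the 2003 drafts specify.

```python
"""Normalize an IDMEF alert and pseudonymize the site-identifying fields
before forwarding it to a clearing house such as CERT/CC.

Added example. Element names follow RFC 4765 (published 2007, after the
draft discussed in the article); the namespace URI below is the RFC's and
is an assumption for the 2003 draft. The alert is constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"  # RFC 4765 namespace (assumed for the draft)
NS = {"idmef": IDMEF_NS}
ET.register_namespace("", IDMEF_NS)  # keep the default namespace when re-serializing

# Constructed sample alert; addresses are documentation ranges, not real hosts.
SAMPLE_ALERT = f"""<IDMEF-Message version="1.0" xmlns="{IDMEF_NS}">
  <Alert messageid="abc123456789">
    <Analyzer analyzerid="campus-ids-01" model="example-ids"/>
    <CreateTime ntpstamp="0xbc71f4f5.0xef449129">2003-09-02T14:43:01Z</CreateTime>
    <Source spoofed="no">
      <Node><Address category="ipv4-addr"><address>198.51.100.23</address></Address></Node>
    </Source>
    <Target>
      <Node><Address category="ipv4-addr"><address>10.20.30.40</address></Address></Node>
      <Service><port>80</port><protocol>tcp</protocol></Service>
    </Target>
    <Classification text="Example web exploit attempt"/>
    <Assessment><Impact severity="medium" completion="failed" type="other"/></Assessment>
  </Alert>
</IDMEF-Message>"""

# Prefixes the reporting site considers its own (assumed: RFC 1918 plus
# loopback and link-local). A real deployment would add its public ranges.
SITE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def summarize(xml_text):
    """Flatten the alert into the fields a consolidation point would index.
    Note: stdlib ET is not hardened against entity expansion attacks; parse
    alerts from untrusted peers with defusedxml instead."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)

    def text(path):
        el = alert.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "time": text("idmef:CreateTime"),
        "source": text("idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "target": text("idmef:Target/idmef:Node/idmef:Address/idmef:address"),
        "port": text("idmef:Target/idmef:Service/idmef:port"),
        "classification": alert.find("idmef:Classification", NS).get("text"),
        "severity": alert.find("idmef:Assessment/idmef:Impact", NS).get("severity"),
    }


def _belongs_to_site(text, nets=SITE_NETS):
    """True if the address identifies one of the site's own hosts."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return True  # MAC, e-mail or other non-IP category: treat as identifying
    return any(ip in n for n in nets)


def pseudonymize(xml_text, site_key):
    """Return (shared_xml, replaced_count).

    Target addresses are always replaced; Source addresses are replaced only
    when they fall inside the site's own ranges, so an external attacker's
    address (the threat data the clearing house wants) stays in the clear.
    The pseudonym is HMAC-SHA256 under a per-site secret: the same victim
    host stays correlatable across that site's alerts, but without the key
    the 32-bit IPv4 space cannot simply be hashed and matched."""
    root = ET.fromstring(xml_text)
    replaced = 0
    for side in ("Source", "Target"):
        for addr in root.iterfind(f".//idmef:{side}//idmef:Address", NS):
            value = addr.find("idmef:address", NS)
            if value is None or not value.text:
                continue
            real = value.text.strip()
            if side == "Source" and not _belongs_to_site(real):
                continue
            tag = hmac.new(site_key, real.encode(), hashlib.sha256).hexdigest()[:16]
            value.text = "pseudonym-" + tag
            addr.set("category", "unknown")  # IDMEF category for opaque values
            replaced += 1
    return ET.tostring(root, encoding="unicode"), replaced


if __name__ == "__main__":
    shared, n = pseudonymize(SAMPLE_ALERT, b"site-secret")
    print(f"replaced {n} address(es)")
    print(summarize(shared))
```

The trade-off Lunetta raises shows up directly in `pseudonymize`: the clearing house can still count repeated hits on the same (pseudonymous) victim and see the real attacker address, port and signature, but it loses the ability to say which campus host was targeted, and any per-host enrichment has to happen at the site before the alert is shared.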

This was last published in September 2003