Cybersecurity information security exchange framework (CYBEX):
importance and current developments
Tony Rutkowski, [email protected], Rapporteur for Cybersecurity Group, ITU-T Q4/17
ISOG-J Seminar, Tokyo, 13 Oct 2010, V1.1
Additional roles include: global eWarrant Rapporteur, ETSI TC LI; U.S. NSTAC Cybersecurity Expert; Distinguished Senior Research Fellow, Georgia Institute of Technology
Outline
• Why the CYBEX initiative is important
• Major developments shaping the work
• Specific capabilities
  – Systems Assurance and Incident Response
  – Cybersecurity Information Exchange Framework
  – Identity Management
• Major implementation challenges
  – Extent and evolution of the standards
  – Discovery and trust capabilities
  – Achieving implementations and widespread use
CYBEX: origins
• A common realization that
  – Talking about cybersecurity accomplished nothing
  – The incidents were scaling exponentially
  – Trusted exchange of cybersecurity information was essential to any/all capabilities
  – Many different communities were developing cybersecurity information exchange schema
  – No global framework and consensus existed to bring together communities and schema
• Institutional triggers
  – ITU-T began a new 4 year cycle with a mandate to do something about cybersecurity
  – Participants found there were common global interests in tackling cybersecurity information exchange challenges
    • LAC, NICT, and other Japanese experts and organizations
    • Government and industry entities in APEC region, U.S., and Europe
Agreement on a cybersecurity model: information sharing dependencies
[Diagram. Boxes: Measures for protection; Measures for threat detection; Measures for thwarting and other remedies; Legal Remedies; Information exchanges.
Labels in the diagram: Contractual service agreements and federations; Deny resources; Intergovernmental agreements and cooperation; Tort & indemnification; Regulatory/administrative law; Criminal law; Legal remedies may also institute protective measures; Data retention and auditing; Identity Management; Forensics & heuristics analysis; Provide data for analysis; Encryption/VPNs esp. for signalling; Resilient infrastructure; Routing & resource constraints; Network/application state & integrity; Real-time data availability; Blacklists & whitelists; Vulnerability notices; Investigation & measure initiation; Provide basis for legal remedies; Patch development; Provide basis for actions; Reputation sanctions; Provide awareness of vulnerabilities and remedies.]
Providing outreach among standards bodies seemed possible
[Diagram of bodies: ITU-R, ISO, ETSI, IETF, OASIS, ITU-T, OMA, CA/B Forum, TCG, 3GPP, MITRE, NIST, App Dev Forums, IEEE, WiFi Forum, IMS Forum, CableLabs, FIRST, CCDB, CNIS, APWG]
Major related institutional developments
• U.N. 15 July document among 15 major powers on reducing "ICT conflict" (a/k/a cyberwar)
• Exercise of cybersecurity authority by regulatory bodies – e.g., Korea, FCC in U.S.
• High Level Cybersecurity Strategies (USTIC, Japan, UK, China, Korea)
• Cybersecurity as an issue at ongoing ITU Plenipotentiary Conference
• Enhanced Common Criteria Development Board (CCDB)/NATO activity
• New real-time, data retention, and mobile forensics mandates offshore
• Judicial eDiscovery mandates (e.g., FRCP Rule 26) in US and offshore
Major related infrastructure developments
• Application based infrastructure
  – Mobile platforms driving a world of a million applications
  – Poses major challenges (what is a good application versus malware)
• Locator/ID Separation Protocol (LISP)
  – Re-architects IP based public infrastructures
  – Should solve significant ICT security related challenges, especially attribution
• Asia-Pacific-centricity
  – Region has world's largest and fastest growing infrastructure and strong economies
  – Pursuing technology implementations, network innovations, venue leadership
• Mobile/nomadic-centricity
  – Stressing mobile standards/collaborative forums
  – Include multiple IdM/cyber security challenges
CYBEX is a substantive ongoing global Cyber/ICT security initiative
• Aimed at achieving meaningful security
  – "lock down" the integrity of ICT systems,
  – watch for undesired incidents, and
  – capture, analyze, and process the forensics from those incidents to reduce vulnerabilities, thwart attacks, and institute legal action if appropriate
• The trusted exchange of information is essential to accomplish these three tasks.
• The Cybersecurity Information Exchange Framework (CYBEX) initiative aimed at identifying the emerging set of specifications for the global platforms for achieving these trusted exchanges
• Most of the work has been accomplished within existing systems assurance, incident response, and intelligence/surveillance communities
• Pro-active outreach is part of the initiative
  – Constant attempt to survey what is occurring in all other forums and bringing important capabilities into the framework
  – Constant analysis of what is missing or needed
• Unique – no comparable activity exists
[Diagram: Cybersecurity Entities exchanging with Cybersecurity Entities. Cybersecurity information acquisition (out of scope*); Cybersecurity information use (out of scope*). CYBEX functions shown:]
• structuring cybersecurity information for exchange purposes
• identifying and discovering cybersecurity information and entities
• requesting and responding with cybersecurity information
• exchanging of cybersecurity information over networks
• assuring cybersecurity information exchanges
* Some specialized cybersecurity exchange implementations may require application specific frameworks specifying acquisition and use capabilities
CYBEX Exchange Model
[Diagram: CYBEX Ontology. Labels: Coordinator; Response Team; Administrator; Network Operator; Researcher; Vendor; Registrar; Incident Handling Domain; IT Asset Management Domain; Knowledge Accumulation Domain; Asset Database; Product KB; Assessment Rule; Internal Asset DB; External Asset DB; Version KB; Configuration KB; Cyber Risk KB; Vulnerability KB; Threat KB; Attack KB; Mis-use KB; Countermeasure KB; Detection / Protection Rule; Incident Database; Event; Incident; Attack; Warning Database.]
Information Exchange Structuring
[Diagram. Clusters: Vulnerability/State Exchange Cluster; Event/Incident/Heuristics Exchange Cluster; Evidence Exchange Cluster.
Labels: Handover of real time forensics; Handover of retained data forensics; Event Expressions; Extensions for: DPI, Traceback, Smartgrid, Phishing; Malware Patterns; Incident and Attack Patterns; Electronic Evidence Discovery; Knowledge Base; Weaknesses, Vulnerabilities and Exposures; Platforms; State; Assessment Results; Security State Measurement; Configuration Checklists; Terms and conditions.]
Schema:
• OVAL Open Vulnerability and Assessment Language
• CWE Common Weakness Enumeration
• CVE Common Vulnerabilities and Exposures
• CPE Common Platform Enumeration
• CVSS Common Vulnerability Scoring System
• CWSS Common Weakness Scoring System
• CCE Common Configuration Enumeration
• XCCDF eXtensible Configuration Checklist Description Format
• ARF Assessment Result Format
• CEE Common Event Expression
• IODEF Incident Object Description Exchange Format
• CAPEC Common Attack Pattern Enumeration and Classification
• Application Specific Extensions
Information Exchange Schema – Malware
(same schema ensemble as the preceding slide, plus:)
• MAEC Malware Attribution Enumeration and Characterization
Information Exchange Schema – SCAP Application Exchange Cluster
(same schema ensemble as the preceding slides, plus:)
• SCAP Security Automation Tools
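An added example (my own Python, not code from the slides, ITU-T or NIST) of the IODEF side of the event/incident exchange cluster: a constructed RFC 5070 IODEF v1 incident report that carries a CVE reference into the vulnerability cluster, and a parser that extracts the fields a receiving CSIRT would act on and checks that each Reference claiming to be a CVE identifier is well-formed. The CSIRT name, addresses and CVE number are placeholders.

```python
# Added example: parse a minimal IODEF v1 (RFC 5070) incident report and pull out
# the CVE references that tie it to the vulnerability cluster. Not from the slides.
import re
import xml.etree.ElementTree as ET

NS = {"i": "urn:ietf:params:xml:ns:iodef-1.0"}          # IODEF v1 namespace
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")             # CVE identifier syntax
# Constructed sample document; the CSIRT, addresses and CVE number are placeholders.
SAMPLE_IODEF = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="csirt.example.org">2010-0042</IncidentID>
    <ReportTime>2010-10-13T09:00:00+09:00</ReportTime>
    <Assessment><Impact severity="high" completion="failed" type="admin"/></Assessment>
    <Method>
      <Reference><ReferenceName>CVE-0000-0001</ReferenceName></Reference>
      <Reference><ReferenceName>vendor advisory 17</ReferenceName></Reference>
    </Method>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
    <EventData>
      <Flow>
        <System category="source"><Node><Address category="ipv4-addr">192.0.2.200</Address></Node></System>
        <System category="target"><Node><Address category="ipv4-net">198.51.100.0/24</Address></Node></System>
      </Flow>
      <Expectation action="block-host"/>
    </EventData>
  </Incident>
</IODEF-Document>"""

def parse_iodef(xml_text):
    """Return one dict per Incident with the fields a receiving CSIRT acts on."""
    incidents = []
    for inc in ET.fromstring(xml_text).findall("i:Incident", NS):
        ident = inc.find("i:IncidentID", NS)
        refs = [r.text.strip() for r in inc.findall("i:Method/i:Reference/i:ReferenceName", NS)]
        systems = {}                                    # role -> [(category, address)]
        for system in inc.findall("i:EventData/i:Flow/i:System", NS):
            systems[system.get("category")] = [(a.get("category"), a.text.strip())
                                               for a in system.findall("i:Node/i:Address", NS)]
        incidents.append({
            "id": ident.text.strip(), "authority": ident.get("name"), "purpose": inc.get("purpose"),
            "cves": [r for r in refs if CVE_ID.match(r)],       # only well-formed CVE ids
            "other_refs": [r for r in refs if not CVE_ID.match(r)],
            "systems": systems,
            "expectations": [e.get("action") for e in inc.findall("i:EventData/i:Expectation", NS)],
        })
    return incidents
```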
Information Exchange Trust capabilities
[Diagram labels: Identity Assurance Cluster; Authentication Assurance Methods; Authentication Assurance Levels; Discovery of parties, standards, schema, enumerations, instances and other objects; Common Namespace; Discovery enabling mechanisms; Request and distribution mechanisms; Interaction Security; Transport Security; Trusted Platforms; Trusted Network Connect.]
CYBEX Implementation
[Diagram labels: Events, Incidents, & Heuristics Information; Weaknesses, Vulnerabilities & State Information; Incident Detection Schema; Software, systems, services, networks; Security Automation Schema; Tools; Evidence Information; Exchange Policies; Exchange Requests; Trusted Platform Modules; Trusted Network Connect.]
So where do we go from here: the challenges
• An entire ITU-T Recommendation X-series has been allocated
• Recs. X.cybex, X.cve, X.cvss should be approved in December
• Future of IODEF remains a question mark
• Many additional CYBEX pieces are in various stages of preparation for adoption during 2011-2013 and subsequent maintenance
• A global structured website of cybersecurity organizations has been created on ITU-T website
• Substantial challenges remain…
Challenge: Extent and evolution of CYBEX Recommendation
• Is the framework currently complete?
• What standards should be included in the framework? What are the criteria for inclusion?
• Which standards get published as ITU-T Recommendations and which do not?
• How do ITU-T published versions maintain "sync" with authoritative community versions?
• How do regional and national variants/schemas become included?
• How should Security Content Automation Protocol (SCAP) schema be treated?
  – Presently included in an appendix as examples
• How does CYBEX deal with "soft" standards, e.g., other ITU-T, ITU-D, ISO SC27
  – Presently referenced in an appendix
Challenge: Discovery and trust capabilities
• Cybersecurity object discovery, trust, and related exchange policy mechanisms are compartmentalized, incoherent, and frequently primitive
• Identity Management for cybersecurity has complex assurance relationships
Ongoing relevant cybersecurity IdM developments
• eDiscovery
  – Trusted discovery of identifier meta information is essential in distributed systems
  – Bob Kahn has been leading effort in ITU-T to develop a X.discovery specification
• Resolvers
  – New joint ISO ITU-T specification ITU-T X.673 | ISO/IEC 29168-2 provides for DNS based ability to resolve OIDs to information addresses
  – Handles system proceeding in ITU-T
• Trust interoperability
  – Joint ITU-T and ISO X.eaa specification currently being discussed
  – ENISA trust interoperability protocol may be underway in OASIS
• Cloud/Smartgrid Identity
  – Multiple global initiatives underway to develop specifications for cloud and Smartgrid Identity (ITU-T, OASIS, 3GPP, CEN, ISO, NIST, etc)
• Platform trust
  – Trusted Platform Module and Trusted Network Connect now included in CYBEX standard
    • Should Virtual TPMs be included?
  – Distribution channel trust
    • OID based NID standards emerging as a major object ID platform for distribution chain trust
    • Handles based DOIs a second order choice
    • What others exist?
• No apparent consensus on use of cyber security object identifiers
• NICT contributions have been seminal in exploring naming and discovery options
• CNIS (Cyber-security Naming and Information Structures Group) is emerging as a significant new forum for treating CYBEX information identifiers
Challenge: Achieving implementation and widespread use
• Much public and industry dialogue is primitive, fractious, and politically contentious at best – especially in the West
  – See, e.g., FCC Cybersecurity Roadmap proceeding in Docket 10-146
• Meaningful platforms (e.g., CYBEX), like the systems involved, are complex
• Best initial implementation avenues are within coherent bounded communities
  – ISOG-J
  – National government networks
  – Common Criteria Control Board
  – NATO
• SCAP implementations should proliferate
  – How to enumerate and discover?
• Analytical "bridging" platforms are emerging
  – Deep Packet Inspection
  – Application/platform behavior signature enumerations
• Ultimately carefully designed mandates by national regulatory authorities seem likely to emerge
Exemplar: 6th IT Security Automation Conference, Baltimore, 27-29 Sep 2010*
Credit: Overview by Paul Cichonski, BAH-NIST. *See: http://scap.nist.gov/events/2010/itsac/presentations/index.html
[Slide images with captions: A familiar ensemble; Emerging NIST view of CYBEX as SCAP; A significant dependency]