1 AFRL / FAA Programs Status Report Lt. Matt Manger Rome Research Site 6 May 2003.
-
date post
18-Dec-2015 -
Category
Documents
-
view
215 -
download
3
Transcript of 1 AFRL / FAA Programs Status Report Lt. Matt Manger Rome Research Site 6 May 2003.
1
AFRL / FAA Programs Status Report
Lt. Matt Manger
Rome Research Site
6 May 2003
2
Overview
• CyberWolf
• Air Force Enterprise Defense (AFED)
• Distributed Agents for Information Warfare (DAIWatch)
3
4
CyberWolf Outline
• Program Description
• Task Goals
• Progress
– Objective– Architecture– Device Experts (DE)
– Problem Statement– Implementation
5
Cyberwolf Objective
• Objective– Develop a versatile, scaleable, and extensible enterprise security
management and CND tool
– Utilizes expert system rule-based correlation of IDS and network management events
• Goal– Reduce the workload of network security personnel responsible for
maintaining security of the enterprise while at the same time providing more accurate network situational assessment information
6
CyberWolf Problem
Long-suffering, overworkedSecurity Administrator
Millions of Enterprise Security Events,
7
CyberWolf Architecture
CyberWolf
Manager
…
Lower-Intensity Alert Stream from “Device Experts”
NTDeviceExperts
UNIX Log DeviceExperts
Router DeviceExperts
COTS IDS DeviceExperts
Firewall DeviceExperts
Many More DeviceExperts
Much happierSecurity Administrator (only deals with a few incidents).
Millions of Events, Some With Security Implications
Just a Few Incidents Worthy of Human
Attention
8
CyberWolf Implementation
CyberWolf ExpertsCapture Event Data from Enterprise Security Components - Translate Events into Cyberwolf Syntax - Provide Analysis and Filtering- Decentralized Intelligence for Maximum Scalability
KnowledgeBaseDevice-Specific Information - Expert Analysis of Device Output - Update Device Rules and Tables - Controls Alert Stream Using Expert-defined Thresholds
Systems, IDS,Network Elements &
Other Devices
CyberWolf ManagerSecurSiteInformation Rich GUI - Instant Visibility to Threats - Simple English Descriptions - Color-coded and Prioritized Security Incident ListAutoAdvisorRule-based Correlation Engine - Automatically Tracks Incidents - Automates Analysis and Response - Ships with build-in tracking tools - Easily Add Custom Enterprise Rules
Learning Repository Database - Cumulative Tracking of all Events, Alerts, and Incidents - Searchable for Creating Reports and Audit trails
AutomatedTrouble Ticket
Submission
Real-timeEmail & Pager
Alerts
Events
Alerts
Incidents!
SafePathEncrypted and Authenticated Socket-based
Communications
9
CyberWolf Device Experts
• Gauntlet v4.5/5.5 Firewall DE
• SideWinder Firewall DE• Raptor Firewall DE• Pix Firewall DE• Zone Alarm DE• Black Ice DE• RealSecure v6.0 IDS DE• NetRadar IDS DE• Snort IDS DE• ASIMM/CIDDs DE (Gov’t
only)
Each DE utilizes less than 3% of CPU during operation
• HP Openview NNM DE
• SNMP DE
• Nmap DE
• Cisco Router DE
• Ascend Router DE
• Windows 95/98/NT/2000 DE
• Solaris DE
• Linux DE
• ASIM/CIDDs
10
CyberWolf / FAA Goals
• Phase 1– Demo of CyberWolf’s automated attack analytics capabilities for
the CSIRC
• Phase 2– Input from ISS sensors not currently connected to the CSIRC (ISS
RealSecure). Removal of discrepancies of sensor input including false positives, data reduction, cross correlation and integration.
11
CyberWolf / FAA Progress
• Money on contract in late February
• Beginning evaluation later this month
• Contract to be completed by September
12
Air Force Enterprise Defense (AFED)
13
AFED Outline
• Program Description
• Task Goals
• Progress
– Quad Chart– Components
– Architecture– Capabilities
14
AFED Quad
Payoffs• Integrates existing enterprise sensors and provides enhanced Information Assurance and Enterprise Defense capabilities in support of the AF Protect-Detect-React/Restore model. • Assists in the automated detection and reporting of information attacks, containment and restoration of compromised systems, and planning/protection of enterprise assets.• Supports entire NOSC mission bycross-sharing of data among NOSC crew
Objectives •Provide a Defense-in-Depth capability that integrates existing event information:
– Policy Enforcement; Change/Configuration Management; Threat & Vulnerability Assessment with Countermeasure recommendations; Intrusion Detection; Network Management
•Fuse Information Assurance (IA) and Network Management data into a Common Enterprise Picture•Provide a consistent visual environment for information portrayal
Approach
•Spiral tech exploration, development, validation, and feedback process
Infrastructure
Interface
– Automated Reporting for Containment and IO Targeting
– Mission Situational Assessment
– Automated Courses of Action
Transition Agents: ESC/DIGC, ESC/DIWEnd Users: MAJCOM NOSCs, AFNOSC, CAOC-x
Oracle Database
Preemptive Preemptive Measures Measures
&&
Courses of Courses of ActionAction
VulnerabilitiesRisk AnalysisVulnerabilitiesRisk Analysis
Host/NetworkIntrusion Detection
Host/NetworkIntrusion Detection
•Data Reduction•Fusion•Correlation•Data Mining•Trend Analysis•Knowledge Base•Advanced Intrusion Detection
•Security Policies
•Complex Attack Methodologies
•INFOCON Rules
•Reporting Rules
•Courses of Action
•Analysts GUI Screens
•System Operation/ Control (WEB)
Algorithms/KB
Action/Protection
Open Source(DNS, Whois)Open Source(DNS, Whois)
Network Control(Firewalls, Routers)Network Control
(Firewalls, Routers)
Software Bridges
< 100 Lines of Code
InformationOperationsInformationOperations
EnterpriseManagementEnterprise
Management SituationalAssessment
ALPHA
BRAVO
CHARLIE
DELTA
SituationalAssessmentSituationalAssessment
ALPHA
BRAVO
CHARLIE
DELTA
Analyst/Organization Rules
Visualization
•Schema/Tables•Access Policies•Peer-to-Peer Sharing
Reporting
Network/LinkManagementNetwork/LinkManagement
Normalization,Normalization,Correlation &Correlation &Data StorageData Storage
Existing Existing EnterpriseEnterprise
Sensors/FeedsSensors/Feeds(Inputs & Outputs)(Inputs & Outputs)COTS & GOTSCOTS & GOTS
15
AFED Goals
• Merge network management and security tools and data to provides a better enterprise picture
• Provide analysts with improved host, security, and course of action information– Simplify access to data via drill down menus from the same GUI
• Reduce the workload of analysts– Provide data correlation capabilities
• Combines network and host based sensors• Demonstrates R&D technology to operational units
16
AFED Architecture
Oracle Database
Preemptive Measures
&
Courses of Action
VulnerabilitiesRisk Analysis
Host/NetworkIntrusion Detection
•Data Reduction•Fusion•Correlation•Data Mining•Trend Analysis•Knowledge Base•Advanced Intrusion Detection
•Security Policies
•Complex Attack Methodologies
•INFOCON Rules
•Reporting Rules
•Courses of Action
•Analysts GUI Screens
•System Operation/ Control (WEB)
Algorithms/KB
Action/Protection
Open Source(DNS, Whois)
Network Control(Firewalls, Routers)
Software Bridges
< 100 Lines of Code
InformationOperations
EnterpriseManagement Situational
AssessmentALPHA
BRAVO
CHARLIE
DELTA
Analyst/Organization Rules
Visualization
•Schema/Tables•Access Policies•Peer-to-Peer Sharing
Reporting
Network/LinkManagement
SensorInput
Data Storage
&
Analysis
17
AFED Components
AFEDTrend DB
AFED/AIDERT DB
Web SrvCmd/Config
DB Data Direct
App App SvrsSvrsApp App SvrsSvrsApp App SvrsSvrs
Other Data
BridgeBridge
ARS
Hierarchy
Incident Report
ReportingReportingWeb
Avi
Java GUI
Visualization/ControlVisualization/Control
DAIWF
Host Based AgentsHost Based Agents
Outpost
Sidewinder
RaptorRaptor
ASIM/CIDD
NetRadar
JIDSJIDS
ITAITA
Real SecureReal Secure CiscoCisco NetRangerNetRanger
IntrusionIntrusion DetectionDetection
Sidewinder
AIA
ASIM
Automated ResponseAutomated Response
AFSSI 5027
CMU
NetFlare
Policy EnforcementPolicy Enforcement
TVC
Vulnerability Vulnerability AssessmentAssessment
ISS
Correlation Correlation
& &
Data MiningData Mining
CyberWolf
Network MgmtNetwork Mgmt
HPOV
Decision Support/COADecision Support/COA
NetFlare
18
AFED Capabilities
• Intrusion Detection– Merges event and session data from COTS/GOTS sensors (e.g., ASIM/CIDDS, Netradar,
Real Secure, …)
– Translates outputs into standard categories
• Visualization– Provide a consistent visual environment
– Data views customized for crew positions
• Policy Enforcement– Allows users to define and alert on site policies
– Allows sites to map network and monitors changes in host OS and services
• DAA/CTO– Automates DAA and CTO processes
– Verify and update CTO information via monitoring
19
AFED Capabilities
• Vulnerability Assessment– Commercial Network scanner integrated
– Host based checks performed
• Network Management– Provides correlation between network events and intrusion events
– Provides access to host software and hardware inventories to assist identifying vulnerabilities, and security compliance
• Modeling & Simulation– Allows decision makers to perform tradeoff analysis of course-of-actions
• Reporting– Automate the reporting process
20
AFED / FAA Goals
• Optimization of IDS rule sets– Using AFED, operator reduced daily events by 60% at AFRL
site
• Cross site/sensor correlation– Hierarchical reporting capability
• Comparison of different sensors
21
AFED / FAA Progress
• Funds contracted in late February
• Received 1 months worth of sensor data– Awaiting additional sensor’s data
• Data loaded into AFED database and appropriate data views created
• Administrator beginning to examine/optimize rule set
22
Distributed Agents for Information Warfare (DAIWatch)
23
DAIWatch Outline
• Program Description
• Task Goals
• Progress
– Discriminators– Architecture
– Technology– Benefits
24
DAIWatch Discriminators
• Firewalls and related layered products cannot protect the network from internal activities: DAIWatch approach is host based.
• Current technologies are signature based: DAIWatch uses activity recognition
• Existing Systems are stovepiped: DAIWatch integrates across existing information system monitors
• Current Software is static: DAIWatch uses smart dynamic agents.
DAIWatchTM provides information security protection against
the most sophisticated attackers including the Cyber Terrorist
vs. the current emphasis of commercial products on hackers
25
DAIWatch Technology
1
Sensor Agents–Login Times–Files accessed –Programs Executed–Physical Configuration (e.g. modem)
Fusion Agent Functions•Profile User Activity
•Individual•Role-based (engineer, accountant, etc)
•Identify Anomalies•Recognize Network Abuse/Attacks
26
DAIWatch Architecture
Existing information security systems are designed to prevent remote entry from casual hackers. Professionals gain entry by stealing, buying or guessing
passwords; or through casual employees such as maintenance staff. DAIWF integrates data from conventional security systems with internally deployed
sensors to find these most sophisticated attackers.
DAIWatch ComponentsMobile Sensor AgentWandering Sensor AgentBroker AgentDistribution ManagerFusion AgentControl/Management
Firewall
Router
IDS
Internet
750+ computers per various hubs and subnets
Wireless Devices
Wandering agent roams the network looking for malicious code and other configuration issues.
Mobile agents are automatically deployed where needed based on risk.
Broker agents collect data from existing devices (e.g. firewalls) and DAIWatch Sensors.
DAIWatch maintains database and fuses information from all over network to find sophisticated threats and reduce false alarms from simple traffic analysis..
27
DAIWatch Benefits
Next Generation Network Security Manager Focused on Sophisticated Attacks
• Protects the Network - Recognizes Network Attacks, Especially Sophisticated Ones (Eg. Man-in-the-middle) Including Insider/Masquerader Threats
• Reduces Liability Exposure - Improves Compliance With New Government Mandates (E.G. GLB, Unauthorized Access)
• Saves Money (H/W) - Identifies Network Abuse (Webservers, Login Anomalies, Software Install, Policy Violations, Etc.)
• Saves Money (Staff) - Reduces System Administration Time Via Reasoning, Presentation and Drilldown of Data From Other Security Products
• Improves Effectiveness of Security System - Identifies Intentional and Inadvertent Security Holes (Eg. Mis-configured Firewall)
28
DAIWatch / FAA Goals
• Provide real time insider and outsider threat analysis for all network areas including health status of the network.
• Phase 1– Deploy to limited number of machines and receive accreditation to
progress
• Phase 2– Initial deployment of approximately 40-50 hosts would provide an
opportunity for demonstrating the assessment and value of this tool in a controlled network environment.
29
DAIWatch / FAA Progress
• Funds contracted on 12 March 2003• FAA received DAIWatch Server• ORINCON/FAA set up the server and configured DAIWatch• 1 Windows 2000 client installed and running• Undergoing 1 week evaluation• Waiting for approval software evaluation board• Status / User Meeting on 15 May - ORINCON/FAA
30
Summary
• CyberWolf
• Air Force Enterprise Defense (AFED)
• Distributed Agents for Information Warfare (DAIWatch)