FAA DAIWatch Integration - Center for Software Engineering

Download Report

Transcript FAA DAIWatch Integration - Center for Software Engineering

AFRL / FAA Programs
Status Report
Lt. Matt Manger
Rome Research Site
6 May 2003
1
Overview
• CyberWolf
• Air Force Enterprise Defense (AFED)
• Distributed Agents for Information Warfare
(DAIWatch)
2
3
CyberWolf Outline
• Program Description
– Objective
– Problem Statement
– Architecture
– Implementation
– Device Experts (DE)
• Task Goals
• Progress
4
Cyberwolf Objective
• Objective
– Develop a versatile, scaleable, and extensible enterprise security
management and CND tool
– Utilizes expert system rule-based correlation of IDS and network
management events
• Goal
– Reduce the workload of network security personnel responsible for
maintaining security of the enterprise while at the same time
providing more accurate network situational assessment
information
5
CyberWolf Problem
Long-suffering,
overworked
Security Administrator
Millions of
Enterprise Security Events,
6
CyberWolf Architecture
CyberWolf
Manager
Just a Few Incidents
Worthy of Human Attention
Much happier
Security
Administrator
(only deals with
a few incidents).
Lower-Intensity Alert Stream from “Device Experts”
NT
Device
Experts
UNIX Log
Device
Experts
Router
Device
Experts
COTS IDS
Device
Experts
Firewall
Device
Experts
…
Many More
Device
Experts
Millions of Events, Some With Security Implications
7
CyberWolf Implementation
Events
Systems, IDS,
Network Elements &
Other Devices
CyberWolf Experts
Capture Event Data from
Enterprise Security Components
- Translate Events into
Cyberwolf Syntax
- Provide Analysis and Filtering
- Decentralized Intelligence for
Maximum Scalability
SafePath
Encrypted and
Authenticated
Socket-based
Communications
KnowledgeBase
Device-Specific Information
- Expert Analysis of Device Output
- Update Device Rules and Tables
- Controls Alert Stream Using
Expert-defined Thresholds
Alerts
CyberWolf Manager
SecurSite
Information Rich GUI
- Instant Visibility to Threats
- Simple English Descriptions
- Color-coded and Prioritized
Security Incident List
Incidents!
AutoAdvisor
Rule-based Correlation Engine
- Automatically Tracks Incidents
- Automates Analysis and Response
- Ships with build-in tracking tools
- Easily Add Custom Enterprise Rules
Learning Repository Database
- Cumulative Tracking of all
Events, Alerts, and Incidents
- Searchable for Creating Reports
and Audit trails
Automated
Trouble Ticket
Submission
Real-time
Email & Pager
Alerts
8
CyberWolf Device Experts
Each DE utilizes less than 3% of CPU during operation
• Gauntlet v4.5/5.5
Firewall DE
• SideWinder Firewall DE
• Raptor Firewall DE
• Pix Firewall DE
• Zone Alarm DE
• Black Ice DE
• RealSecure v6.0 IDS
DE
• NetRadar IDS DE
• Snort IDS DE
•
•
•
•
•
•
•
•
•
HP Openview NNM DE
SNMP DE
Nmap DE
Cisco Router DE
Ascend Router DE
Windows 95/98/NT/2000 DE
Solaris DE
Linux DE
ASIM/CIDDs
9
CyberWolf / FAA Goals
• Phase 1
– Demo of CyberWolf’s automated attack analytics capabilities for
the CSIRC
• Phase 2
– Input from ISS sensors not currently connected to the CSIRC (ISS
RealSecure). Removal of discrepancies of sensor input including
false positives, data reduction, cross correlation and integration.
10
CyberWolf / FAA Progress
• Money on contract in late February
• Beginning evaluation later this month
• Contract to be completed by September
11
Air Force Enterprise Defense
(AFED)
12
AFED Outline
• Program Description
– Quad Chart
– Components
– Architecture
– Capabilities
• Task Goals
• Progress
13
AFED Quad
Infrastructure
Interface
Approach
• Spiral tech exploration, development, validation,
and feedback process
– Automated Reporting for Containment and IO
Targeting
– Mission Situational Assessment
– Automated Courses of Action
Transition Agents: ESC/DIGC, ESC/DIW
End Users: MAJCOM NOSCs, AFNOSC, CAOC-x
Objectives
•Provide a Defense-in-Depth capability that
integrates existing event information:
– Policy Enforcement; Change/Configuration
Management; Threat & Vulnerability Assessment
with Countermeasure recommendations;
Intrusion Detection; Network Management
•Fuse Information Assurance (IA) and Network
Management data into a Common Enterprise
Picture
•Provide a consistent visual environment for
information portrayal
Payoffs
• Integrates existing enterprise sensors and
provides enhanced Information Assurance and
Enterprise Defense capabilities in support of
the AF Protect-Detect-React/Restore model.
• Assists in the automated detection and
reporting of information attacks, containment
and restoration of compromised systems, and
planning/protection of enterprise assets.
• Supports entire NOSC mission by
cross-sharing of data among NOSC crew
14
AFED Goals
• Merge network management and security tools and data to
provides a better enterprise picture
• Provide analysts with improved host, security, and course of
action information
– Simplify access to data via drill down menus from the same GUI
• Reduce the workload of analysts
– Provide data correlation capabilities
• Combines network and host based sensors
• Demonstrates R&D technology to operational units
15
AFED Architecture
Preemptive
Measures
&
Courses of
Action
Action/Protection
Analyst/Organization
Rules
•Security Policies
Enterprise
Management
Reporting
Situational
Assessment
•Complex Attack
Methodologies
•INFOCON Rules
ALPHA CHARLIE
BRAVO DELTA
Information
Operations
•Reporting Rules
•Courses of Action
Oracle Database
Data Storage
&
Analysis
Sensor
Input
•Schema/Tables
•Access Policies
•Peer-to-Peer Sharing
Algorithms/KB
Visualization
•Data Reduction
•Fusion
•Correlation
•Data Mining
•Trend Analysis
•Knowledge Base
•Advanced Intrusion Detection
•Analysts GUI Screens
•System Operation/
Control (WEB)
Open Source
(DNS, Whois)
Vulnerabilities
Risk Analysis
Host/Network
Intrusion Detection
Network/Link
Management
Network Control
(Firewalls, Routers)
16
AFED Components
Visualization/Control
Decision Support/COA
Reporting
Java GUI
Policy Enforcement
NetFlare
Web
Avi
ARS
Hierarchy
AFSSI 5027
CMU
Incident
Report
DB Data Direct
Other Data
NetFlare
Web Srv
Cmd/Config
Vulnerability
Assessment
TVC
Host Based Agents
DAIWF
App
App
Svrs
App
Svrs
Svrs
AFED/AIDE
RT DB
AFED
Trend DB
Outpost
ISS
Network Mgmt
Bridge
CyberWolf
Automated Response
Sidewinder
Intrusion Detection
Sidewinder ASIM/CIDD
HPOV
JIDS
AIA
Raptor
NetRadar
ITA
ASIM
Real Secure
Cisco
NetRanger
Correlation
&
Data Mining
17
AFED Capabilities
• Intrusion Detection
– Merges event and session data from COTS/GOTS sensors (e.g., ASIM/CIDDS, Netradar,
Real Secure, …)
– Translates outputs into standard categories
• Visualization
– Provide a consistent visual environment
– Data views customized for crew positions
• Policy Enforcement
– Allows users to define and alert on site policies
– Allows sites to map network and monitors changes in host OS and services
• DAA/CTO
– Automates DAA and CTO processes
– Verify and update CTO information via monitoring
18
AFED Capabilities
• Vulnerability Assessment
– Commercial Network scanner integrated
– Host based checks performed
• Network Management
– Provides correlation between network events and intrusion events
– Provides access to host software and hardware inventories to assist identifying
vulnerabilities, and security compliance
• Modeling & Simulation
– Allows decision makers to perform tradeoff analysis of course-of-actions
• Reporting
– Automate the reporting process
19
AFED / FAA Goals
• Optimization of IDS rule sets
– Using AFED, operator reduced daily events by 60% at AFRL
site
• Cross site/sensor correlation
– Hierarchical reporting capability
• Comparison of different sensors
20
AFED / FAA Progress
• Funds contracted in late February
• Received 1 months worth of sensor data
– Awaiting additional sensor’s data
• Data loaded into AFED database and appropriate data views
created
• Administrator beginning to examine/optimize rule set
21
Distributed Agents for Information
Warfare (DAIWatch)
22
DAIWatch Outline
• Program Description
– Discriminators
– Architecture
– Technology
– Benefits
• Task Goals
• Progress
23
DAIWatch Discriminators
DAIWatchTM provides information security protection against
the most sophisticated attackers including the Cyber Terrorist
vs. the current emphasis of commercial products on hackers
• Firewalls and related layered products cannot protect the network
from internal activities: DAIWatch approach is host based.
• Current technologies are signature based: DAIWatch uses activity
recognition
• Existing Systems are stovepiped: DAIWatch integrates across
existing information system monitors
• Current Software is static: DAIWatch uses smart dynamic agents.
24
DAIWatch Technology
Sensor Agents
–Login Times
–Files accessed
–Programs1Executed
–Physical Configuration
(e.g. modem)
Fusion Agent Functions
•Profile User Activity
•Individual
•Role-based
(engineer, accountant, etc)
•Identify Anomalies
•Recognize Network
Abuse/Attacks
25
DAIWatch Architecture
Existing information security systems are designed to prevent remote entry from
casual hackers. Professionals gain entry by stealing, buying or guessing
passwords; or through casual employees such as maintenance staff. DAIWF
integrates data from conventional security systems with internally deployed
sensors to find these most sophisticated attackers.
750+ computers per various hubs and subnets
Wandering agent roams the network looking for
malicious code and other configuration issues.
Wireless Devices
DAIWatch Components
Mobile Sensor Agent
Wandering Sensor Agent
Broker Agent
Distribution Manager
Fusion Agent
Control/Management
Mobile agents are automatically deployed
where needed based on risk.
IDS
DAIWatch maintains database and fuses
information from all over network to find
sophisticated threats and reduce false alarms
from simple traffic analysis..
Router
Broker agents collect data
from existing devices (e.g.
firewalls) and DAIWatch
Sensors.
Firewall
Internet
26
DAIWatch Benefits
Next Generation Network Security Manager
Focused on Sophisticated Attacks
• Protects the Network - Recognizes Network Attacks, Especially Sophisticated
Ones (Eg. Man-in-the-middle) Including Insider/Masquerader Threats
• Reduces Liability Exposure - Improves Compliance With New Government
Mandates (E.G. GLB, Unauthorized Access)
• Saves Money (H/W) - Identifies Network Abuse (Webservers, Login
Anomalies, Software Install, Policy Violations, Etc.)
• Saves Money (Staff) - Reduces System Administration Time Via Reasoning,
Presentation and Drilldown of Data From Other Security Products
• Improves Effectiveness of Security System - Identifies Intentional and
Inadvertent Security Holes (Eg. Mis-configured Firewall)
27
DAIWatch / FAA Goals
• Provide real time insider and outsider threat analysis for all
network areas including health status of the network.
• Phase 1
– Deploy to limited number of machines and receive accreditation to
progress
• Phase 2
– Initial deployment of approximately 40-50 hosts would provide an
opportunity for demonstrating the assessment and value of this tool in a
controlled network environment.
28
DAIWatch / FAA Progress
•
•
•
•
•
•
•
Funds contracted on 12 March 2003
FAA received DAIWatch Server
ORINCON/FAA set up the server and configured DAIWatch
1 Windows 2000 client installed and running
Undergoing 1 week evaluation
Waiting for approval software evaluation board
Status / User Meeting on 15 May - ORINCON/FAA
29
Summary
• CyberWolf
• Air Force Enterprise Defense (AFED)
• Distributed Agents for Information Warfare
(DAIWatch)
30
Questions??
Lt. Matt Manger
Rome Research Site
[email protected]
(315) 330-1874
6 May 2003
31