http://www.networkworld.com/news/2006/0705
06-argonne-national-lab.html
By Cara Garretson
NetworkWorld.com
07/05/06
Argonne National Laboratory, a division of the Department of
Energy
(DOE) operated out of the University of Chicago, is
spearheading an
effort to collect information about cyber security events
that is
beginning to gain steam.
Called The Federated Model, this information-sharing
initiative among
government, universities, and research labs began last fall
and
currently has about half a dozen active members, says Scott
Pinkerton,
manager of network services for the lab in DuPage County,
Ill.
The initiative is open to any organization wanting to share
details,
or even just view information, regarding attempts by
different IP
addresses to access networks and how organizations have
responded to
these attempts, in an effort to spot patterns of malicious
behavior
and proactively block security threats, says Pinkerton.
For example, if one member of the Federated Model suffers an
attack
from a certain IP address, another member may be able to
block that IP
address from accessing its network and thwart a second
attack, he
says.
"We're reinforcing the idea that we could be smarter,
and more
prepared," Pinkerton says. While the number of members
is growing,
Pinkerton says The Federated Model hasn't yet hit critical
mass.
Pinkerton discussed The Federated Model's progress at
Network World’s
IT Roadmap conference held in Chicago late last month during
a session
on security. He stressed the importance of monitoring
NetFlow data to
search for zero-day attack traffic patterns, a practice his
department
engages in. NetFlow is a Cisco technology for storing
traffic flow
histories on routers and switches.
Argonne has taken on the development of The Federated
Model's
repository and laid out specifications to be used for
submitting and
accessing information. Following IETF standards, data is
submitted in
XML format that is encrypted. The lab is working on adding
features,
such as an RSS feed that would tell members when new
information has
been added to the repository, Pinkerton says.
What's valuable about this data is not only learning what
IP addresses
are doing, but what organizations are doing in response to
potential
threats, says Tami Martin, intrusion detection systems
engineer with
Argonne. "You're learning the reactive measures other
sites are
taking," she says. "Also of intrinsic value is
[learning] the severity
of the action taken."
Eventually, members could get to the point where they can
completely
thwart an attack by following the actions of a trusted
member, says
Pinkerton.
All contents copyright 1995-2006 Network World, Inc
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|