Educause Security Discussion mailing list archives

Re: Visual Interpretation of Internet Threats


From: Jay Tumas <jay_tumas () HARVARD EDU>
Date: Thu, 29 Nov 2007 11:57:09 -0500

Hi Connie,

We have looked at (and used) a number of real time global/local
cyber-security threat feed/visualization products including Certstation,
Arbornet's Active Threat Feed, and Sourcefire's RNA product.  All have
their pros and cons for security professionals responsible for global
cyber-threat visibility.  They all enable another layer of preparedness
on our part, but we found them insufficient for our many customers (~100
Schools, Departments and Affiliates of the University) when attempting
to deliver them the visibility required to protect their local environments.

So to that end, we created a custom, real-time Security Alerts Dashboard
for our customers that is accessible via a Secure NOC Services Web
Portal.  I have attached a screen shot that displays our top level
view.  The Dashboard takes input from our core/border network SNORT IDS
infrastructure, VPN concentrators and ACS cluster, and displays
triggered signature/alert data in a number of ways.  As we are
responsible for overall network security at the University, our top
level view displays cyber-threat posture across the entire University
network footprint, whereas a customer would only see data related to
their particular network address space.  The logical map pictured is a
representation of the network sliced by type of customer and address
space.  Red objects on the map indicate that there are active security
"events" occurring, green objects indicate all-clear, and any other
color means somebody better do some investigating to determine if they
have an issue or not.  The "Alerts per Hour" graph below the map is just
that, by customer (this is mostly IDS alert data).  The "Recent Alerts"
list is a live, scrolling stack of triggered IDS sigs and Alerts from
across the infrastructure.  *This* particular feature is very useful in
providing the visibility required to detect overall network health and
cyber-threat posture.  On the right you will find our "Top 5 Alerting
IP's" list (which details the Top 5 IDS signature offenders), "Top 5
Alerting Signatures" list (which details the most popular triggered
signature over the last time delta), and "Summary Report" buttons
(which allow customers to instantly receive summary reports for their
LAN's cyber-threat activity).

An adjunct sub-system to this interface is our Auto-Alerting System.
The web portal described above takes its input from a SNORT signature
set of approximately 3000 signatures - which means it's a raw feed with
some false positives, however all valuable info once a LAN's baseline
activity is understood.  The Auto-Alerting System's function is to send
out email alerts to our customer's local security teams when a small
subset (~20) of high-confidence signatures are triggered for their
area.  This subset of sigs has proven to be 99.999% accurate in
identifying compromised systems because they trigger on activity that is
the result of a compromise, and not the compromise attempt itself.  By
eliminating false positives, this has become an invaluable tool in
detecting and removing infected/compromised systems across our entire
infrastructure of ~500,000 IP addresses.

We recently have developed a more advanced interface enhancing
visibility, correlation and thresholding on IDS/ADS/Any alerts by
integrating an Anvil front-end portal and a custom backend that can sift
through millions (probably billions) of alerts efficiently and present
the user with actionable cyber-threat assessment data quickly and
accurately... but that is a discussion for another thread.

If you (or anyone) have any interest in discussing any of these custom
products further, please let me know.

J

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jay Tumas - BSEE, NSA/IAM&IEM
                      ~~~~~~~~~~~~~~~~~~~~
- Network Operations, Security and Incident Response Team Manager
- Longwood Medical Area Technical Subcommittee Chair
- Boston Infragard Members Alliance, Executive Board Member
                      ~~~~~~~~~~~~~~~~~~~~
       Harvard University - UIS/Network Operations Center
                  60 Oxford Street, Suite 132
                      Cambridge, MA. 02138
                      ~~~~~~~~~~~~~~~~~~~~
       Office: 617-496-8500  Mobile Device: 617-733-6169
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"The first method for estimating the intelligence of a ruler is
to look at the men he has around him." - Niccolo Machiavelli
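The two mechanisms Jay describes above, slicing raw IDS alerts by customer address space for a per-customer dashboard view, and auto-alerting a customer's security team only when one of a small high-confidence post-compromise signature subset fires for their space, can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not code from Jay Tumas, from Harvard's portal, or from the Snort project. The customer address ranges, the signature IDs in the high-confidence set, and the alert lines themselves are all constructed for illustration; the alert line layout follows Snort's "fast" alert output format, but the SIDs and messages are placeholders, not real Snort rules.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed: customer name -> the address space that customer owns
# (documentation/private ranges used as placeholders).
CUSTOMERS = {
    "School A": [ipaddress.ip_network("10.10.0.0/16")],
    "Dept B": [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed: the small subset of signature IDs treated as high-confidence
# indicators of an already-compromised host (post-compromise activity such
# as outbound C2 or spam), as opposed to inbound attempts. Placeholder SIDs.
HIGH_CONFIDENCE_SIDS = {2001, 2002}

# Constructed sample alerts in Snort "alert_fast" layout.
SAMPLE_ALERTS = """\
11/29-10:03:12.000000  [**] [1:1001:5] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 10.10.5.4:22
11/29-10:07:45.000000  [**] [1:2001:3] BOT C2 beacon [**] [Priority: 1] {TCP} 10.10.5.4:51234 -> 198.51.100.9:6667
11/29-10:15:01.000000  [**] [1:1001:5] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.7:40001 -> 10.20.1.9:22
11/29-11:02:30.000000  [**] [1:2002:1] BOT spam engine [**] [Priority: 1] {TCP} 10.20.1.9:25001 -> 203.0.113.5:25
11/29-11:10:00.000000  [**] [1:1001:5] SCAN nmap TCP [**] [Priority: 3] {TCP} 198.51.100.7:40002 -> 172.16.0.1:22
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        a["hour"] = a["ts"][:8]  # "MM/DD-HH" bucket for the alerts-per-hour graph
        alerts.append(a)
    return alerts


def customer_for(ip_str):
    """Map an address to the customer whose space contains it, or None."""
    ip = ipaddress.ip_address(ip_str)
    for name, nets in CUSTOMERS.items():
        if any(ip in net for net in nets):
            return name
    return None


def attribute(alert):
    """Return (customer, local_host). The source is checked first so that
    outbound post-compromise traffic is attributed to the compromised host."""
    for key in ("src", "dst"):
        customer = customer_for(alert[key])
        if customer:
            return customer, alert[key]
    return None, None


def alerts_per_hour(alerts):
    """Per-customer hourly counts; alerts outside any customer space go to 'unattributed'."""
    per = defaultdict(Counter)
    for a in alerts:
        customer, _ = attribute(a)
        per[customer or "unattributed"][a["hour"]] += 1
    return per


def auto_alerts(alerts):
    """Notices a local security team would be emailed: only high-confidence
    signatures, and only those attributable to that team's address space."""
    notices = []
    for a in alerts:
        if a["sid"] not in HIGH_CONFIDENCE_SIDS:
            continue
        customer, host = attribute(a)
        if customer is None:
            continue
        notices.append({"customer": customer, "host": host,
                        "sid": a["sid"], "msg": a["msg"]})
    return notices


def top_alerting_ips(alerts, n=5):
    """'Top N Alerting IPs' panel: most frequent source addresses."""
    return Counter(a["src"] for a in alerts).most_common(n)


def top_signatures(alerts, n=5):
    """'Top N Alerting Signatures' panel: most frequently triggered sigs."""
    return Counter((a["sid"], a["msg"]) for a in alerts).most_common(n)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for customer, hours in alerts_per_hour(parsed).items():
        print(customer, dict(hours))
    for notice in auto_alerts(parsed):
        print("AUTO-ALERT", notice)
    print(top_alerting_ips(parsed), top_signatures(parsed))
```

The design point is the split between the two consumers: the dashboard functions keep every parsed alert (the "raw feed with some false positives" a team learns to baseline), while `auto_alerts` filters on both the signature subset and a successful attribution, so the scan alerts and the alert against an address outside every customer's space never generate an email.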



Sadler, Connie wrote:
This may be a strange request, but I'm wondering if anyone knows of attempts to make visuals of Internet threats. One of the big issues we face is 
the fact that people don't see the threats, and what they don't see, they don't take seriously. Metrics help, demos help, and good stories 
help, but if anyone knows of some visuals that can help people to actually "see" the threat, or a representation of the threat, I'd LOVE to 
hear about it.

This might be a good student project??  ;-)

Thanks...

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer, Brown University
Campus Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu,  Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB

