Educause Security Discussion mailing list archives
Re: Visual Interpretation of Internet Threats
From: Jay Tumas <jay_tumas () HARVARD EDU>
Date: Thu, 29 Nov 2007 11:57:09 -0500
Hi Connie,

We have looked at (and used) a number of real-time global/local cyber-security threat feed/visualization products, including Certstation, Arbornet's Active Threat Feed, and Sourcefire's RNA product. All have their pros and cons for security professionals responsible for global cyber-threat visibility. They all enable another layer of preparedness on our part, but we found them insufficient for our many customers (~100 Schools, Departments and Affiliates of the University) when attempting to deliver them the visibility required to protect their local environments.

So to that end, we created a custom, real-time Security Alerts Dashboard for our customers that is accessible via a Secure NOC Services Web Portal. I have attached a screen shot that displays our top-level view. The Dashboard takes input from our core/border network SNORT IDS infrastructure, VPN concentrators and ACS cluster, and displays triggered signature/alert data in a number of ways. As we are responsible for overall network security at the University, our top-level view displays cyber-threat posture across the entire University network footprint, whereas a customer would only see data related to their particular network address space.

The logical map pictured is a representation of the network sliced by type of customer and address space. Red objects on the map indicate that there are active security "events" occurring, green objects indicate all-clear, and any other color means somebody better do some investigating to determine if they have an issue or not. The "Alerts per Hour" graph below the map is just that, by customer (this is mostly IDS alert data). The "Recent Alerts" list is a live, scrolling stack of triggered IDS sigs and Alerts from across the infrastructure. *This* particular feature is very useful in providing the visibility required to detect overall network health and cyber-threat posture.

On the right you will find our "Top 5 Alerting IP's" list (which details the Top 5 IDS signature offenders), "Top 5 Alerting Signatures" list (which details the most popular triggered signatures over the last time delta), and "Summary Report" buttons (which allow customers to instantly receive summary reports for their LAN's cyber-threat activity).

An adjunct sub-system to this interface is our Auto-Alerting System. The web portal described above takes its input from a SNORT signature set of approximately 3000 signatures, which means it's a raw feed with some false positives, but all valuable info once a LAN's baseline activity is understood. The Auto-Alerting System's function is to send out email alerts to our customers' local security teams when a small subset (~20) of high-confidence signatures is triggered for their area. This subset of sigs has proven to be 99.999% accurate in identifying compromised systems because they trigger on activity that is the result of a compromise, and not the compromise attempt itself. By eliminating false positives, this has become an invaluable tool in detecting and removing infected/compromised systems across our entire infrastructure of ~500,000 IP addresses.

We recently have developed a more advanced interface enhancing visibility, correlation and thresholding on IDS/ADS/Any alerts by integrating an Anvil front-end portal and a custom backend that can sift through millions (probably billions) of alerts efficiently and present the user with actionable cyber-threat assessment data quickly and accurately... but that is a discussion for another thread.

If you (or anyone) has any interest in discussing any of these custom products further, please let me know.
J

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jay Tumas - BSEE, NSA/IAM&IEM
~~~~~~~~~~~~~~~~~~~~
- Network Operations, Security and Incident Response Team Manager
- Longwood Medical Area Technical Subcommittee Chair
- Boston Infragard Members Alliance, Executive Board Member
~~~~~~~~~~~~~~~~~~~~
Harvard University - UIS/Network Operations Center
60 Oxford Street, Suite 132
Cambridge, MA 02138
~~~~~~~~~~~~~~~~~~~~
Office: 617-496-8500
Mobile Device: 617-733-6169
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"The first method for estimating the intelligence of a ruler is to look at the men he has around him." - Niccolo Machiavelli

Sadler, Connie wrote:

This may be a strange request, but I'm wondering if anyone knows of attempts to make visuals of Internet threats. One of the big issues we face is the fact that people don't see the threats, and what they don't see, they don't take seriously. Metrics help, demos help, and good stories help, but if anyone knows of some visuals that can help people to actually "see" the threat, or a representation of the threat, I'd LOVE to hear about it. This might be a good student project?? ;-)

Thanks...

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer, Brown University
Campus Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu, Office: 401-863-7266
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB
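Added example, not part of Jay Tumas's post and not Harvard's dashboard or Auto-Alerting code: a small model of the two views his reply describes. The first is the raw feed sliced per customer address space (alerts per customer, top alerting IPs, top signatures); the second is the auto-alerting pass that ignores the raw feed and only notifies a customer when one of a short allow-list of post-compromise signatures fires for a host in their space. The Snort alert_fast lines, the customer CIDR map, and the SID allow-list are all constructed for illustration; the SIDs are not real Snort rule IDs and the addresses are documentation ranges.

```python
"""Per-customer IDS feed slicing and high-confidence auto-alerting (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Snort alert_fast line shape (assumed; fields we use are named in the groups):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Hypothetical customer map: address space -> customer name (constructed).
CUSTOMERS = [
    (ipaddress.ip_network("10.10.0.0/16"), "School A"),
    (ipaddress.ip_network("10.20.0.0/16"), "Department B"),
    (ipaddress.ip_network("10.30.0.0/16"), "Affiliate C"),
]

# Hypothetical "high-confidence" subset: signatures that fire on the *result* of a
# compromise (C2 check-in, spambot traffic), never on inbound attempts.
HIGH_CONFIDENCE_SIDS = {1000002, 1000004}

# Constructed sample feed. Note the inbound scan and the generic web attack fire
# at Priority 1/2 but are only attempts; the trojan/spambot lines are post-compromise.
SAMPLE_ALERTS = """\
11/29-11:01:02.000001  [**] [1:1000001:1] SAMPLE SCAN inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 10.10.5.7:22
11/29-11:02:10.000002  [**] [1:1000002:2] SAMPLE TROJAN outbound C2 checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.10.5.7:51234 -> 198.51.100.9:8080
11/29-11:05:44.000003  [**] [1:1000001:1] SAMPLE SCAN inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44322 -> 10.20.1.3:22
11/29-11:06:00.000004  [**] [1:1000003:1] SAMPLE WEB generic attack attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.77:1111 -> 10.20.1.3:80
11/29-11:07:30.000005  [**] [1:1000002:2] SAMPLE TROJAN outbound C2 checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.10.5.7:51240 -> 198.51.100.9:8080
11/29-11:08:00.000006  [**] [1:1000004:1] SAMPLE MALWARE spambot SMTP burst [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.30.0.25:25000 -> 192.0.2.44:25
this line is garbage and must be skipped
"""


def parse_alert(line):
    """Parse one alert_fast line; return None for anything that does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
    }


def customer_for(ip, customers=CUSTOMERS):
    """Map an address to the customer whose space contains it (None if outside)."""
    for net, name in customers:
        if ip in net:
            return name
    return None


def attribute(alert, customers=CUSTOMERS):
    """Return (customer, local_host): the monitored host on our side of the alert,
    whether it was the source (outbound C2) or the destination (inbound probe)."""
    for ip in (alert["src"], alert["dst"]):
        name = customer_for(ip, customers)
        if name:
            return name, ip
    return None, None


def dashboard_view(lines, customers=CUSTOMERS):
    """Raw-feed view: every alert touching customer space, counted per customer,
    plus the top alerting source IPs and top signatures."""
    per_customer, top_ips, top_sids = Counter(), Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        cust, _host = attribute(a, customers)
        if cust is None:
            continue  # transit traffic, not any customer's problem
        per_customer[cust] += 1
        top_ips[str(a["src"])] += 1
        top_sids[(a["sid"], a["msg"])] += 1
    return {
        "alerts_per_customer": dict(per_customer),
        "top_ips": top_ips.most_common(5),
        "top_sids": top_sids.most_common(5),
    }


def auto_alerts(lines, high_confidence=HIGH_CONFIDENCE_SIDS, customers=CUSTOMERS):
    """Auto-alerting view: only the high-confidence subset, collapsed to one
    notification per (customer, host) listing the SIDs that fired there."""
    hits = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] not in high_confidence:
            continue
        cust, host = attribute(a, customers)
        if cust is None:
            continue
        hits[(cust, str(host))].add(a["sid"])
    return [{"customer": c, "host": h, "sids": sorted(s)} for (c, h), s in sorted(hits.items())]


if __name__ == "__main__":
    feed = SAMPLE_ALERTS.splitlines()
    print(dashboard_view(feed))
    for n in auto_alerts(feed):
        print(f"ALERT {n['customer']}: host {n['host']} fired high-confidence SIDs {n['sids']}")
```

On the constructed feed the raw view counts six alerts across three customers, while the auto-alerting pass produces exactly two notifications (one host each for School A and Affiliate C): the inbound scan and the generic web attack are dropped even at Priority 1 because they are attempts, not evidence of a compromised host. The allow-list is the policy knob; the point of keeping it short is that every notification it produces should be worth a local team's time.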