Information Security News mailing list archives

Intrusion-detection net revived


From: InfoSec News <isn () c4i org>
Date: Wed, 29 May 2002 04:48:06 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.fcw.com/fcw/articles/2002/0527/news-net-05-27-02.asp

By Diane Frank 
May 27, 2002

The General Services Administration and Carnegie Mellon University
this fall will start testing a new technology to analyze and report on
patterns in the cyber intrusion information gathered across
government, an idea that was first floated and eventually sunk two
years ago.

The data analysis capability (DAC) being developed by the CERT
Coordination Center for GSA's Federal Computer Incident Response
Center will analyze data already being collected by intrusion-detection
systems at many agencies, said Sallie McDonald, assistant
commissioner for information assurance and critical infrastructure
protection at GSA.

Those systems typically report on unusual or unauthorized network
activity that might indicate that someone is attempting to attack or
break into agency systems. The DAC will gather data from the sensors
or from agencies' own analyses at a central point within FedCIRC for
identification of potential vulnerabilities and attacks.

That analysis will then be shared with participating agencies, along
with steps to protect against, react to or recover from any incidents,
McDonald said. FedCIRC is the overarching source for security incident
warnings and analysis for all civilian agencies.
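The pooling step described above, where alerts from many agencies' sensors are correlated at one central point so that a pattern no single agency would notice becomes visible, as an added illustration (this is not FedCIRC or CERT code; the alert record format, time window and agency names are constructed assumptions):

```python
# Added illustration of cross-agency correlation: the same source hitting
# three agencies is noise inside each one's IDS, but a pattern once pooled.
# Alert records and agency names below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, as each agency's sensor might forward them:
# (agency, ISO timestamp, source address, signature name)
SAMPLE_ALERTS = [
    ("AgencyA", "2002-05-27T01:02:00", "203.0.113.7", "SSH brute force"),
    ("AgencyB", "2002-05-27T01:15:00", "203.0.113.7", "SSH brute force"),
    ("AgencyC", "2002-05-27T02:40:00", "203.0.113.7", "SSH brute force"),
    ("AgencyA", "2002-05-27T03:00:00", "198.51.100.9", "port scan"),
    ("AgencyA", "2002-05-27T03:05:00", "198.51.100.9", "port scan"),
    ("AgencyB", "2002-05-28T09:00:00", "192.0.2.44", "SQL injection attempt"),
]

def correlate(alerts, min_agencies=2, window=timedelta(hours=24)):
    """Return {(source, signature): sorted agencies} for every source and
    signature seen at >= min_agencies distinct agencies inside `window`."""
    seen = defaultdict(list)
    for agency, ts, src, sig in alerts:
        seen[(src, sig)].append((datetime.fromisoformat(ts), agency))
    patterns = {}
    for key, events in seen.items():
        events.sort()  # time order, so a sliding window is a simple slice
        for i, (t0, _) in enumerate(events):
            agencies = {a for t, a in events[i:] if t - t0 <= window}
            if len(agencies) >= min_agencies:
                patterns[key] = sorted(agencies)
                break
    return patterns

def advisory(patterns):
    """Render the notice the central point would share back to agencies."""
    return [
        f"{src} ({sig}) seen at {len(agencies)} agencies: {', '.join(agencies)}"
        for (src, sig), agencies in sorted(patterns.items())
    ]

if __name__ == "__main__":
    for line in advisory(correlate(SAMPLE_ALERTS)):
        print(line)
```

Each agency alone sees one or two alerts from 203.0.113.7; only the pooled view shows it touching three of them within a day, while the single-agency port scan and the lone injection attempt stay below the cross-agency threshold.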

The idea of a governmentwide system for analyzing intrusion-detection
data first emerged in 1999 as part of the Clinton administration's
National Plan for Information Systems Protection.

Privacy concerns raised by advocacy groups and Congress after
erroneous reports that the analysis would be performed on
private-sector networks as well as government networks forced GSA and
the administration to withdraw the proposed Federal Intrusion
Detection Network in 2000.

Even as more agencies turn to vendors for intrusion data analysis
within their own networks, this type of centralized analysis
capability is a necessary tool for raising the entire government's
information security posture, said Amit Yoran, a former director of
the Defense Department CERT's Vulnerability Assessment and Assistance
Program.

And it is technically feasible to analyze the vast amount of
information that the DAC will have to handle from all of the civilian
agencies, said Yoran, co-founder of Riptech, a managed security
services company. Riptech handles approximately 2 terabytes of
incident information every day from all of its government and industry
clients, he said.

As an incentive for agencies, GSA will allow participants in the pilot
project to use the technology to analyze their own incident
information in real time, McDonald said. That analysis will then be
sent to FedCIRC to map the governmentwide incident and vulnerability
status.

If the pilot project is successful, the DAC is expected to reach full
operating ability in fiscal 2003, she said.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

