
Cyber Defence Data Exchange and
Collaboration Infrastructure (CDXI)
Luc Dandurand
NATO C3 Agency
luc.dandurand@nc3a.nato.int
Geneva, 6-7 December 2010
Addressing security challenges on a global scale
NATO C3 Agency
Mission: Enable NATO's success through the unbiased provision of comprehensive C4ISR capabilities
NC3A mainly provides acquisition and scientific support to NATO and NATO Nations
Key player in helping Nations achieve interoperability
CDXI is sponsored by NATO Allied Command Transformation (ACT, Norfolk, VA)
http://www.nc3a.nato.int/
What is the CDXI?
Ultimately, the goal of CDXI is to
- transport cyber defence data between organisations
- through a resilient, global infrastructure
- structure the data for machine processing
- feed it directly into automated applications
- provide assurance of its origin and quality
- provide access controls for confidentiality
- provide tools to collaborate on improving the data
- enable commercial exploitation
Cyber Defence Data
Reference Information
- Vulnerabilities
- Software (Applications and Operating Systems)
- Hardware
- Malware
- Patches and Fixes
- Verification Tests (e.g. IDS signatures & VA tests)
- Protocol specifications
- Certifications
Cyber Defence Data
Operational Information
- Events
- Incidents
- IP addresses
- Implicated parties
What problems does it solve?
Beyond the basic need to exchange data
- Lots of data sources saying different things
  - Errors & Discrepancies
  - Different focus and taxonomies
  → No simple way to fix known errors and collaborate
- Limited ability to automate CD applications
  - Importing from the Web is often "manual"
  - Limited quality assurance → THIS IS A MAJOR PROBLEM
- No resilience → Need a local copy of all data!
- No automated implementation/enforcement of sharing policies
Examples of Discrepancies
[Slides 7-12: screenshots of the entry for CVE 2010-2941 as published by several sources; recoverable text: "18 Nov 2010", "Possibly execute arbitrary code via a crafted packet", with fields marked "?" and "[…]" where the sources differ or omit details]
How do we fix this?
"Support dissension to reach consensus"
- Easily modify the data and send back to community
- "Multiple truths" co-exist until further research uncovers the "ultimate truth"
- Reject or block erroneous data coming into own automated systems
Custom Quality Assurance Processes
Structured Cyber Defence Data
Strategy of CDXI is currently based on
- Pure enumerations for the specified topics
  - Single identifier for each element (e.g. "CVE-ID")
  - Used to create all links to other data
- Agile Data Model
  - User-defined taxonomies
  - User-defined relationships
CDXI could implement most, if not all, standards in CYBEX X.1500.
Confidentiality
Limited sharing is a reality
- User-based and role-based access controls
- Organisational sharing policies
  - Can limit user actions
  - Can automate sharing
- Multiple security labels and mappings
- Instances of CDXI exist at every security level (Unclassified, Secret and Top Secret)
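An added sketch, not the CDXI design or its code, of the sharing-policy automation the Confidentiality slide lists: records carry a local security label, a per-partner label mapping translates it, and an organisational policy caps what may be shared without human review and which roles may perform which actions. The organisation, partner, role and label strings are constructed assumptions.

```python
from dataclasses import dataclass

# Ordered security levels of the local instance, as named on the slide.
LEVELS = ["UNCLASSIFIED", "SECRET", "TOP SECRET"]

# Constructed mapping: how a partner labels the same level (assumed values).
LABEL_MAP = {"partner-X": {"UNCLASSIFIED": "NON CLASSIFIE", "SECRET": "SECRET DEFENSE"}}


@dataclass(frozen=True)
class Record:
    element_id: str
    level: str                  # security label in the local instance's terms
    releasable_to: frozenset    # organisations the originator allowed


@dataclass(frozen=True)
class SharingPolicy:
    org: str
    max_auto_level: str   # highest level shared without human review
    role_actions: dict    # role -> set of actions that role may perform

    def auto_share(self, rec, partner):
        """Return the record relabelled for the partner if both the originator's
        release marking and the organisational policy allow automatic sharing."""
        if partner not in rec.releasable_to:
            return None
        if LEVELS.index(rec.level) > LEVELS.index(self.max_auto_level):
            return None
        label = LABEL_MAP.get(partner, {}).get(rec.level)
        if label is None:   # no agreed label mapping: never guess one
            return None
        return Record(rec.element_id, label, rec.releasable_to)

    def allowed(self, role, action):
        """Role-based limit on user actions (e.g. only a release role may release)."""
        return action in self.role_actions.get(role, set())


# Constructed sample policy and records.
POLICY = SharingPolicy("org-A", "SECRET",
                       {"analyst": {"read", "annotate"},
                        "release-officer": {"read", "annotate", "release"}})
UNCLASS_REC = Record("ELEMENT-0001", "UNCLASSIFIED", frozenset({"partner-X"}))
TS_REC = Record("ELEMENT-0002", "TOP SECRET", frozenset({"partner-X"}))
PRIVATE_REC = Record("ELEMENT-0003", "UNCLASSIFIED", frozenset())

if __name__ == "__main__":
    print(POLICY.auto_share(UNCLASS_REC, "partner-X"))
    print(POLICY.auto_share(TS_REC, "partner-X"), POLICY.allowed("analyst", "release"))
```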
Commercial Exploitation
Required since Industry has lots of data, but more importantly, the resources to refine it
Proposed strategy is to encrypt records
- Sell keys to decrypt the data through contract
Industry can resell
- Tools that use the CDXI
- Content
- Quality assurance of content
- Data-mining
CDXI Architecture
Relation to CYBEX
Similar to CYBEX in that use/acquisition of the data is out of scope
Implements the following CYBEX functions
- Structuring cybersecurity information for exchange purposes
- Identifying and discovering cybersecurity information and entities
- Establishment of trust and policy agreement between exchanging entities
- Providing assured cybersecurity information exchange
Adds support for
- Dissension to reach consensus, collaboration mechanisms
- Custom quality assurance processes
- Commercial exploitation
Provides Resilience
CDXI tackles the problem from a prototype-implementation point of view, rather than the CYBEX standards-based approach
CDXI Way Ahead
Concept, high-level requirements and proposed
architecture will be completed Q1 2011
We plan to build and test a prototype in 2011
We plan to continue prototype development/testing
in 2012 and beyond
We hope for: Implementation by Industry?

Concept valid for any knowledge-centric community!
For further information: luc.dandurand@nc3a.nato.int