2.1 CYBEX - The Cybersecurity Information Exchange Framework

Tony Rutkowski, tony@yaanatech.com
Rapporteur, ITU-T Cybersecurity Rapporteur Group
EVP, Yaana Technologies
Senior Fellow, Georgia Tech, Sam Nunn School, Center for International Strategy, Technology, and Policy (CISTP)

What is the Cybersecurity Information Exchange Framework (CYBEX)?
• A global initiative to
  – identify a set of platform specifications to facilitate the trusted exchange of information among responsible parties worldwide supporting cybersecurity for
    • Infrastructure protection
    • Incident analysis and response
    • Law enforcement and judicial forensics
  – enhance the availability, interoperability, and usefulness of these platforms
• Extensible use of best-of-breed open cybersecurity information exchange platforms
• Facilitated by the Cybersecurity Rapporteur Group of ITU-T (Q.4/17)
• ITU-T Recommendations during 2010-2011, with continuing evolution to current user community versions and needs

What is cybersecurity?
[Diagram: four groups of measures linked by arrows; legend distinguishes "information exchange for analysis" from "information exchange for actions". Group headings: 1. Measures for protection; 2. Measures for threat detection; 3. Measures for thwarting and other remedies; 4. Legal remedies (criminal law; regulatory/administrative law; tort & indemnification; contractual service agreements and federations; intergovernmental agreements and cooperation). Other elements shown, whose placement among groups 1-3 cannot be recovered from the extraction: resilient infrastructure; encryption/VPNs esp. for signalling; identity management; routing & resource constraints; network/application state & integrity; real-time data availability; data retention and auditing; forensics & heuristics analysis; investigation & measure initiation; blacklists & whitelists; vulnerability notices; patch development; reputation sanctions. Arrow annotations: "provide data for analysis", "provide basis for actions", "provide awareness of vulnerabilities and remedies", "deny resources", "legal remedies may also institute protective measures".]

The CYBEX Initiative: basic model for information exchange
[Diagram: Cybersecurity Organization -> cybersecurity information acquisition (out of scope) -> structure information -> identify & discover cybersecurity information and organizations -> requesting & responding with cybersecurity information -> trusted exchange of cybersecurity information -> Cybersecurity Organization -> cybersecurity information use (out of scope).]

Structured Information
(Legend in the original: new, referenced, imported; the per-item marking is colour-coded on the slide and is not recoverable here.)
Vulnerability/State Exchange Cluster
• SCAP (SP800-126) Security Content Automation Protocol
• XCCDF eXtensible Configuration Checklist Description Format
• CVE Common Vulnerabilities and Exposures
• CCE Common Configuration Enumeration
• CPE Common Platform Enumeration
• ARF Assessment Results Format
• OVAL Open Vulnerability and Assessment Language
• CVSS Common Vulnerability Scoring System
• CWE Common Weakness Enumeration
• CWSS Common Weakness Scoring System
Exchange Terms and Conditions
• X.cybex-tc Cyber information terms and condition exchange format
Event/Incident/Heuristics Exchange Cluster
• CEE Common Event Expression
• CAPEC Common Attack Pattern Enumeration and Classification
• IODEF (RFC5070) Incident Object Description Exchange Format
• MAEC Malware Attribution Enumeration and Characterization
• PFOC Phishing, Fraud, and Other Non-Network Layer Reports
• X.gridf SmartGrid Incident Exchange Format
• Black/Whitelist Exchange Format
LEA/Evidence Exchange Cluster
• RFC3924 Architecture for Lawful Intercept in IP Networks
• TS102232 Handover Interface and Service-Specific Details (SSD) for IP delivery
• TS102657 Handover interface for the request and delivery of retained data
• TS23.271 Handover for Location Services
• X.dexf Digital Evidence Exchange File Format
• EDRM Electronic Discovery Reference Model

Discovery and Trusted Exchange
(Legend in the original: new, referenced, imported; per-item marking not recoverable here.)
Discovery Cluster
• X.cybex.1 An OID arc for cybersecurity information exchange
• X.cybex.2 XML namespace in the exchange of cybersecurity information
• X.cybex-disc OID-based discovery mechanisms in the exchange of cybersecurity information
Identity Trust Cluster
• X.evcert Extended Validation Certificate
• X.eaa Entity authentication assurance
• TS102042 V.2.0 Policy requirements for certification authorities issuing public key certificates
Exchange Cluster
• X.chirp Cybersecurity Heuristics and Information Request Protocol
• X.cybex-beep BEEP Profile for Cybersecurity Information Exchange Framework
• X.cybex-tp Transport protocols supporting cybersecurity information exchange
LEA/Evidence Exchange
• TS102232-1 Handover Interface and Service-Specific Details (SSD) for IP delivery

A Cybersecurity Namespace
• Trusted global cybersecurity information exchange requires identifiers for
  – the parties and other objects involved in the exchanges
  – the information exchanged
  – the terms and conditions associated with the exchanged information
• A global cybersecurity namespace is part of CYBEX and described in draft Rec. ITU-T X.cybex.1
• The OID namespace 2.48 has been reserved for this purpose by joint ISO|IEC JTC1 SC6 and ITU SG17 action
  – OID namespaces
    • Are hierarchical and enable autonomous distributed management
    • Were developed for and have been used for these kinds of purposes for the past 30 years
    • Can also be used to meet the new ETSI TC LI Dynamic Triggering requirement for a global identifier for warrants and related needs

A Global Cybersecurity Namespace
[Diagram: the OID tree]
  0 ITU-T|ITU-R [allocated by ITU-T SG17]
  1 ISO [allocated by ISO|IEC JTC1 SC6]
  2 Joint ITU-T & ISO [jointly allocated by ITU-T SG17 and ISO|IEC JTC1 SC6]
    0, 1, 2, 3, 4, ... 48 = cybersecurity
      2.48: sub-arcs 0, 1, 2, 3, 4, ... 48 (architecture TBD); arc 2.48.1 holds the country identifiers, as the example on the next slide (2.48.1.756.3) shows
        Every country has a numeric identifier automatically reserved in the OID 2.48 cybersecurity namespace:
        4 Afghanistan ... 250 France ... 756 Suisse ... 840 USA
        nnn FIRST (non-country organizations can also be allocated identifiers)
      [each country, organization, subdivision allocates namespaces and levels as desired]

Use of the OID cybersecurity namespace: an example
• Cybersecurity Organization [hypothetical Swiss agency]: 2.48.1.756.3
  – Incident: 2.48.1.756.3.1.[local identifier]
  – Terms & conditions: 2.48.1.756.3.2.[local identifier]
• Cybersecurity Organization [hypothetical French agency]: 2.48.1.250.2
• Ensures a coherent ability to know who is involved, specific identification of the information, and the expected treatment policies
• Local agency and community identifiers can continue to be used
• The namespace identifiers need not be publicly exposed – only unique and consistent within the namespace

The cybersecurity problems are about to get much worse
• Cloud Services and SmartGrids create potentially significant new cybersecurity threats with far-reaching consequences
• Public services are being pushed into the marketplace with
  – No regulation
  – No standards
  – Availability of massive network data center resources
  – Little understanding of the cybersecurity dimensions, much less effective solutions
  – No international agreements
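The OID scheme in the "A Global Cybersecurity Namespace" and "Use of the OID cybersecurity namespace" slides above, worked through as an added Python example. This code is not from the deck or from any ITU-T text. It assumes, as the slide example 2.48.1.756.3 / 2.48.1.250.2 implies, that 2.48.1.<ISO 3166-1 numeric code> is the country arc, and it reuses the slide's hypothetical allocation of .1 for incidents and .2 for terms & conditions below an organization's arc; the country-name table is a constructed subset. The DER functions show the detail a practitioner hits when a 2.48 identifier is placed in a certificate or other ASN.1 structure: the first two arcs collapse to 40*2+48 = 128, which exceeds one base-128 byte, so 2.48 encodes as 0x81 0x00 rather than a single byte.

```python
"""CYBEX-style identifiers under the 2.48 OID arc (added example, not from the slides)."""

# Constructed subset of ISO 3166-1 numeric codes, only for readable output.
COUNTRY_NAMES = {4: "Afghanistan", 250: "France", 756: "Switzerland", 840: "USA"}

CYBEX_ARC = (2, 48)
COUNTRY_ARC = 1      # 2.48.1 = per-country sub-tree (assumption inferred from the slide example)
KIND_INCIDENT = 1    # hypothetical sub-arc from the slide: <org>.1.<local id>
KIND_TERMS = 2       # hypothetical sub-arc from the slide: <org>.2.<local id>


def parse_oid(text: str) -> tuple:
    """Parse dotted-decimal OID text into a tuple of non-negative integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted OID: {text!r}")
    return tuple(int(p) for p in parts)


def org_oid(country: int, org: int) -> str:
    """Identifier for an organization: 2.48.1.<country>.<org>."""
    if not 1 <= country <= 999:
        raise ValueError("ISO 3166-1 numeric codes are 1..999")
    return ".".join(map(str, CYBEX_ARC + (COUNTRY_ARC, country, org)))


def object_oid(org: str, kind: int, local_id: int) -> str:
    """Identifier for an incident (kind=1) or terms & conditions (kind=2) under an organization."""
    arcs = parse_oid(org)
    if arcs[:3] != CYBEX_ARC + (COUNTRY_ARC,):
        raise ValueError("organization OID must lie under 2.48.1")
    return ".".join(map(str, arcs + (kind, local_id)))


def describe(oid: str) -> dict:
    """Decompose a CYBEX OID; reject anything outside the 2.48 cybersecurity arc."""
    arcs = parse_oid(oid)
    if arcs[:2] != CYBEX_ARC:
        raise ValueError(f"{oid} is not in the 2.48 cybersecurity namespace")
    info = {"cybersecurity_arc": True}
    if len(arcs) >= 4 and arcs[2] == COUNTRY_ARC:
        info["country"] = arcs[3]
        info["country_name"] = COUNTRY_NAMES.get(arcs[3], "unknown")
        if len(arcs) >= 5:
            info["organization"] = ".".join(map(str, arcs[:5]))
        if len(arcs) >= 7:
            info["kind"] = {KIND_INCIDENT: "incident", KIND_TERMS: "terms"}.get(arcs[5], "other")
            info["local_id"] = arcs[6]
    return info


def encode_oid_der(oid: str) -> bytes:
    """DER-encode an OID (tag 0x06). The first two arcs become 40*a + b; for the
    joint arc a=2 this can exceed 127 (2.48 -> 128) and must be base-128 encoded."""
    arcs = parse_oid(oid)
    subids = [40 * arcs[0] + arcs[1]] + list(arcs[2:])
    body = bytearray()
    for v in subids:
        chunk = [v & 0x7F]          # low 7 bits go last, without the continuation bit
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid_der(data: bytes) -> str:
    """Inverse of encode_oid_der; handles multi-byte sub-identifiers."""
    if len(data) < 2 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    subids, v = [], 0
    for b in data[2:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:            # last byte of this sub-identifier
            subids.append(v)
            v = 0
    if v:
        raise ValueError("truncated sub-identifier")
    first = subids[0]
    a, b = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(map(str, (a, b) + tuple(subids[1:])))


if __name__ == "__main__":
    swiss = org_oid(756, 3)                           # 2.48.1.756.3
    incident = object_oid(swiss, KIND_INCIDENT, 4711)  # 2.48.1.756.3.1.4711
    print(incident, describe(incident))
    der = encode_oid_der(incident)
    print(der.hex(), decode_oid_der(der))
```

The slide's point that identifiers need only be unique and consistent within the namespace is reflected in describe(): it checks the arc, not a registry, so a receiving party can classify an identifier locally before deciding how to treat the attached information.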
Will history repeat itself?
• Similar kinds of cybersecurity challenges were faced a hundred years ago
  – Fast-paced new network technology emerged
  – Networks became global in scope
  – Harmful incidents were rapidly scaling
  – Governments did not intervene to avoid harm to innovation
  – Sinking of the Titanic in 1912 finally motivated global action
• Every new network technology has faced similar challenges
  – The 1980s OSI Internet had public infrastructure security solutions, but lacked innovation
  – The 1990s TCP/IP academic Internet had no public infrastructure security solutions, but was great for innovation
• Criminals, hackers, terrorists, miscreants are also innovative and have many incentives
• CYBEX assembles open, extensible, technology-neutral capabilities essential for public network infrastructure/service cybersecurity in different forms over the past hundred years

It usually takes a major disaster
How many cyber icebergs do you need before substantial global action occurs?