Making A Federal Case About Sharing Security Data

Security professionals at the U.S. Department of Energy (DoE) have developed a new model for sharing security information that could work in any industry or supply chain.

In a joint effort with many other DoE research labs and university security teams, Argonne National Laboratory last week unveiled the Federated Model for Cybersecurity, a method of capturing and sharing information about security problems with trusted partners at near-real-time speeds.

The Federated Model operates something like a "neighborhood watch" for sharing information about potential crime, explains Michael Skwarek, deputy CIO and cybersecurity program manager at Argonne National Laboratory.

"In a neighborhood watch, if you see something suspicious, you set up a telephone tree so that everyone who lives in the neighborhood can be notified very quickly, and they can decide how they want to respond," Skwarek says. "In the Federated Model, trusted partners have the means to quickly and securely exchange information about suspicious activity they see, even if there's no actual breach or incident involved. They're not operating in silos. They're not waiting for vendors to collect data and distribute it to them. They can notify each other about the problem in a matter of minutes, and they can share information about what they've tried to do to stop it."

Although it was developed in a joint effort among DoE labs and university research centers, the Federated Model could be used by any group of organizations that agrees to form a "federation," Skwarek says. The model's developers hope it will be adopted widely among government agencies, defense organizations, and private industry groups. "There's no reason why it couldn't be used by organizations in any walk of life," he says.

The Federated Model, which has been in development for approximately five years, outlines an XML framework that enables security systems, such as intrusion detection systems, to share data in an automated, common format. The partners in the federation are given encryption keys so they can share their security intelligence only among themselves, without risking leaks to the bad guys or the media. In a crisis, members of the federation could add other trusted parties to the "phone tree" by giving them the encryption keys, Skwarek says.

"What you're really doing is creating communities," Skwarek says. "It could be a group of organizations in the same geographic region, or in the same industry. It's really just a question of how much they trust each other."

Initially, the Federated Model defines methods for sharing information about malicious entities -- not just the IP addresses of suspicious devices, but DNS domain names, URLs that may carry malware, and even email addresses of spammers and malware distributors. "Once you have that information, you can decide if you want to blacklist those entities or block a certain type of traffic," Skwarek states. "It's up to the organization to decide how to respond, though there may also be data that discusses what's been tried or what's been found to work."

Skwarek says the Federated Model might give groups of organizations a fighting chance to defend themselves against zero-day exploits and targeted attacks that occur without warning against a group of organizations, such as last week's cyberattacks on South Korean and U.S. government Websites.

"For us in government, we sometimes get reports from intelligence agencies about new attacks, but it might be hours, days, even weeks before we get all the data," Skwarek says. "A similar sort of report comes from the security vendors, who recognize a threat and notify you when they've developed a fix, which can take a lot of time and is usually limited to whatever silo of technology they make. We need a system that works faster than that so we can make our responses faster."

Over time, "federations" might also use the data they collect through the model to do postmortems on incident response and formulate faster, more efficient ways to respond to specific types of attacks, Skwarek says

"When you think about it, the attackers already have methods for sharing information, for assessing victims' defenses and reacting quickly," Skwarek observes. "What we need is a way for the good guys to share their information just as quickly. This [Federated Model] might be a step in that direction."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.