Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Making A Federal Case About Sharing Security Data

Department of Energy initiative offers 'Federated Model' for exchanging, diagnosing security information among trusted partners

Security professionals at the U.S. Department of Energy (DoE) have developed a new model for sharing security information that could work in any industry or supply chain.

In a joint effort with many other DoE research labs and university security teams, Argonne National Laboratory last week unveiled the Federated Model for Cybersecurity, a method of capturing and sharing information about security problems with trusted partners at near-real-time speeds.

The Federated Model operates something like a "neighborhood watch" for sharing information about potential crime, explains Michael Skwarek, deputy CIO and cybersecurity program manager at Argonne National Laboratory.

"In a neighborhood watch, if you see something suspicious, you set up a telephone tree so that everyone who lives in the neighborhood can be notified very quickly, and they can decide how they want to respond," Skwarek says. "In the Federated Model, trusted partners have the means to quickly and securely exchange information about suspicious activity they see, even if there's no actual breach or incident involved. They're not operating in silos. They're not waiting for vendors to collect data and distribute it to them. They can notify each other about the problem in a matter of minutes, and they can share information about what they've tried to do to stop it."

Although it was developed in a joint effort among DoE labs and university research centers, the Federated Model could be used by any group of organizations that agrees to form a "federation," Skwarek says. The model's developers hope it will be adopted widely among government agencies, defense organizations, and private industry groups. "There's no reason why it couldn't be used by organizations in any walk of life," he says.

The Federated Model, which has been in development for approximately five years, outlines an XML framework that enables security systems, such as intrusion detection systems, to share data in an automated, common format. The partners in the federation are given encryption keys so they can share their security intelligence only among themselves, without risking leaks to the bad guys or the media. In a crisis, members of the federation could add other trusted parties to the "phone tree" by giving them the encryption keys, Skwarek says.

"What you're really doing is creating communities," Skwarek says. "It could be a group of organizations in the same geographic region, or in the same industry. It's really just a question of how much they trust each other."

Initially, the Federated Model defines methods for sharing information about malicious entities -- not just the IP addresses of suspicious devices, but DNS domain names, URLs that may carry malware, and even email addresses of spammers and malware distributors. "Once you have that information, you can decide if you want to blacklist those entities or block a certain type of traffic," Skwarek states. "It's up to the organization to decide how to respond, though there may also be data that discusses what's been tried or what's been found to work."

Skwarek says the Federated Model might give groups of organizations a fighting chance to defend themselves against zero-day exploits and targeted attacks that occur without warning against a group of organizations, such as last week's cyberattacks on South Korean and U.S. government Websites.

"For us in government, we sometimes get reports from intelligence agencies about new attacks, but it might be hours, days, even weeks before we get all the data," Skwarek says. "A similar sort of report comes from the security vendors, who recognize a threat and notify you when they've developed a fix, which can take a lot of time and is usually limited to whatever silo of technology they make. We need a system that works faster than that so we can make our responses faster."

Over time, "federations" might also use the data they collect through the model to do postmortems on incident response and formulate faster, more efficient ways to respond to specific types of attacks, Skwarek says

"When you think about it, the attackers already have methods for sharing information, for assessing victims' defenses and reacting quickly," Skwarek observes. "What we need is a way for the good guys to share their information just as quickly. This [Federated Model] might be a step in that direction."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I feel safe, but I can't understand a word he's saying."
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...