Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Making A Federal Case About Sharing Security Data

Department of Energy initiative offers 'Federated Model' for exchanging, diagnosing security information among trusted partners

Security professionals at the U.S. Department of Energy (DoE) have developed a new model for sharing security information that could work in any industry or supply chain.

In a joint effort with many other DoE research labs and university security teams, Argonne National Laboratory last week unveiled the Federated Model for Cybersecurity, a method of capturing and sharing information about security problems with trusted partners at near-real-time speeds.

The Federated Model operates something like a "neighborhood watch" for sharing information about potential crime, explains Michael Skwarek, deputy CIO and cybersecurity program manager at Argonne National Laboratory.

"In a neighborhood watch, if you see something suspicious, you set up a telephone tree so that everyone who lives in the neighborhood can be notified very quickly, and they can decide how they want to respond," Skwarek says. "In the Federated Model, trusted partners have the means to quickly and securely exchange information about suspicious activity they see, even if there's no actual breach or incident involved. They're not operating in silos. They're not waiting for vendors to collect data and distribute it to them. They can notify each other about the problem in a matter of minutes, and they can share information about what they've tried to do to stop it."

Although it was developed in a joint effort among DoE labs and university research centers, the Federated Model could be used by any group of organizations that agrees to form a "federation," Skwarek says. The model's developers hope it will be adopted widely among government agencies, defense organizations, and private industry groups. "There's no reason why it couldn't be used by organizations in any walk of life," he says.

The Federated Model, which has been in development for approximately five years, outlines an XML framework that enables security systems, such as intrusion detection systems, to share data in an automated, common format. The partners in the federation are given encryption keys so they can share their security intelligence only among themselves, without risking leaks to the bad guys or the media. In a crisis, members of the federation could add other trusted parties to the "phone tree" by giving them the encryption keys, Skwarek says.

"What you're really doing is creating communities," Skwarek says. "It could be a group of organizations in the same geographic region, or in the same industry. It's really just a question of how much they trust each other."

Initially, the Federated Model defines methods for sharing information about malicious entities -- not just the IP addresses of suspicious devices, but DNS domain names, URLs that may carry malware, and even email addresses of spammers and malware distributors. "Once you have that information, you can decide if you want to blacklist those entities or block a certain type of traffic," Skwarek states. "It's up to the organization to decide how to respond, though there may also be data that discusses what's been tried or what's been found to work."

Skwarek says the Federated Model might give groups of organizations a fighting chance to defend themselves against zero-day exploits and targeted attacks that occur without warning against a group of organizations, such as last week's cyberattacks on South Korean and U.S. government Websites.

"For us in government, we sometimes get reports from intelligence agencies about new attacks, but it might be hours, days, even weeks before we get all the data," Skwarek says. "A similar sort of report comes from the security vendors, who recognize a threat and notify you when they've developed a fix, which can take a lot of time and is usually limited to whatever silo of technology they make. We need a system that works faster than that so we can make our responses faster."

Over time, "federations" might also use the data they collect through the model to do postmortems on incident response and formulate faster, more efficient ways to respond to specific types of attacks, Skwarek says

"When you think about it, the attackers already have methods for sharing information, for assessing victims' defenses and reacting quickly," Skwarek observes. "What we need is a way for the good guys to share their information just as quickly. This [Federated Model] might be a step in that direction."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...
PUBLISHED: 2021-06-14
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the...