Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Making A Federal Case About Sharing Security Data

Department of Energy initiative offers 'Federated Model' for exchanging, diagnosing security information among trusted partners

Security professionals at the U.S. Department of Energy (DoE) have developed a new model for sharing security information that could work in any industry or supply chain.

In a joint effort with many other DoE research labs and university security teams, Argonne National Laboratory last week unveiled the Federated Model for Cybersecurity, a method of capturing and sharing information about security problems with trusted partners at near-real-time speeds.

The Federated Model operates something like a "neighborhood watch" for sharing information about potential crime, explains Michael Skwarek, deputy CIO and cybersecurity program manager at Argonne National Laboratory.

"In a neighborhood watch, if you see something suspicious, you set up a telephone tree so that everyone who lives in the neighborhood can be notified very quickly, and they can decide how they want to respond," Skwarek says. "In the Federated Model, trusted partners have the means to quickly and securely exchange information about suspicious activity they see, even if there's no actual breach or incident involved. They're not operating in silos. They're not waiting for vendors to collect data and distribute it to them. They can notify each other about the problem in a matter of minutes, and they can share information about what they've tried to do to stop it."

Although it was developed in a joint effort among DoE labs and university research centers, the Federated Model could be used by any group of organizations that agrees to form a "federation," Skwarek says. The model's developers hope it will be adopted widely among government agencies, defense organizations, and private industry groups. "There's no reason why it couldn't be used by organizations in any walk of life," he says.

The Federated Model, which has been in development for approximately five years, outlines an XML framework that enables security systems, such as intrusion detection systems, to share data in an automated, common format. The partners in the federation are given encryption keys so they can share their security intelligence only among themselves, without risking leaks to the bad guys or the media. In a crisis, members of the federation could add other trusted parties to the "phone tree" by giving them the encryption keys, Skwarek says.

"What you're really doing is creating communities," Skwarek says. "It could be a group of organizations in the same geographic region, or in the same industry. It's really just a question of how much they trust each other."

Initially, the Federated Model defines methods for sharing information about malicious entities -- not just the IP addresses of suspicious devices, but DNS domain names, URLs that may carry malware, and even email addresses of spammers and malware distributors. "Once you have that information, you can decide if you want to blacklist those entities or block a certain type of traffic," Skwarek states. "It's up to the organization to decide how to respond, though there may also be data that discusses what's been tried or what's been found to work."

Skwarek says the Federated Model might give groups of organizations a fighting chance to defend themselves against zero-day exploits and targeted attacks that occur without warning against a group of organizations, such as last week's cyberattacks on South Korean and U.S. government Websites.

"For us in government, we sometimes get reports from intelligence agencies about new attacks, but it might be hours, days, even weeks before we get all the data," Skwarek says. "A similar sort of report comes from the security vendors, who recognize a threat and notify you when they've developed a fix, which can take a lot of time and is usually limited to whatever silo of technology they make. We need a system that works faster than that so we can make our responses faster."

Over time, "federations" might also use the data they collect through the model to do postmortems on incident response and formulate faster, more efficient ways to respond to specific types of attacks, Skwarek says

"When you think about it, the attackers already have methods for sharing information, for assessing victims' defenses and reacting quickly," Skwarek observes. "What we need is a way for the good guys to share their information just as quickly. This [Federated Model] might be a step in that direction."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3595
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or in...
CVE-2021-3592
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 byt...
CVE-2021-3593
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or in...
CVE-2021-3594
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or ind...
CVE-2021-33622
PUBLISHED: 2021-06-15
Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value.