Incident Response Decision Aid

From MilcordWiki



Overview

irDA is an incident response Decision Aid that guides Level I operators in the analysis, verification, notification and remediation of security incidents. In particular, irDA fuses the outputs of Security Threat Management (STM) COTS security products with other in-context digital evidence and dynamically recommends, in real time, the optimal course of action (i.e. analysis, containment, notification, eradication, recovery) to the operator.

Need

Figure: Incident Response Life Cycle
An event correlation and incident response capability is necessary for rapidly detecting damaging and disruptive incidents, minimizing disclosure, alteration, and destruction of digital assets, mitigating the vulnerabilities that were exploited, and restoring computing services. The first line of defense in this war is fought by the Level I information security operators tasked with monitoring the various security software tools.

Approach

Figure: irDA Threat Lab
Figure: Malicious Code Mitigation
irDA guides Level I operators in the analysis, verification, notification and remediation of security incidents. The irDA architecture integrates Milcord’s belief-net based course of action assessment and planning technology with the correlation engine underlying OpenService Security Threat Manager. The irDA belief nets fuse the outputs of Security Threat Manager with other in-context digital evidence and recommend the optimal course of action (i.e. investigation, verification, notification, remediation) to the operator.

Technically, the problem is one of clustering and identification of events generated by Security Threat Management (STM) platforms. For instance, a worm incident will generate a substantial number of raw events (hundreds of thousands) in an enterprise network. An STM platform will correlate these raw events but it will still generate a high number of alerts (a couple of dozen) for each incident, overloading the security operator.

irDA clusters the underlying events and their alerts that belong to the same “incident”, and recognizes the specific type of attack (e.g. DoS, inappropriate usage, unauthorized access). irDA then further classifies the subtype (e.g. reflector attack, amplifier attack, DDoS, SYN flood) of an incident (e.g. DoS attack) as evidence is accumulated. Once the incident is correctly identified, irDA provides specific mitigation advice for containment, eradication, recovery, and prevention.
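An added example (not Milcord's or OpenService's code) sketching the two steps described above: constructed STM-style alerts are clustered into incidents by shared destination and time window, and a naive-Bayes stand-in for the belief net updates a DoS-subtype belief as each alert's evidence arrives. The signatures, the likelihood table and the 300-second window are assumed values chosen for illustration.

```python
# Constructed STM-style alerts: (timestamp_s, source, destination, signature).
ALERTS = [
    (100, "10.0.0.5", "192.0.2.10", "TCP SYN flood"),
    (130, "10.0.0.6", "192.0.2.10", "TCP SYN flood"),
    (160, "10.0.0.7", "192.0.2.10", "TCP SYN flood"),
    (200, "10.0.0.8", "192.0.2.10", "Half-open connection threshold"),
    (5000, "10.0.0.9", "192.0.2.20", "DNS response to unsolicited query"),
    (5020, "10.0.0.9", "192.0.2.20", "Large UDP response"),
]

# Assumed likelihoods P(signature | subtype); a real belief net would learn them.
SUBTYPES = ("SYN flood", "reflector", "amplifier")
LIKELIHOOD = {
    "TCP SYN flood":                     (0.80, 0.10, 0.10),
    "Half-open connection threshold":    (0.70, 0.20, 0.10),
    "DNS response to unsolicited query": (0.05, 0.60, 0.35),
    "Large UDP response":                (0.05, 0.30, 0.65),
}


def cluster_alerts(alerts, window=300):
    """Group alerts that share a destination and arrive within `window`
    seconds of the cluster's most recent alert into one incident."""
    incidents = []
    for alert in sorted(alerts):
        ts, _src, dst, _sig = alert
        for inc in incidents:
            if inc["dst"] == dst and ts - inc["last"] <= window:
                inc["alerts"].append(alert)
                inc["last"] = ts
                break
        else:
            incidents.append({"dst": dst, "last": ts, "alerts": [alert]})
    return incidents


def classify_subtype(incident):
    """Start from a uniform prior over subtypes and multiply in each alert's
    likelihood (naive Bayes); the belief sharpens as evidence accumulates."""
    belief = [1.0 / len(SUBTYPES)] * len(SUBTYPES)
    for _ts, _src, _dst, sig in incident["alerts"]:
        if sig not in LIKELIHOOD:
            continue  # unknown signature contributes no evidence
        belief = [b * l for b, l in zip(belief, LIKELIHOOD[sig])]
        total = sum(belief)
        belief = [b / total for b in belief]
    best = max(range(len(SUBTYPES)), key=belief.__getitem__)
    return SUBTYPES[best], dict(zip(SUBTYPES, belief))
```

Running `cluster_alerts(ALERTS)` yields two incidents; the first classifies as a SYN flood, the second as an amplifier attack once the large UDP response is added to the earlier reflector-like evidence.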

Benefits

Given the relatively inexperienced and frequently changing Level I security operator cadre in the DoD workforce, irDA provides substantial value in improving the risk posture of DoD information assets by providing 24x7 online help to operators.

Applications

Government applications of irDA include DoD, Homeland Security, and Federal civilian agency security operations. In the commercial market, managed security service providers would be the early adopters of our technology.
