Protecting Your Campus With Shared Intelligence
DESCRIPTION
Benefits of deploying CIF within SUNY and bringing the campuses together to share information security intelligence.
TRANSCRIPT
Protecting Your Campus With Shared Intelligence
Jeff Murphy, University at Buffalo
Information Security, [email protected]
The Never Ending Story
Every day, people on our campuses:
• click on phishing URLs
• open attachments that connect to botnets
• are scanned for vulnerabilities
Can we deal with this on our own?
• Sure. (and most of us do)
• We purchase reputation services from companies like HP, Sophos, etc.
• We join communities like REN-ISAC
• But much of this data is already available on the Internet (for free!)
• ... and in our logs (if we put in a little effort to pull it out!)
Can we do this together?
• Yes!
• SUNY has 64 campuses, each sees threats every day.
• Since each appears distinct to an outsider, we see attacks at different times.
• If we can collect and share this information using automation, campuses that see attacks early can help mitigate attacks on campuses that see the same attack later.
How do we do this?
• Start with public spammer/botnet/malware data
• Feed it into a system called CIF which will normalize it
• Add our own data to CIF
- IPs scanning our networks
- URLs phishing us
- spambots dumping spam into our systems
• Extract high value data as snort rules, firewall rules, simple lists that can be imported into your local hygiene apps
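As an added illustration of the pipeline in these slides (example code written for this transcript, not CIF's own code or data model): a small normalizer that merges a public feed, locally observed scanner addresses and phishing URLs into one record shape, de-duplicates them, then emits only the high-confidence entries as snort rules, iptables rules or a plain list. Every feed line, address and confidence value below is constructed (documentation address ranges), and the record fields and confidence threshold are assumptions.

```python
from urllib.parse import urlparse
from ipaddress import ip_address

# Constructed sample inputs (documentation ranges, not real indicators), one per
# source type named in the slides: a public "ip,assessment,confidence" feed, hosts
# seen scanning our own network, and URLs that phished our users.
PUBLIC_FEED = ["198.51.100.7,botnet,85", "203.0.113.9,spam,40", "198.51.100.7,botnet,85"]
LOCAL_SCANS = ["192.0.2.44"]
PHISH_URLS = ["http://login.example.test/verify"]

def normalize(indicator, assessment, confidence, source):
    """Return one record in a single shape regardless of the feed's layout."""
    try:
        ip_address(indicator)
        itype = "ip"
    except ValueError:
        if not urlparse(indicator).scheme:
            raise ValueError(f"unrecognised indicator: {indicator}")
        itype = "url"
    return {"indicator": indicator, "type": itype, "assessment": assessment,
            "confidence": int(confidence), "source": source}

def load_all():
    """Merge every source into one de-duplicated list, keeping the highest confidence."""
    rows = [normalize(*line.split(","), source="public") for line in PUBLIC_FEED]
    rows += [normalize(ip, "scanner", 75, "local-ids") for ip in LOCAL_SCANS]
    rows += [normalize(u, "phishing", 90, "local-mail") for u in PHISH_URLS]
    records = {}
    for rec in rows:
        key = rec["indicator"]
        if key not in records or rec["confidence"] > records[key]["confidence"]:
            records[key] = rec
    return list(records.values())

def export(records, fmt, min_confidence=65, base_sid=1000001):
    """Emit records at or above min_confidence as snort, iptables or a plain list.
    Snort and iptables only take IP indicators; URLs go out via the plain list."""
    out = []
    for i, r in enumerate(sorted(records, key=lambda r: r["indicator"])):
        if r["confidence"] < min_confidence:
            continue
        if fmt == "snort" and r["type"] == "ip":
            out.append(f'alert ip any any -> {r["indicator"]} any '
                       f'(msg:"CIF {r["assessment"]} {r["indicator"]}"; sid:{base_sid + i}; rev:1;)')
        elif fmt == "iptables" and r["type"] == "ip":
            out.append(f'-A INPUT -s {r["indicator"]} -j DROP')
        elif fmt == "list":
            out.append(r["indicator"])
    return out
```

Lowering min_confidence pulls the low-scored spam entry back in, which is the trade-off the "high value data" step is about: the threshold decides what reaches a firewall versus what stays as context for analysts.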
What is CIF?
• Developed by Wes Young at REN-ISAC
• Scrapes the Internet for interesting datasets
• Normalizes them into a format that can be queried
• Provides output in a variety of formats
• Actively used by many gov/private/public entities to share intelligence
CIF Overview
Example Output (Default)
Example Output (Snort)
Example Output (Phishing URLs)
SUNY CIF?
• Runs in SUNY Cloud
• Accepts contributions from SUNY campuses
• Available to any campus
CIF By This Guy…