In collaboration with the Northeast Big Data Hub, this BD Spoke Planning workshop was organized by the PI and co-PIs of the NSF Spokes Planning Grant on Cross-organization Big Data Cyber Attack Awareness. The goal of the workshop was to identify obstacles and opportunities for multiple institutions to share cyber attack-related information for enhanced detection, prevention, and response to cyber attacks. Because such information often contains sensitive data, solutions for sharing it often require approval from key stakeholders, including network security analysts, Chief Information Security Officers (CISOs), Risk Management Officers, General Counsel Offices, etc. Therefore, this workshop invited representatives of these key stakeholders from four institutions (i.e., Penn State, Rutgers, Dartmouth College, and Columbia University) to discuss opportunities, obstacles, and solution ideas related to cross-organization sharing of cyber attack-related information. Participants of the workshop also included representatives from industry partners and government agencies (Army Research Lab and Army Research Office). To facilitate discussions among the stakeholders, the workshop started with a demonstration of a simple platform for sharing network security data across organizations: a log query platform that lets network security analysts from one institution post a query (written in Python) regarding cyber security data to analysts in another institution.
This initial demonstration provided a context for workshop participants to actively engage in multiple panel discussions following the demo. A panel of network analysts discussed the potential utility and use cases of the Python query platform. Some analysts confirmed the utility of such a sharing platform, while others were more interested in sharing higher-level information and context regarding ongoing cyber attacks. Another panel of a diverse group of stakeholders (including a CISO, a Risk Management Officer, an Associate General Counsel, and the Northeast Hub Director) discussed potential obstacles in establishing agreements and obtaining approval for implementing the sharing of cyber attack information. The panel pointed out that a major obstacle to sharing cyber security operational data is that it requires a deep level of trust between all participating institutions, due to the highly sensitive nature of the information to be shared. An example of such trusted institutions is the Big Ten, which has independently started an initiative to share Indicators of Compromise (IOCs). There was strong interest among the workshop participants in leveraging the trusted relationships established between Big Ten universities.
These panels motivated the workshop participants to continue lively discussions about alternative ideas and their potential for adding value to the existing tools available for cyber defense. Conceptually, the participants were excited about the potential value of "pulling" relevant information from big cyber operational data distributed among institutions. One promising idea that emerged from the discussion is the sharing of higher-level information (rather than low-level log queries) related to cyber attacks. However, there is a major gap that prevents effective sharing and processing of such information. While human knowledge regarding known cyber attack patterns exists, there is a lack of computational representations of cyber attack patterns that are flexible enough to allow the various realizations of an attack pattern to be detected effectively under uncertainty. Without such a computational representation of cyber attack patterns, effective sharing of attack pattern information is not feasible. After the workshop, members of the NSF Spokes Planning project on CROSS-organization Big data cyber Attack awaReness (CROSSBAR), through multiple discussions, decided to focus on addressing this gap so that the sharing of cyber attack patterns can be made possible.
Further details regarding the agenda of the workshop can be found below.