CERT and ArcSight Join Forces to Battle Cyberthreats

In an era when cyberterrorism is more than just a nuisance, the need to provide effective means to thwart such attacks is critical for today's leading businesses and universities, as well as the general public. To help create technology for security information sharing and research, Carnegie Mellon University's CERT Coordination Center located at its Software Engineering Institute in Pittsburgh, PA, and enterprise security risk management software provider ArcSight, headquartered in Sunnyvale, CA, have launched the Cyber Security Information Sharing Project (CSISP). Along with three other universities yet to be named, the new group plans to conduct ongoing research to find solutions that will enable companies' to uncover and effectively fight off cyberattacks by using information gathered from throughout the security community. Each participating school will act as a data-collection end point and send attack information straight to the CERT Coordination Center (CERT/CC).

"We are pleased that ArcSight is offering its technology to help improve the state-of-art in event aggregation, security analysis, and incident management," says CERT director Rich Pethia. "The unique combination of private enterprise, public scholarship, and research embodied in CSISP is an innovative model that will contribute to the reduction in overall risk to the United States due to serious cyberthreats and attacks."

The CERT/CC was established in 1998 to provide technical advice and to coordinate responses to security risks. The organization identifies trends to intruder activity and works with other security experts such as AusCERT to develop solutions for security problems and then releases these strategies to the broad community. CERT also publishes technical documents and provides security-training courses.

If the project works, it could be used as a model for data-sharing initiatives for the government and private sectors. As cyberthreats continue to escalate, the initiative seeks to improve a current system that is slower in responding to requests for help. For instance, those businesses now reporting potential security threats to CERT must either call an 800 number or fill out a form on its Web site and then wait for answers.

The concept of developing a security information-sharing environment comes from the White House's Strategy to Secure Cyberspace, known as an Information Sharing and Analysis Center (ISAC). To help facilitate a real-world ISAC environment, ArcSight will install its security risk management software at CERT and the other universities. ArcSight's distributed security architecture will act as a local monitoring and aggregation point for relevant security data coming from devices like firewalls and intrusion detection systems.

The project will also allow for testing and enhancing emerging security data-sharing standards including the Intrusion Detection Message Exchange Format and the Intrusion Detection Message Exchange Format both of which have been submitted as standards to the Internet Engineering Task Force.

CERT will manage the CSISP program and ArcSight will work with the organization to refine the messaging mechanisms that are designed to support the ISAC function. A particular emphasis will be placed on addressing message content, confidentiality, and privacy. It is hoped that new discoveries and innovations will emerge and can then be made available to the general public in the form of conference presentations, published research, and general announcements.

"The United States needs powerful assets in the war against cyberterrorism," says ArcSight's Chairman and CEO Robert Shaw. "We are proud to be a catalyst with the CERT/CC in assembling a potent group of researchers and security practitioners to accelerate the development of the technologies required to implement Information Sharing and Analysis Centers."