Intrusion-detection net revived

FedCIRC

The General Services Administration and Carnegie Mellon University this fall will start testing a new technology to analyze and report on patterns in the cyber intrusion information gathered across government, an idea that was first floated and eventually sunk two years ago.

The data analysis capability (DAC) being developed by the CERT Coordination Center for GSA's Federal Computer Incident Response Center will analyze data already being collected by intrusion- detection systems at many agencies, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at GSA.

Those systems typically report on unusual or unauthorized network activity that might indicate that someone is attempting to attack or break into agency systems. The DAC will gather data from the sensors or from agencies' own analyses at a central point within FedCIRC for identification of potential vulnerabilities and attacks.

That analysis will then be shared with participating agencies, along with steps to protect against, react to or recover from any incidents, McDonald said. FedCIRC is the overarching source for security incident warnings and analysis for all civilian agencies.

The idea of a governmentwide system for analyzing intrusion-detection data first emerged in 1999 as part of the Clinton administration's National Plan for Information Systems Protection.

Privacy concerns raised by advocacy groups and Congress after erroneous reports that the analysis would be performed on private-sector networks as well as government networks forced GSA and the administration to withdraw the proposed Federal Intrusion Detection Network in 2000.

Even as more agencies turn to vendors for intrusion data analysis within their own networks, this type of centralized analysis capability is a necessary tool for raising the entire government's information security posture, said Amit Yoran, a former director of the Defense Department CERT's Vulnerability Assessment and Assistance Program.

And it is technically feasible to analyze the vast amount of information that the DAC will have to handle from all of the civilian agencies, said Yoran, co-founder of Riptech, a managed security services company. Riptech handles approximately 2 terabytes of incident information every day from all of its government and industry clients, he said.

As an incentive for agencies, GSA will allow participants in the pilot project to use the technology to analyze their own incident information in real time, McDonald said. That analysis will then be sent to FedCIRC to map the governmentwide incident and vulnerability status.

If the pilot project is successful, the DAC is expected to reach full operating ability in fiscal 2003, she said.