my recent set of talks has evolved from "what the technology looks like" into "what did your journey look like?" along with "how much did it cost?"
so i decided to conjure up a public history about where SES came from, how CIF evolved out of it, and the massive amounts of duct-tape it took along the way.
many people and groups are responsible for the success of this adventure. this written history is meant to describe our story as a way to thank all those in the higher education security community that helped to build what we have today.
in no small part, the people involved with higher-ed security operations, both in terms of the UNISOG community as well as its evolution into the REN-ISAC community, have invested a great deal in making this successful. nowhere else could this sort of work have been done.
- UNISOG for setting the stage, showing how information sharing should happen, well before "it was cool"
- CSI2, the Department of Justice, the REN-ISAC, Indiana University for their stewardship of our initial work and their guidance in bootstrapping this work
- the REN-ISAC community for funding the initial SESv2 work
- the REN-ISAC community and the National Science Foundation for bootstrapping and funding the SESv3 work
the history of the Security Event System, and the Collective Intelligence Framework.
- unisog botnet tracker developed as a way to share botnet threat intelligence
- initial snort rules wget script created, as well as Snort::Rules CPAN module
- the RENIOR idea develops in parallel
- REN-ISAC implements information sharing for operational protection and response using CSV files and wget
- REN-ISAC and UNISOG communities merge into the REN in an effort to consolidate resources and activities
- wes, CSI2 crew, beer, … ‘how hard can it be?’
- federated event management was a hard problem
- big-data was still a hard problem
- common standards for sharing were (and still are) a hard (impossible?) problem
- finding resources to work on the problem proved difficult
- would members even share data in an automated fashion? (legal, etc)
- most open-source tools were immature or non-existent
- most commercial tools were extremely expensive
- wes joins CSI2 working group
- RI in partnership with CSI2 writes a grant proposal to the DoJ soliciting $120k to fund "the Security Event System" for the automated exchange of event data
- initial grant awarded
- wes (barely3am) is contracted via the grant to develop SES v1
- SESv1 beta deployed in the RI community
- SESv1 production is deployed in the RI community
- initial "collective intelligence framework" is prototyped as a way to bring other intelligence sources into SES
- newly instated membership fee structure funds wes full time post-grant to continue SESv2 development
- SESv2 beta1 is deployed to subsection of RI community
- SESv3 grant proposed to NSF
- SESv3 grant awarded to RI for the development of SESv3
- SESv3 grant work commences in parallel to existing SESv2 (CIF v0/v1) work
- SESv2 (CIFv0) deployed to RI community
- SESv2/SESv3 road-show begins
- SESv2.1 (CIFv1) deployed to the REN-ISAC community
the REN-ISAC community has contributed substantially to the inception, success and sustainability of this project. the character of that support has permitted the project to grow beyond the borders of our community and past political and cultural boundaries - something that other efforts at automated information sharing have failed to accomplish.
SESv1: CSI2, the REN-ISAC community
- Department of Justice Grant, $120,000 over one year
- indirects of ~$27,000 in "facilities and administration" overhead
- CSI2/the REN-ISAC brokered the grant, provided guidance
- REN-ISAC community piloted and productionized the project
SESv2: the REN-ISAC community
- Derived from REN-ISAC community membership fees
- ~$200,000 (wes’s two-year salary, including benefits)
- the REN-ISAC community piloted and productionized the project
SESv3: the REN-ISAC community
- National Science Foundation Grant $800,000 over three years
- indirects of ~$250,000 in "facilities and administration" overhead