NEWS

ArcSight Teams With CERT


By Marcia Savage

7:24 AM EDT Mon. Jul. 28, 2003
From the July 28, 2003 issue of CRN
ArcSight this week is set to unveil plans to work with the CERT Coordination Center to improve security event information-sharing and analysis.

ArcSight, Sunnyvale, Calif., said it will install its security risk management software for free at CERT/CC and at a handful of universities to facilitate the Cyber Security Information Sharing Project (CSISP). The software will collect and aggregate data from firewalls and other security devices at the universities, and pass the information to CERT/CC for analysis.

The goal of CSISP is to create a model that shows the benefits of sharing security event information between organizations, said Rich Pethia, CERT/CC director. There has been a lot of talk about information-sharing in the IT security community but it rarely is a reality, he said.

"One of the purposes of this project is to demonstrate that there are real benefits to be accrued from sharing this kind of data so that analysis can be done to identify problems that can't necessarily be seen from a local perspective," Pethia said.

Cross-organization sharing of cybersecurity information is one of the recommendations in the National Strategy to Secure Cyberspace, said Larry Lunetta, vice president of marketing and business development at ArcSight.

Information Sharing and Analysis Centers (ISACs), which evolved from a 1998 presidential directive that encouraged industries to share information about threats and vulnerabilities in their sector, have been formed but haven't become popular, Lunetta said.

Companies don't share information about cyberattacks because they don't want bad publicity, said Brad Johnson, a vice president at System Experts, a security consulting firm in Sudbury, Mass. The downside is other companies can't learn from the attacks and protect themselves.

If CSISP succeeds, "it would be a boon to everybody," Johnson said.

Aside from serving as a model for information-sharing, other goals of CSISP are to identify issues involved in sharing security data, such as privacy, and to promote open standards in tools used in the information-sharing process, Pethia said.

For the CSISP implementation, ArcSight is adding support to its Distributed Security Architecture for Intrusion Detection Message Exchange Format (IDMEF) and Incident Object Description and Exchange Format (IODEF), draft XML-based IETF standards for exchanging security messages.

CERT/CC and ArcSight are seeking proposals from U.S. universities interested in participating in CSISP, which Pethia expects will begin in 30 to 60 days.

 