Wednesday, October 22, 2003

Will Companies Let U Penn Collect Monitoring Data?

Thanks to the SANS Newsbites, I just read a fascinating article by Dan Verton at Computerworld. He reports that insurer AIG will "will offer discounted insurance rates to customers that deploy security sensors being developed by the Cyber Incident Detection & Data Analysis Center." CIDDAC, which doesn't have a web site I could find, consists of AdminForce LLC, Air Products and Chemicals, the U.S. Department of Justice, the Electric Power Research Institute, General Motors Acceptance Corp., Harvey & Mortensen Attorneys at Law, Independence Blue Cross, Liberty Bell Bank, Lockheed Martin Corp., NetForensics Inc., the Pennsylvania State Attorney General's Office, Temple University, the University of Pennsylvania's Institute for Strategic Threat Analysis & Response, and the U.S. Attorney for the Eastern District of Pennsylvania. Again, from the article:
"The goal is to deploy what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible—and eventually the world—and feed incident data to a centrally managed operations facility at the University of Pennsylvania in Philadelphia... Although it has maintained a low profile to date, CIDDAC is the result of a volunteer effort by various private-sector IT companies and other firms, along with the Philadelphia InfraGard chapter.
The consortium has developed what it claims is a technical solution to the private sector's primary concern about information sharing: government access to proprietary data. 'We have a way to gather the appropriate information on cyberattacks and security incidents without digging through production data,' said Charles 'Buck' Fleming, acting executive director of CIDDAC and CEO of AdminForce LLC in Boulder, Colo.
CIDDAC is operating a prototype monitoring and operations center at facilities owned by AdminForce."
This will not work. No company is going to let AdminForce or anybody else deploy sensors in exchange for discounted insurance rates. I am flying to Dallas tomorrow on behalf of a client to evaluate the risks of outsourced managed monitoring. Having done managed monitoring in the Air Force and as a civilian, I know that clients require an extreme amount of trust in their managed monitoring vendor. I don't see security-minded organizations letting "CIDDAC" deploy sensors with the ability to see Internet-bound traffic. Does CIDDAC realize they are performing a wiretap?

The security research community's biggest problem is access to suitable data. This is caused by privacy concerns. Here's a paper on the subject. If privacy is such an issue, imagine how much bigger a problem it is to protect corporate secrets. Would a company allow a third party to watch its phone records for patterns of misuses? Of course not, unless the company trusts the vendor implicitly and creates iron-clad contracts protecting its data from disclosure and abuse.

No comments: