Thursday, August 21, 2008

Request for flows

Problem Statement/Overview of Initiative:

- information has value, though that value is subjective to the possessor and to how widely instances of the data are dispersed (and thereby diluted)
- data at rest and data in motion have differing utilities/values
- shared infrastructures are often abstracted away or ignored when in fact their intrinsic and aggregate value is a multiple of that of any individual member system or atomic piece of data
- organisations do not share security or incident data because of perceived reputational risk
- security posture and security spend are predicated upon the real/perceived value of the presence/absence of data/information, not upon the complete systems/networks, fabrics or reachability through which that data is accessed
- to generate even an interim or arbitrary currency of data value, the context of data both at rest and in motion must be known
- fabrics provide connectivity, utility and value-added services to endpoint/virtual nodes
- foundational values and attributes must be quantified for shared infrastructures/fabrics as a prerequisite to valuing endpoint systems and subsequently data -> otherwise all value propositions are independent, incorrect and divorced from their actual interdependency and 'real' cost
- once value can be assigned to classifications of infrastructure nodes based primarily upon their importance/utility, subsequent paths/flows and interdependencies may be weighted and valued (for example, similar to the link-cost or distance metrics used by routing algorithms)

- *no large flow datasets are available to the security/network community (in the way that firewall logs are contributed to dshield.org, etc.), with the exception of the Arbor ATLAS project, from which primarily only Arbor benefits directly for this type of research.

Proposition:

To generate metrics for different classifications of nodes based upon a simple taxonomy of flows and weighted relationships to infrastructure services (also utilising reachability/relationships with numbers of endpoints over time). Reachable endpoints/IPs may be virtual or physical interfaces, and may also be subsets of greater nodes such as clusters, load balancers or virtual endpoints (EHV).

Sample datasets of NetFlow/IPFIX data are required from a range of organisations over as long a time period as possible. Anonymisation will be applied to protect the innocent.

The author hopes to research the contextual relationships between nodes in an organisation and to weight and attribute value to flows, in the hope of arriving at something akin to the ramble @ http://bsdosx.blogspot.com/2006/06/byo-rfc.html , also perhaps using a derivative of 'Metcalfe's law' based upon reachable/live endpoints to generate a 'total' value of the fabric and services to the business or organisation.
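As an added example (not the author's code, and not part of the original post), the sketch below shows one concrete reading of the proposition and the research aim above: a handful of constructed NetFlow-style records are reduced to a peer graph, each node is classified by the highest-weighted infrastructure service it was seen serving, node value is taken as service weight times distinct reachable endpoints, and a Metcalfe-style figure is derived from the number of live endpoints. It also shows the keyed-pseudonym anonymisation a contributor could apply before handing over flow data. The record layout, the port taxonomy, the weights and all addresses are assumptions made for illustration.

```python
"""Added example: weighting flow-derived node relationships and estimating a
fabric value from constructed NetFlow-style records. Not the blog author's
code; the taxonomy, weights and record layout are assumptions."""
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample records (src, dst, dst_port, proto, bytes, day). Not real
# traffic; 192.0.2.0/24 is RFC 5737 documentation space standing in for "the Internet".
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.0.53", 53, "udp", 120, 1),
    ("10.0.1.11", "10.0.0.53", 53, "udp", 98, 1),
    ("10.0.1.12", "10.0.0.53", 53, "udp", 105, 2),
    ("10.0.1.10", "10.0.0.10", 389, "tcp", 4096, 1),
    ("10.0.1.11", "10.0.0.10", 88, "tcp", 2048, 2),
    ("10.0.1.10", "192.0.2.10", 443, "tcp", 51200, 1),
    ("10.0.1.12", "192.0.2.10", 80, "tcp", 8000, 2),
    ("10.0.0.10", "10.0.0.53", 53, "udp", 90, 1),
]

# Assumed taxonomy: destination port -> (service class, base weight). Shared
# infrastructure services (name resolution, directory/auth) are weighted above
# ordinary application traffic; anything else is an "endpoint" with weight 1.
TAXONOMY = {
    53: ("dns", 5.0),
    88: ("directory", 4.0),
    389: ("directory", 4.0),
    80: ("web", 1.0),
    443: ("web", 1.0),
}
DEFAULT_CLASS = ("endpoint", 1.0)


def anonymise(flows, key):
    """Replace every address with a keyed pseudonym (truncated HMAC-SHA256).
    Deterministic under one key, so the peer graph survives intact, but prefix
    structure does not: same-subnet hosts are no longer recognisable as such
    (prefix-preserving schemes such as Crypto-PAn exist for that need)."""
    def token(ip):
        ipaddress.ip_address(ip)  # reject malformed input before it enters the dataset
        return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]
    return [(token(s), token(d), *rest) for s, d, *rest in flows]


def classify(flows):
    """Map each node to the highest-weighted service class it was seen serving."""
    served = defaultdict(lambda: DEFAULT_CLASS)
    for _src, dst, dport, *_ in flows:
        cls = TAXONOMY.get(dport, DEFAULT_CLASS)
        if cls[1] > served[dst][1]:
            served[dst] = cls
    return served


def fabric_value(flows):
    """Node value = service weight x distinct reachable peers; fabric value is the
    sum, alongside a Metcalfe-style count of possible versus observed links."""
    peers = defaultdict(set)
    links = set()
    for src, dst, *_ in flows:
        peers[src].add(dst)
        peers[dst].add(src)
        links.add(frozenset((src, dst)))
    served = classify(flows)
    node_value = {n: served[n][1] * len(p) for n, p in peers.items()}
    n = len(peers)
    possible = n * (n - 1) // 2  # every live endpoint pair, the Metcalfe ceiling
    return {
        "live_endpoints": n,
        "possible_links": possible,
        "observed_links": len(links),
        "link_density": len(links) / possible if possible else 0.0,
        "node_value": node_value,
        "fabric_value": sum(node_value.values()),
    }


if __name__ == "__main__":
    report = fabric_value(SAMPLE_FLOWS)
    classes = classify(SAMPLE_FLOWS)
    for node, value in sorted(report["node_value"].items(), key=lambda kv: -kv[1]):
        print(f"{node:<14} {classes[node][0]:<10} {value:>5.1f}")
    print("fabric value:", report["fabric_value"],
          "link density:", round(report["link_density"], 2))
```

On the constructed sample the DNS server ends up most valuable (it is reached by every other internal node), the directory server next, and ordinary clients last, which is the ordering the problem statement argues for. Running the same metric over the anonymised copy gives identical totals, which is the property a contributor wants to check before releasing a dataset: the pseudonyms hide who talked, not the shape of who talked to whom.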
