The ESUKOM project aims to develop a real-time security solution for enterprise networks based on the correlation of metadata. A key challenge for ESUKOM is the steadily increasing use of consumer mobile devices (smartphones) for business purposes, which creates new threats for enterprise networks. The ESUKOM approach focuses on integrating available and widely deployed security measures, both commercial and open source, on the basis of the Trusted Computing Group’s IF-MAP specification. The idea is to operate on a common data pool that represents the current state of an enterprise network. Security measures that are already deployed will be integrated and will be able to share information as needed through this common data pool, which enables the ESUKOM solution to realize real-time security measures. All data shared through the common pool is formulated according to a well-defined data model.
Nowadays a reliably working IT infrastructure is essential for any enterprise. IT services are needed to support employees in their daily work, and they become even more important when they are also exposed to external customers. Because IT infrastructures are so crucial, they are also a worthwhile target for attack. The current threat level is evident to anybody who follows the well-known websites that report IT security news; industrial espionage in particular is a major cause for concern.
For the ESUKOM project, mobile devices such as smartphones play a key role when current threats to IT infrastructures are considered. Compromising such devices is often easier than compromising other devices in use, such as laptops or stationary personal computers. There are a number of reasons for that:
- Mobility: Ultra-portable devices are used in different environments with different security levels. Physical access to such a device makes it easier to mount a successful attack.
- Dynamic networking: Mobile devices are dynamically connected to arbitrary networks. This includes insecure networks like the Internet as well as more secure networks like a company’s LAN. Furthermore, mobile devices are able to establish ad hoc mesh networks by leveraging various communication techniques such as Bluetooth.
- No security policy for smartphones: Smartphones have become small mobile computers with substantial processing power and storage capacity. Their extensible, app-based application frameworks allow a smartphone to be adapted to its owner’s personal needs. Smartphones are widely used across companies to manage appointments and contacts and to communicate via email. However, security policies that can be enforced on them by technical measures currently do not exist in practice.
Thus, companies have to adapt their IT infrastructure in a way that allows mobile devices to be used securely for business tasks.
Scientific and technical goals
The overall goal of the ESUKOM project is the prototypical development of a security solution based on the Trusted Computing Group’s IF-MAP specification. In order to achieve this goal, the following tasks will be accomplished:
- Implementation of IF-MAP software components
A MAP server and a set of MAP clients will be developed. We aim to extend common open source tools like Nagios, iptables or Snort with support for IF-MAP. Furthermore, NCP and macmon, as members of the consortium, will extend their VPN and NAC solutions respectively with IF-MAP features.
- Development of an advanced metadata model
The IF-MAP specification currently defines a metadata model that specifically targets use cases in the area of network security. This metadata model will be extended and refined within the ESUKOM project. We aim to add new types of metadata as well as to address shortcomings of the current metadata model.
- Development of correlation algorithms
The analysis and correlation of the metadata graphs managed by a MAP server is a challenging task. The available specifications give only rough indications of how a user might benefit from such a common data pool. We aim to develop algorithms and approaches that ease the analysis of large metadata graphs.
- Integration of deployed security tools
Another important goal is the conceptual integration of security tools. It must be clarified which sort of information should be shared across which existing tools.
Thus, the intended ESUKOM solution consists of four logical components:
- A MAP server,
- an advanced metadata model,
- a set of correlation algorithms and
- a set of MAP clients.
Thus, ESUKOM aims to form the basis for the future adoption of IF-MAP.