Towards Efficient Collaboration in Cyber Security

Peter Hui, Joe Bruce, Glenn Fink, Michelle Gregory, Daniel Best, Liam McGrath
Pacific Northwest National Laboratory
{peter.hui, joseph.bruce, glenn.fink, michelle.gregory, daniel.best, liam.mcgrath}@pnl.gov

Alex Endert
Virginia Polytechnic Institute and State University
aendert@cs.vt.edu

ABSTRACT

Cyber security analysts in different geographical and organizational domains are often largely tasked with similar duties, albeit with domain-specific variations. These analysts necessarily perform much of the same work independently, for instance analyzing the same list of security bulletins released by largely the same set of software vendors. As such, communication and collaboration between such analysts would be mutually beneficial to the analysts involved, potentially reducing redundancy and offering the opportunity to preemptively alert each other to high-severity security alerts in a more timely fashion. However, several barriers to practical and efficient collaboration exist, and consequently, no such framework exists to support these efforts. In this paper, we discuss the inherent difficulties which make efficient collaboration between cyber security analysts a difficult goal to achieve. We discuss preliminary ideas and concepts towards a collaborative cyber-security framework currently under development, whose goal is to facilitate analyst collaboration across these boundaries. While still in its early stages, we describe work-in-progress towards achieving this goal, including motivation, functionality, concepts, and a high-level description of the proposed system architecture.

KEYWORDS: Cyber-security systems, collaborative software frameworks, collaborative security frameworks, computer security

1. INTRODUCTION

Although distributed geographically and often across different organizations, cyber-security analysts often face a similar set of tasks and, in many cases, analyze much of the same data.
To this end, with some qualifications, it would be beneficial for cyber-security analysts to be able to share such information amongst each other. For example, suppose several software companies release bulletins documenting security vulnerabilities in each of their respective products, with some more severe than others. Cyber-security analysts across many different organizations, each charged with the similar tasks of defending their respective network infrastructures, will typically analyze a large common subset of these reports, prioritizing the more severe reports for action over those that are less pressing. Our studies [3][4][5] suggest that analysts across many different organizations scrutinize large numbers of similar reports on a daily basis, resulting in a significant amount of redundant analysis. A framework to support the communication of high-priority warnings amongst peer analysts would help to reduce the amount of redundant work, but currently no such collaborative framework exists. A second benefit is that the ability to communicate such high-priority security bulletins between peers efficiently has the potential to bring such warnings to analysts’ attention in a more timely fashion than would otherwise be possible, potentially offering a higher probability of preempting future attacks, an effect from which all collaborating analysts would benefit collectively.

However, the design of such a meaningful and effective collaborative framework is not without its challenges. For one, the types of data in which analysts are interested will almost certainly vary in some regard between peers; an analyst charged with defending a network of Linux systems would almost certainly be interested in a different subset of data than that of an analyst defending a Windows network. On the other hand, peers of Linux administrators might expect to be interested in a largely common subset. Security is an inherent issue as well.
Although peer analysts are collaborating in this sense, with the introduction of cross-domain data sharing, a collaborative