SDN-Enablement of ISP Threat Sharing

Published August 30, 2018

Guest blog from the Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world.

A widely-held belief across our security community is that high-quality cyber threat information sharing benefits teams tasked with operations, analysis, and response. Such benefit demands, of course, that the threat sharing be truly high-quality. Luckily, good commercial platforms are available today to ease the burden of setting up, operating, and running a successful threat sharing group. Few excuses thus exist for security teams who are not currently sharing data.

An additional belief commonly held in our community is that cyber exploits are becoming faster, more intelligent, and more elusive. Such attack attributes are being achieved using a dose of our own Sand Hill Road-funded technology: Automation, machine learning, and autonomy. The resulting so-called synthetic attacks are too fast and too elusive for any manual, human-coordinated response – and this is a frightening prospect for security teams.

F5 Networks, in conjunction with TAG Cyber, commissioned a recent working group during F5 Agility 2018 in Boston to examine these two considerations – threat information sharing and synthetic cyber offense – with respect to an emerging technology trend that might offer promising benefits to security teams: software-defined networking (SDN).[1]

The working group – which consisted of industry participants invited largely from the global service provider community[2] – was thus invited to spend its time discussing, debating, and focusing on the following fundamental question: Can emerging SDN-enabled service provider infrastructure provide an underlying collective platform for automated cyber threat information sharing between global carriers to reduce the risk of synthetic attack?

To address this multi-pronged question, the working group identified three narrower questions that would organize the discussions and help produce an aggregate answer:

  • SDN for Security – What are the relevant pros and cons of SDN for cyber security?
  • Improved ISP Sharing – What strategies can be followed to improve overall ISP sharing?
  • Functional Requirements – What platform features support SDN-enabled sharing?

Many additional relevant topics were raised during the working group activity, but these three focused questions seemed to work well to produce the conclusion that SDN infrastructure does, in fact, provide an excellent base on which to enable automated threat information sharing between carriers. In fact, the working group agreed on this basic principle: To stop automated, synthetic attacks, service providers will need to rely on automated defenses.

SDN for Security

The first question focused on how SDN can provide an effective base for security – versus how SDN itself might be secured (a topic considered outside the scope of this effort). To that end, participants offered their views on the following aspects of SDN that were designated as well-suited to dynamic, automated sharing of threat information across multiple service provider infrastructure deployments:

  • Controller Visibility – The SDN controller has centralized visibility over all managed devices. Such visibility enables automation of all ingest, handling, and delivery of telemetry from managed devices for sharing externally. This could be done natively by the controller using its visibility across the southbound interface, or by specially deployed sensors working with an SDN application across the northbound interface.
  • Support for Rapid Failure – Automating the sharing function will require the ability to innovate new capabilities and features; to that end, software-enabled infrastructure supports rapid introduction of features that might be successful – or that might support rapid failure (to be quickly identified and replaced). Thus, the software-orientation of SDN supports a more flexible environment for creating a new capability.
  • Potential for Self-Defending – The working group spent considerable time on the prospects for software to develop self-defending capability. This appears to be an essential component of any security defense that will have to contend with the speed and scope of automated synthetic attacks. Dynamic detection of indicators followed by self-controlled response will be a requirement for SDN support of sharing.

Improving ISP Sharing

The second question focused on how global ISPs might generally improve current sharing of threat information. Quite a bit of compare-and-contrast discussion was held regarding the relative methods used within the service provider community versus the high-profile sharing procedures and methods used in the financial services sector.[3] The working group thus identified the following suggestions for better sharing – in the context of emerging SDN:

  • Groups and Partnerships – Many of the best threat sharing initiatives in the global ISP community have tended to emerge from either ad hoc working groups or multi-lateral partnerships between carriers to solve a given problem through sharing. This suggests that SDN enablement of automated sharing will need support for creation of communities, temporary agreements, and dynamic trust groups.
  • Inclusion of Provider Co-Ops – The ISP community – like the financial services sector – includes many hundreds of small service providers and communications services vendors. These smaller Co-Ops will require functional support for automated sharing through their vendor or cloud-based, as-a-service relationships. They might be brought into automated sharing groups through various product or financial incentives.
  • Norms for Global Sharing – The sharing of threat information across any meaningful swath of diverse global carriers cannot be governed by one commonly enforced policy. Rather, any automated sharing initiative will require norms-based agreement, where most carriers voluntarily decide to include egress and ingress feeds to a common sharing ecosystem.

Functional Requirements

The third question focused on identifying functional requirements for SDN platforms and vendor solutions that would support automated threat information sharing between carriers. Agreement existed amongst the working group that vendors are motivated to serve their customers, and will respond best if user groups organize their needs into working standards. The main functional features identified for SDN-enabled sharing are as follows:

  • Threat Bus Architecture – The working group created a so-called threat bus concept, which served as an abstract functional destination for shared threat information. The threat bus would have to handle and protect information properly, and would have to respect attributes such as degrees of attribution, confidence levels, and so on. Subsequent work would be needed to specify how the bus implementation would work.
  • Standard Protocols and Interfaces – The working group decided that standards-based threat sharing protocols were essential for proper operation of any automated ecosystem. The well-known STIX and TAXII protocols were used as exemplary standards for inclusion in emerging SDN designs. While nothing in SDN should preclude such work, this has not been an explicit focus in any SDN work the group was aware of to date.
  • Use-Case Driven Support – The working group was adamant that functional designs be use-case driven. This supports a crawl-walk-run method of introducing automated sharing. One use-case discussed involved different carriers alerting each other – in an automated manner – if a detected attack appeared to originate from the infrastructure of the other carrier.
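The cross-carrier alerting use case can be sketched as a small routing step on the threat bus. This is an added example, not something produced by the working group: the carrier names, prefix table, confidence threshold, and function names are assumptions, and only the indicator field names follow the STIX 2.1 indicator object.

```python
import ipaddress
import uuid
from datetime import datetime, timezone

# Constructed prefix table (documentation ranges, hypothetical carrier names).
CARRIER_PREFIXES = {
    "carrier-a": ["192.0.2.0/24"],
    "carrier-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}
MIN_CONFIDENCE = 60  # assumed bus policy: low-confidence detections are not shared

# Constructed detections seen by carrier-a: (attack source IP, confidence 0-100).
SAMPLE = [("198.51.100.7", 85), ("198.51.100.9", 30), ("192.0.2.5", 90),
          ("203.0.113.1", 95), ("2001:db8:b::1", 70)]


def owning_carrier(ip):
    """Return the carrier whose announced prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for carrier, prefixes in CARRIER_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return carrier
    return None


def to_indicator(ip, confidence, now):
    """Build a STIX 2.1-shaped indicator; the reporting carrier is not attributed."""
    addr = ipaddress.ip_address(ip)
    kind = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
    ts = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "pattern_type": "stix",
        "pattern": f"[{kind}:value = '{addr}']",
        "confidence": confidence,
    }


def route(detections, reporter, now=None):
    """Group shareable indicators by the peer carrier that should be alerted."""
    now = now or datetime.now(timezone.utc)
    outbox = {}
    for ip, confidence in detections:
        target = owning_carrier(ip)
        # Skip unknown owners, the reporter's own space, and weak detections.
        if target is None or target == reporter or confidence < MIN_CONFIDENCE:
            continue
        outbox.setdefault(target, []).append(to_indicator(ip, confidence, now))
    return outbox
```

In a deployment along the lines the group describes, each carrier's outbox would be delivered over a standard transport such as TAXII rather than returned in memory.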

The next steps recommended by the working team were as follows: (1) To publish this article from the group discussion to assist other related efforts in their planning process; (2) To take back to each constituent organization the results of the study to foster ideas for SDN-based sharing and to influence standards activity, and (3) To engage in discussions with the vendor community to recommend more attention to this vital area.

The conclusion of this working group is easy to state: That is, it was uniformly agreed upon by members that, in fact, emerging SDN-enabled service provider infrastructure can provide an underlying collective platform for automated cyber threat information sharing between global carriers to reduce the risk of synthetic attack. Arriving at such a conclusion was an exciting prospect for the team, given the agreed intensity of automated synthetic attacks.

Prepared by TAG Cyber LLC:


[1] Readers desiring a thorough examination of software defined networking (SDN) fundamentals are directed to Software Defined Networks – A Comprehensive Approach, by Paul Goransson and Chuck Black (Morgan Kaufmann, 2014).

[2] To respect the privacy of participants and their organizations, this note only refers in aggregate to conclusions and recommendations made during the working group session, rather than the names of any experts or groups represented in the study. Participants had the opportunity to review and suggest edits to this note – but any remaining errors are the responsibility of the author.

[3] One major conclusion drawn by the working group is that the financial services sector does the most effective job of any sector at publicly marketing their threat sharing tools, methods, and FS-ISAC ecosystem.