Last-minute presentation:
15:00 - 15:30 Connecting the AV industry, Igor Muttik, McAfee
This year several security companies have combined their efforts to organize the Industry Connections Security Group
(ICSG). This group is hosted under the umbrella of the IEEE. The mission of the ICSG (http://standards.ieee.org/prod-serv/indconn/icsg/index.html)
is to resolve the following problem:
"It was recognized that the bad actors have been able to leverage the underground economy to gain economies
of scale as well as access to specialist tools and services, whereas the security industry was generally responding to
threats as individual entities."
We shall tell you which companies organized ICSG and which events led to its creation. We shall briefly discuss the
relationship of ICSG to other industry groups such as AMTSO, EICAR, CARO, and APWG and why we believe there should be
no conflicts.
ICSG's first project was to develop a standard for sharing security information among AV companies. For that purpose
ICSG created a dedicated team, the Malware Working Group. Its effort was initially focused on increasing the efficiency
of sample sharing, but very soon the approach was broadened to cover many other kinds of security data (such as URLs, domains,
IPv4/IPv6 addresses, ASNs, entities, and clean files). Other security vendors (even outside the traditional AV circle) have
joined this working group and actively participate in the discussions. As a result, the sharing standard has become a
truly collaborative effort, able to cover many kinds of security data, not just information about malware
samples.
We shall look in detail at the XML metadata standard proposal that the Malware Working Group finalized in June 2009.
We shall start by listing common use cases:
- Prioritizing samples in analysis queues
- Covering nonstatic, parasitic, polymorphic and server-side polymorphic malware
- Relating malware strains to malicious domains and malware-writing groups
Then we shall describe in detail the structure of the XML metadata and its elements (using screenshots).
This XML schema is already routinely produced by four companies (and two more will release their implementations soon) as
part of a pilot program that ran from June to September 2009. We shall share our experiences of how this pilot worked
and what the participants learned from producing the output and consuming the inputs.
ICSG is an open group. We hope and expect that other security companies will join us and contribute to the common good.
Only together do security companies stand the best chance of effectively protecting computer users. In the long term,
the efforts of the ICSG and XML-metadata sharing are necessary steps to ensure such protection. If you agree, come
and learn about the details of this effort. If you disagree, come and join the debate!