Warden, a system for sharing information about detected security incidents, was conceived to meet the needs of two accredited CSIRT teams in the CESNET2 network: CESNET-CERTS (the security team for the CESNET2 network) and CSIRT-MU (the security team for the network of Masaryk University in Brno). CESNET-CERTS was looking for further sources of information about security incidents relating to the CESNET2 network, while CSIRT-MU had such information from the detection tools run in the MU network but had no use for the part of it that did not concern the MU network.
This is where the idea of a simple system operating on a "send data" / "receive data" principle was born. Many CERT/CSIRT teams devote considerable effort to developing and operating tools for monitoring network traffic and services and for detecting anomalies, based on NetFlow, IDS, honeypots, log analysis and so on. A team uses the output of these detection systems for its own purposes and for the network it supervises, yet much of that output would also be useful to teams operating other networks. The data is not accessible to them, however, because no simple mechanism for sharing it efficiently and securely is at hand. The teams thus face an unpleasant dilemma: provide the data to the administrators (or security/CSIRT teams) of the networks concerned, discard it, or send it to large collection points such as Shadowserver, Mynetwatchman or Team Cymru. The first approach is laborious and may generate more work than the team is able to perform. The second is a waste of useful data. The third, a collection point, is a provisional solution with several drawbacks: a team must consider carefully which data it can entrust to such a point, since there is no guarantee of how the data will be treated, and needless delay and sometimes even distortion of the data may occur along the way.
This is where Warden, which enables CERT/CSIRT teams (and security teams in general) to share and exploit information about anomalies detected in network traffic and services, can be useful. Network administrators may feed in information about the threats they have uncovered and are willing to share (which need not concern their own network), and download the data they find interesting in order to process it in their own systems and use it to improve the security of the networks they are responsible for.
The project also includes the design of simple adaptation tools that let existing systems already in operation cooperate with Warden, and of mechanisms that validate the often sensitive data and secure both the data and access to it.
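As an added illustration (not the Warden project's own code, data format or API), the following Python model shows the send/receive principle described above together with the validation and access checks mentioned in the last paragraph: only registered teams may submit or fetch events, every submission is validated before it is stored, and each team receives exactly those events whose target lies in the address space it is responsible for, whoever detected them. The team names, the address ranges, the event fields and the category list are all assumptions constructed for this example.

```python
"""Hypothetical model of a "send data" / "receive data" exchange point.

Constructed illustration: the event fields, the registry of team networks and
the validation rules are assumptions for this example, not Warden's own
format or API.
"""
import ipaddress
from datetime import datetime

# Constructed registry of which team is responsible for which address space.
# The prefixes are documentation ranges (RFC 5737), not real allocations.
TEAM_NETWORKS = {
    "CESNET-CERTS": ["203.0.113.0/24"],
    "CSIRT-MU": ["198.51.100.0/24"],
}

REQUIRED_FIELDS = ("detector", "time", "source_ip", "target_ip", "category")
ALLOWED_CATEGORIES = {"scan", "bruteforce", "malware", "dos"}  # assumed taxonomy


class ValidationError(ValueError):
    """Raised for a submission that must not be stored or forwarded."""


def validate_event(event):
    """Check shape and field syntax before the event enters the shared pool."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValidationError(f"missing fields: {missing}")
    for key in ("source_ip", "target_ip"):
        try:
            ipaddress.ip_address(event[key])
        except ValueError:
            raise ValidationError(f"{key} is not an IP address: {event[key]!r}") from None
    try:
        datetime.fromisoformat(event["time"])
    except (TypeError, ValueError):
        raise ValidationError(f"time is not ISO 8601: {event['time']!r}") from None
    if event["category"] not in ALLOWED_CATEGORIES:
        raise ValidationError(f"unknown category: {event['category']!r}")
    return event


class ExchangePoint:
    """In-memory hub: registered teams push events and pull the subset that
    concerns the address space they are responsible for."""

    def __init__(self, team_networks):
        self._networks = {
            team: [ipaddress.ip_network(n) for n in nets]
            for team, nets in team_networks.items()
        }
        self._events = []  # list of (sequence number, sender, event)
        self._seq = 0

    def _authorize(self, team):
        # Only registered teams may send or receive, so the sensitive data
        # is never handed to an unknown party.
        if team not in self._networks:
            raise PermissionError(f"unknown team: {team!r}")

    def send(self, sender, event):
        """Store a validated event and return its sequence number."""
        self._authorize(sender)
        validate_event(event)
        self._seq += 1
        self._events.append((self._seq, sender, dict(event)))
        return self._seq

    def _concerns(self, team, event):
        target = ipaddress.ip_address(event["target_ip"])
        return any(target in net for net in self._networks[team])

    def receive(self, team, since=0):
        """Return events newer than `since` whose target lies in the team's
        networks, whoever detected them. A team's own submissions are skipped."""
        self._authorize(team)
        return [
            (seq, sender, event)
            for seq, sender, event in self._events
            if seq > since and sender != team and self._concerns(team, event)
        ]


def demo():
    """Constructed exchange: MU's honeypot sees one attack on a CESNET2 host and
    one on an MU host; CESNET-CERTS reports malware contacting an MU host."""
    hub = ExchangePoint(TEAM_NETWORKS)
    hub.send("CSIRT-MU", {"detector": "mu-honeypot", "time": "2024-05-01T10:00:00+00:00",
                          "source_ip": "192.0.2.10", "target_ip": "203.0.113.5",
                          "category": "bruteforce"})
    hub.send("CSIRT-MU", {"detector": "mu-honeypot", "time": "2024-05-01T10:01:00+00:00",
                          "source_ip": "192.0.2.11", "target_ip": "198.51.100.7",
                          "category": "scan"})
    hub.send("CESNET-CERTS", {"detector": "cesnet-ids", "time": "2024-05-01T10:02:00+00:00",
                              "source_ip": "192.0.2.12", "target_ip": "198.51.100.20",
                              "category": "malware"})
    return hub


if __name__ == "__main__":
    hub = demo()
    for team in TEAM_NETWORKS:
        print(team, [seq for seq, _, _ in hub.receive(team)])
```

Running the demo shows the asymmetry the introduction describes: CESNET-CERTS receives only MU's first event (the one aimed at a CESNET2 host), while the second MU event stays local to MU and CSIRT-MU receives the CESNET-CERTS report about its own host. The `since` cursor lets a receiver poll incrementally, and a malformed event or an unregistered team is rejected before anything touches the shared pool.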