Avoiding Information Overload: Automated Data Processing with n6 presented at FIRST 2014

by Pawel Pawlinski

Summary: Pawel Pawlinski is a specialist in the Security Projects Team at CERT Polska; his main interests in the domain of network security include intrusion detection systems, anomaly detection algorithms, honeypots and data visualization. He is responsible for the design of the n6 platform for sharing security-related data and of a hybrid system for detecting client-side attacks - Honeyspider Network 2.
Automated data feeds, internal detection systems and external knowledge repositories are invaluable sources of information for any team responsible for incident response, or for IT security in general. Nevertheless, faced with a huge amount of heterogeneous data, how can we make the best use of it? Effective information sharing - an often-discussed and undoubtedly important topic - is just one aspect of this problem. Other challenges include appropriate summarization of information to create situational awareness, and supporting both operational work and long-term analyses by establishing a comprehensive data repository.
We will present our approach to these issues from a national CERT perspective and our experience in developing the n6 (Network Security Incident eXchange) platform. n6 aims to integrate feeds coming from both internal systems and external parties, to systematize data processing and to facilitate sharing of information with other entities. We will discuss the design principles of the platform, its evolution over the years and recent use cases.