Software Engineering Institute Carnegie Mellon

Tools & Methods > Security

Helping organizations protect against, detect, and respond to attacks on networked systems

If you have any questions about these tools and methods, see CERT Coordination Center or contact SEI Customer Relations.

Automated Incident Reporting (AirCERT)
Automated Incident Reporting (AirCERT) is a scalable distributed system for sharing security-event data among administrative domains. The goal of AirCERT is to provide a capability to discern trends and patterns of intruder activity spanning multiple administrative domains. Using AirCERT, organizations can exchange security data ranging from raw alerts generated automatically by network intrusion-detection systems (and related sensor technology), to incident reports based on the assessments of human analysts. The infrastructure is designed around several formats for exchanging reports (including IODEF, IDMEF, and SNML) and provides a set of configurable data normalization tools for transforming data to the AirCERT framework. This framework automates the process of sanitization, normalization, and sharing, enabling cooperation and coordination on an otherwise impractical scale and making possible a whole new class of analyses.

CERT Knowledgebase
The CERT Knowledgebase contains structured information on vulnerabilities and malicious code. Parts of the knowledgebase are publicly available to help system and network administrators and other technology professionals protect and defend their systems from intruders. These parts include the vulnerability catalog, which provides descriptions of vulnerabilities, their impacts, and remediation information. Users can search or browse the database by vulnerability name or ID number, Common Vulnerabilities and Exposures (CVE) number, date that the vulnerability became public, date that the database was updated, or severity. Other parts of the knowledgebase are available on a restricted-access basis to critical-infrastructure operators, CSIRTs with national responsibility, malicious-code analysts, and others.

e-RA
e-RA is a technique developed for the General Services Administration's Office of Electronic Government by an SEI team. It enables organizations to analyze their own authentication risks and requirements for their Internet sites without having to call in authentication experts. It is used to elicit requirements for authentication of transaction-based systems based on the risks to those systems and to their users. The purpose of e-RA is to guide the selection of an appropriate level of authentication that will enable the system to resist threats to data, users, and organizations that could result from unauthorized system transactions. The technique can be performed using a Microsoft Access-based tool that can be downloaded at Electronic Risk and Requirements Assessment.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method is a self-directed, risk-based, strategic assessment and planning technique for security. In using OCTAVE, a small team of people from the operational (or business) units and the information technology department work together to address the security needs of an organization.

Resiliency Engineering Framework (REF)
REF is the foundation for a process improvement approach to security and business continuity. REF provides a process structure into which an organization’s best practices can be inserted, measured, and managed, and it maps to leading international practice standards such as ISO 27000 Series and COBIT. It enables organizations to optimize their security and business continuity investments and to ensure that their important assets stay productive in supporting business processes and services even in the face of disruptive events.

System for Internet-Level Knowledge (SiLK)
The System for Internet-Level Knowledge (SiLK) is a collection of traffic-analysis tools developed to facilitate security analysis of large networks. The SiLK tool suite supports the efficient collection, storage, and analysis of network flow data, enabling network security analysts to query large historical traffic data sets rapidly. SiLK is ideally suited for analyzing traffic on the backbone or border of a large, distributed enterprise or mid-sized Internet service provider.

Survivable Systems Analysis (SSA)
Survivable Systems Analysis (SSA) is a practical engineering process that permits systematic assessment of the survivability properties of proposed systems, existing systems, and modifications to existing systems. The analysis is carried out at the architecture level as a cooperative project by an SEI team working with a team of system architects, developers, and stakeholders. The method proceeds through a series of joint working sessions, culminating in a briefing on findings and recommendations.

Vendor Risk Assessment and Threat Evaluation (V-RATE)
Commercial off-the-shelf (COTS) components are being integrated into critical systems where failures can lead to severe consequences. Yet with little access to the code or its development process, the security and survivability of these components are difficult to analyze. Vendor Risk Assessment and Threat Evaluation (V-RATE) assesses vendor capabilities as a strong indicator of product quality. The process is based on taxonomies of vendor risks and of the acquiring organization's risk-management skills.