Industry Perspectives

CARIS2: Better Incident Response at Scale

Jun 17, 2019 | by Kathleen Moriarty, Dell |

The Coordinating Attack Response at Internet Scale 2 (CARIS2) workshop met on February 28th and March 1st, 2019 in Cambridge, MA, USA for a productive and collaborative session. The overall theme for CARIS is to better scale incident response, which also includes research leading to attack prevention in protocols and systems. This workshop focused on changes to infrastructure and monitoring as on-the-wire or transport encryption becomes stronger (e.g. TLSv1.3 and QUIC) and ubiquitous. Security controls and incident detection techniques will inevitably shift to the endpoint, requiring innovation to better secure networks and develop new detection capabilities. There are numerous research areas to explore related to this shift and CARIS2 worked to prioritize viable concepts that emerged from collaborative brainstorming breakouts. You can learn more by reading the full report (in development).

CARIS2 drew a diverse set of participants, which aided in the productive collaboration. The workshop had four main breakout sessions with specific objectives and guidance enabling brainstorming in non-competitive areas to ensure open collaboration progressing workshop themes. The generated research ideas also facilitate a work stream to advance ideas, possibly through the IETF, or if research through the IRTF.

The presentations from selected papers served as an introduction to either a model to emulate for scaling, or balancing defense and monitoring capabilities considering privacy in an encrypted world.

In the first case, there are strong examples such as the Manufacturer Usage Description (MUD) protocol where a manufacturer (vendor or even distributor) establishes the expected use profile for a device. The MUD profile can be updated by the manufacturer when new firmware or software is released, or in the event of a vulnerability announcement. Shifting the responsibility of generating the filters that can go beyond the access control level of ports and protocols to the manufacturer, the security management scales in that a small number of analysts can set the policy for devices widely deployed in numerous environments. The protocol for automatic security configuration (PASC) and the protocol for Automatic Vulnerability Assessment (PAVA) work automating IoT security, by Oscar Garcia-Morchon and Thorsten Dahm, builds upon MUD and also holds promise for scaling security management.

The paper on IPv6 aggregation served as an excellent introduction to a brainstorming session determining methods to conduct monitoring while considering privacy. The IPv6 aggregation work was developed by two researchers, Dave Plonka and Arthur Berger who perform measurement research with access to substantial amounts of data at Akamai. With an interest to use IPv6 data at the endpoint, but protect user privacy in the middle of the network, this idea works to balance measurement capabilities with privacy for end users. Using this as an example to promote similar thought process for research on monitoring and measurement has the potential to overcome the "arms race" between network monitoring and privacy in technology standards. See the CARIS2 report and papers for more information on projects resulting from this breakout discussion.

Another breakout had the participants quite engaged and the topic may result in a workshop of its own. This breakout examined the effectiveness of indicator or incident exchange groups exploring opportunities to improve the efficiency and scale of response. This breakout followed a different format and kept the participants actively engaged after two long days. An artist in the room, drew a sailboat on the whiteboard with wind at its sails, an anchor, and an iceberg looming ahead (picture included below). Each participant had sticky notes to write out what they felt was supporting incident responders (wind at their sails), holding them back (anchor), and what trouble lies ahead (iceberg). The resulting prioritized list (highlights further below) provides rich research opportunities to advance incident response in terms of efficiency and scale.

KMoriarty CARIS2


  • Trust in incident response teams
  • Need to protect network as a forcing function
  • Current efforts supported by profit
  • FEAR - initially a burst of wind, but eventually leads to complacency


  • Too many standards
  • Regional border impact data flows
  • Lack of Resources/Participation
  • Monoculture


  • Dynamic threat landscape
  • Liability
  • Bifurcation of Internet
  • Lack of skilled analysts
  • Sensitivity of Intelligence/trust

The results are summarized in the report and will be useful for research to improve the problem space. I'm encouraged by the output and work efforts culminating from CARIS2 and look forward to resulting research work and future CARIS workshops.

# # #

Learn more about Session Encryption protocols; TLS, QUIC and Beyond; Service Provider Monitoring, and Data Center Monitoring in previous RSA blogs by Kathleen Moriarty.