Difference between revisions of "EGI CSIRT:SMG"
Revision as of 14:04, 21 October 2010
Security Monitoring Group
Long-term Objectives
Security monitoring is a key component of security. The EGI CSIRT works to provide the EGI, NGI and site security staff with tools and procedures to detect and contain security incidents, as well as weaknesses that could lead to a compromise. In doing so, the EGI CSIRT collaborates closely with the sites and NGIs; however, it does not provide a replacement for site- and NGI-level monitoring. Even though the results developed are primarily meant for EGI, they are designed and developed so that they can be utilized on the site and/or NGI level as well.
The EGI CSIRT strives to collect various information from the infrastructure, either using its own probes and sensors or by combining results generated by other systems (e.g., accounting) on different levels of the infrastructure. The data collected will be evaluated based on current needs and risks, and alarms raised accordingly. The security monitoring system will provide both a high-level overview, to get a quick notion of the state of the infrastructure, and a sufficient level of detail to sort out the security issues detected. The system will archive and evaluate history in order to follow and forecast trends in security.
Security monitoring will also provide mechanisms and tools to assist in incident containment, for example to gather important log records. Information about users' activities will be used to identify the last actions performed by a user, e.g. to estimate which sites may have been affected. A way of (semi)automated processing of alerts and warnings issued by the EGI security groups will be investigated and possibly developed.
In order to accomplish these objectives, the EGI CSIRT will develop its own tools, mainly for grid-specific areas, and use existing tools where possible and advise on their usage. Developed probes are not intrusive, do not attempt to circumvent any security mechanisms and are not resource intensive. Results collected by these probes are only available to the EGI CSIRT members and are communicated to the appropriate site security contacts. We will also provide recommendations and advisories to the sites and NGIs as to how to combine existing technologies to provide efficient local security monitoring. When applicable, collaboration will be established with similar groups of NREN CSIRTs. The tools should be seamlessly integrated with the common operational mechanisms used routinely by security and operations staff.
Vision for year 1
- Help sites achieve a common baseline
  - Define (and document) mechanisms and best practices to gather logs and other data in order to ease the resolution of incidents and suspicious activities. Common repositories (e.g. a central syslog) and tools for their management are inherently involved in this task.
- Provide for (semi)automatic handling of alerts
  - The CSIRT provides a machine-readable format of "interesting" characteristics (IP, user name, subject name, ...). Site-level tools are able to fetch these alerts and evaluate them, e.g. using data from the central syslog. On-demand and/or on-the-fly processing is possible.
- Further development of Pakiti and Nagios (some topics mentioned below)
- Providing components as a service
  - We provide basic support for independent installation of the tools, but will also explore the possibility of providing the functionality from our services (outsourcing)
  - (Simple) procedures describing the handling of sensitive data (passing among services, access rights)
- A single point aggregating the information available and providing basic access to it: a dashboard
Tasks
The lists of actions for each task are not definitive and will be discussed further. Some tasks are well understood and there exists a vision about their focus. Other tasks will require more discussion about the actual content and the particular goals that are feasible.
Monitoring of security patches using Pakiti
- finer access control, e.g., based on information from GOC DB
- Generating statistics and reports
- Tagging of and notifications (alarms) about severe vulnerabilities
- Producing OVAL format for EGI advisories (e.g. SVG ones) and their processing
- Support NGIs in setting up local instances of Pakiti
- Performance improvements if needed/asked
- Integration with existing monitoring frameworks (Nagios)
- Pakiti server verification
- Integration with dashboards, UI improvements
- Operation of the EGI Pakiti server at CESNET
- Simplification of the installation procedure
Security monitoring with Nagios
- Development of new probes (based on risk analysis and experience with previous incidents)
- Support for short-lived "dynamic" probes (if needed): a procedure and template for the quick introduction of new "volatile" probes testing some very particular characteristic that needs a fast reaction
- Guides and docs for NGIs/sites
- Support NGIs in setting up local instances of the CSIRT Nagios
- Operation of the CSIRT Nagios instance at GRNET
- Handling of results (raising alarms, sending notifications, access control to results, ...)
- Evaluation of possible integration of security probes with standard Nagios (securing results, ...)
- Integration with dashboards
- Evaluation of results from multiple different sources
- Aggregating security alerts in a single place
Tracing users
- Tools to collect information about users from multiple sources (L&B, accounting, logs)
- Evaluation of this data to trace users' last steps on demand
- Evaluating log records produced by grid middleware (including checking that components logs appropriate information)
Site level tools
- Recommendations for setting up a central syslog server
- Specification of filters for the syslog
- (semi)automatic processing of EGI security advisories (checking logs for IP addresses, DNs, ...)
- Best practices for log maintenance
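The alert handling sketched under "Provide for (semi)automatic handling of alerts" in the year-1 vision, and the "(semi)automatic processing of EGI security advisories" item in the site-level tools list above, amount to one concrete procedure: take the machine-readable list of "interesting" characteristics (IPs, user names, subject names) published by the CSIRT and run it over the records held in a site's central syslog. The following is an added example of that matching step, not code from the SMG, EGI or any of the tools named on this page. The page specifies no alert format, so the JSON layout and field names (`id`, `ips`, `users`, `dns`), the alert identifier and all syslog lines below are constructed assumptions; the hosts, users and addresses are fictional (documentation ranges).

```python
"""Match a machine-readable CSIRT alert against central syslog records.

Added example (not SMG/EGI code). The alert layout is an assumed JSON
document; the syslog lines are constructed samples in BSD syslog style.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed alert in an assumed JSON layout. The identifier and all
# values are hypothetical; "ips" may hold single addresses or CIDR ranges.
ALERT_JSON = """
{
  "id": "EXAMPLE-ALERT-1",
  "ips": ["192.0.2.10", "198.51.100.0/24"],
  "users": ["mallory"],
  "dns": ["/DC=org/DC=example/CN=Mallory Example"]
}
"""

# Constructed log lines as a central syslog server might hold them.
SAMPLE_LOGS = """\
Oct 21 14:01:02 ce01 sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Oct 21 14:02:11 ce01 sshd[1240]: Accepted password for mallory from 192.0.2.10 port 50123 ssh2
Oct 21 14:03:40 wn07 globus-gatekeeper[555]: Authorized as local user mallory
Oct 21 14:05:02 ce01 gridftp[777]: Connection from 198.51.100.77
Oct 21 14:06:30 ce02 lcmaps[900]: mapping "/DC=org/DC=example/CN=Mallory Example" to uid 5001
Oct 21 14:07:00 ce02 cron[1]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_alert(text):
    """Turn the alert JSON into sets/networks that are cheap to match."""
    data = json.loads(text)
    nets = [ipaddress.ip_network(x, strict=False) for x in data.get("ips", [])]
    return {
        "id": data["id"],
        "nets": nets,
        "users": set(data.get("users", [])),
        "dns": set(data.get("dns", [])),
    }


def parse_syslog_line(line):
    """Return the fields of one syslog record, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def match_line(rec, alert):
    """List (kind, value) indicators from the alert found in one record."""
    hits = []
    msg = rec["msg"]
    for ip in IPV4_RE.findall(msg):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. "999.1.2.3" matched the loose regex
            continue
        if any(addr in net for net in alert["nets"]):
            hits.append(("ip", ip))
    for user in alert["users"]:
        # Whole-token match so "mallory" does not fire on "mallory2".
        if re.search(rf"(?<![\w-]){re.escape(user)}(?![\w-])", msg):
            hits.append(("user", user))
    for dn in alert["dns"]:
        if dn in msg:  # DNs contain spaces and slashes; substring match is intended
            hits.append(("dn", dn))
    return hits


def scan_logs(log_text, alert):
    """Run the alert over every parseable record; keep records with hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        hits = match_line(rec, alert)
        if hits:
            findings.append({"ts": rec["ts"], "host": rec["host"],
                             "prog": rec["prog"], "hits": hits, "line": line})
    return findings


def affected_hosts(findings):
    """Group indicators by host: the first estimate of what may be affected."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["host"]].update(f["hits"])
    return dict(hosts)


if __name__ == "__main__":
    alert = parse_alert(ALERT_JSON)
    for host, indicators in sorted(affected_hosts(scan_logs(SAMPLE_LOGS, alert)).items()):
        print(alert["id"], host, sorted(indicators))
```

On the sample data the scan flags four of the six records and three hosts (ce01 by IP and user name, wn07 by user name, ce02 by subject DN). Two details matter in practice: addresses are compared as networks, so one advisory entry can cover a whole attacker range, and the user-name test is a whole-token match rather than a plain substring test, which is what keeps a short name like the one in the alert from matching unrelated accounts. The DN match is deliberately a substring test because subject names contain spaces and slashes and appear quoted in different ways by different middleware components.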
Security Dashboard
- Providing a single place to overview the current status and history, and to provide additional details
- integration with existing EGI dashboards and appropriate frameworks will be evaluated
Persons
Coordinator
- Daniel Kouril (kouril@ics.muni.cz), Czech Republic NGI
Participants
| Name | NGI | Home Organization | Effort Available (PM or FTE) |
|---|---|---|---|
| Stuart Kenny | Ireland NGI | TCD | |
| David O'Callaghan | Ireland NGI | TCD | |
| Christos Triantafyllidis | Greek NGI | AUTH | |
| Jinny Chien | - | ASGC | |
| Daniel Kouril | Czech Republic NGI | CESNET | 0.25 FTE |
| Michal Prochazka | Czech Republic NGI | CESNET | 0.25 FTE |
| Dusan Vudragovic | Serbia NGI | AEGIS | |
| Angela Poschlad | German NGI | KIT | |
| Bartlomiej Balcerek | Poland NGI | WCSS (CYFRONET) | 4 |
| Emir Imamagic | Croatia NGI | | |
| Riccardo Brunetti | Italy NGI | INFN | |
| Guiseppe Misurelli | Italy NGI | INFN | |
| Dorine Fouossong | France NGI | | |
| Feyza Eryol | TR NGI | TUBITAK-ULAKBIM | |