[PPT] - ISGC 2017 Security Workshop Sven Gabriel Security Incident PowerPoint Presentation

SLIDE 1

www.egi.eu

EGI-Engage is co-funded by the Horizon 2020 Framework Programme

f the European Union under grant number 654142

ISGC 2017 Security Workshop

Sven Gabriel

Security Incident handling in Federated Clouds

SLIDE 2

2017 March 5 2

CSIRT

Introduction

SLIDE 3

2017 March 5 3

CSIRT

Introduction Security in Distributed Infrastructures Incident Prevention Incident/Intrusion Detection Incident Response (IR) IR Communications Containment Forensics

SLIDE 4

2017 March 5 4

CSIRT

Security in Distributed Infrastructures

SLIDE 5

2017 March 5 5

CSIRT

Security and Business Models

Why bother about Security, another business model Cyberbunker: Mind Your Own Business policy

SLIDE 6

2017 March 5 6

CSIRT

Security in Distributed Infrastructures

Why bother about Security Security always has in impact how users experience services. How much you want to care about security is dependent on your business model. This has a serious impact and is a management decision, see for example:

http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=1

SLIDE 7

2017 March 5 7

CSIRT

Security and Users/Customers

How to sell security to the users/customers Some sociology:

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43265.pdf http://www.nature.com/news/how-to-hack-the-hackers-the-human-side-of-cybercrime-1.19872

SLIDE 8

2017 March 5 8

CSIRT

Security and Users/Customers

Examples from our Infra

Request to patch, . . .
You use our service from an unknown location, . . .
no, we can’t give you root on the compute cluster
no, we will not install your preferred editor on our

supercomputer

SLIDE 9

2017 March 5 9

CSIRT

Goal: keep Users/Customers happy

Ingredients

Have a clear set of agreed policies (ex. AUP)
Be transparent on why certain actions are requested

(Advisories)

Use the proper ’language’ for the intended recipient

(Admin/User)

Be prepared to deal with frustrated / swamped users.

SLIDE 10

2017 March 5 10

CSIRT

Security Incidents

Incidents, finally . . .

SLIDE 11

2017 March 5 11

CSIRT

Security Incidents in Distributed Infrastructures

Definition1: A security incident is the act of violating an explicit

r implied security policy (ex: local security policy, EGI

Acceptable Use Policy) (https://documents.egi.eu/public/ShowDocument?docid=47)

Who violates policies?
Criminals: Automated Attacks, compromised systems

rented out for illegal activities (Botnet, used for ddos, spam, distribute malware etc).

Hacktivism, Creative young people
Insiders, Users

SLIDE 12

2017 March 5 12

CSIRT

How attackers access the infra

External, unauthenticated Most serious, needs to be

prevented

External, authenticated Ex: stolen Credentials
Local, authenticated Also: Impersonation Vulnerabilities

SLIDE 13

2017 March 5 13

CSIRT

Security in Distributed Infrastructures

Incident Prevention
Incident/Intrusion Detection (also Tue. 16:00, Fyodor,

Watz)

Incident Response (Vincent)

SLIDE 14

2017 March 5 14

CSIRT

Who can Work on Security ...

SLIDE 15

2017 March 5 15

CSIRT

Incident Prevention

SLIDE 16

2017 March 5 16

CSIRT

Infrastructure Housekeeping

Vulnerability Handling Process:

Vulnerability Detection (often external sources)
Assessment (SVG/RAT) → Criticality
If Critical, develop: HeadsUp/Advisory, Security Monitoring
All Sites need to take action (patch/mitigate)
Follow up (Ticketing)
Monitor the Infrastructure

SLIDE 17

2017 March 5 17

CSIRT

Infrastructure Housekeeping

Why:

Prevent being victim of standard attacks (check your logs,

a lot background noise)

Clean-Up of an incident is expensive!
Provide an environment where users are ”protected” from

each other.

If the infra is not usable/working (for whatever reason) will

result in funding issues.

SLIDE 18

2017 March 5 18

CSIRT

Goal: Reducing Security Incidents

Number of incidents using grid technology

SLIDE 19

2017 March 5 18

CSIRT

Goal: Reducing Security Incidents

Number of incidents using grid technology 1

SLIDE 20

2017 March 5 19

CSIRT

Grid/Cloud differences

Admin / User role separated in Grid
Grid Admins are Linux Systems experts
Grid Software is verified against EGI’s current Quality

Criteria (UMD)

FedCloud RCs (up to Hypervisor, Network) are managed

by Admins

VMs are managed by the Users

SLIDE 21

2017 March 5 20

CSIRT

Some Cloud Security

Non System Experts (Users) are admins of their Infrastructure they deploy in the cloud.

To mitigate this risk VM Endorsement Policy was

developed.

Distinguish between VM Operators/Users
Provide the users with endorsed secure VMs

SLIDE 22

2017 March 5 21

CSIRT

Incident/Intrusion Detection

SLIDE 23

2017 March 5 22

CSIRT

Incident/Intrusion Detection

Tue 16:00 Identifying Suspicious Network Activities in Grid Network Tue 16:30 Modern Monitoring Systems (Watz)

SLIDE 24

2017 March 5 23

CSIRT

Incident Response (IR)

SLIDE 25

2017 March 5 24

CSIRT

IR Requirements

Know your perimeter: Security Policies

https://wiki.egi.eu/wiki/Security_Policy_Group

Know your Infrastructure, who has which role, what are the

communication endpoints.

Have an Incident Response Procedure

(https://wiki.egi.eu/wiki/SEC01)

SLIDE 26

2017 March 5 25

CSIRT

Actors and Roles

Site Security Contact
EGI-CSIRT Security Officer on Duty
User
VO-Security Contact
External party

SLIDE 27

2017 March 5 26

CSIRT

IR Communications

SLIDE 28

2017 March 5 27

CSIRT

IR Communications

Questions:

You know now the actors, where do you get the contacts?

SLIDE 29

2017 March 5 27

CSIRT

IR Communications

Questions:

You know now the actors, where do you get the contacts?
You know that the contacts are in http://goc.egi.eu/

and https://operations-portal.egi.eu/vo/security

SLIDE 30

2017 March 5 27

CSIRT

IR Communications

Questions:

You know now the actors, where do you get the contacts?
You know that the contacts are in http://goc.egi.eu/

and https://operations-portal.egi.eu/vo/security

So, . . . what will you ask? . . . report?

SLIDE 31

2017 March 5 27

CSIRT

IR Communications

Questions:

You know now the actors, where do you get the contacts?
You know that the contacts are in http://goc.egi.eu/

and https://operations-portal.egi.eu/vo/security

So, . . . what will you ask? . . . report?
, see https://wiki.egi.eu/wiki/EGI_CSIRT:

Incident_reporting

Or

SLIDE 32

2017 March 5 27

CSIRT

IR Communications

Questions:

You know now the actors, where do you get the contacts?
You know that the contacts are in http://goc.egi.eu/

and https://operations-portal.egi.eu/vo/security

So, . . . what will you ask? . . . report?
, see https://wiki.egi.eu/wiki/EGI_CSIRT:

Incident_reporting

Or just contact abuse .at. egi.eu

SLIDE 33

2017 March 5 28

CSIRT

Containment

SLIDE 34

2017 March 5 29

CSIRT

Containment

Stop the incident! How?

SLIDE 35

2017 March 5 29

CSIRT

Containment

Stop the incident! How?
Stop a DN submitting new jobs/starting VMs

SLIDE 36

2017 March 5 29

CSIRT

Containment

Stop the incident! How?
Stop a DN submitting new jobs/starting VMs
Central Argus system

SLIDE 37

2017 March 5 29

CSIRT

Containment

Stop the incident! How?
Stop a DN submitting new jobs/starting VMs
Central Argus system
For the forensics see Vincents talk

SLIDE 38

2017 March 5 30

CSIRT

Forensics

SLIDE 39

2017 March 5 31

CSIRT

Forensics

Talk: Computer Forensics Analysis (FyodorVincent)

What went wrong
How to detect it
How to react to it . . .