1. EGEE ARM-2 – 5 Oct 2004 - 1 LCG/EGEE Security Coordination Ian Neilson Grid Deployment Group CERN

2. EGEE ARM-2 – 5 Oct 2004 - 2 Security Coordination Objectives Ownership of … Security incidents From notification to resolution Liaise with national/institute CERTs Middleware security problems Liaise with development & deployment groups Co-ordination of security monitoring Post-mortem analysis Access to team of experts Security Service Challenges - LCG

3. EGEE ARM-2 – 5 Oct 2004 - 3 Security Activities in EGEE JRA3JRA1 NA4 Middleware Security Group LCG/EGEE Joint Security Group NA4 Solutions/Recommendations Req. SA1 “Joint Security Group” defines policy and procedures For LCG/GDB and EGEE/SA1 (Cross Membership of OSG) CA Coordination From Dave Kelsey’s CHEP’04 Plenary Talk Security Activities in EGEE

4. EGEE ARM-2 – 5 Oct 2004 - 4 OSG - Security Incident Handling and Response Guide (draft) To guide the development and maintenance of a common capability for handling and response to cyber security incidents on Grids. The capability will be established through (1) common policies and processes, (2) common organizational structures, (3) cross-organizational relationships, (4) common communications methods, and (5) a modicum of centrally-provided services and processes.

5. EGEE ARM-2 – 5 Oct 2004 - 5 Policy – the Joint Security Group Security & Availability Policy Usage Rules Certification Authorities Audit Requirements GOC Guides Incident Response User Registration Application Development & Network Admin Guide http://cern.ch/proj-lcg-security/documents.html (1) Common policies and processes

6. EGEE ARM-2 – 5 Oct 2004 - 6 Security Coordination - Groups Parties from OSG IR Security Operations Centre(s) (=?GOCs/CICs) Organize, coordinate, track, report Security contacts Defined for every grid participant: users and resources Incident Response & Technical Experts Managed list of available expertise Ad hoc Incident Response teams Formed on demand Security Operations Advisory group Advise development and practice of SOC (=JSG+?) X-SOC coordination SOCs participation/communication across grid boundaries (2) common organizational structures

7. EGEE ARM-2 – 5 Oct 2004 - 7 Security Coordination - Channels OSCT ROC RC CIC/GOC CSIRT “External” GRID Media/Press “PR” (3) cross-organizational relationships, EGEE operational channels still being established. Responsibilities and processes being defined.

8. EGEE ARM-2 – 5 Oct 2004 - 8 Security Coordination – Comms. Incident Reporting List INCIDENT-SEC-L@xxx.yyy Security Contacts Discussion List INCIDENT-DISCUSS@xxx.yyy External contact Reporting Other grids MUST be Encrypted How is this achieved and managed? Tracking system MUST be secure Press and Public Relations (4) common communications methods

9. EGEE ARM-2 – 5 Oct 2004 - 9 Operational Security - Services List Management Alert/Discuss – ref: previous slide Multiple ad-hoc IR Teams Experts Ticket Tracking System Where do problems enter? – local contact Can this be part of support lists? Must be secure Public Relations Guidelines, practice statements Policy interface to JSG Evidence gathering/preservation – use local law enforcement OSCT must (help) define process behind all these services (5) a modicum of centrally-provided services and processes

10. EGEE ARM-2 – 5 Oct 2004 - 10 Security Coordination - Issues “Security Operations Centre”: what is it for EGEE/LCG? Don’t think we can have “Central” control So formulate activity as “coordination team” Security contacts lists need management Dead boxes, moderated boxes, etc etc Do we have appropriate contact: site security or local admin? Need to coordinate through Regional Operations Centres (ROC) Need to utilise services from Core Infrastructure Centres (CIC) Wherever possible - don’t duplicate channels What is the relationships with LCG GOCs and EGEE CICs? –Are they the same? Are we communicating with local site security team or grid ‘admin’ responsibles

11. EGEE ARM-2 – 5 Oct 2004 - 11 Operational Security – where to start? “Start small and keep it simple.” Define basic structures Where/how lists hosted Where/how problems tracked Who/where/how ‘experts’ organised JSG review and update policy documents ROCs to take over management of contacts lists Must integrate with site registration process Establish what level of support is behind site security entries Relationships with local/national CERT Validate/test entries Exercise channels and raise awareness by Security Challenges – next slide.

12. EGEE ARM-2 – 5 Oct 2004 - 12 2004 Security Service Challenges Objectives Evaluate the effectiveness of current procedures by simulating a small and well defined set of security incidents. Use the experiences of a) in an iterative fashion (during the challenges) to update procedures. Formalise the understanding gained in a) & b) in updated incident response procedures. Provide feedback to middleware development and testing activities to inform the process of building security test components. Exercise response procedures in controlled manner Non-intrusive Compute resource usage trace to owner –Run a job to send an email Storage resource trace to owner –Run a job to store a file Disruptive Disrupt a service and map the effects on the service and grid