LCG/EGEE Incident Response Planning

Slides:



Advertisements
Similar presentations
LCG/EGEE/OSG Security Incident Response Grid Operations workshop CERN, 2 November 2004 David Kelsey CCLRC/RAL, UK
Advertisements

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Deployment Session David Kelsey GridPP13, Durham 5 Jul 2005
Test Organization and Management
INFSO-RI Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes
Operational Security Working Group Topics Incident Handling Process –OSG Document Review & Comments:
EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Enabling Grids for E-sciencE EGEE III Security Training and Dissemination Mingchao Ma, STFC – RAL, UK OSCT Barcelona 2009.
INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
LCG and HEPiX Ian Bird LCG Project - CERN HEPiX - FNAL 25-Oct-2002.
GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Monitoring in EGEE EGEE/SEEGRID Summer School 2006, Budapest Judit Novak, CERN Piotr Nyczyk, CERN Valentin Vidic, CERN/RBI.
02/07/09 1 WLCG NAGIOS Kashif Mohammad Deputy Technical Co-ordinator (South Grid) University of Oxford.
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager
Incident Response Plan for the Open Science Grid Grid Operations Experience Workshop – HEPiX 22 Oct 2004 Bob Cowles – Work.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.
UKI ROC/GridPP/EGEE Security Mingchao Ma Oxford 22 October 2008.
LCG/EGEE Security Operations HEPiX, Fall 2004 BNL, 22 October 2004 David Kelsey CCLRC/RAL, UK
15-Dec-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the Joint Security Policy Group) CERN 15 December 2004 David Kelsey CCLRC/RAL,
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Operational Security Coordination Team Ian.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks ROC Security Contacts R. Rumler Lyon/Villeurbanne.
Security Operations David Kelsey GridPP Deployment Board 3 Mar 2005
Reflections “from around the block.” (Security) Ian Neilson GridPP Security Officer STFC RAL.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
INFSO-RI Enabling Grids for E-sciencE An overview of EGEE operations & support procedures Jules Wolfrat SARA.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.
Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon.
EGEE is a project funded by the European Union under contract IST Roles & Responsibilities Ian Bird SA1 Manager Cork Meeting, April 2004.
Last update 22/02/ :54 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD VO Registration procedure Presented by.
EGEE ARM-2 – 5 Oct LCG/EGEE Security Coordination Ian Neilson Grid Deployment Group CERN.
Planning for LCG Emergencies HEPiX, Fall 2005 SLAC, 13 October 2005 David Kelsey CCLRC/RAL, UK
Recent lessons learned: Operational Security David Kelsey CCLRC/RAL, UK GDB Meeting, BNL, 5 Sep 2006.
26/01/2007Riccardo Brunetti OSCT Meeting1 Security at The IT-ROC Status and Plans.
INFSO-RI Enabling Grids for E-sciencE Joint Security Policy Group David Kelsey, CCLRC/RAL, UK 3 rd EGEE Project.
LCG User, Site & VO Registration in EGEE/LCG Bob Cowles OSG Technical Meeting Dec 15-17, 2004 UCSD.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security aspects (based on Romain Wartel’s.
INFSO-RI Enabling Grids for E-sciencE Operational Security Coordination Team OSCT report EGEE-4, Pisa Ian Neilson, CERN.
Grid Deployment Technical Working Groups: Middleware selection AAA,security Resource scheduling Operations User Support GDB Grid Deployment Resource planning,
OSG VO Security Policies and Requirements Mine Altunay OSG Security Team July 2007.
15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK
Cloud Security Session: Introduction 25 Sep 2014Cloud Security, Kelsey1 David Kelsey (STFC-RAL) EGI-Geant Symposium Amsterdam 25 Sep 2014.
Bob Jones EGEE Technical Director
Regional Operations Centres Core infrastructure Centres
EGI – Round table discussion
David Kelsey CCLRC/RAL, UK
LCG Security Status and Issues
Ian Bird GDB Meeting CERN 9 September 2003
Incident Response Plan for the Open Science Grid
The CCIN2P3 and its role in EGEE/LCG
Romain Wartel EGEE08 Conference, Istanbul, 23rd September 2008
Maite Barroso, SA1 activity leader CERN 27th January 2009
Nordic ROC Organization
David Kelsey CCLRC/RAL, UK
Integrated Site Security for Grids
LCG Operations Centres
LCG Operations Workshop, e-IRG Workshop
Solutions for federated services management EGI
Office 365 Security Assessment Workshop
Leigh Grundhoefer Indiana University
Overview UA has formed is forming a Security Operations Center (SOC) with Students supporting Tier 1 Activities. The SOC provides benefits to the University.
gLite The EGEE Middleware Distribution
Anatomy of a Common Cyber Attack
Presentation transcript:

LCG/EGEE Incident Response Planning Ian Neilson Grid Deployment Group CERN EGEE3 Athens 21 April 2005 - 1

Incident Response Overview The OSG Incident Handling and Response Guide What it mandates What it recommends How to map to LCG/EGEE? Response Planning Classification based Use-cases Role of OSCT, ROCS etc. Grid Incident definition: “..event that poses a .. threat [to] the integrity of services, resources, infrastructure, or identities.” Note: We do have existing but old agreement: https://edms.cern.ch/document/428035 EGEE3 Athens 21 April 2005 - 2

Incident Response The OSG Incident Handling and Response Guide What it mandates (MUST do’s) REPORT RESPOND PROTECT information gathered ANALYSE What it recommends (SHOULD do’s) Provide monitored contact mailing lists at sites Public Disclosure (summary) through site Public Relations Use signed mails How to map to LCG/EGEE? EGEE3 Athens 21 April 2005 - 3

Incident Response Reporting (MUST) Provide contact information Individual contacts Monitored list (optional but HIGHLY desirable) Management through GOCDB (?soon) Report to LOCAL site security = sites should have local plan Does not replace or interfere with local plans Report to INCIDENT-REPORT-L@project.org Initial incident notification only, no chat Closed list Filtered abuse@.. & security@.. Currently we use project-lcg-security-csirts@cern.ch -egee- alias Open list hence no moderated lists EGEE3 Athens 21 April 2005 - 4

Incident Response Responding (MUST) Classification Containment More later… Containment Assumes local containment process in place Attacks through the grid Default action to block grid access initially Authorization control MUST be provided for services Attacks on the grid Little/no possible central control Notify the attacking site (NREN CSIRTS) Coordination of blocking, restoration of service Notification INCIDENT-DISCUSS-L@project.org User, VO if identity compromise Management Post-Incident Analysis EGEE3 Athens 21 April 2005 - 5

Incident Response Response Planning Objectives Provide a framework to use when something happens But must be usable flexibly Can be tested Classification Based ‘Use Cases’ LOW e.g. Local single non-privileged identity compromised, local denial of service. MEDIUM e.g. Local privileged identity compromised, attack on grid service not threatening grid stability. HIGH e.g. Exploitation of trust fabric, attack leading to grid instability or denial of service against all service replicas. EGEE3 Athens 21 April 2005 - 6

Incident Response Incident Class: LOW Case: Some local unattributed activity from a single user Reported by user to GGUS based on accounting Actors: GGUS, User, Site Response: Report received by SSO from GGUS Investigation (Site <-> User) Analysis: Single identity compromised Route to compromise may change response Notification by SSO: User, VO(suspend), REPORT-L, GGUS Issues: How does SSO contact user, VO? 000’s of distributed users -> notification overload …. EGEE3 Athens 21 April 2005 - 7

Incident Response Incident Class: Medium Case: Compute Element relaying SPAM Reported by external corporate security team Actors: Site, Ex-CSIRT Response: Report received by SSO from Ex-CSIRT Prelim. Investigation (SSO) Close service, remove from network Notification: REPORT-L, NREN CSIRT Analysis: CE rooted Notification: DISCUSS-L Issues Service-based threat analysis would be useful EGEE3 Athens 21 April 2005 - 8

Incident Response Incident Class: HIGH Case: Poisoning of information system Reported simultaneously from multiple locations, widespread job misdirection, failure, DOS Actors: Multiple Site, Experts, Developers/Deployment + Users, VOs, Management Response Reports might start as unassociated REPORT-L posts Team leader created, creates team – Notify: REPORT-L Prelim Analysis: logs, network traffic Mitigation: network blocking, rebuild/lock IS – Notify: DISCUSS-L Analysis: Broken protocol Patch Created, Packaged and Deployed – Notify: Site admin Notification: DISCUSS-L Issues How to bootstrap team and its leader – ROC/OSCT role Team communications – Incident tracking tools Team communications to developers Deployment scheduling – how long EGEE3 Athens 21 April 2005 - 9

Incident Response Incident Tracking Repository? Would be useful for Communications Analysis Reporting Could be difficult because of Which groups have access Becomes a target itself May duplicate logging of local systems How would it interact with local systems Current candidates LCG Savannah – Use for Service Challenge GGUS – Certificate Support but need development …? EGEE3 Athens 21 April 2005 - 10

Incident Response Summary OSG Document now needs to be implemented Need to put this into LCG/EGEE context Basic IR planning and model plans are necessary Use-case and role-play useful tools for creating these Should be tested in future security exercises OSCT is the group to organise this Note: Andrew Cormack’s document comparing grid incident response to ‘traditional’ CSIRT activities attached to the agenda. EGEE3 Athens 21 April 2005 - 11

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.