1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.
Presentation transcript:

1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office

2 Overview
► Cornell’s incident response strategy
► Introduction to Network Quarantine
► Review of Scan at Registration System (SARS)
► Post Mortem (what we did intelligently)
► Future considerations and direction

3 Security Support Structure
► Contact Center
   Part of Customer Services and Marketing
   Addresses end user support
    ► Patch support
    ► Virus remediation
► Network Operations Center (NOC)
   Part of Systems and Operations
   Initial security triage
   Incident response
    ► Blocks
    ► Notifications
► IT Security Office
   Development of operational procedures
   Technical solutions
   Backline support

4 Some Security Challenges at Cornell
► A general openness and decentralization lead to a larger number of incidents
► Responding to incidents can be staff intensive
► Unmanaged (student) systems arrive on our network several times each year
► Incident notification is a challenge
► Individual remediation is desired
► Wide range of end user support needs

5 Responding to Incidents
► The Security Office will react to and contain campus systems that are compromised or highly vulnerable
► The NOC had a mix of tools and manual processes for opening a case, notifying impacted parties and implementing containment
► The Security Office often sent the NOC containment requests that were tedious to service with the current tools
► Responding to a wide range of security issues put much strain on the Contact Center
► The current mechanism for containment was not fully effective and didn’t work in some environments

6 Network Quarantine
► Objectives
   Provide better end user communication based upon the observed incident
   Articulate self-remediation information and requirements when appropriate
   Improve cost effectiveness of security support
    ► NOC
    ► Contact Center
   More effective system isolation
   Better incident tracking and remediation for local support providers
   Quicker/escalated response for critical systems

7 Network Quarantine (Basic Features)
► The right action is taken depending upon the type of system
   “Registration” 10 space
   DMZ blocked
   “Critical system” notification
► Response for systems identified as critical is escalated to the Security Office and the appropriate local support provider
► Incidents can be created, modified and closed via web and socket interfaces
   The latter allows batch operation and automation
► NQ interacts with Vantive, creating a new case when an incident is opened
► Modifications to an incident trigger notification to the user and net admin, and updates to Vantive
► Specific incident remediation information is provided for end users
► With appropriate credentials, CIT personnel, including the Contact Center, and campus system administrators can search for and review incidents

8 Network Quarantine
► An incident
   Incident type and description
   Method of containment
   Self-release option
   Type of remediation
   Specific support and remediation messages to users
   Supporting documentation
   Action tracking

9 Network Quarantine (Specific Features)
► For each new incident
   New incident type for tracking
   Establishment of resolution requirements
   Incident-specific message to users
► Users receive much better communication
► Self-release feature
   Users are able to correct the issue themselves
   Saves staff time at the Contact Center
► Process automation, better user communication and self-release have saved money

10 Network Quarantine (Cost Savings)
► Prior to NQ
   Virus remediation costs/incident
    ► Contact Center – Average 10 minutes
    ► NOC – Average 3 minutes
   System compromise costs/incident
    ► Contact Center
      Simple support – minutes
      Full rebuild – 1-4 hours
    ► NOC – Average 5 minutes
► With NQ
   Virus remediation costs/incident
    ► Contact Center – Same, but many self-release
    ► NOC – Under 1 minute
   System compromise costs/incident
    ► Contact Center
      Simple support – minutes
      Full rebuild – 1-4 hours
    ► NOC – Under 1 minute
** Significant savings realized using self-release and better end user support

11 Scan at Registration System (SARS)
► All on-campus student computers were automatically scanned upon registration
► Objectives
   Drastically reduce the number of infected or compromised student systems coming to campus
   Promote better security practices

12 Enabling Features of NQ that Supported SARS
► Automation of containment and remediation
► Redirection to the Network Quarantine infrastructure
► Articulated steps to support self-remediation
► Incident tracking

13 Scan at Registration System (SARS)
► Requirements for ResNet registration
   Each computer system must be registered with a valid NetID
   Each computer must be configured to a minimum set of security standards
    ► No open writable fileshares
    ► All administrative accounts must have a password
    ► Must be patched

14 Student Registration Process
► Every on-campus student went through the following process
   Plug into the network and get redirected to the ResNet Registration page
   Authenticate with NetID and fill in the necessary information for registration
   Wait 90 seconds for registration to complete and the system check to occur
   If the system passed all three tests
    ► Registration complete
   Else
    ► Redirected to NQ
    ► Informed of the problem and provided directions for remediation
    ► Rescan upon completion of remediation
    ► Repeat
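The registration decision on slide 14 and the incident record on slide 8 can be expressed as a small state machine: each of the three SARS checks maps to a remediation message, a failed scan opens a self-releasable incident, and self-release only succeeds once a fresh rescan is clean. This is an added, constructed example written for this transcript, not Cornell's NQ or SARS code; the check names, messages and field names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed mapping of the three ResNet checks (slide 13) to the
# remediation text shown to the quarantined user. Names are assumptions.
CHECKS = {
    "open_writable_share": "Disable or password-protect writable file shares.",
    "blank_admin_password": "Set a password on every administrative account.",
    "missing_patches": "Install all pending operating system patches.",
}

@dataclass
class Incident:
    """Minimal incident record modelled on the slide 8 fields."""
    host: str
    incident_type: str
    containment: str
    self_release: bool
    remediation: list            # messages to the user, one per failed check
    status: str = "open"
    actions: list = field(default_factory=list)   # action tracking

def evaluate_scan(host: str, scan: dict):
    """Return None if all three checks pass, otherwise an open NQ incident.
    `scan` maps a check name to True when that check FAILED."""
    failed = [name for name in CHECKS if scan.get(name, False)]
    if not failed:
        return None                               # registration complete
    inc = Incident(host=host,
                   incident_type="registration-scan-failure",
                   containment="redirect to Network Quarantine",
                   self_release=True,
                   remediation=[CHECKS[n] for n in failed])
    inc.actions.append("quarantined: " + ", ".join(failed))
    return inc

def attempt_self_release(inc: Incident, rescan: dict) -> bool:
    """Close the incident only when the user is permitted to self-release
    and a rescan shows no failed checks; otherwise record why not."""
    if not inc.self_release:
        inc.actions.append("self-release not permitted; escalate to NOC")
        return False
    still_failed = [n for n in CHECKS if rescan.get(n, False)]
    if still_failed:
        inc.actions.append("rescan failed: " + ", ".join(still_failed))
        return False                              # user repeats remediation
    inc.status = "closed"
    inc.actions.append("rescan clean; self-released")
    return True
```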

15 Scan at Registration Statistics
► Approximately 6500 systems scanned over move-in weekend
► Of all systems scanned
   65% were probably firewalled
   35% were not firewalled
    ► 25% were clean
    ► 10% had at least one of the three problems
► Close to 12% of the systems had at least one problem (780)
► Around 85% of all quarantined students were able to perform self-remediation

16 Network Quarantine On-Boarding Metrics

17 Post Mortem
► Gaining early support from the Contact Center and NOC was an absolute requirement
► Can’t underestimate the stress of move-in weekend (the parent effect)
► Trust is important, but “bail out” features go further
   If the scanning or quarantine infrastructure failed, registration would continue as before
   If the Contact Center could not support the demands of quarantined students, all could be released immediately

18 Future Considerations
► Should scanning be expanded to other constituents and infrastructures?
► Should we be more aggressive with our scanning?
   Scan more frequently
   Deeper analysis
► Should we limit ourselves to network scanning or install end point components?
► Should we establish minimum expectations for all computers connecting to our network?

19 Screen Shots

20 Network Quarantine (Incident Types)

21 Network Quarantine (Incident Types)

22 Network Quarantine (Incident Messages)

23 Network Quarantine (Incident Containment)

24 Network Quarantine (Incident Remediation)

25 Network Quarantine (User’s View)

26 Network Quarantine (User’s View)

27 Network Quarantine (User’s View) 128.XXX.XXX.XXX