LCG/EGEE Incident Response Planning

1 LCG/EGEE Incident Response Planning
Ian Neilson, Grid Deployment Group, CERN
EGEE3 Athens 21 April

2 Incident Response Overview
- The OSG Incident Handling and Response Guide
  - What it mandates
  - What it recommends
  - How to map to LCG/EGEE?
- Response Planning
  - Classification-based use-cases
  - Role of OSCT, ROCs etc.
- Grid Incident definition: "..event that poses a .. threat [to] the integrity of services, resources, infrastructure, or identities."
- Note: We do have an existing but old agreement:

3 Incident Response: The OSG Incident Handling and Response Guide
- What it mandates (MUST do's): REPORT, RESPOND, PROTECT information gathered, ANALYSE
- What it recommends (SHOULD do's):
  - Provide monitored contact mailing lists at sites
  - Public disclosure (summary) through site Public Relations
  - Use signed mails
- How to map to LCG/EGEE?

4 Incident Response: Reporting (MUST)
- Provide contact information
  - Individual contacts
  - Monitored list (optional but HIGHLY desirable)
  - Management through GOCDB (soon?)
- Report to LOCAL site security = sites should have a local plan
  - Does not replace or interfere with local plans
- Report to: initial incident notification only, no chat
  - Closed list, filtered & (currently we use the -egee- alias)
  - Open list, hence no moderated lists

5 Incident Response: Responding (MUST)
- Classification: more later...
- Containment
  - Assumes a local containment process is in place
  - Attacks through the grid: default action is to block grid access initially; authorization control MUST be provided for services
  - Attacks on the grid: little/no possible central control; notify the attacking site (NREN CSIRTs); coordination of blocking and restoration of service
- Notification: User and VO if identity compromise; Management
- Post-Incident Analysis

6 Incident Response: Response Planning Objectives
- Provide a framework to use when something happens
  - But must be usable flexibly
  - Can be tested
- Classification-based 'Use Cases'
  - LOW, e.g. local single non-privileged identity compromised, local denial of service.
  - MEDIUM, e.g. local privileged identity compromised, attack on a grid service not threatening grid stability.
  - HIGH, e.g. exploitation of the trust fabric, attack leading to grid instability or denial of service against all service replicas.

7 Incident Response: Incident Class LOW
Case: Some local unattributed activity from a single user, reported by the user to GGUS based on accounting
Actors: GGUS, User, Site
Response:
- Report received by SSO from GGUS
- Investigation (Site <-> User)
- Analysis: single identity compromised; route to compromise may change the response
- Notification by SSO: User, VO (suspend), REPORT-L, GGUS
Issues:
- How does the SSO contact the user, the VO?
- 000's of distributed users -> notification overload ...

8 Incident Response: Incident Class MEDIUM
Case: Compute Element relaying SPAM, reported by an external corporate security team
Actors: Site, Ex-CSIRT
Response:
- Report received by SSO from Ex-CSIRT
- Prelim. investigation (SSO)
- Close service, remove from network
- Notification: REPORT-L, NREN CSIRT
- Analysis: CE rooted
- Notification: DISCUSS-L
Issues:
- Service-based threat analysis would be useful

9 Incident Response: Incident Class HIGH
Case: Poisoning of the information system, reported simultaneously from multiple locations; widespread job misdirection, failure, DOS
Actors: Multiple sites, experts, developers/deployment + users, VOs, management
Response:
- Reports might start as unassociated REPORT-L posts
- Team leader created, creates team. Notify: REPORT-L
- Prelim analysis: logs, network traffic
- Mitigation: network blocking, rebuild/lock IS. Notify: DISCUSS-L
- Analysis: broken protocol
- Patch created, packaged and deployed. Notify: site admins
- Notification: DISCUSS-L
Issues:
- How to bootstrap the team and its leader: ROC/OSCT role
- Team communications: incident tracking tools
- Team communications to developers
- Deployment scheduling: how long?

10 Incident Response: Incident Tracking Repository?
Would be useful for: communications, analysis, reporting
Could be difficult because of:
- Which groups have access
- Becomes a target itself
- May duplicate logging of local systems
- How would it interact with local systems?
Current candidates:
- LCG Savannah: used for the Service Challenge
- GGUS: certificate support, but needs development
- ...?

11 Incident Response: Summary
- The OSG document now needs to be implemented; need to put this into the LCG/EGEE context
- Basic IR planning and model plans are necessary
- Use-cases and role-play are useful tools for creating these
- Should be tested in future security exercises
- OSCT is the group to organise this
Note: Andrew Cormack's document comparing grid incident response to 'traditional' CSIRT activities is attached to the agenda.