
Page 1: Network Quarantine At Cornell University

Steve Schuster
Director, Information Security Office

Page 2: Overview

► Cornell's incident response strategy
► Introduction to Network Quarantine
► Review of the Scan at Registration System (SARS)
► Post Mortem (what we did intelligently)
► Future considerations and direction

Page 3: Security Support Structure

► Contact Center
  Part of Customer Services and Marketing
  Addresses end user support
    ► Patch support
    ► Virus remediation
► Network Operations Center (NOC)
  Part of Systems and Operations
  Initial security triage
  Incident response
    ► Blocks
    ► Notifications
► IT Security Office
  Development of operational procedures
  Technical solutions
  Backline support

Page 4: Some Security Challenges at Cornell

► A general openness and decentralization leads to a larger number of incidents
► Responding to incidents can be staff intensive
► Unmanaged (student) systems arrive on our network several times each year
► Incident notification is a challenge
► Individual remediation is desired
► Wide range of end user support needs

Page 5: Responding to Incidents

► The Security Office will react to and contain campus systems that are compromised or highly vulnerable
► The NOC had a mix of tools and manual processes for opening a case, notifying impacted parties and implementing containment
► The Security Office often sends the NOC containment requests that were tedious to service with the current tools
► Responding to a wide range of security issues put much strain on the Contact Center
► The current mechanism for containment was not fully effective and did not work in some environments

Page 6: Network Quarantine

► Objectives
  Provide better end user communication based upon the observed incident
  Articulate self-remediation information and requirements when appropriate
  Improve cost effectiveness of security support
    ► NOC
    ► Contact Center
  More effective system isolation
  Better incident tracking and remediation for local support providers
  Quicker/escalated response for critical systems

Page 7: Network Quarantine (Basic Features)

► The right action is taken depending upon the type of system
  "Registration" for systems in the 10 space
  DMZ systems are blocked
  "Critical system" notification
► Response for systems identified as critical is escalated to the Security Office and the appropriate local support provider
► Incidents can be created, modified and closed via web and socket interfaces
  The latter allows batch processing and automation
► NQ interacts with Vantive, creating a new case when an incident is opened
► Modifications to an incident trigger e-mail to the user and the net admin, and updates to Vantive
► Specific incident remediation information is provided for end users
► With appropriate credentials, CIT personnel, including the Contact Center, and campus system administrators can search for and review incidents

Page 8: Network Quarantine

► An incident
  Incident type and description
  Method of containment
  Self-release option
  Type of remediation
  Specific support and remediation messages to users
  Supporting documentation
  Action tracking
► Network Quarantine
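As an added illustration (not part of the original slides and not Cornell's NQ code), the following Python sketch models the incident record on slide 8 and the behaviour listed on slide 7: the containment action chosen by system class, a case created when the incident opens, e-mail on every modification, escalation for critical systems, and a self-release path. The address ranges, the critical-host list, the incident type used in the usage call and the CaseSystem stand-in for Vantive are assumptions.

```python
"""Toy model of the Network Quarantine (NQ) incident lifecycle from slides 7 and 8.
Added illustration for this page, not Cornell's NQ code. The address ranges,
the critical-host list and the CaseSystem stand-in for Vantive are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class Containment(Enum):
    REGISTRATION = "redirect to the registration/quarantine page"  # "10 space"
    BLOCK = "block at the network edge"                             # DMZ
    NOTIFY = "notify and escalate, no automatic block"              # critical system


# Assumed address classes; the slide only says "10 space" and "DMZ".
REGISTRATION_SPACE = ip_network("10.0.0.0/8")
DMZ_SPACE = ip_network("192.0.2.0/24")       # RFC 5737 documentation range, assumed
CRITICAL_SYSTEMS = {"198.51.100.10"}          # hypothetical critical host


@dataclass
class IncidentType:
    name: str
    description: str
    self_release: bool      # may the user release the host after remediating?
    remediation: str        # incident-specific directions shown to the user
    documentation: str      # supporting documentation (placeholder)


@dataclass
class Incident:
    incident_id: int
    host: str
    itype: IncidentType
    containment: Containment
    critical: bool
    status: str = "open"
    case_id: Optional[str] = None
    actions: List[str] = field(default_factory=list)   # action tracking


def choose_containment(host: str) -> Tuple[Containment, bool]:
    """'The right action is taken depending upon type of system'."""
    if host in CRITICAL_SYSTEMS:
        return Containment.NOTIFY, True
    addr = ip_address(host)
    if addr in DMZ_SPACE:
        return Containment.BLOCK, False
    if addr in REGISTRATION_SPACE:
        return Containment.REGISTRATION, False
    return Containment.BLOCK, False     # default for anything else (assumption)


class CaseSystem:
    """Stand-in for the Vantive case tracker."""
    def __init__(self) -> None:
        self.cases: Dict[str, List[str]] = {}

    def open_case(self, inc: Incident) -> str:
        cid = f"CASE-{inc.incident_id}"
        self.cases[cid] = [f"opened for {inc.host}: {inc.itype.name}"]
        return cid

    def update(self, cid: str, note: str) -> None:
        self.cases[cid].append(note)


class NetworkQuarantine:
    def __init__(self, cases: CaseSystem) -> None:
        self.cases = cases
        self.incidents: Dict[int, Incident] = {}
        self.mail: List[Tuple[str, str]] = []   # (recipient, subject); stands in for e-mail
        self._next_id = 1

    def _notify(self, inc: Incident, subject: str) -> None:
        # every modification mails the user and the net admin and updates the case
        self.mail.append((f"user@{inc.host}", subject))
        self.mail.append(("netadmin", subject))
        self.cases.update(inc.case_id, subject)

    def open_incident(self, host: str, itype: IncidentType) -> Incident:
        containment, critical = choose_containment(host)
        inc = Incident(self._next_id, host, itype, containment, critical)
        self._next_id += 1
        inc.case_id = self.cases.open_case(inc)     # new case when the incident opens
        inc.actions.append(f"contain: {containment.value}")
        self.incidents[inc.incident_id] = inc
        self._notify(inc, f"{itype.name}: {itype.remediation}")
        if critical:                                 # escalation path for critical systems
            for who in ("security-office", "local-support"):
                self.mail.append((who, f"ESCALATION {host}"))
        return inc

    def self_release(self, incident_id: int) -> bool:
        """User-driven release after remediation; refused for critical systems,
        for incident types that do not permit it, and for incidents not open."""
        inc = self.incidents[incident_id]
        if inc.status != "open" or inc.critical or not inc.itype.self_release:
            inc.actions.append("self-release refused")
            return False
        inc.status = "closed"
        inc.actions.append("self-release granted")
        self._notify(inc, "released by user after remediation")
        return True


if __name__ == "__main__":
    virus = IncidentType("virus", "worm infection", True, "run the cleaner", "doc-url")
    nq = NetworkQuarantine(CaseSystem())
    inc = nq.open_incident("10.1.2.3", virus)
    print(inc.containment, nq.self_release(inc.incident_id), inc.actions)
```

The order of the checks in choose_containment is the policy: a host on the critical list is never auto-blocked even if its address also falls in a blocked range, which is the "notification" behaviour the slide describes, and anything unrecognised falls back to a block rather than to the registration redirect, since a redirect that lets the host keep talking is the weaker containment.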

Page 9: Network Quarantine (Specific Features)

► For each new incident
  New incident type for tracking
  Establishment of resolution requirements
  Incident-specific message to users
► Users receive much better communication
► Self-release feature
  Users are able to correct the issue themselves
  Saves staff time at the Contact Center
► Process automation, better user communication and self-release have saved money

Page 10: Network Quarantine (Cost Savings)

► Prior to NQ
  Virus remediation costs/incident
    ► Contact Center: average 10 minutes
    ► NOC: average 3 minutes
  System compromise costs/incident
    ► Contact Center: simple support 20 minutes; full rebuild 1-4 hours
    ► NOC: average 5 minutes
► With NQ
  Virus remediation costs/incident
    ► Contact Center: same, but many self-release
    ► NOC: under 1 minute
  System compromise costs/incident
    ► Contact Center: simple support 20 minutes; full rebuild 1-4 hours
    ► NOC: under 1 minute

** Significant savings realized using self-release and better end user support

Page 11: Scan at Registration System (SARS)

► All on-campus student computers were automatically scanned upon registration
► Objectives
  Drastically reduce the number of infected or compromised student systems coming to campus
  Promote better security practices

Page 12: Enabling Features of NQ that Supported SARS

► Automation of containment and remediation
► Redirection to the Network Quarantine infrastructure
► Articulated steps to support self-remediation
► Incident tracking

Page 13: Scan at Registration System (SARS)

► Requirements for ResNet registration
  Each computer system must be registered with a valid NetID
  Each computer must be configured to a minimum set of security standards
    ► No open writable fileshares
    ► All administrative accounts must have a password
    ► Must be patched

Page 14: Student Registration Process

► Every on-campus student went through the following process
  Plug into the network and get redirected to the ResNet Registration page
  Authenticate with NetID and fill in the necessary information for registration
  Wait 90 seconds for registration to complete and the system check to occur
  If the system passed all three tests
    ► Registration complete
  Else
    ► Redirected to NQ
    ► Informed of the problem and provided directions for remediation
    ► Rescan upon completion of remediation
    ► Repeat
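The procedure above, as an added example in Python (not Cornell's SARS code and not from the original slides): the three checks from slide 13 run against constructed host records, the quarantine / remediate / rescan loop from slide 14, and a batch summary in the shape of slide 15. The required patch level, the host records, the student's remediation behaviour and the round limit are assumptions.

```python
"""SARS registration loop (slide 14) against the three standards on slide 13.
Added illustration, not Cornell's SARS code; policy values, host records and
the user's remediation behaviour are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

REQUIRED_PATCH_LEVEL = 3         # assumed policy value
Findings = Dict[str, List[str]]  # problem name -> details found on the host


@dataclass
class Host:
    netid: str
    shares: Dict[str, bool]         # share name -> writable by anyone?
    admin_accounts: Dict[str, str]  # account name -> password ("" = none)
    patch_level: int
    authenticated: bool = True      # NetID authentication succeeded


def open_writable_shares(h: Host) -> List[str]:
    return [name for name, writable in h.shares.items() if writable]


def passwordless_admins(h: Host) -> List[str]:
    return [acct for acct, pw in h.admin_accounts.items() if not pw]


def missing_patches(h: Host) -> List[str]:
    if h.patch_level >= REQUIRED_PATCH_LEVEL:
        return []
    return [f"patch level {h.patch_level} below required {REQUIRED_PATCH_LEVEL}"]


CHECKS = {   # the three tests every system must pass
    "open writable fileshare": open_writable_shares,
    "administrative account without password": passwordless_admins,
    "missing patches": missing_patches,
}


def scan(h: Host) -> Findings:
    """Run all three checks; return only the failing ones with their findings."""
    findings: Findings = {}
    for problem, check in CHECKS.items():
        hits = check(h)
        if hits:
            findings[problem] = hits
    return findings


@dataclass
class RegistrationResult:
    netid: str
    registered: bool
    scans: int               # how many scans ran (0 if authentication failed)
    quarantined: bool        # was the host ever redirected to NQ?
    history: List[Findings] = field(default_factory=list)   # findings per scan


def register(h: Host, remediate: Callable[[Host, Findings], None],
             max_rounds: int = 5) -> RegistrationResult:
    """Authenticate, scan; pass -> registered; else quarantine, show directions,
    user remediates, rescan, repeat. max_rounds bounds the loop (assumption)."""
    if not h.authenticated:
        return RegistrationResult(h.netid, False, 0, False)
    quarantined, history = False, []
    for rnd in range(1, max_rounds + 1):
        problems = scan(h)
        history.append(problems)
        if not problems:
            return RegistrationResult(h.netid, True, rnd, quarantined, history)
        quarantined = True          # redirected to NQ with the problem list
        remediate(h, problems)      # user follows the remediation directions
    return RegistrationResult(h.netid, False, max_rounds, quarantined, history)


def student_self_remediation(h: Host, problems: Findings) -> None:
    """Constructed user behaviour: closes listed shares, sets passwords on the
    listed accounts, applies one patch level per round."""
    for share in problems.get("open writable fileshare", []):
        h.shares[share] = False
    for acct in problems.get("administrative account without password", []):
        h.admin_accounts[acct] = "set-by-user"   # placeholder
    if "missing patches" in problems:
        h.patch_level += 1


def make_sample_hosts() -> List[Host]:
    """Constructed move-in sample: clean, all three problems, one problem."""
    return [
        Host("abc1", {"Docs": False}, {"Administrator": "x"}, 3),
        Host("def2", {"Music": True, "C$": False}, {"Administrator": "", "backup": "y"}, 1),
        Host("ghi3", {}, {"root": "z"}, 2),
    ]


def run_move_in(hosts: List[Host], remediate=student_self_remediation) -> Dict[str, int]:
    """Summarise a batch the way slide 15 does."""
    results = [register(h, remediate) for h in hosts]
    quarantined = [r for r in results if r.quarantined]
    return {
        "scanned": len(results),
        "clean_on_first_scan": len(results) - len(quarantined),
        "quarantined": len(quarantined),
        "self_remediated": sum(1 for r in quarantined if r.registered),
    }


if __name__ == "__main__":
    print(run_move_in(make_sample_hosts()))
```

Bounding the loop with max_rounds is the code-level counterpart of the "bail out" features on the Post Mortem slide: a host that never comes clean stays quarantined with its scan history intact rather than looping forever, and that history tells the Contact Center which of the three tests is still failing.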

Page 15: Scan at Registration Statistics

► Approximately 6500 systems scanned over move-in weekend
► Of all systems scanned
  65% were probably firewalled
  35% were not firewalled
    ► 25% were clean
    ► 10% had at least one of the three problems
► Close to 12% of the systems had at least one problem (780)
► Around 85% of all quarantined students were able to perform self-remediation

Page 16: Network Quarantine On-Boarding Metrics

[Chart: Number of Vulnerable Systems and Number of Open Cases plotted by Date; vertical axis 0 to 900]

Page 17: Post Mortem

► Gaining early support from the Contact Center and the NOC was an absolute requirement
► Can't underestimate the stress of move-in weekend (the parent effect)
► Trust is important, but "bail out" features go further
  If the scanning or quarantine infrastructure failed, registration would continue as before
  If the Contact Center could not support the demands of quarantined students, all could be released immediately

Page 18: Future Considerations

► Should scanning be expanded to other constituents and infrastructures?
► Should we be more aggressive with our scanning?
  Scan more frequently
  Deeper analysis
► Should we limit ourselves to network scanning or install end point components?
► Should we establish minimum expectations for all computers connecting to our network?

Page 19: Screen Shots

Page 20: Network Quarantine (Incident Types) [screenshot]

Page 21: Network Quarantine (Incident Types) [screenshot]

Page 22: Network Quarantine (Incident Messages) [screenshot]

Page 23: Network Quarantine (Incident Containment) [screenshot]

Page 24: Network Quarantine (Incident Remediation) [screenshot]

Page 25: Network Quarantine (User's View) [screenshot]

Page 26: Network Quarantine (User's View) [screenshot]

Page 27: Network Quarantine (User's View) [screenshot; IP address redacted as 128.XXX.XXX.XXX]