Cybersecurity Continuous Monitoring at Fermilab. Irwin Gaines NLIT 4 May 2015

Transcription

1 Cybersecurity Continuous Monitoring at Fermilab Irwin Gaines NLIT 4 May 2015

2 Outline Why Continuous Monitoring Fermilab and its cyber challenge and strategy Fermilab cyber defenses: what needs to be monitored Examples of dashboards for monitoring 2

3 Why Continuous Monitoring? Any Cyber security program consists of two main components: the sets of security controls (management, operational and technical) that protect cyber systems the sets of processes and practices that provide assurance that the cyber assets are being protected in an effective, efficient and compliant manner We must provide assurance (to the cyber team, to lab management, to DOE site management, and to outside auditors) that both the technical controls and the process workflows are working as designed 3

4 Use cases for continuous monitoring auditors who are verifying compliance with certain orders or standards DOE oversight authorities who are viewing the operation of the program on a continuous basis laboratory management who wants assurance that systems are being protected cyber program management who make resource allocation decisions and need assurance that resources are being applied to highest priority and highest payoff projects cyber program operations team who need assurance that all systems are fully operational Bonus points if the same tools can support all of these cases! 4

5 What do we need to monitor Status of process workflows for testing security controls and updating risk assessments (is our paperwork up to date) Current threat status (who is shooting at us) Current vulnerability status (where might we be hit) Operational status of security counter-measures (are our shields up e.g., heartbeat monitors) Functional status of security counter-measures (are our shields properly repelling attacks) 5

6 Fermilab: America s Particle Physics and Accelerator Laboratory 6

7 Fermi's Cyber Security Challenges.gov domain name makes us an attractive target an enormous network bandwidth makes us an extremely attractive target needs of our science demand a relatively open and unconstrained network large numbers of visiting scientists bring their own devices (mobile and non) Rapidly evolving threat landscape demands alertness and agility 7

8 Fermilab s Cyber Strategy A compliance based checklist strategy will be neither effective nor efficient: Unable to properly prioritize limited resources nor respond to evolving threat environment A risk management strategy can overcome these limitations Execution of this strategy requires the ability to provide oversight bodies with constant insight into the state of cyber risks and defenses: continuous monitoring 8

9 Fermilab s Cyber Defenses The FNAL Computer Security program is made up of layered defenses, operating in either passive or active modes of operation. These defenses consist of: Scanning for critical vulnerabilities and policy violations Regular and ad-hoc penetration testing of all systems Tarpit and blackhole networks Intrusion Detection Systems Active blocking mechanisms Logging of host and network events Web proxy and web antivirus scanning Plus additional services operated by other groups including virus scanning, configuration management, authentication and access control, and network management 9

10 Fermilab Cyber Defenses 10

11 Fermi Continuous Monitoring Components An operational cyber dashboard that shows current status of both paper processes and technical controls A management dashboard (part of FermiDash) that highlights performance indicators and flags areas needing attention Behind the scenes workflows that generate the data for he dashboards (as well as generating alerts, alarms and warnings) 12

12 Operational Dashboard 13

13 Program Management 14

14 Documentation Suite 15

15 ST&E Tracker 16

16 Security Document Status 17

17 Data Calls 18

18 CSBoard Meetings 19

19 CSBoard example: Risk Assessments 20

20 Threat Management 21

21 Netflow 22

22 Honeypot 23

23 Vulnerability Management 24

24 Issue tracking 25

25 Web Proxy 26

26 Critical Vulnerabilities Oct 5, 2012: FNAL Critical Vulnerability: Exposing Adobe ColdFusion Servers to the Internet June 19, 2012: FNAL Critical Vulnerability: Hypernews June 14, 2012: Cumulative Security Update for Internet Explorer (MS ) June 14, 2012: RE RELEASE: Vulnerability in RDP (MS12 020) March 16, 2012: Vulnerability in RDP (MS12 020) December 27, 2011: Telnet server (telnetd) remote code execution November 11, 2011: Vulnerability in TCP/IP (MS11 083) August 24, 2011: Flexera FlexNet/FlexLM License Manager August 2, 2010: Microsoft Shell.LNK Handling (MS10 046) January 14, 2009: Microsoft SMB Service (MS09 001) October 23, 2008: Microsoft Server Service (MS08 067) October 7, 2008: Microsoft Terminal Services Policy Violation October 7, 2008: pcanywhere Policy Violation October 7, 2008: TimBukTu Policy Violation October 7, 2008: VNC Policy Violation May 25, 2007: Vulnerability in SRMWATCH April 4, 2007: Vulnerability in MIT Kerberos Telnet server April 2, 2007: Vulnerability in Windows Animated Cursor Handling (935423) 2007 Jan 12: Critical Vulnerability: MS (929969) 2006 Dec 23: Critical Vulnerability: Symantec Antivirus 10.0.x & 10.1.x 2006 Oct 23: Critical Vulnerability: OpenPBS/Torque 2006 Aug 09: Critical Vulnerability: MS (921883) MS Server Service 2006 May 16: RealVNC and earlier Authentication Bypass 2006 Jan 05: Critical Vulnerability: MS06 01 (912840) MS Windows WMF Handling Irwin Gaines Cybersecurity Continuous Monitoring at Fermilab 27

27 Incident Management 29

28 Total Incidents 30

29 Incident Root Causes 31

30 Asset Management 32

31 CST System Status 33

32 Property database 34

33 System Registration 35

34 Sysadmin Registration 36

35 Data Management Verified R%3ASTTR_FOA_2011_Phase_I.pdf Violation Art K. removed file /computing/dh/data/log link 37

36 Management Dashboard 38

37 Conclusions Continuous monitoring tools have had significant positive effect: Security team gets automated reminders of scheduled required events and notices of areas of concern One-stop shopping helps information retrieval Site office in particular gets continuous insight into program Aids in dealing with audits Leverages use of standard commercial tools (Service-Now, Splunk, SharePoint, etc) 39