Cyber Incident Response

Similar documents
Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Software as a Service (SaaS) and Platform as a Service (PaaS) (ENCS 691K Chapter 1)

Windows Azure and private cloud

STeP-IN SUMMIT June 18 21, 2013 at Bangalore, INDIA. Performance Testing of an IAAS Cloud Software (A CloudStack Use Case)

SESSION 703 Wednesday, November 4, 9:00am - 10:00am Track: Advancing ITSM

A Gentle Introduction to Cloud Computing

Cloud Courses Description

Security Model for VM in Cloud

Private Cloud Database Consolidation with Exadata. Nitin Vengurlekar Technical Director/Cloud Evangelist

Build and Manage Private and Hybrid Cloud. Urban Järund, Sr Regional Services Manager Nordics, Red Hat

Build & Manage Clouds with Red Hat Cloud Infrastructure Products. TONI WILLBERG Solution Architect Red Hat toni@redhat.com

Covering my IaaS: Security and Extending the Datacenter. Brian Bourne Tadd Axon

Intel IT Cloud 2013 and Beyond. Name Title Month, Day 2013

Private Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Clodoaldo Barrera Chief Technical Strategist IBM System Storage. Making a successful transition to Software Defined Storage

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

How To Build A Software Defined Data Center

Considerations for Adopting PaaS (Platform as a Service)

MS 20246C Monitoring and Operating a Private Cloud

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

7 Ways OpenStack Enables Automation & Agility for KVM Environments

FREE AND OPEN SOURCE SOFTWARE FOR CLOUD COMPUTING SERENA SPINOSO FULVIO VALENZA

Cloud Essentials for Architects using OpenStack

Appendix to; Assessing Systemic Risk to Cloud Computing Technology as Complex Interconnected Systems of Systems

Openshift for Continuous Integration

Performance Management for Cloudbased STC 2012

Cloud Hosting. QCLUG presentation - Aaron Johnson. Amazon AWS Heroku OpenShift

Cloud Courses Description

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Sistemi Operativi e Reti. Cloud Computing

Management for the Mobile-Cloud Era

Demystifying the Cloud Computing

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

Implementing Microsoft Azure Infrastructure Solutions

Virtualization - Adoption

A Complete Open Cloud Storage, Virt, IaaS, PaaS. Dave Neary Open Source and Standards, Red Hat

Unleash the IaaS Cloud About VMware vcloud Director and more VMUG.BE June 1 st 2012

Introduction to OpenStack

Trust but Verify. Vincent Campitelli. VP IT Risk Management

Third Party Cloud Services Its Adoption in the New Age

PLUMgrid Open Networking Suite Service Insertion Architecture

Cloud Computing and Open Source: Watching Hype meet Reality

Proactively Secure Your Cloud Computing Platform

SUSE Cloud 2.0. Pete Chadwick. Douglas Jarvis. Senior Product Manager Product Marketing Manager

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

SYMANTEC DATA CENTER SECURITY: MONITORING EDITION 6.5

Private Cloud Management

Savanna Hadoop on. OpenStack. Savanna Technical Lead

Virtualization and Cloud Computing

Implementing Software- Defined Security with CloudPassage Halo

Service Orchestration

Virtual Machine Instance Scheduling in IaaS Clouds

Security & Trust in the Cloud

Virtualization and IaaS management

What Cloud computing means in real life

TOSCA Interoperability Demonstration

Implementing XML-based Role and Schema Migration Scheme for Clouds

Infrastructure as a Service (IaaS)

Journey to the Cloud and Application Release Automation Shane Pearson VP, Portfolio & Product Management

1 What is Cloud Computing? Cloud Infrastructures OpenStack Amazon EC CAMF Cloud Application Management

How To Protect Your Cloud From Attack

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

VMware's Cloud Management Platform Simplifies and Automates Operations of Heterogeneous Environments and Hybrid Clouds

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Security Considerations for Public Mobile Cloud Computing

CLOUD COMPUTING. When It's smarter to rent than to buy

How To Run A Modern Business With Microsoft Arknow

Certified Cloud Computing Professional VS-1067

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

The New Style of IT. Rob McMahon. Director Cloud Computing HP General Western Europe

Symantec Enterprise Security: Strategy and Roadmap Galin Grozev

vcloud Suite Architecture Overview and Use Cases

Li Sheng. Nowadays, with the booming development of network-based computing, more and more

Monitoring, Managing and Supporting Enterprise Clouds with Oracle Enterprise Manager 12c Name, Title Oracle

CLOUD COMPUTING. A Primer

Virtualization and Cloud: Orchestration, Automation, and Security Gaps

Adding value as a Cloud Broker. Nick Hyner Director Cloud Services EMEA Twitter Dell.com/Cloud

Experiences with Transformation to Hybrid Cloud: A Case Study for a Large Financial Enterprise

Security Aspects of Cloud Computing

Building Private & Hybrid Cloud Solutions

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

VMware on VMware: Private Cloud Case Study Customer Presentation

Using SUSE Cloud to Orchestrate Multiple Hypervisors and Storage at ADP

Top 20 Critical Security Controls

Planning, Provisioning and Deploying Enterprise Clouds with Oracle Enterprise Manager 12c Kevin Patterson, Principal Sales Consultant, Enterprise

Transcription:

Secure Information Sharing for Cyber Response Teams Cyber Incident Response Models and Platforms for Information and Resource Sharing UTSA Team Ram Krishnan, Assistant Professor (ECE) Ravi Sandhu, Professor (CS) and Executive Director (ICS) Amy Zhang, PhD Candidate, UTSA October 06, 2014

THANKS! 2

Cyber Incidents Recent incidents JPMorgan Chase and 9 other financial institutions >76M households compromised Target, Home Depot, Michaels, Nieman Marcus 3

Cyber Incident Response Information sharing Two major challenges Policy Technology 4

National Information Sharing and Inter-agency collaboration and coordination to enhance situational awareness Share malicious activities on federal systems Technologies, tools, procedures, analytics Coordination Initiatives 5 Ref: http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative

National Cybersecurity Center 6 Ref: http://www.whitehouse.gov/files/documents/cyber/cybersecuritycentersgraphic.pdf

Project Scope Focus on technical challenges Sharing amongst a set of organizations Information, infrastructure, tools, analytics, etc. May want to share malicious or infected code/systems (e.g. virus, worms, etc.) Sensitive Often ad hoc What are the effective ways to facilitate sharing in such circumstances? Information sharing models Infrastructure, technologies, platforms 7

Electric Grid Scenario Cyber incidents in electricity providers Local utilities, regional, state, national operators Need a standing platform that facilitates sharing Controlled access 8

Community Scenario Cyber incidents across critical infrastructure providers in a community Emergency response, healthcare, banks, utility Need a community information sharing platform Controlled access Community Cyber Security Maturity Model Yardstick to determine current cyber security posture 9

Data Exfiltration Scenario Unusual file transfers from IP addresses within an org to an external IP address Similar activities observed in partner orgs Need to find if these events are connected Any correlation between those files? Share resources for analysis+collaboration 10

Key Requirements for Information Sharing Cyber infrastructure Light-weight and agile Rapid deployment and configuration Secure isolated environment 11

Cyber Infrastructure for Sharing Traditional platforms Shared storage SharePoint, Dropbox, Google Drive, etc. Shared infrastructure Grid computing Modern platform Cloud 12

Cloud Service Models Software as a Service (SaaS) Network accessible software Platform as a Service (PaaS) App dev environment with cloud characteristics Infrastructure as a Service (IaaS) Virtualized hardware infrastructure 13

Physical Datacenter IaaS Cloud VM VM VM VM VM VM VM VM VM VM VM VM Hypervisor Hypervisor Hypervisor Hypervisor Physical Machine Physical Machine Physical Machine Physical Machine Tenant 1: Need 3 VMs Tenant 2: Need 3 VMs Tenant 3: Need 2 VMs Tenant 2: Need 3 VMs Each tenant sees a virtual private datacenter Tenant 4: Need 1 VM 14

Cloud IaaS Advantages for Cyber Incident Sharing Virtualized resources Theoretically, one can take a snapshot and mobilize Operational efficiency Light-weight and agile Rapid deployment and configuration Dynamic scaling Self-service 15

Cloud IaaS Challenges for Cyber Incident Sharing Tenants are strongly isolated IaaS clouds lack secure sharing models Storage Compute Networks Need ability to snapshot tenant infrastructure, share, and control who can access Share by copy 16

Sharing Model in Cloud IaaS View #1: Org A View #2: SID Participant A Add/Remove Data Join/Leave Users Secure Isolated Domain (SID) Add/Remove Data Participant C Join/Leave Users View #1: Org C View #2: SID Add/Remove Data Join/Leave Users Participant B Can create multiple secure isolated projects (SIPs) within SID with different controls View #1: Org B View #2: SID 17

Conceptual Model Administrative Model Operational Model Collaboration Group Establish/Disband Join User Join User ORG A Leave User Add Version Remove Version Merge Version Create RO/RW Subject Kill Subject Create Object Read/Update Version Suspend/Resume Suspend/Resume Version Version Leave User Add Version Remove Version Merge Version ORG B Substitute User Import Version Substitute User 18

Read-only Vs Read-Write Subjects Org A Collaboration Group Org B Read Export Read Only subjects can read from multiple groups/entities Read-Write subjects restricted to one group Malicious Group Subject Object 19

Merge Vs Export of Objects Org A Merge Collaboration Group Copy? Merge Org B Add Add Copy? Export Export Add? Newly created group object Org C Add 20

OpenStack OpenStack > 200 companies ~14000 developers >130 countries Dominant open-source cloud IaaS software Ref: http://www.openstack.org 21

OpenStack Access Control (OSAC) 22

OSAC-SID 23

OSAC-SID Administrative Model 24

OSAC-SID Operational Model 25

SID and SIP in OpenStack CPS SID-Critical-Infrastructure SAWS Admin: CPSadmin Users: Alice@CPS, Bob@CPS member IT-CPS Create member Admins: CPSadmin, SAWSadmin Users: Alice@CPS, Harry@SAWS SIP- PortScanning SIP-DOS Join member Admin: SAWSadmin Users: Harry@SAWS member IT-SAWS Share objects, VMs, etc. Admin: SAPDadmin Users: Martin@SAPD member IT-SAPD 26 SAPD

Key Accomplishments (1) Developed sharing models Formal specification Cloud-based instantiation Enhanced OpenStack with SID/SIP capabilities Cyber incident response capabilities out of the box Self-service SID/SIP specific security Share data, tools, etc. in an isolated environment Ability to execute and analyze malicious code in an isolated environment Practitioners can deploy a cyber incident response cloud Potential blueprint for official OpenStack adoption 27

Key Accomplishments (2) Initial work published in Association for Computing Machinery (ACM) Workshop on Information Sharing and Collaborative Security (WISCS 14) To be presented on November 3, 2014 in Scottsdale, AZ Potential dissertation topic for Amy Zhang, PhD Candidate 28

Next Steps (1) Integrate STIX-TAXII in SID Information Sharing Specifications for Cybersecurity Trusted Automated exchange of Indicator Information (TAXII) Structured Threat Information expression (STIX) Cyber Observable expression (CybOX) 29

Next Steps (2) Fine-grained and expressive access control Hardened SID/SIP User-friendly interface for management Develop cyber incident response lifecycle management in cloud Prepare, share, detect & analyze, contain/eradicate, post-incident activity, etc. 30

Thanks Comments, Q&A 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information