Cybersecurity Continuous Monitoring at Fermilab
Irwin Gaines
NLIT, 4 May 2015
Outline
- Why continuous monitoring
- Fermilab and its cyber challenge and strategy
- Fermilab cyber defenses: what needs to be monitored
- Examples of dashboards for monitoring
Why Continuous Monitoring?
Any cyber security program consists of two main components:
- the sets of security controls (management, operational and technical) that protect cyber systems
- the sets of processes and practices that provide assurance that the cyber assets are being protected in an effective, efficient and compliant manner
We must provide assurance (to the cyber team, to lab management, to DOE site management, and to outside auditors) that both the technical controls and the process workflows are working as designed.
Use cases for continuous monitoring
- auditors who are verifying compliance with certain orders or standards
- DOE oversight authorities who are viewing the operation of the program on a continuous basis
- laboratory management who want assurance that systems are being protected
- cyber program management who make resource allocation decisions and need assurance that resources are being applied to the highest priority and highest payoff projects
- the cyber program operations team who need assurance that all systems are fully operational
Bonus points if the same tools can support all of these cases!
What do we need to monitor?
- Status of process workflows for testing security controls and updating risk assessments (is our paperwork up to date?)
- Current threat status (who is shooting at us?)
- Current vulnerability status (where might we be hit?)
- Operational status of security counter-measures (are our shields up? e.g., heartbeat monitors)
- Functional status of security counter-measures (are our shields properly repelling attacks?)
Fermilab: America's Particle Physics and Accelerator Laboratory
Fermi's Cyber Security Challenges
- A .gov domain name makes us an attractive target
- An enormous network bandwidth makes us an extremely attractive target
- The needs of our science demand a relatively open and unconstrained network
- Large numbers of visiting scientists bring their own devices (mobile and non-mobile)
- A rapidly evolving threat landscape demands alertness and agility
Fermilab's Cyber Strategy
- A compliance-based checklist strategy will be neither effective nor efficient: it is unable to properly prioritize limited resources or respond to an evolving threat environment
- A risk management strategy can overcome these limitations
- Execution of this strategy requires the ability to provide oversight bodies with constant insight into the state of cyber risks and defenses: continuous monitoring
Fermilab's Cyber Defenses
The FNAL Computer Security program is made up of layered defenses, operating in either passive or active modes. These defenses consist of:
- Scanning for critical vulnerabilities and policy violations
- Regular and ad-hoc penetration testing of all systems
- Tarpit and blackhole networks
- Intrusion Detection Systems
- Active blocking mechanisms
- Logging of host and network events
- Web proxy and web antivirus scanning
Plus additional services operated by other groups, including virus scanning, configuration management, authentication and access control, and network management.
Fermilab Cyber Defenses (diagram)
Fermi Continuous Monitoring Components
- An operational cyber dashboard that shows the current status of both paper processes and technical controls
- A management dashboard (part of FermiDash) that highlights performance indicators and flags areas needing attention
- Behind-the-scenes workflows that generate the data for the dashboards (as well as generating alerts, alarms and warnings)
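As an added illustration (not Fermilab's code), here is one way a behind-the-scenes workflow could roll the three questions from the "What do we need to monitor" slide, heartbeat (operational), self-test (functional) and paperwork currency (process), into a traffic-light status for the operational dashboard and an alert list. The Control record, its field names and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical control record: one row per security counter-measure on the
# operational dashboard. Field names are assumptions, not Fermilab's schema.
@dataclass
class Control:
    name: str
    last_heartbeat: datetime     # operational status: when the control last reported in
    heartbeat_sla: timedelta     # how stale a heartbeat may be before "shields down"
    last_selftest_ok: bool       # functional status: was the last canned test detected/blocked
    last_review: datetime        # process status: last ST&E / risk-assessment update
    review_period: timedelta     # how often that paperwork must be refreshed

def evaluate(ctl: Control, now: datetime):
    """Return (colour, findings) for one control.

    red   = the control is down or not doing its job (operational/functional)
    amber = the control works but its paperwork is overdue (process)
    green = nothing to flag
    """
    findings = []
    if now - ctl.last_heartbeat > ctl.heartbeat_sla:
        findings.append("operational: heartbeat stale")
    if not ctl.last_selftest_ok:
        findings.append("functional: last self-test not detected")
    if now - ctl.last_review > ctl.review_period:
        findings.append("process: review overdue")
    technical = any(f.startswith(("operational", "functional")) for f in findings)
    colour = "red" if technical else ("amber" if findings else "green")
    return colour, findings

def dashboard(controls, now):
    """Roll every control up into {name: (colour, findings)}; red rows are the alert list."""
    return {c.name: evaluate(c, now) for c in controls}

# Constructed sample data (not real Fermilab status).
NOW = datetime(2015, 5, 4, 12, 0)
SAMPLE = [
    Control("ids-sensor", NOW - timedelta(minutes=2), timedelta(minutes=5), True,
            NOW - timedelta(days=60), timedelta(days=365)),
    Control("web-proxy-av", NOW - timedelta(minutes=30), timedelta(minutes=5), True,
            NOW - timedelta(days=60), timedelta(days=365)),
    Control("vuln-scanner", NOW - timedelta(minutes=1), timedelta(minutes=5), True,
            NOW - timedelta(days=400), timedelta(days=365)),
    Control("blackhole-net", NOW - timedelta(minutes=1), timedelta(minutes=5), False,
            NOW - timedelta(days=10), timedelta(days=365)),
]

if __name__ == "__main__":
    for name, (colour, findings) in dashboard(SAMPLE, NOW).items():
        print(f"{name:14s} {colour:6s} {'; '.join(findings)}")
```

The split between red (technical control failing) and amber (paperwork overdue) is what lets the same data feed both the operations team's alert list and the management dashboard's performance indicators.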
Operational Dashboard
Program Management
Documentation Suite
ST&E Tracker
Security Document Status
Data Calls
CSBoard Meetings
CSBoard example: Risk Assessments
Threat Management
Netflow
Honeypot
Vulnerability Management
Issue tracking
Web Proxy
Critical Vulnerabilities
- Oct 5, 2012: FNAL Critical Vulnerability: Exposing Adobe ColdFusion Servers to the Internet
- June 19, 2012: FNAL Critical Vulnerability: Hypernews
- June 14, 2012: Cumulative Security Update for Internet Explorer (MS12-037)
- June 14, 2012: RE-RELEASE: Vulnerability in RDP (MS12-020)
- March 16, 2012: Vulnerability in RDP (MS12-020)
- December 27, 2011: Telnet server (telnetd) remote code execution
- November 11, 2011: Vulnerability in TCP/IP (MS11-083)
- August 24, 2011: Flexera FlexNet/FlexLM License Manager
- August 2, 2010: Microsoft Shell .LNK Handling (MS10-046)
- January 14, 2009: Microsoft SMB Service (MS09-001)
- October 23, 2008: Microsoft Server Service (MS08-067)
- October 7, 2008: Microsoft Terminal Services Policy Violation
- October 7, 2008: pcAnywhere Policy Violation
- October 7, 2008: Timbuktu Policy Violation
- October 7, 2008: VNC Policy Violation
- May 25, 2007: Vulnerability in SRMWATCH
- April 4, 2007: Vulnerability in MIT Kerberos Telnet server
- April 2, 2007: Vulnerability in Windows Animated Cursor Handling (935423)
- 2007 Jan 12: Critical Vulnerability: MS07-004 (929969)
- 2006 Dec 23: Critical Vulnerability: Symantec Antivirus 10.0.x & 10.1.x
- 2006 Oct 23: Critical Vulnerability: OpenPBS/Torque
- 2006 Aug 09: Critical Vulnerability: MS06-040 (921883) MS Server Service
- 2006 May 16: RealVNC 4.1.1 and earlier Authentication Bypass
- 2006 Jan 05: Critical Vulnerability: MS06-001 (912840) MS Windows WMF Handling
Incident Management
Total Incidents
Incident Root Causes
Asset Management
CST System Status
Property database
System Registration
Sysadmin Registration
Data Management
(screenshot of the data management dashboard; visible entries include:)
http://cddocdb.fnal.gov/0041/004169/001/sbi Verified R%3ASTTR_FOA_2011_Phase_I.pdf
http://wwwnumi.fnal.gov/fnal_minos Violation Art K. removed file /computing/dh/data/log link
Management Dashboard
Conclusions
Continuous monitoring tools have had a significant positive effect:
- The security team gets automated reminders of scheduled required events and notices of areas of concern
- One-stop shopping helps information retrieval
- The site office in particular gets continuous insight into the program
- Aids in dealing with audits
- Leverages standard commercial tools (Service-Now, Splunk, SharePoint, etc.)