NSHaRP: Network Security Handling and Response Process
Wayne Routly, DANTE
TF-CSIRT Technical Seminar, Malahide, IE, 03 June 2011
Contents
- GEANT: Who, What, How
- GEANT: Security
- Protecting GEANT Users
- A Security Conundrum
- Overflowing with Requirements
- Early Work... Lots of It
- A Process is Born
- A Solution
- A Look Under the Hood
- So What Are the Options
- To Profile or Not to Profile
- The Process in Action
- Where Are We Now?
- Conclusion
GEANT: Who, What, How
- State of the Art Pan-European Network: Transit Network, ISP
- 18 Physical PoPs
- 40 GB links -> 100 GB
- TB of Data shifted
- 10 million+ IPs
- >100 Workstations
- Unusual Traffic
- Truly Global Interconnects
- NRENs
- Commercial & Commodity Traffic
Protecting GEANT Users
In an age of ever faster networks and greater connectivity, networks and users are under even greater risk of attack.
- Network Based Attacks: Paypal, VISA, Amazon
- Wikileaks
- Political
Maintain service levels by proactively monitoring and mitigating against potential attacks?
A Security Conundrum
How do we notify potential victims / sources & assist in solving those incidents for dozens of situations?
[Chart: Number of Events Detected - 12 months (y-axis: # of events, 0 to 3500)]
How do we double the number of tickets we can handle without doubling the manpower? Automate it?
[Chart: Attacks where NREN is DST - April 2011 (y-axis: 0 to 300)]
Overflowing with Requirements
Dozens of ways to report events... How do we notify potential victims & assist in solving those incidents for dozens of situations?
- I only want to see events that have a HIGH severity rating
- I want Information Gathering events to be sent to the CERT & my manager
- I want Denial of Service events sent to the CERT and Network Scan events sent to the Security Officer
- I want evidence of attack to be included for all events
- I only want to be notified of a maximum of 30 events per week
- I want to see all events originating from my network
- I want to see events targeting my network and coming from my network
- I can only handle 5 incidents per day
- I only want to be notified of DoS events
- I want to know what incidents are attacks on my network
- I need my notifications to be digitally signed
Early Work... Lots of It
Presentations @ TF-CSIRT / TNC / APM:
- Quantitative Cross Comparative Analysis of Tools for Anomaly Detection
- Anomaly Tool Implementation in GÉANT
- Anomaly Detection in Backbone Networks: Building a Security Service Upon an Innovative Tool
- GEANT Access Port Manager (APM) Meetings
- A dozen internal presentations ;-)
Papers (Computers & Security / IEEE):
- Operational Experiences with Anomaly Detection in Backbone Networks
Poster/Demo (SIGCOMM):
- Towards Automatic Root-Cause Analysis of Network Anomalies using Frequent Itemset Mining
A Process is Born
DANTE is rolling out NSHaRP:
- Complete security solution
- Provides a mechanism to quickly and effectively inform affected users
- Adds Value: serves as an extension to the NREN's CERT
- An Automated Incident Notification & Handling System
- Extends the NREN's detection and mitigation capability to GEANT borders
- Innovative and Unique: caters for different types of requirements
- Supported with the GEANT NOC TTS
A Look Under The Hood
Netreflex 2.5:
- BGP, IS-IS & Netflow Mashup
- Anomaly Detection & Alerting
- Ability to create profiles... lots of profiles
- Expandable Anomaly Type capability
- Can also be used by the NOC?
Service Desk Express:
- Automated GEANT NOC Ticket Creation
- 2nd / 3rd Line Support
- Automated Ticket Closure
- Modular & Extendable
...about those profiles.
So What Are the Options
To Profile or Not to Profile
User Warning: POWERPOINT ANIMATION - VIEWER DISCRETION IS ADVISED
The Process... In Action
- NREN A, Profile for NREN A
- NREN B, Profile for NREN B
- Domain A, Profile for Domain A
- GÉANT
Usage of GÉANT resources to protect end users. Not only a notification system, but a complete security solution.
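The per-NREN profiles in the requirements slide and in the "Process in Action" slide amount to a filtering and routing policy over detected events. The following is an added illustration, not NSHaRP's or DANTE's own code: a minimal profile model (field names, event fields and recipient names are all assumptions) applied to constructed sample events, showing how severity thresholds, per-type routing, direction filters, a notification cap, evidence inclusion and a signing flag combine.

```python
# Added example (not the NSHaRP code): model of a notification profile.
from dataclasses import dataclass, field

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}   # ordering used for thresholds


@dataclass
class Profile:
    network: str                                 # hypothetical NREN identifier
    min_severity: str = "LOW"                    # "only HIGH severity events"
    routes: dict = field(default_factory=dict)   # event type -> recipients
    default_recipients: tuple = ("cert",)        # fallback for unrouted types
    directions: frozenset = frozenset({"src", "dst"})  # events from / to my network
    max_per_period: int = 0                      # "max 30 events per week"; 0 = no cap
    include_evidence: bool = False               # "include evidence for all events"
    sign: bool = False                           # "notifications digitally signed"


def apply_profile(profile, events):
    """Return the notifications one profile produces for a batch of events.

    Each event is a dict with keys type, severity, direction and evidence.
    An event is dropped below the severity threshold or outside the requested
    directions; once the per-period cap is reached, remaining events are
    not notified (they still exist in the detection system, just not sent).
    """
    out = []
    for ev in events:
        if SEVERITY[ev["severity"]] < SEVERITY[profile.min_severity]:
            continue
        if ev["direction"] not in profile.directions:
            continue
        if profile.max_per_period and len(out) >= profile.max_per_period:
            break
        note = {"to": profile.routes.get(ev["type"], profile.default_recipients),
                "type": ev["type"], "severity": ev["severity"],
                "signed": profile.sign}
        if profile.include_evidence:
            note["evidence"] = ev["evidence"]
        out.append(note)
    return out


# Constructed sample events (not real detections) involving one NREN's network.
SAMPLE_EVENTS = [
    {"type": "dos", "severity": "HIGH", "direction": "dst", "evidence": "flow-1"},
    {"type": "scan", "severity": "LOW", "direction": "src", "evidence": "flow-2"},
    {"type": "scan", "severity": "MEDIUM", "direction": "dst", "evidence": "flow-3"},
    {"type": "infogather", "severity": "HIGH", "direction": "src", "evidence": "flow-4"},
]

# Profile A: medium+ severity, typed routing, cap of 2 per period, with evidence.
NREN_A = Profile("nren-a", min_severity="MEDIUM", max_per_period=2, include_evidence=True,
                 routes={"dos": ("cert",), "scan": ("security-officer",),
                         "infogather": ("cert", "manager")})
# Profile B: only HIGH events targeting my network, signed, no cap.
NREN_B = Profile("nren-b", min_severity="HIGH", directions=frozenset({"dst"}), sign=True)
```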
Where Are We Now?
Development:
- Process Completed
- Testing in progress
- Training
Next Steps:
- Pilot: 2 months (Invitation)
- Production: August 2011
- IP Peering Reporting
Future enhancements:
- Adding external sources?
- Correlate multiple events
- Expanding incident palette
- Evolution of threats
- X-ARF?
Conclusions
- Big... Really Big Network
- Protect Users - Wikileaks
- How to cater for user requirements? Can this be automated?
- I want it my way, oh, and that way as well
- NSHaRP: Network Security Handling & Response Process
- Pieces that make it all work: Netreflex & SDE TTS
- Profiles, Profiles and even more Profiles
- Pilot July, Production August
- Future Work: New Anomalies, X-ARF
Questions & Answers
Thank You
Wayne Routly, wayne.routly@dante.net
Juan Quintanilla, Juan.Quintanilla@dante.net