Review of Network Quarantine and Scan at Registration (SARS)


Network Quarantine at Cornell University
Steve Schuster, Director, Information Security Office

Overview
- Cornell's incident response strategy
- Introduction to Network Quarantine
- Review of Scan at Registration System (SARS)
- Post mortem (what we did intelligently)
- Future considerations

Organizational Structure
Contact Center
- Part of Customer Services and Marketing
- Addresses end user support, patch support and virus remediation
Network Operations Center (NOC)
- Part of Systems and Operations
- Initial security triage, incident response, blocks and notifications
IT Security Office
- Development of operational procedures, technical solutions and backline support

Some Security Challenges at Cornell
- A general openness and decentralization leads to a larger number of incidents
- Responding to incidents can be staff intensive
- Unmanaged (student) systems arrive on our network several times each year
- Incident notification is a challenge
- Wide range of end user support needs

Responding to Incidents
- The Security Office will react to and contain campus systems that are compromised or highly vulnerable
- The NOC had a mix of tools and manual processes for opening cases, notifying impacted parties and implementing containment
- The Security Office often sends the NOC containment requests that were tedious to service with the current tools
- Response to a wide range of security issues put much strain on the Contact Center
- The current mechanism for containment was not fully effective and didn't work in some environments

Network Quarantine Objectives
- Provide better end user communication based upon the observed incident
- Articulate self-remediation information and requirements when appropriate
- Improve cost effectiveness of security support (NOC, Contact Center)
- More effective system isolation
- Better incident tracking and remediation for local support providers
- Quicker/escalated response for critical systems

Network Quarantine (Basic Features)
- The right action is taken depending upon the type of system: registration (10 space), DMZ blocked
- Critical system notification: the response for systems identified as critical is escalated to the Security Office and the appropriate local support provider
- Incidents can be created, modified and closed via web and socket interfaces; the latter allows batch processing and automation
- NQ interacts with Vantive, creating a new case when an incident is opened
- Modifications to an incident trigger e-mail to the user and net admin and updates to Vantive
- Specific incident remediation information is provided for end users
- With appropriate credentials, CIT personnel, including the Contact Center, and campus system administrators can search for and review incidents

Network Quarantine (Incident Types), (Incident Messages), (Incident Containment), (Incident Remediation) and (User's View): screenshot slides of the NQ interface; only the slide titles survive (the user's view shows a redacted address, 128.XXX.XXX.XXX).

Network Quarantine (Specific Features)
- For each new incident: a new incident type for tracking, establishment of resolution requirements, and an incident-specific message to users
- Users receive much better communication
- Self-release feature: users are able to correct the issue themselves, saving staff time at the Contact Center
- Process automation, better user communication and self-release have saved money

Incident Response Costs
Virus remediation costs per incident
- Contact Center: average 10 minutes
- NOC: average 3 minutes
System compromise costs per incident
- Contact Center: simple support 20 minutes; full rebuild 1-4 hours
- NOC: average 5 minutes

Network Quarantine (Cost Savings)
Virus remediation costs per incident
- Contact Center: same, but many self-release
- NOC: under 1 minute
System compromise costs per incident
- Contact Center: simple support 20 minutes; full rebuild 1-4 hours
- NOC: under 1 minute

Scan at Registration System (SARS)
- All on-campus student computers were automatically scanned upon registration
- Objectives: drastically reduce the number of infected or compromised student systems coming to campus; promote better security practices

Enabling Features of NQ that Supported SARS
- Automation of containment and remediation
- Redirection to the Network Quarantine infrastructure
- Articulated steps to support self-remediation
- Incident tracking

Scan at Registration System (SARS): Requirements for ResNet Registration
- Each computer system must be registered with a valid NetID
- Each computer must be configured to a minimum set of security standards:
  - No open writable fileshares
  - All administrative accounts must have a password
  - Must be patched

Student Registration Process
Every on-campus student went through the following process:
1. Plug into the network and get redirected to the ResNet Registration page
2. Authenticate with NetID and fill in the necessary information for registration
3. Wait 90 seconds for registration to complete and the system check to occur
4. If the system passed all three tests: registration complete
5. Else: redirected to NQ, informed of the problem and provided directions for remediation; rescan upon completion of remediation; repeat

Scan at Registration Statistics
- Approximately 6500 systems scanned over move-in weekend
- Of all systems scanned: 65% were probably firewalled; 35% were not firewalled, of which 25% were clean and 10% had at least one of the three problems
- Close to 12% of the systems had at least one problem (780)
- Around 85% of all quarantined students were able to perform self-remediation
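The registration decision and the NQ self-release loop from the Student Registration Process above, simulated as an added example that is not Cornell's SARS or Network Quarantine code; it also models the bail-out behaviour (scanner down means registration continues as before). ScanReport, its field names, the incident-type names and the remediation messages are assumptions.

```python
# Added example, not Cornell's SARS or Network Quarantine code: a simulation
# of the registration decision (three tests: no open writable shares, no
# passwordless admin accounts, patched) and the NQ self-release loop.
# ScanReport, its fields and the remediation texts are assumptions.
from dataclasses import dataclass, field


@dataclass
class ScanReport:
    """Constructed outcome of the three SARS checks for one student system."""
    netid: str
    open_writable_shares: list = field(default_factory=list)
    passwordless_admin_accounts: list = field(default_factory=list)
    missing_patches: list = field(default_factory=list)


# One NQ incident type per failed test, with the resolution requirement
# that becomes the incident-specific message shown to the user.
CHECKS = [
    ("open_share", "open_writable_shares",
     "Remove or restrict writable file shares: {}"),
    ("blank_admin_password", "passwordless_admin_accounts",
     "Set a password on every administrative account: {}"),
    ("unpatched", "missing_patches",
     "Install the missing security updates: {}"),
]


def evaluate(report):
    """Return (incident_type, user_message) for each failed test.
    An empty list means the system passed all three tests."""
    findings = []
    for incident_type, attr, template in CHECKS:
        items = getattr(report, attr)
        if items:
            findings.append((incident_type, template.format(", ".join(items))))
    return findings


def register(report, rescans, scanner_available=True):
    """Run the SARS flow. `rescans` is an iterator of follow-up ScanReports
    taken after each self-remediation attempt. Returns (status, history),
    where history lists the failed incident types at each scan."""
    if not scanner_available:
        # Bail-out: if the scan infrastructure fails, registration
        # continues as it did before SARS rather than blocking move-in.
        return "registered_unscanned", []
    history, current = [], report
    while True:
        findings = evaluate(current)
        history.append([t for t, _ in findings])
        if not findings:
            return "registered", history       # all three tests passed
        current = next(rescans, None)          # user remediated? rescan
        if current is None:
            return "quarantined", history      # no rescan yet: stays in NQ
```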

Network Quarantine On-Boarding Metrics
(chart: Number of Vulnerable Systems and Number of Open Cases by date; vertical axis 0 to 900)

Post Mortem
- Gaining early support from the Contact Center and NOC was an absolute requirement
- Can't underestimate the stress of move-in weekend (the "parent effect")
- Trust is important, but bail-out features go further:
  - If the scanning or quarantine infrastructure failed, registration would continue as before
  - If the Contact Center could not support the demands of quarantined students, all could be released immediately
