EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN

EGEE ARM-2 – 5 Oct Security Coordination Objectives LCG Grid Deployment Board (GDB) meeting in July Discover/own/chase/fix security incidents Liaise with national/institute CERTs Install/run appropriate monitoring/intrusion detection Ensure known problems are patched or worked around Analyse audit logs Perform security LCG Service Challenges Ownership of … Security incidents From notification to resolution Liaise with national/institute CERTs Middleware security problems Liaise with development & deployment groups Co-ordination of security monitoring Post-mortem analysis Access to team of experts

EGEE ARM-2 – 5 Oct Security Activities in EGEE JRA3JRA1 NA4 Middleware Security Group LCG/EGEE Joint Security Group NA4 Solutions/Recommendations Req. SA1 “Joint Security Group” defines policy and procedures For LCG/GDB and EGEE/SA1 (Cross Membership of OSG) CA Coordination From Dave Kelsey’s CHEP’04 Plenary Talk Security Activities in EGEE

EGEE ARM-2 – 5 Oct OSG - Security Incident Handling and Response Guide (draft) To guide the development and maintenance of a common capability for handling and response to cyber security incidents on Grids. The capability will be established through (1) common policies and processes, (2) common organizational structures, (3) cross-organizational relationships, (4) common communications methods, and (5) a modicum of centrally-provided services and processes.

EGEE ARM-2 – 5 Oct Policy – the Joint Security Group Security & Availability Policy Usage Rules Certification Authorities Audit Requirements GOC Guides Incident Response User Registration Application Development & Network Admin Guide (1) Common policies and processes

EGEE ARM-2 – 5 Oct Security Coordination - Groups Parties from OSG IR Security Operations Centre(s) (=?GOCs/CICs) Organize, coordinate, track, report Security contacts Defined for every grid participant: users and resources Incident Response & Technical Experts Managed list of available expertise Ad hoc Incident Response teams Formed on demand Security Operations Advisory group Advise development and practice of SOC (=JSG+?) X-SOC coordination SOCs participation/communication across grid boundaries (2) common organizational structures

EGEE ARM-2 – 5 Oct Security Coordination - Channels OSCT ROC RC CIC/GOC CSIRT “External” GRID Media/Press “PR” (3) cross-organizational relationships, EGEE operational channels still being established. Responsibilities and processes being defined.

EGEE ARM-2 – 5 Oct Security Coordination – Comms. Incident Reporting List Security Contacts Discussion List External contact Reporting Other grids MUST be Encrypted How is this achieved and managed? Tracking system MUST be secure Press and Public Relations (4) common communications methods ? →

EGEE ARM-2 – 5 Oct Operational Security - Services List Management Alert/Discuss – ref: previous slide Multiple ad-hoc IR Teams Experts Ticket Tracking System Where do problems enter? – local contact Can this be part of support lists? Must be secure Public Relations Securely accessible evidence repository Guidelines, practice statements Policy interface to JSG OSCT must (help) define process behind all these services (5) a modicum of centrally-provided services and processes

EGEE ARM-2 – 5 Oct Security Coordination - Issues “Security Operations Centre”: what is it for EGEE/LCG? Don’t think we can have “Central” control So formulate activity as “coordination team” Security contacts lists need management Dead boxes, moderated boxes, etc etc Do we have appropriate contact: site security or local admin? Need to coordinate through Regional Operations Centres (ROC) Need to utilise services from Core Infrastructure Centres (CIC) Wherever possible - don’t duplicate channels What is the relationships with LCG GOCs and EGEE CICs? –Are they the same? Are we communicating with local site security team or grid ‘admin’ responsibles

EGEE ARM-2 – 5 Oct Operational Security – where to start? “Start small and keep it simple.” Define basic structures Where/how lists hosted Where/how problems tracked Who/where/how ‘experts’ organised JSG review and update policy documents ROCs to take over management of contacts lists Must integrate with site registration process Establish what level of support is behind site security entries Relationships with local/national C Validate/test entries Exercise channels and raise awareness by Security Challenges – next slide.

EGEE ARM-2 – 5 Oct Security Service Challenges Objectives Evaluate the effectiveness of current procedures by simulating a small and well defined set of security incidents. Use the experiences of a) in an iterative fashion (during the challenges) to update procedures. Formalise the understanding gained in a) & b) in updated incident response procedures. Provide feedback to middleware development and testing activities to inform the process of building security test components. Exercise response procedures in controlled manner Non-intrusive Compute resource usage trace to owner –Run a job to send an Storage resource trace to owner –Run a job to store a file Disruptive Disrupt a service and map the effects on the service and grid