Slide 1: Federated Incident Response
Authentication and Authorisation for Research and Collaboration
David Groep (borrowing heavily from Hannah Short, CERN), Policy and Best Practice activity coordination, Nikhef
ISGC Security Workshop, Taipei, March 31, 2019
Security Workshop 2019 co-supported by EOSC-HUB
Slide 2: R&E federation and eduGAIN – what you may know already
eduGAIN – many countries & economic regions with an R&E identity federation
… yet incident response has to be global (since the miscreants certainly are)
… full of valuable resources (data, network, services)
graphics sources: map technical.edugain.org; federation drawing: Hannah Short, CERN; Infrastructure logos: AARC Pilot use cases
Slide 3: But what appears trivial …
(diagram: one IdP and several SPs, connected through the federation)
- An SP notices suspicious jobs executed by a handful of users from an IdP
- The SP notifies the IdP
- The IdP identifies over 1000 compromised identities
- The IdP identifies all SPs accessed
- The IdP notifies those SPs
graphics source: Hannah Short, CERN
Slide 4: … may not be so …
(same diagram as the previous slide, now with the points where the flow breaks down marked with X and !)
- SP notices suspicious jobs executed by a handful of users from an IdP, notifies IdP
- Small IdP may not have capability to block users, or trace their usage
- IdP identifies over 1000 compromised identities
- Large SP does not share details of compromise, for fear of damage to reputation
- IdP identifies all SPs accessed, notifies SPs: no security contact details!
- SPs are not bound to abide by confidentiality protocol and disclose sensitive information
graphics source: Hannah Short, CERN
Slide 5: A Security Incident Response Trust Framework – Sirtfi summary
Operational Security: require that a security incident response capability exists with sufficient authority to mitigate, contain the spread of, and remediate the effects of an incident.
Incident Response: assure confidentiality of information exchanged; identify trusted contacts; guarantee a response during collaboration.
Traceability: improve the usefulness of logs; ensure logs are kept in accordance with policy.
Participant Responsibilities: confirm that end users are aware of an appropriate AUP.
Slide 6: Sirtfi today – https://refeds.org/SIRTFI
(map: countries with at least one Sirtfi entity)
graphics source: AARC2 DNA3.2 Report on Incident Response in FIM; data: technical.edugain.org
Slide 7: Want to check? http://sirtfi.cern.ch/
graphics source: Hannah Short, CERN
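Slide 7 points at a web checker for Sirtfi status; the two signals that checker and slide 4 ("no security contact details!") are really about live in the entity's SAML metadata. The following Python script is an added example, not part of the presentation and not the code of the sirtfi.cern.ch tool: it runs the same check offline on a metadata aggregate, reporting per entity whether the Sirtfi entity-category value (https://refeds.org/sirtfi in the assurance-certification entity attribute) is asserted and which REFEDS security contacts (contact type http://refeds.org/metadata/contactType/security) are published. The aggregate is constructed inline and the entity IDs and addresses in it are invented.

```python
"""Audit a SAML metadata aggregate for the two Sirtfi signals an incident
responder needs: the Sirtfi self-assertion and a REFEDS security contact.
Added example; not the presentation's or the sirtfi.cern.ch tool's code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# ElementTree exposes namespaced attributes as "{uri}local".
REMD_CONTACT_TYPE = "{http://refeds.org/metadata}contactType"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI_URI = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

# Constructed sample: an IdP that asserts Sirtfi and publishes a security
# contact, and an SP that does neither (the slide-4 failure case).
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:remd="http://refeds.org/metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@example.org</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="other"
        remd:contactType="http://refeds.org/metadata/contactType/security">
      <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:webmaster@example.net</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def asserts_sirtfi(entity):
    """True if the entity's assurance-certification attribute lists the Sirtfi URI."""
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ASSURANCE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if (value.text or "").strip() == SIRTFI_URI:
                return True
    return False


def security_contacts(entity):
    """Email addresses of REFEDS security contacts, with any mailto: prefix removed."""
    addresses = []
    for contact in entity.findall("md:ContactPerson", NS):
        if contact.get(REMD_CONTACT_TYPE) != SECURITY_CONTACT:
            continue
        for email in contact.findall("md:EmailAddress", NS):
            text = (email.text or "").strip()
            if text.lower().startswith("mailto:"):
                text = text[len("mailto:"):]
            if text:
                addresses.append(text)
    return addresses


def audit(metadata_xml):
    """Map each entityID to its Sirtfi flag and its security contact list.
    iter() includes the root, so a single EntityDescriptor works as well as
    an aggregate."""
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        report[entity.get("entityID")] = {
            "sirtfi": asserts_sirtfi(entity),
            "security_contacts": security_contacts(entity),
        }
    return report


def unreachable_entities(report):
    """Entities with no security contact: nobody to notify during an incident."""
    return sorted(eid for eid, info in report.items() if not info["security_contacts"])


if __name__ == "__main__":
    for entity_id, info in audit(SAMPLE_METADATA).items():
        flag = "Sirtfi" if info["sirtfi"] else "no Sirtfi"
        contacts = ", ".join(info["security_contacts"]) or "NO SECURITY CONTACT"
        print(f"{entity_id}: {flag}; security contact: {contacts}")
```

Run it against a signed aggregate you have already verified (the script does not check the XML signature, so it must not be pointed at untrusted metadata). An entity that asserts Sirtfi but publishes no security contact is a registration defect worth raising with its federation operator, since Sirtfi expects both.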
Slide 8: Response: Prepare, Act, and Report
Before the incident:
- support and implement Sirtfi – see
- infrastructure (proxies) should adopt interoperable policies
- identity federations should adopt common incident response procedures – through the new eduGAIN support function
- leverage templated s to ensure proper information sharing – AARC-I051
- establish communications channels in advance
During an incident:
- follow the latest procedures – from your infrastructure, federation, eduGAIN, or (NREN) CERT
- initial procedures available at
Slide 9: Exercising the processes with mock incidents
(diagram: IdP1 in Federation1 and SP1, SP2, SP3 in Federation2, Federation3, Federation4, connected via eduGAIN)
Scenario: Identity1 from IdP1 accesses the 3 SPs; an informant notices malicious activity at SP1 and informs them.
Exercise date    | Report URL
March 2018       | Incident Simulation #1 Report
November 2018    | Incident Simulation #2 Report
Slide 10: AARC-I051 – the current best practice (and evolution)
Slide 11: How to be effective during an incident?
AARC-I051 –
Slide 12: Summary and what to do today (OK: and also tomorrow …)
Prepare:
- support and implement Sirtfi
- adopt interoperable policies
- adopt common incident response procedures – AARC-I051
- leverage templated s for proper information sharing
- establish communications channels in advance
… and be plugged-in: share, with the support of your infrastructure CERT/CSIRT teams
- Access to security contacts
- Access to threat intelligence
- Access to vulnerability reports
- Access to expertise for advanced incident investigation, e.g. forensics
- Fostering of trust between members
Trusted Introducer, eduGAIN security, nren-CERT, EGI-CSIRT, REN-ISAC, FIRST
Slide 13: Planned progress on “SCC Coordination”
- More exercises, coordinated via WISE
- Improve available tooling
- Promote sharing of trust resulting from exercises
Contact: davidg@nikhef.nl
Slide 14: Shameless plug: WISE & SIGISM Kaunas meeting
WISE SCCC WG