
Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base



Presentation Transcript


  1. Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base. Joshua Drummond, Security Architect; Neil Matatall, Security Programmer/Analyst; Marina Arseniev, Associate Director of Enterprise Architecture. University of California, Irvine

  2. About us… • Located in Southern California • Year Founded: 1965 • Enrollment: over 24K students • 1,400 Faculty (Academic Senate) • 8,300 Staff • 6,000 degrees awarded annually • Carnegie Classification: Doctoral/Research – Extensive • Extramural Funding: 311M in 2005-2006 • Undergoing significant enrollment growth

  3. Security Status Across Higher Ed? (source: http://www.privacyrights.org) • 800,000 in November 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants. • 5,800 in August 2007: A computer with the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft. • 4,375 in September 2007: Former students at risk for identity fraud after an instructor's laptop computer was stolen. • 3,100 in September 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.

  4. Security is Multi-layer

  5. We do a lot… SDLC and Change Management • Security requirements and design reviews from the get-go. • Code reviews • Developers reuse security components • Automated nightly code and application security scanning • Scheduled network & configuration vulnerability scanning • Consolidated storage of sensitive data; database model reviews of personal identity data • Concurrency and stress testing to detect thread-safety (race-condition) flaws

  6. Still had problems • Urgent call from our director: • Have you patched server X? • Is Server Y behind a firewall? • Did Server Y have any Credit Card information stored? • Is the database encrypted? • When was the last time a security review of Application X was done? • Peter The Anteater is on vacation! • Peter is now at Google! • Different answers from different people. • Little confidence that information is current.

  7. Not enough… • Many security layers meant many documents owned by many people • Scattered checklists, spreadsheets, and diagrams not accessible • Host IP change = document update nightmare. • New server? Update how many firewalls? • Missing information, such as whom to contact • Proprietary knowledge departed with staff turnover Spreadsheet Hell!

  8. What we learned … • Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate. • Explored different approaches and tools – both vendor and open source. • Merged with the Enterprise Architecture approach to use Stanford’s Protégé Knowledgebase. • Open source ontology and knowledge-based tool, to intelligently capture and maintain comprehensive enterprise security information in a single repository.

  9. Objectives • Quickly respond to threats. • Organize, consolidate, and centralize security procedures and facts about layers of security. • Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc • Track security checklists • Track code, database, and security reviews, results and follow-up • Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.

  10. Agenda • Background on Ontologies and Protégé • Realized value - demonstration of our knowledgebase and reports • How to implement this in your organization • Summary • Useful URLs and Q&A

  11. Background: Ontology • What is an Ontology? • “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.” • Supports inheritable properties (is-a) • Attributes of an object can be complex objects themselves (rich). Nestable… [Figure: book ontology example – Writing, with subclasses Short Story and Historical Novel; Historical Novel further split into Classic, Medieval, Modern]

  12. Stanford University’s Protégé • Allows easy modeling and creation of an ontology • Auto-generates forms for collecting and capturing information based on the ontology and class definitions. • “Reverse slots” (inverse relationships) allow rich linking ability and automatic updates of changing relationships: editing one side of a relationship updates the other side, so a fact is stored once. • Remember the removal of the server and the associated updates of firewall rules?

  13. Stanford University’s Protégé • Generates an HTML view of knowledge and ontology. • Can be exported in XML format • Generate reports in other formats and for specific audiences, without storing redundant data. • Multi-user capable • Highly scalable • Simulations have handled over 5 million objects • Open source at http://protege.stanford.edu/ • Java API to program against • Under active development (last release Aug 24, 2007)
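The reverse-slot idea from slide 12 and the kind of cross-class query slide 20 shows are easier to see in code than on a screenshot. The sketch below is an added example, not code from the UCI talk or from Protégé: the classes Host, Firewall, FirewallRule and Database, their slot names, and all the instances are assumptions that mirror the ontology described on these slides. Protégé maintains the inverse side of a relationship for you; here the constructors and remove_host() do it explicitly so the effect on the firewall and PII reports is visible.

```python
"""Reverse slots and derived reports, as an in-memory sketch.

Added example, not code from the UCI talk or from Protege: the classes Host,
Firewall, FirewallRule and Database and their slot names are assumptions that
mirror the ontology described on the slides, and every instance below is
constructed.  Protege maintains the inverse side of a relationship (a "reverse
slot") for you; here the constructors and remove_host() do it explicitly so
the effect on the firewall and PII reports is visible.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(eq=False)            # identity semantics: instances are nodes, not values
class Host:
    name: str
    ip: str                      # stored once; every report derives it from here
    rules: list = field(default_factory=list)      # reverse of FirewallRule.host
    databases: list = field(default_factory=list)  # reverse of Database.host


@dataclass(eq=False)
class Firewall:
    name: str
    rules: list = field(default_factory=list)      # reverse of FirewallRule.firewall


@dataclass(eq=False)
class FirewallRule:
    firewall: Firewall
    host: Host
    port: int

    def __post_init__(self):
        # Filling the forward slots fills both reverse slots: one fact, two views.
        self.firewall.rules.append(self)
        self.host.rules.append(self)


@dataclass(eq=False)
class Database:
    name: str
    host: Host
    pii_fields: dict             # field name -> True if stored encrypted

    def __post_init__(self):
        self.host.databases.append(self)


class KnowledgeBase:
    def __init__(self):
        self.hosts = {}
        self.firewalls = {}

    def add_host(self, name, ip):
        self.hosts[name] = Host(name, ip)
        return self.hosts[name]

    def add_firewall(self, name):
        self.firewalls[name] = Firewall(name)
        return self.firewalls[name]

    def remove_host(self, name):
        """Decommission a server: the reverse slot tells us which firewalls
        reference it, so their rules go too and no spreadsheet goes stale."""
        host = self.hosts.pop(name)
        for rule in list(host.rules):
            rule.firewall.rules.remove(rule)
        host.rules.clear()

    # Reports (slide 24): the same facts, grouped two ways, nothing stored twice.
    def rules_by_firewall(self):
        return {fw.name: sorted((r.host.name, r.host.ip, r.port) for r in fw.rules)
                for fw in self.firewalls.values()}

    def rules_by_host(self):
        return {h.name: sorted((r.firewall.name, r.port) for r in h.rules)
                for h in self.hosts.values()}

    # Queries (slide 20): cross-class questions the director actually asks.
    def unencrypted_pii(self):
        """(host, database, field) for PII fields not stored encrypted."""
        return sorted((h.name, db.name, fld)
                      for h in self.hosts.values()
                      for db in h.databases
                      for fld, encrypted in db.pii_fields.items() if not encrypted)

    def unprotected_pii_hosts(self):
        """Hosts that hold a PII database but appear in no firewall rule."""
        return sorted(h.name for h in self.hosts.values() if h.databases and not h.rules)


def build_sample_kb():
    """Constructed sample data: two firewalls, three hosts, two PII databases."""
    kb = KnowledgeBase()
    border, dept = kb.add_firewall("campus-border"), kb.add_firewall("department")
    web, db, legacy = (kb.add_host("web01", "10.0.1.10"),
                       kb.add_host("db01", "10.0.1.20"),
                       kb.add_host("legacy02", "10.0.1.30"))
    FirewallRule(border, web, 443)
    FirewallRule(dept, web, 443)
    FirewallRule(dept, db, 1433)
    Database("studentrec", db, {"ssn": True, "dob": False})
    Database("aid_apps", legacy, {"ssn": False})
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    print(kb.rules_by_firewall())
    print(kb.unprotected_pii_hosts())
    kb.hosts["db01"].ip = "10.0.2.20"          # one edit, every report follows
    kb.remove_host("web01")                    # server gone, rules gone everywhere
    print(kb.rules_by_firewall())
```

The two things the slides complain about on the spreadsheet side both fall out of the structure: an IP change is one edit on the Host, and decommissioning a host removes it from every firewall's rule list through the reverse slot, rather than through a hunt across five spreadsheets.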

  14. Protégé GUI

  15. HIPAA?

  16. Protégé – Application Instances

  17. Protégé – Authentication Instances

  18. Protégé – Authorization Instances

  19. Protégé – Backup Procedures

  20. Protégé – Query Capability

  21. Agenda • Background on Ontologies and Protégé • Realized value - demonstration of our knowledgebase and reports • How to implement it in your organization • Summary • Useful URLs and Q&A

  22. Using Protégé to Capture Reviews

  23. Using Protégé to Capture Reviews

  24. Realized Value: Auto-generated Reports from Protégé • Network Inventory Report • By Host Name • By IP Address • Firewall Rules Report • By Firewall • By Host Name • By IP Address • Personal Identity Database Report • By Server • By Database • Personal Identity Datafile Report • By Server • Application Report • Includes developed and vendor applications

  25. Before and After - Firewalls [Figure: the roles that previously each kept their own firewall spreadsheet – Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin]

  26. Reports: Personal Identity Database by Server

  27. Agenda • Background on Ontologies and Protégé • Realized value - demonstration of our knowledgebase and reports • How to implement it in your organization • Summary • Useful URLs and Q&A

  28. How to Implement in your Organization… • Step 1: Inventory existing spreadsheets and documents • Step 2: Identify information you want to track centrally. • Step 3: Design your ontology (or copy ours) • Step 4: Assign roles – who updates, who views • Step 5: Capture information • Step 6: Add any customizations to Protégé • Step 7: Create secured reports for various audiences

  29. Our Ontology

  30. Updates • 3 ways to update your knowledge base: • Desktop Client / Local Project – only one person can update at a time; must have access to the project file • Web Server – multi-user, access anywhere; interface has its weaknesses • Client / Server – best of both worlds; must have the desktop client installed

  31. Updates – Client / Server • Use built-in client-server mode for multi-user updates • Grant access to individual users • Support for role-based permissions • Updates are propagated in near-real-time • BE CAREFUL! • Everything is stored in plain text: the project files (and their backups) hold firewall rules, host inventory and the locations of personal identity data, so restrict who can reach them as tightly as the data they describe.

  32. Customizations • Modified the existing HTML Export plug-in to change the structure of the output HTML: • Encrypt sensitive values • List instances before slots on class pages • Make string attributes that are URLs actual hyperlinks • Add line breaks between multiple slot values

  33. Using Protégé to Capture Reviews

  34. Automation • Although editing of the knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports • Wrote two Java classes that use the Protégé API to emulate actions usually done through the GUI: • edu.uci.adcom.protege.ProjectXmlExport • edu.uci.adcom.protege.ProjectHtmlExport

  35. Using XSLT for Reports • Replicate exactly and replace former spreadsheets with the same functionality • Created canned reports for specific views on knowledge • XSLT is used to transform XML export of entire knowledge base to report specific “simple” XML • Then again from the “simple” XML to multiple HTML views for each report • XSL and CSS are flexible and can be modified to customize presentation of data

  36. Report Generation Process Outline

  37. Reports: Personal Identity Datafile by Server

  38. Putting it all together • Ant script is used to tie everything together • Can be easily scheduled to generate reports
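The pipeline on slides 34 to 38 has a fixed shape: export the whole knowledge base to XML, reduce it to a report-specific “simple” XML, then render that into one HTML view per audience. The block below is an added example, not the UCI Java classes, XSLT or Ant script: it reproduces that two-stage shape in Python's standard library (Python code stands in for the two XSLT passes, which the standard library cannot run). The export format it parses is a constructed, simplified instance/slot layout, an assumption rather than Protégé's real XML schema, and the hosts, databases and fields are made up.

```python
"""Two-stage report pipeline: full export -> "simple" report XML -> HTML views.

Added example, not the UCI scripts or the Protege export plug-in.  The talk
does this with Java export classes plus two XSLT passes tied together by Ant;
this version keeps the same shape using only the standard library.  The export
layout below is a constructed stand-in (an assumption, not Protege's real XML
schema), and the sample hosts, databases and fields are made up.
"""
import html
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML export of the whole knowledge base.
FULL_EXPORT = """<knowledge_base>
  <instance class="Host" name="db01"><slot name="ip">10.0.1.20</slot></instance>
  <instance class="Host" name="legacy02"><slot name="ip">10.0.1.30</slot></instance>
  <instance class="Database" name="studentrec">
    <slot name="host">db01</slot>
    <slot name="encrypted">true</slot>
    <slot name="pii_fields">ssn</slot>
    <slot name="pii_fields">dob</slot>
  </instance>
  <instance class="Database" name="aid_apps">
    <slot name="host">legacy02</slot>
    <slot name="encrypted">false</slot>
    <slot name="pii_fields">ssn</slot>
  </instance>
  <instance class="Application" name="portal"><slot name="host">db01</slot></instance>
</knowledge_base>"""


def slots(inst, name):
    """All values of a (possibly multi-valued) slot on an instance element."""
    return [s.text or "" for s in inst.findall("slot") if s.get("name") == name]


def to_simple_xml(full_export):
    """Stage 1: keep only what the 'Personal Identity Database' report needs,
    grouped by server.  Applications and other classes are dropped here."""
    root = ET.fromstring(full_export)
    hosts = {h.get("name"): slots(h, "ip")[0]
             for h in root.findall("instance") if h.get("class") == "Host"}
    report = ET.Element("report", name="pii-databases")
    servers = {}
    for db in root.findall("instance"):
        if db.get("class") != "Database":
            continue
        host = slots(db, "host")[0]
        srv = servers.get(host)
        if srv is None:                      # one <server> per host, created lazily
            srv = ET.SubElement(report, "server", name=host, ip=hosts[host])
            servers[host] = srv
        dbel = ET.SubElement(srv, "database", name=db.get("name"),
                             encrypted=slots(db, "encrypted")[0])
        for fld in slots(db, "pii_fields"):
            ET.SubElement(dbel, "field").text = fld
    return ET.tostring(report, encoding="unicode")


def _table(rows, header):
    """Stage 2 helper: an HTML table; cell values are escaped so slot text
    coming out of the knowledge base cannot inject markup into the report."""
    out = ["<table>", "<tr>" + "".join(f"<th>{h}</th>" for h in header) + "</tr>"]
    out += ["<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in r) + "</tr>"
            for r in rows]
    out.append("</table>")
    return "\n".join(out)


def render_by_server(simple_xml):
    """Stage 2: the 'by server' view -- one row per database on each server."""
    rows = []
    for srv in ET.fromstring(simple_xml).findall("server"):
        for db in srv.findall("database"):
            rows.append((srv.get("name"), srv.get("ip"), db.get("name"),
                         db.get("encrypted"),
                         ", ".join(f.text for f in db.findall("field"))))
    return _table(rows, ("Server", "IP", "Database", "Encrypted", "PII fields"))


def render_by_database(simple_xml):
    """Stage 2: the 'by database' view, sorted by name, from the same simple
    XML -- a second audience-specific view with no second data source."""
    rows = []
    for srv in ET.fromstring(simple_xml).findall("server"):
        for db in srv.findall("database"):
            rows.append((db.get("name"), srv.get("name"), db.get("encrypted")))
    return _table(sorted(rows), ("Database", "Server", "Encrypted"))


if __name__ == "__main__":
    simple = to_simple_xml(FULL_EXPORT)
    print(simple)
    print(render_by_server(simple))
    print(render_by_database(simple))
```

Keeping the intermediate “simple” XML is what makes the second stage cheap: each new view (by server, by database, an Excel-bound version) reads the same small document, and a change to the ontology only touches stage 1. In the talk's setup these two functions would be two `.xsl` files invoked from Ant.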

  39. Metrics – Firewall Management • Before: • Border, Police, Financial Services, Windows OS, and Server firewalls • Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total) • 30+ servers behind multiple firewalls; servers duplicated across spreadsheets • After: • Centralized inventory of knowledge about firewall rules • Zero spreadsheets • 3 custom reports – HTML and Excel • Centralized maintenance of a single repository across organizational units • No redundancy

  40. Metrics – Network and Data Inventory • Before: • Whiteboards and documents • Partial network inventory • Unpatched servers tracked on a whiteboard • 4 units keeping redundant or out-of-sync information in private locations • Limited access – personal computers • Sensitive data locations unclear • Servers with no virus protection or backups • After: • New information that didn’t exist before • Integrated database, network, and application information • Zero spreadsheets • 9 custom reports – HTML and Excel • Centralized maintenance of the repository across organizational units • Access to repository extended to 60 individuals based on privileges • Clearer view of potential holes in security for analysis and proactive planning • Sensitive data tracked: 40 data files, 50 database fields • Added 40 hosts to backup and anti-virus scanning procedures

  41. Future Plans • Continue to evolve the ontology to include more attributes and relationships • Continue capturing and updating new information • Automate capture of information with tools • Create a plugin for encrypting sensitive information • Create a slot-based authorization plugin • Generate checklists intelligently based on attributes • Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment. • Create notifications about potential trouble spots • Example: a personal identity database field that has not been encrypted.

  42. Q&A • AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440 • Stanford’s Protégé Knowledgebase and Ontology Tool (Java, Open Source)- http://protege.stanford.edu • XML/XSLT processing - http://xerces.apache.org • Ant - http://ant.apache.org
