Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
Transcript of Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
Joshua Drummond, Security Architect
Neil Matatall, Security Programmer/Analyst
Marina Arseniev, Associate Director of Enterprise Architecture
University of California, Irvine
About us…
• Located in Southern California
• Year Founded: 1965
• Enrollment: over 24K students
• 1,400 Faculty (Academic Senate)
• 8,300 Staff
• 6,000 degrees awarded annually
• Carnegie Classification: Doctoral/Research – Extensive
• Extramural Funding - 311M in 2005-2006
• Undergoing significant enrollment growth
Security Status Across Higher Ed? http://www.privacyrights.org
– 800,000 in November, 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants.
– 5,800 in August, 2007: Computer with the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.
– 4,375 in September, 2007: Former students at risk for identity fraud after an instructor's laptop computer was stolen.
– 3,100 in September, 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.
Security is Multi-layer
[Diagram: security layers and the controls at each layer]
– User: Identity Management, Authentication, Education
– Network/Web: Account Admin, Firewalls, Encryption, Logging/Auditing
– Application: Authorization, Logging/Audit, Test Tools
– Data: Authorization, Logging/Audit, Encryption, Inventory
– Operations: Backups (incl. off-site), Logging/Audit, Disaster Recovery
– Across all layers: Policies, Standards, Procedures, Technical Reference Architecture; Approved Tools and Lifecycle; Exceptions by Approval; Regularly reviewed
We do a lot…
SDLC and Change Management
• Security requirements and design reviews from get-go.
• Code reviews
• Developers reuse security components
• Automated nightly code and application security scanning
• Scheduled network & configuration vulnerability scanning
• Consolidated storage of sensitive data, database model reviews of personal identity data
• Concurrency and stress testing to detect thread-safety problems
Still had problems
• Urgent call from our director:
– Have you patched server X?
– Is Server Y behind a firewall?
– Did Server Y have any Credit Card information stored?
– Is the database encrypted?
– When was the last time a security review of Application X was done?
• Peter The Anteater is on vacation!
• Peter is now at Google!
• Different answers from different people.
• Little confidence that information is current.
Not enough…
– Many security layers meant many documents owned by many people
– Scattered checklists, spreadsheets, and diagrams not accessible
– Host IP change = document update nightmare.
– New server? Update how many firewalls?
– Missing information, such as whom to contact
– Proprietary knowledge departed with staff turnover
Spreadsheet Hell!
What we learned …
• Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate.
• Explored different approaches and tools – both vendor and open source.
• Merged with the Enterprise Architecture approach to use Stanford’s Protégé Knowledgebase.
– Open source ontology and knowledge-based tool, to intelligently capture and maintain comprehensive enterprise security information in a single repository.
Objectives
• Quickly respond to threats.
• Organize, consolidate, and centralize security procedures and facts about layers of security.
– Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc
– Track security checklists
– Track code, database, and security reviews, results and follow-up
– Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.
Agenda
• Background on Ontologies and Protégé
• Realized value - demonstration of our knowledgebase and reports
• How to implement this in your organization
• Summary
• Useful URLs and Q&A
Background
• What is an Ontology?
– “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce. “
– Supports inheritable properties (is-a)
– Attributes of an object can be complex objects themselves (rich). Nestable…
[Diagram: Book Ontology, an is-a hierarchy with Writing at the root, subclasses Short Story and Novel, and further subclasses Historical, Classic, Medieval and Modern]
Stanford University’s Protégé
• Allows easy modeling and creation of ontology
• Auto generates forms for collecting and capturing information based on ontology and class definitions.
• “Reverse slots” allow rich linking ability and automatic updates of changing relationships.
– Remember the removal of the server and associated updates of firewall rules?
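The reverse-slot behaviour described above, as an added example that is not code from the talk or from Protégé: a tiny in-memory knowledge base in which a FirewallRule's `hosts` slot and a Host's `firewall_rules` slot are maintained as inverses, so an IP change is made in one place and retiring a server drops it from every rule that named it. The class, slot and sample names are constructed for illustration.

```python
"""Toy knowledge base with reverse slots (inverse relationships).

Added example, not code from the UCI talk or from Protégé itself. Class,
slot and sample names are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(eq=False)  # identity-based equality: a host equals only itself
class Host:
    name: str
    ip: str
    firewall_rules: list = field(default_factory=list)  # reverse slot of FirewallRule.hosts


@dataclass(eq=False)
class FirewallRule:
    firewall: str
    port: int
    hosts: list = field(default_factory=list)  # forward slot; Host.firewall_rules mirrors it


class KnowledgeBase:
    def __init__(self):
        self.hosts = {}   # name -> Host
        self.rules = []

    def add_host(self, name, ip):
        host = Host(name, ip)
        self.hosts[name] = host
        return host

    def add_rule(self, firewall, port, hosts):
        rule = FirewallRule(firewall, port)
        self.rules.append(rule)
        for host in hosts:
            self.link(rule, host)
        return rule

    def link(self, rule, host):
        """Set the slot on one side and its reverse on the other, never just one."""
        if host not in rule.hosts:
            rule.hosts.append(host)
        if rule not in host.firewall_rules:
            host.firewall_rules.append(rule)

    def unlink(self, rule, host):
        rule.hosts.remove(host)
        host.firewall_rules.remove(rule)

    def change_ip(self, name, new_ip):
        """One update; every report derived from the links sees the new address."""
        self.hosts[name].ip = new_ip

    def retire_host(self, name):
        """Removing the server also removes it from each firewall rule that named it."""
        host = self.hosts.pop(name)
        for rule in list(host.firewall_rules):
            self.unlink(rule, host)
        return host

    def orphan_rules(self):
        """Rules that no longer name any host: candidates for removal from the firewall."""
        return [r for r in self.rules if not r.hosts]

    def rules_by_host(self):
        return {h.name: sorted((r.firewall, r.port) for r in h.firewall_rules)
                for h in self.hosts.values()}

    def rules_by_firewall(self):
        out = {}
        for r in self.rules:
            out.setdefault(r.firewall, []).append(
                (r.port, sorted((h.name, h.ip) for h in r.hosts)))
        return out


def build_sample_kb():
    """Constructed sample data: two hosts behind two firewalls."""
    kb = KnowledgeBase()
    web = kb.add_host("web01", "10.0.1.10")
    db = kb.add_host("db01", "10.0.2.20")
    kb.add_rule("border-fw", 443, [web])
    kb.add_rule("dept-fw", 1433, [web, db])
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    kb.retire_host("web01")
    print(kb.rules_by_firewall())
    print("orphan rules:", [(r.firewall, r.port) for r in kb.orphan_rules()])
```

The `orphan_rules` check is the part a firewall administrator cares about: once a host is retired, any rule left with an empty host list is a hole that should be closed rather than a stale spreadsheet row nobody notices.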
Stanford University’s Protégé
• Generates an HTML view of knowledge and ontology.
• Can be exported in XML format
– Generate reports in other formats and for specific audiences, without storing redundant data.
• Multi-user capable
• Highly Scalable – Simulations have handled over 5 million objects
• Open source at http://protege.stanford.edu/
– Java API to program against
– Under active development (last release Aug 24, 2007)
Protégé GUI
HIPAA?
Protégé – Application Instances
Protégé – Authentication Instances
Protégé – Authorization Instances
Protégé – Backup Procedures
Protégé – Query Capability
Using Protégé to Capture Reviews
Realized Value: Auto-generated Reports from Protégé
• Network Inventory Report
– By Host Name
– By IP Address
• Firewall Rules Report
– By Firewall
– By Host Name
– By IP Address
• Personal Identity Database Report
– By Server
– By Database
• Personal Identity Datafile Report
– By Server
• Application Report
– Includes developed and vendor applications
Before and After - Firewalls
[Diagram: roles involved in firewall management before and after consolidation: Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin]
Reports: Personal Identity Database by Server
How to Implement in your Organization…
• Step 1: Inventory existing spreadsheets and documents
• Step 2: Identify information you want to track centrally.
• Step 3: Design your ontology (or copy ours)
• Step 4: Assign roles – who updates, who views
• Step 5: Capture information
• Step 6: Add any customizations to Protégé
• Step 7: Create secured reports for various audiences
Our Ontology
Updates
• 3 ways to update your knowledge base
• Desktop Client / Local Project
– Only one person can update at a time
– Must have access to project file
• Web Server
– Multi-User, access anywhere
– Interface has its weaknesses
• Client / Server
– Best of both worlds
– Must have desktop client installed
Updates – Client / Server
• Use built-in client-server mode for multi-user updates
• Grant access to individual users
– Support for role-based permissions
• Updates are propagated in near-real-time
• BE CAREFUL! – Everything is stored in plain text
Customizations
• Modified the existing HTML Export plug-in to change the structure of the output HTML
– Encrypt Sensitive Values
– List Instances before Slots on Class pages
– Made string attributes that are URLs actual hyperlinks
– Add line breaks between multiple Slot values
Using Protégé to Capture Reviews
Automation
• Although editing of knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports
• Wrote two Java classes that use the Protégé API to emulate actions usually done through GUI
– edu.uci.adcom.protege.ProjectXmlExport
– edu.uci.adcom.protege.ProjectHtmlExport
Using XSLT for Reports
• Replicate exactly and replace former spreadsheets with the same functionality
• Created canned reports for specific views on knowledge
• XSLT is used to transform XML export of entire knowledge base to report specific “simple” XML
• Then again from the “simple” XML to multiple HTML views for each report
• XSL and CSS are flexible and can be modified to customize presentation of data
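The two-stage transformation described above (full export to report-specific "simple" XML, then "simple" XML to one HTML view per report), as an added example that is not the UCI Java classes or XSLT stylesheets. The talk did both stages with XSLT; here they are written in Python with the standard library so the example runs stand-alone. `SAMPLE_EXPORT` is a constructed, simplified stand-in for a Protégé XML export, not the real Protégé schema, and the class and slot names are assumptions.

```python
"""Two-stage report generation: knowledge-base export -> report-specific
"simple" XML -> one HTML view per grouping (by firewall, host name, IP).

Added example, not the UCI code. SAMPLE_EXPORT is a constructed stand-in
for a Protégé export; class and slot names are assumptions.
"""
import html
import xml.etree.ElementTree as ET

SAMPLE_EXPORT = """\
<knowledge_base>
  <instance class="Host" id="h1">
    <slot name="hostname">web01</slot><slot name="ip">10.0.1.10</slot>
  </instance>
  <instance class="Host" id="h2">
    <slot name="hostname">db01</slot><slot name="ip">10.0.2.20</slot>
  </instance>
  <instance class="FirewallRule" id="r1">
    <slot name="firewall">border-fw</slot><slot name="port">443</slot>
    <slot name="host">h1</slot>
  </instance>
  <instance class="FirewallRule" id="r2">
    <slot name="firewall">dept-fw</slot><slot name="port">1433</slot>
    <slot name="host">h1</slot><slot name="host">h2</slot>
  </instance>
</knowledge_base>
"""


def load_instances(export_xml):
    """Index every instance by id as (class name, {slot name: [values]})."""
    instances = {}
    for inst in ET.fromstring(export_xml).findall("instance"):
        slots = {}
        for slot in inst.findall("slot"):
            slots.setdefault(slot.get("name"), []).append(slot.text or "")
        instances[inst.get("id")] = (inst.get("class"), slots)
    return instances


def to_simple_xml(export_xml):
    """Stage 1: flatten FirewallRule instances into one <rule> element per
    (rule, host) pair, resolving host references to hostname and IP."""
    instances = load_instances(export_xml)
    report = ET.Element("firewall_rules")
    for cls, slots in instances.values():
        if cls != "FirewallRule":
            continue
        for host_id in slots.get("host", []):
            _, host_slots = instances[host_id]
            ET.SubElement(report, "rule", firewall=slots["firewall"][0],
                          port=slots["port"][0],
                          hostname=host_slots["hostname"][0],
                          ip=host_slots["ip"][0])
    return ET.tostring(report, encoding="unicode")


def render_html(simple_xml, group_by):
    """Stage 2: group the flat rules by one attribute and emit an HTML view.
    Every value is escaped so a slot value cannot inject markup into the report."""
    groups = {}
    for rule in ET.fromstring(simple_xml).findall("rule"):
        groups.setdefault(rule.get(group_by), []).append(rule.attrib)
    lines = [f"<h1>Firewall rules by {html.escape(group_by)}</h1>"]
    for key in sorted(groups):
        lines.append(f"<h2>{html.escape(key)}</h2>")
        lines.append("<ul>")
        ordered = sorted(groups[key], key=lambda a: (a["firewall"], int(a["port"]), a["hostname"]))
        for a in ordered:
            lines.append("<li>%s port %s -> %s (%s)</li>" % tuple(
                html.escape(a[k]) for k in ("firewall", "port", "hostname", "ip")))
        lines.append("</ul>")
    return "\n".join(lines)


def report_views(export_xml):
    """The three views listed for the Firewall Rules Report: by firewall, host name, IP."""
    simple = to_simple_xml(export_xml)
    return {g: render_html(simple, g) for g in ("firewall", "hostname", "ip")}


if __name__ == "__main__":
    for name, page in report_views(SAMPLE_EXPORT).items():
        print(f"--- by {name} ---\n{page}\n")
```

Keeping stage 1 separate from stage 2 is what lets one export feed several audiences: the "simple" XML carries only the facts a report needs, so the HTML (or Excel) views for different readers are generated without copying data back into spreadsheets.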
Report Generation Process Outline
• Protégé
• Java - edu.uci.adcom.ProjectXMLExport
• XSLT – Massage to Domain Specific Data
• XSLT – Generate Individual Reports
• (For Web Reports) CSS – To Customize the Display
Reports: Personal Identity Datafile by Server
Putting it all together
• Ant script is used to tie everything together
• Can be easily scheduled to generate reports
Metrics – Firewall Management
Before
• Border, Police, Financial Services, Windows OS, and Server Firewall
• Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total)
• 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.
After
• Centralized inventory of knowledge about firewall rules
• Zero spreadsheets
• 3 custom reports – HTML and Excel
• Centralize maintenance of single repository across organizational units
• No redundancy
Metrics – Network and Data Inventory
Before
• White Boards and Documents
– Partial Network Inventory
– Unpatched servers on whiteboard
• 4 units keeping redundant or out of sync information in private locations
• Limited access - personal computers
• Sensitive data locations unclear
• Servers with no virus protection or backups
After
• New information - that didn't exist
– Integrated database, network, and application information
• Zero spreadsheets
• 9 custom reports – HTML and Excel
• Centralize maintenance of repository across organizational units
• Access to repository extended to 60 individuals based on privileges
• Clearer view of potential holes in security for analysis and proactive planning
• Sensitive data tracked
– 40 data files
– 50 database fields
• Added 40 hosts to backup and anti-virus scanning procedure
Future Plans
• Continue to evolve the ontology to include more attributes and relationships
• Continue capturing and updating new information
– Automate capture of information with tools
• Create a plugin for encrypting sensitive information
• Create a slot-based authorization plugin
• Generate checklists intelligently based on attributes
– Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
• Create notifications about potential trouble spots
– A personal identity database field that has not been encrypted.
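The two future plans above (attribute-driven checklists and notifications about trouble spots), as an added example that is not code from the talk or from Protégé. Checklist items are selected by matching an application's attributes against rule conditions, and the notification pass flags a personal-identity field without encryption and hosts missing from the backup or anti-virus procedure. The instance shapes, field names and rule text are constructed for illustration.

```python
"""Attribute-driven checklists and trouble-spot notifications over
knowledge-base instances.

Added example, not code from the UCI talk or from Protégé. Instance
shapes, field names and rule text are constructed for illustration.
"""

# Each rule: (attribute conditions that must all match, checklist items to add).
# An empty condition dict applies to every application.
CHECKLIST_RULES = [
    ({}, ["Security requirements and design review on record",
          "Code review completed for the current release"]),
    ({"web_server": "IIS"},
     ["IIS: unused handlers and ISAPI filters removed",
      "IIS: request logging enabled and forwarded to central audit"]),
    ({"database": "MS SQL Server"},
     ["SQL Server: application uses a least-privilege login, not sa",
      "SQL Server: personal-identity columns encrypted"]),
    ({"web_server": "Apache"},
     ["Apache: directory listing disabled",
      "Apache: access and error logs forwarded to central audit"]),
]


def checklist_for(application):
    """Return the checklist items whose conditions all match the application's attributes."""
    items = []
    for conditions, rule_items in CHECKLIST_RULES:
        if all(application.get(attr) == value for attr, value in conditions.items()):
            items.extend(rule_items)
    return items


def trouble_spots(db_fields, hosts):
    """Flag instances that violate a basic control expectation recorded in the knowledge base."""
    alerts = []
    for f in db_fields:
        if f["personal_identity"] and not f["encrypted"]:
            alerts.append(f"{f['database']}.{f['table']}.{f['column']}: "
                          "personal-identity field not encrypted")
    for h in hosts:
        if not h["backed_up"]:
            alerts.append(f"{h['hostname']}: not in backup procedure")
        if not h["antivirus"]:
            alerts.append(f"{h['hostname']}: no anti-virus scanning")
    return alerts


# Constructed sample instances (not real UCI systems)
SAMPLE_APPS = [
    {"name": "Student Billing", "web_server": "IIS", "database": "MS SQL Server"},
    {"name": "Course Catalog", "web_server": "Apache", "database": "MySQL"},
]
SAMPLE_DB_FIELDS = [
    {"database": "billing", "table": "students", "column": "ssn",
     "personal_identity": True, "encrypted": False},
    {"database": "billing", "table": "students", "column": "email",
     "personal_identity": True, "encrypted": True},
    {"database": "catalog", "table": "courses", "column": "title",
     "personal_identity": False, "encrypted": False},
]
SAMPLE_HOSTS = [
    {"hostname": "web01", "backed_up": True, "antivirus": True},
    {"hostname": "db01", "backed_up": False, "antivirus": True},
]


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app["name"])
        for item in checklist_for(app):
            print("  [ ]", item)
    print("Notifications:")
    for alert in trouble_spots(SAMPLE_DB_FIELDS, SAMPLE_HOSTS):
        print("  !", alert)
```

Because both functions read the same instances the reports are generated from, a checklist or notification is only as good as the inventory behind it; the "Added 40 hosts to backup and anti-virus scanning procedure" metric earlier is exactly the kind of gap the `trouble_spots` pass would surface.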
Q&A
• AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
• Stanford's Protégé Knowledgebase and Ontology Tool (Java, Open Source) - http://protege.stanford.edu
• XML/XSLT processing - http://xerces.apache.org
• Ant - http://ant.apache.org