Title: Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
1 Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
- Joshua Drummond, Security Architect
- Neil Matatall, Security Programmer/Analyst
- Marina Arseniev, Associate Director of Enterprise Architecture
- University of California, Irvine
2 About us
- Located in Southern California
- Year founded: 1965
- Enrollment over 24K students
- 1,400 Faculty (Academic Senate)
- 8,300 Staff
- 6,000 degrees awarded annually
- Carnegie Classification: Doctoral/Research Extensive
- Extramural funding: 311M in 2005-2006
- Undergoing significant enrollment growth
3 Security Status Across Higher Ed?
http://www.privacyrights.org
- 800,000 in November 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants.
- 5,800 in August 2007: Computer with the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.
- 4,375 in September 2007: Former students at risk for identity fraud after an instructor's laptop computer was stolen.
- 3,100 in September 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.
4 Security is Multi-layer
5 We do a lot: SDLC and Change Management
- Security requirements and design reviews from the get-go
- Code reviews
- Developers reuse security components
- Automated nightly code and application security scanning
- Scheduled network configuration vulnerability scanning
- Consolidated storage of sensitive data; database model reviews of personal identity data
- Concurrency and stress testing to detect thread-safety issues
6 Still had problems
- Urgent call from our director
  - Have you patched server X?
  - Is Server Y behind a firewall?
  - Did Server Y have any credit card information stored?
  - Is the database encrypted?
  - When was the last time a security review of Application X was done?
- Peter the Anteater is on vacation!
- Peter is now at Google!
- Different answers from different people.
- Little confidence that information is current.
7 Not enough
- Many security layers meant many documents owned by many people
- Scattered checklists, spreadsheets, and diagrams not accessible
- Host IP change: document update nightmare.
- New server? Update how many firewalls?
- Missing information, such as whom to contact
- Proprietary knowledge departed with staff turnover
- Spreadsheet Hell!
8 What we learned
- Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate.
- Explored different approaches and tools, both vendor and open source.
- Merged with the Enterprise Architecture approach to use Stanford's Protégé knowledge base.
- Open source ontology and knowledge-based tool, to intelligently capture and maintain comprehensive enterprise security information in a single repository.
9 Objectives
- Quickly respond to threats.
- Organize, consolidate, and centralize security procedures and facts about layers of security.
  - Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc.
- Track security checklists
- Track code, database, and security reviews, results and follow-up
- Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.
10 Agenda
- Background on Ontologies and Protégé
- Realized value: demonstration of our knowledge base and reports
- How to implement this in your organization
- Summary
- Useful URLs and Q&A
11 Background
- What is an Ontology?
  - An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.
- Supports inheritable properties (is-a)
- Attributes of an object can be complex objects themselves (rich). Nestable.
(Figure: Book Ontology example with the classes Writing, Short Story, Historical Novel, Classic, Medieval and Modern)
12 Stanford University's Protégé
- Allows easy modeling and creation of an ontology
- Auto-generates forms for collecting and capturing information based on ontology and class definitions.
- Reverse slots allow rich linking ability and automatic updates of changing relationships.
  - Remember the removal of the server and associated updates of firewall rules?
13 Stanford University's Protégé
- Generates an HTML view of knowledge and ontology.
- Can be exported in XML format
  - Generate reports in other formats and for specific audiences, without storing redundant data.
- Multi-user capable
- Highly scalable
  - Simulations have handled over 5 million objects
- Open source at http://protege.stanford.edu/
- Java API to program against
- Under active development (last release Aug 24, 2007)
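What a reverse slot buys you in the server-removal scenario from the previous slide, as an added Python example; this is not code from the presentation or from Protégé (which implements reverse slots natively). The KnowledgeBase class, the slot names protected_hosts / firewall_rules, and the hosts, rules and addresses are all constructed for the illustration:

```python
"""Toy knowledge base with reverse (inverse) slots.

Added example, not code from the UCI presentation or from Protégé itself;
it mimics what a Protégé reverse slot does. Linking a firewall rule to a
host also records the host's link back to the rule, and deleting the host
withdraws it from every rule that referenced it, so the "by host" and
"by IP" firewall reports are derived from one set of facts instead of
several spreadsheets. All hosts, rules and addresses are constructed samples.
"""
from collections import defaultdict


class KnowledgeBase:
    def __init__(self):
        self.instances = {}             # instance name -> own slot values
        self.reverse = {}               # slot name -> name of its inverse slot
        self.links = defaultdict(set)   # (instance, slot) -> linked instance names

    def declare_reverse_slots(self, slot_a, slot_b):
        """Declare slot_a and slot_b as inverses of each other."""
        self.reverse[slot_a] = slot_b
        self.reverse[slot_b] = slot_a

    def add_instance(self, name, **own_slots):
        self.instances[name] = dict(own_slots)

    def link(self, src, slot, dst):
        """Set src.slot -> dst and, if slot has an inverse, dst.inverse -> src."""
        if src not in self.instances or dst not in self.instances:
            raise KeyError(f"unknown instance in link {src}.{slot} -> {dst}")
        self.links[(src, slot)].add(dst)
        if slot in self.reverse:
            self.links[(dst, self.reverse[slot])].add(src)

    def get(self, name, slot):
        return sorted(self.links.get((name, slot), ()))

    def delete_instance(self, name):
        """Delete an instance and every link to or from it; the inverse links
        are what keep the firewall rules consistent without manual edits."""
        del self.instances[name]
        for key in list(self.links):
            if key[0] == name:
                del self.links[key]
            else:
                self.links[key].discard(name)

    def of_class(self, cls):
        return {n: s for n, s in self.instances.items() if s.get("cls") == cls}


def firewall_report_by_host(kb):
    """Firewall rules that protect each host, keyed by host name."""
    return {h: kb.get(h, "firewall_rules") for h in kb.of_class("Host")}


def firewall_report_by_ip(kb):
    """Same facts keyed by IP address: no second copy of the data is stored."""
    return {s["ip"]: kb.get(h, "firewall_rules") for h, s in kb.of_class("Host").items()}


def build_sample_kb():
    """Constructed sample data standing in for a captured knowledge base."""
    kb = KnowledgeBase()
    kb.declare_reverse_slots("protected_hosts", "firewall_rules")
    kb.add_instance("web01", cls="Host", ip="10.0.0.11")
    kb.add_instance("db01", cls="Host", ip="10.0.0.21")
    kb.add_instance("border-allow-https", cls="FirewallRule", port=443)
    kb.add_instance("dept-allow-sql", cls="FirewallRule", port=1433)
    kb.link("border-allow-https", "protected_hosts", "web01")
    kb.link("dept-allow-sql", "protected_hosts", "web01")
    kb.link("dept-allow-sql", "protected_hosts", "db01")
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    print("before:", firewall_report_by_host(kb))
    kb.delete_instance("web01")          # decommission the web server
    print("after: ", firewall_report_by_host(kb))
    print("dept-allow-sql now protects:", kb.get("dept-allow-sql", "protected_hosts"))
```

Removing web01 is a single operation on the knowledge base; every rule that referenced it is corrected through the inverse link, and both report views reflect the change because they are computed from the same facts rather than maintained separately.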
14 Protégé GUI
15 Protégé Knowledge Capture
16 (No Transcript)
17 HIPAA?
18 Protégé Application Instances
19 Protégé Authentication Instances
20 Protégé Authorization Instances
21 Protégé Patching Procedures
22 Protégé Backup Procedures
23 Protégé Query Capability
24 Agenda
- Background on Ontologies and Protégé
- Realized value: demonstration of our knowledge base and reports
- How to implement it in your organization
- Summary
- Useful URLs and Q&A
25 Using Protégé to Capture Reviews
26 Using Protégé to Capture Reviews
27 (No Transcript)
28 Realized Value: Auto-generated Reports from Protégé
- Network Inventory Report
  - By Host Name
  - By IP Address
- Firewall Rules Report
  - By Firewall
  - By Host Name
  - By IP Address
- Personal Identity Database Report
  - By Server
  - By Database
- Personal Identity Datafile Report
  - By Server
- Application Report
  - Includes developed and vendor applications
29 Before and After: Firewalls
(Figure: roles holding firewall information - Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin)
30 (No Transcript)
31 Report: Firewall by Host
32 Reports: Personal Identity Database by Server
33 Reports: Personal Identity Datafile by Server
34 Agenda
- Background on Ontologies and Protégé
- Realized value: demonstration of our knowledge base and reports
- How to implement it in your organization
- Summary
- Useful URLs and Q&A
35 How to Implement in your Organization
- Step 1: Inventory existing spreadsheets and documents
- Step 2: Identify information you want to track centrally.
- Step 3: Design your ontology (or copy ours)
- Step 4: Assign roles: who updates, who views
- Step 5: Capture information
- Step 6: Add any customizations to Protégé
- Step 7: Create secured reports for various audiences
36 Our Ontology
37 Updates
- 3 ways to update your knowledge base
  - Desktop Client / Local Project
    - Only one person can update at a time
    - Must have access to project file
  - Web Server
    - Multi-user, access anywhere
    - Interface has its weaknesses
  - Client / Server
    - Best of both worlds
    - Must have desktop client installed
38 Updates: Client / Server
- Use built-in client-server mode for multi-user updates
- Grant access to individual users
- Support for role-based permissions
- Updates are propagated in near-real-time
- BE CAREFUL!
  - Everything is stored in plain text
39 Customizations
- Modified the existing HTML Export plug-in to change the structure of the output HTML
  - Encrypt sensitive values
  - List instances before slots on class pages
  - Made string attributes that are URLs actual hyperlinks
  - Add line breaks between multiple slot values
40 Using Protégé to Capture Reviews
41 Automation
- Although editing of the knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports
- Wrote two Java classes that use the Protégé API to emulate actions usually done through the GUI
  - edu.uci.adcom.protege.ProjectXmlExport
  - edu.uci.adcom.protege.ProjectHtmlExport
42 Using XSLT for Reports
- Replicate exactly and replace former spreadsheets with the same functionality
- Created canned reports for specific views on knowledge
- XSLT is used to transform the XML export of the entire knowledge base to report-specific simple XML
- Then again from the simple XML to multiple HTML views for each report
- XSL and CSS are flexible and can be modified to customize presentation of data
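The two-stage pipeline above (whole knowledge-base export, then report-specific simple XML, then per-audience HTML), together with the "encrypt sensitive values" customization and the "secured reports for various audiences" step, as an added Python example. It is not the UCI team's XSLT or Java code: it uses the standard library's xml.etree in place of XSLT, the SAMPLE_EXPORT document is constructed and does not reproduce the real Protégé export schema, and the masking of sensitive slot values is a stand-in for encryption, not encryption itself.

```python
"""Two-stage report generation from a knowledge-base XML export.

Added example, not the UCI team's XSLT or Java code. It follows the same
pipeline (export of the whole knowledge base -> report-specific simple XML
-> HTML views) but uses Python's xml.etree instead of XSLT so it runs on
the standard library alone. SAMPLE_EXPORT is a constructed export and does
not reproduce the real Protégé export schema. Values in slots listed in
SENSITIVE_SLOTS are masked for audiences without the 'sensitive'
privilege; this masking stands in for the deck's "encrypt sensitive
values" customization and is not encryption.
"""
import html
import xml.etree.ElementTree as ET

SAMPLE_EXPORT = """\
<knowledge_base>
  <instance class="Server" name="db01"><slot name="ip">10.0.0.21</slot></instance>
  <instance class="PIDatabaseField" name="students.ssn">
    <slot name="server">db01</slot>
    <slot name="database">students</slot>
    <slot name="field">ssn</slot>
    <slot name="encrypted">true</slot>
    <slot name="contact">dba@example.edu</slot>
  </instance>
  <instance class="PIDatabaseField" name="payroll.ssn">
    <slot name="server">db01</slot>
    <slot name="database">payroll</slot>
    <slot name="field">ssn</slot>
    <slot name="encrypted">false</slot>
    <slot name="contact">payroll-it@example.edu</slot>
  </instance>
</knowledge_base>
"""

SENSITIVE_SLOTS = {"contact"}   # constructed: slots only privileged audiences may see


def instances_of(root, cls):
    """Yield (name, {slot: value}) for every instance of the given class."""
    for inst in root.iter("instance"):
        if inst.get("class") == cls:
            yield inst.get("name"), {s.get("name"): (s.text or "") for s in inst.findall("slot")}


def to_report_xml(export_xml):
    """Stage 1: reduce the full export to a 'PI database by server' tree."""
    root = ET.fromstring(export_xml)
    report = ET.Element("pi_database_report")
    servers = {}
    for _name, slots in instances_of(root, "PIDatabaseField"):
        srv = slots["server"]
        if srv not in servers:
            servers[srv] = ET.SubElement(report, "server", name=srv)
        ET.SubElement(servers[srv], "field",
                      database=slots["database"], field=slots["field"],
                      encrypted=slots["encrypted"], contact=slots["contact"])
    return report


def to_html(report, audience_privileges):
    """Stage 2: render the simple XML as an HTML table for one audience.
    Sensitive attributes are masked unless the audience holds 'sensitive';
    every cell is HTML-escaped so a slot value cannot inject markup."""
    show_sensitive = "sensitive" in audience_privileges
    sensitive = sorted(SENSITIVE_SLOTS)
    header = ["Server", "Field", "Encrypted"] + [s.capitalize() for s in sensitive]
    rows = ["<tr>" + "".join(f"<th>{html.escape(h)}</th>" for h in header) + "</tr>"]
    for server in report.findall("server"):
        for f in server.findall("field"):
            cells = [server.get("name"), f"{f.get('database')}.{f.get('field')}", f.get("encrypted")]
            cells += [f.get(slot) if show_sensitive else "***" for slot in sensitive]
            rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    report = to_report_xml(SAMPLE_EXPORT)
    print(ET.tostring(report, encoding="unicode"))
    print(to_html(report, {"view"}))                 # general audience: contacts masked
    print(to_html(report, {"view", "sensitive"}))    # privileged audience
```

Keeping stage 1 free of presentation concerns is what lets one intermediate tree feed several audience-specific views; the privilege check lives in stage 2 only, so adding a view never requires touching the export.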
43 Report Generation Process Outline
44 Reports: Personal Identity Datafile by Server
45 Putting it all together
- Ant script is used to tie everything together
- Can be easily scheduled to generate reports
46 Metrics: Firewall Management
- After
  - Centralized inventory of knowledge about firewall rules
  - Zero spreadsheets
  - 3 custom reports: HTML and Excel
  - Centralize maintenance of single repository across organizational units
  - No redundancy
- Before
  - Border, Police, Financial Services, Windows OS, and Server Firewall
  - Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total)
  - 30 servers behind multiple firewalls. Servers duplicated across spreadsheets.
47 Metrics: Network and Data Inventory
- Before
  - White boards and documents
  - Partial network inventory
  - Unpatched servers on whiteboard
  - 4 units keeping redundant or out-of-sync information in private locations
  - Limited access: personal computers
  - Sensitive data locations unclear
  - Servers with no virus protection or not backed up
- After
  - New information that didn't exist before
  - Integrated database, network, and application information
  - Zero spreadsheets
  - 9 custom reports: HTML and Excel
  - Centralize maintenance of repository across organizational units
  - Access to repository extended to 60 individuals based on privileges
  - Clearer view of potential holes in security for analysis and proactive planning
  - Sensitive data tracked
    - 40 data files
    - 50 database fields
  - Added 40 hosts to backup and anti-virus scanning procedure
48 Future Plans
- Continue to evolve the ontology to include more attributes and relationships
- Continue capturing and updating new information
- Automate capture of information with tools
- Create a plugin for encrypting sensitive information
- Create a slot-based authorization plugin
- Generate checklists intelligently based on attributes
  - Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
- Create notifications about potential trouble spots
  - A personal identity database field that has not been encrypted.
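How the attribute-driven checklist and the trouble-spot notification could be computed over knowledge-base instances, as an added Python example; the deck lists both as future plans, and this is not the UCI team's code. Instances are plain dicts standing in for knowledge-base instances, and the checklist items, the applications and the database fields are constructed samples. Beyond the two items above, it also flags an overdue security review, which is the director's question from slide 6.

```python
"""Attribute-driven checklists and trouble-spot notifications.

Added example of two of the future plans above; it is not the UCI team's
code. Instances are plain dicts standing in for knowledge-base instances,
and the checklist items, applications and database fields are constructed
samples. The stale-review check answers the director's question from
slide 6 ("when was the last security review of application X?").
"""
from datetime import date, timedelta

# Constructed checklist fragments keyed by (attribute, value) pairs of an
# application instance; only fragments whose pair matches are emitted.
CHECKLIST_BY_ATTRIBUTE = {
    ("web_server", "IIS"): [
        "IIS: confirm current security updates are applied",
        "IIS: confirm request filtering and URL length limits are configured",
    ],
    ("web_server", "Apache"): [
        "Apache: review enabled modules and the ServerTokens setting",
    ],
    ("database", "MS SQL Server"): [
        "MS SQL Server: confirm personal-identity columns are encrypted",
        "MS SQL Server: confirm auditing is enabled for PI tables",
    ],
    ("database", "Oracle"): [
        "Oracle: confirm the listener is restricted to application hosts",
    ],
}
BASELINE_CHECKLIST = [
    "Confirm owner and contact information is current",
    "Confirm the host is behind a firewall and its rules are in the knowledge base",
]


def build_checklist(application):
    """Assemble a review checklist from the application's attribute values."""
    items = list(BASELINE_CHECKLIST)
    for attr, value in sorted(application.items()):
        items.extend(CHECKLIST_BY_ATTRIBUTE.get((attr, value), []))
    return items


def trouble_spots(pi_fields, applications, today, max_review_age=timedelta(days=365)):
    """Return notification strings for conditions a reviewer should act on:
    an unencrypted personal-identity field, or a missing/overdue security review."""
    alerts = []
    for f in pi_fields:
        if not f["encrypted"]:
            alerts.append(f"{f['server']}/{f['database']}.{f['field']}: "
                          f"personal identity field not encrypted (contact {f['contact']})")
    for app in applications:
        last = app.get("last_security_review")
        if last is None or today - last > max_review_age:
            alerts.append(f"{app['name']}: security review missing or older than "
                          f"{max_review_age.days} days (contact {app['contact']})")
    return alerts


# Constructed sample instances and a fixed reference date for repeatable output.
SAMPLE_TODAY = date(2007, 10, 1)
SAMPLE_PI_FIELDS = [
    {"server": "db01", "database": "students", "field": "ssn",
     "encrypted": True, "contact": "dba@example.edu"},
    {"server": "db01", "database": "payroll", "field": "ssn",
     "encrypted": False, "contact": "payroll-it@example.edu"},
]
SAMPLE_APPLICATIONS = [
    {"name": "PayrollPortal", "web_server": "IIS", "database": "MS SQL Server",
     "last_security_review": date(2007, 3, 1), "contact": "payroll-it@example.edu"},
    {"name": "LibraryCatalog", "web_server": "Apache", "database": "Oracle",
     "last_security_review": date(2006, 1, 15), "contact": "lib-it@example.edu"},
]

if __name__ == "__main__":
    for app in SAMPLE_APPLICATIONS:
        print(app["name"])
        for item in build_checklist(app):
            print("  [ ]", item)
    for alert in trouble_spots(SAMPLE_PI_FIELDS, SAMPLE_APPLICATIONS, today=SAMPLE_TODAY):
        print("ALERT:", alert)
```

Because every alert carries the contact slot from the same instance, the notification already answers "whom to contact", which slide 7 lists among the information that used to be missing.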
49 Q&A
- AdCom's application security checklist: http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
- Stanford's Protégé Knowledgebase and Ontology Tool (Java, Open Source): http://protege.stanford.edu
- XML/XSLT processing: http://xerces.apache.org
- Ant: http://ant.apache.org