Post on 16-Sep-2018

218 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Security: The Network Perspective The Network... · Security: The Network Perspective Jeff Collyer Christy Joseph Joe Agler ... Syslog-NG Store Box (SSB) • Log aggregation appliance

Security: The Network Perspective

Jeff Collyer, Christy Joseph, Joe Agler

This presentation will break down some of the tools used by our Information Security Engineers to keep you safe on the UVa networks.

Page 2

Who now?

• Jeffrey Collyer – ITS since 1999: email, networks, hostmaster. Joined InfoSec in 2015, right before Phoenix.

• Christy Joseph – CS from 1996-2004, ITS since 2004: LDAP, user database, Infrastructure Applications. Joined InfoSec in 2016.

• Joe Agler – In IT since 2004, five years of IT security experience. UVA ITS since 2016: EI-VAMS, Carbon Black, CyberArk. Joined InfoSec in 2017.

Page 3

Layers of Security

• “Defense in depth” is an information security concept in which multiple layers of security controls are placed throughout information technology systems.

• The intent is to provide redundancy should one security control fail or a vulnerability be exploited.

• Secure the network using different tools than the endpoint/desktop.


Page 4

Onions have layers*

[Figure: the layers of security drawn as an onion, with a "You are here" marker]

* Shrek

Page 5

Academic Protected Network (APN)

• What – A new wired network rolling out across Grounds

• Why – To give wired machines basic protection from Internet threats

[Figure: "Internet Circa 1986" vs. "Internet Today"]

Page 6

Internet today

• Average survival time for an unpatched computer connected to the open internet is currently under 5 minutes
  – That's less time than it takes to download all the patches you need from your OS vendor

• Anecdotal evidence – 800+ scans hit a machine I put up on the open internet while I was at lunch (~1 hour)

Page 7

APN Protections

• APN is firewall protected from Internet traffic
  – Computers on the internet cannot scan or attack an APN host directly
  – No communication can start from the outside and come in

• APN hosts can still communicate out
  – To get updates, browse the web, etc.

• APN hosts can still communicate to all UVA resources
  – Still print to printers

• Your cable router already does this for your home network

• APN has Intrusion Prevention System (IPS) protection

Page 8

Gory Details

Network                      Device Type                      IP Network
Academic Open Network        Publicly Available Server        128.143.x.x/16
Academic Protected Network   Printer (no Internet access)     172.16.x.x/16
                             Internal (Grounds) Server        172.29.x.x/16
                             Printer (with Internet access)   172.29.x.x/16
                             Standard Laptop or Desktop       172.28.x.x/16
More Secure Network          Managed Laptop or Desktop        137.54.128.x/17

For updates and changes to UVA’s IP Address Space go to https://its.virginia.edu/network/ipspace.html.

Page 9

APN to Remember

• Only wired connections using DHCP

• Much like the MSN

• It does use a new IP range
  – If you limit access to resources by IP you will need to change your filters

• On-Grounds networks, including the various VPNs, can connect to resources on the APN; nothing new required
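The APN rules on slides 7 to 9 amount to a stateful edge filter: an APN host may open connections outward, a reply to a flow it opened may come back, an on-Grounds source may reach it, and nothing else may start a connection from outside. The following is an added example, not part of the slides or of UVA's firewall configuration; it models those rules in a small connection-tracking table and classifies addresses using the ranges from the slide-8 table. The packets, the outside address (203.0.113.9, a documentation range) and the decision strings are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Ranges as listed in the slide-8 table.
NETWORKS = {
    "Academic Open Network: publicly available server":   ipaddress.ip_network("128.143.0.0/16"),
    "APN: printer (no Internet access)":                  ipaddress.ip_network("172.16.0.0/16"),
    "APN: internal server / printer (Internet access)":   ipaddress.ip_network("172.29.0.0/16"),
    "APN: standard laptop or desktop":                    ipaddress.ip_network("172.28.0.0/16"),
    "More Secure Network: managed laptop or desktop":     ipaddress.ip_network("137.54.128.0/17"),
}

def classify(ip: str) -> str:
    """Name the UVA network an address belongs to, or report it as outside UVA space."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "outside UVA ranges"

def in_apn(ip: str) -> bool:
    return classify(ip).startswith("APN")

def on_grounds(ip: str) -> bool:
    return classify(ip) != "outside UVA ranges"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    new_connection: bool = False   # True for the first packet of a connection (a TCP SYN)

class ApnFirewall:
    """Toy stateful filter for the slide-7 rules (constructed, not the real appliance)."""

    def __init__(self):
        # Flows an APN host opened itself: (apn_ip, apn_port, remote_ip, remote_port)
        self.established = set()

    def decide(self, p: Packet) -> str:
        if in_apn(p.src) and not in_apn(p.dst):
            # APN hosts may always talk out; remember the flow so the reply can return.
            self.established.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW outbound"
        if in_apn(p.dst):
            if on_grounds(p.src):
                return "ALLOW on-Grounds source"      # slide 9: Grounds networks reach the APN
            if not p.new_connection and (p.dst, p.dport, p.src, p.sport) in self.established:
                return "ALLOW reply to established flow"
            return "DROP unsolicited inbound"         # nothing may start from the outside
        return "ALLOW not APN traffic"

def demo() -> list:
    """Constructed packets: an outside probe, a browse-out and its reply, an on-Grounds print job."""
    fw = ApnFirewall()
    outside, laptop, server = "203.0.113.9", "172.28.10.5", "128.143.22.1"
    return [
        fw.decide(Packet(outside, laptop, 40000, 445, new_connection=True)),  # probe from the Internet
        fw.decide(Packet(laptop, outside, 51000, 443, new_connection=True)),  # laptop browses out
        fw.decide(Packet(outside, laptop, 443, 51000)),                       # web server answers
        fw.decide(Packet(server, laptop, 52000, 9100, new_connection=True)),  # on-Grounds host
    ]

if __name__ == "__main__":
    for ip in ("172.28.10.5", "137.54.130.7", "203.0.113.9"):
        print(ip, "->", classify(ip))
    print(demo())
```

The point the slide makes about your home cable router is visible in `decide`: the reply from the web server is admitted only because the laptop's own outbound packet put that exact 4-tuple in the table; the same server sending a fresh SYN to the same ports is still dropped.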

Page 10

Intrusion Prevention System

• What – Monitors network traffic
  – Matches signatures in network traffic, like AV
  – Also matches patterns and thresholds (network scans)
  – Has a list of known bad IP addresses

• Why – Block the bad stuff
  – Botnets
  – Ransomware

Page 11

IPS is your friend

• But wait, didn't you just say that the APN won't let attackers in?
  – What if a machine is already compromised?
    • A laptop that moves around
    • Existing host moved to APN from open network

• IPS only logs activity on a Signature/Rule hit
  – Preserves your privacy

• Receives daily, sometimes hourly, updates, so it's always scanning for the newest threats

• Only blocking very specific known bad items
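Slides 10 and 11 describe three detection methods (content signatures, thresholds such as scan detection, and a known-bad IP list) and one logging rule (write nothing unless a rule hits). The following added example, not code from the slides or from the IPS vendor, shows all four over constructed flow records. The signature pattern, the reputation entry 198.51.100.77 and the 20-ports-in-10-seconds threshold are all made up for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float            # seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""

# Constructed detection content, not real vendor rules: a beacon string a defender
# might have extracted from a malware sample's HTTP traffic.
SIGNATURES = {
    "constructed: example bot beacon": re.compile(rb"User-Agent: EXAMPLE-BOT/1\.0"),
}
# Constructed reputation list (documentation address), standing in for the known-bad IP feed.
KNOWN_BAD_IPS = {"198.51.100.77"}

class Ips:
    def __init__(self, scan_ports: int = 20, window: float = 10.0):
        self.scan_ports = scan_ports              # this many distinct destination ports ...
        self.window = window                      # ... from one source within this many seconds
        self._ports_by_src = defaultdict(list)    # src -> [(ts, dport)]
        self.log = []                             # appended only on a hit (slide 11: no hit, no log)

    def _scan_threshold_hit(self, f: Flow) -> bool:
        recent = [(t, p) for t, p in self._ports_by_src[f.src] if f.ts - t <= self.window]
        recent.append((f.ts, f.dport))
        if len({p for _, p in recent}) >= self.scan_ports:
            self._ports_by_src[f.src] = []        # reset so one scan raises one alert
            return True
        self._ports_by_src[f.src] = recent
        return False

    def inspect(self, f: Flow):
        reasons = []
        if f.src in KNOWN_BAD_IPS or f.dst in KNOWN_BAD_IPS:
            reasons.append("known-bad IP")
        for name, rx in SIGNATURES.items():
            if rx.search(f.payload):
                reasons.append(name)
        if self._scan_threshold_hit(f):
            reasons.append(f"scan: >= {self.scan_ports} ports in {self.window:g}s")
        if reasons:
            self.log.append({"ts": f.ts, "src": f.src, "dst": f.dst, "dport": f.dport, "reasons": reasons})
            return "BLOCK", reasons
        return "PASS", reasons

def demo() -> dict:
    """Run constructed traffic through the IPS and summarise verdicts and log volume."""
    ips = Ips()
    verdicts = []
    # An outside host touching 25 ports on one APN host within 2.5 seconds
    for i in range(25):
        verdicts.append(ips.inspect(Flow(100.0 + i * 0.1, "203.0.113.5", "172.28.10.5", 1 + i))[0])
    # Ordinary browsing: passes and leaves nothing in the log
    verdicts.append(ips.inspect(Flow(200.0, "172.28.10.5", "198.51.100.10", 443,
                                     b"GET / HTTP/1.1\r\nHost: example.net\r\n"))[0])
    # An already-compromised laptop beaconing from inside the APN
    verdicts.append(ips.inspect(Flow(201.0, "172.28.10.5", "198.51.100.10", 80,
                                     b"GET /gate HTTP/1.1\r\nUser-Agent: EXAMPLE-BOT/1.0\r\n"))[0])
    # Contact with a listed address
    verdicts.append(ips.inspect(Flow(202.0, "172.28.10.5", "198.51.100.77", 443))[0])
    return {"blocked": verdicts.count("BLOCK"), "passed": verdicts.count("PASS"), "log_entries": len(ips.log)}

if __name__ == "__main__":
    print(demo())
```

Note that the scanning host generates 25 flows but exactly one log entry: the threshold fires once on the twentieth port and the counter resets, which is how an IPS keeps a scan from becoming an alert storm while still recording nothing about the 24 flows that matched no rule.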

Page 12

IPS Rollout

• Initially in front of the APN networks

• Over time will be rolled out to other networks
  – 10/2/2017 – APN
  – 10/23/2017 – Guest Networks
  – 11/27/2017 – MSN
  – 1/8/2018 – Dorm Networks
  – 1/24/2018 – Wireless

• There is a whitelisting process if something is blocked in error

• More at https://www.secureuva.virginia.edu/ips/

Page 13

IPS Notification


Page 14

Network Anti-Malware

• Malware is a persistent problem at UVa

• Allows remote control by external parties and/or uses infected devices to propagate additional malware attacks

• Presents a serious security risk for UVa data

• FireEye Network Security appliance provides a layer of protection by acting as an Intrusion Detection System (IDS)


Page 15

FireEye Network Security

• Continuously analyzes network traffic looking for botnet transmissions & executables.

• Explodes executables in VM sandbox.

• Alerts are generated from identified malware callbacks from within our network.

• A Security Incident is generated in ServiceNow, which sends out a notification to the Security Analyst team.


Page 16

Security Information and Event Management (SIEM)

• System for collecting and analyzing data relevant to IT security & operations

• Intakes machine data from
  – Servers
  – Network equipment
  – Specialized security equipment
  – Application and service logs (both on-premises and cloud-based)

• Provides an integrated point of view into the data

• Makes it easier to spot trends and see patterns that are out of the ordinary

Page 17

SIEM at UVA

• SecureUVA Project launched in Fall 2016

• Includes Log Aggregation and Log Correlation

• Log Aggregation: Syslog-NG Store Box

• Log Correlation: Splunk

• Project will wrap up by end of December


Page 18

Syslog-NG Store Box (SSB)

• Log aggregation appliance using Syslog protocol

• Ingests logs for over 150 log source hosts currently

• Data is parsed, indexed, and stored locally (with options for compression and encryption)

• Supports filtering and tagging data, custom retention policies, and custom report generation

• Licensing is based on # of log source hosts


Page 19

Syslog-NG Store Box (SSB) cont.

• Filters and routes event data to downstream applications (log correlation, etc)

• Provides web access for log searching

• Will be coming soon as a contract service

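Slides 18 and 19 say the Store Box parses syslog, tags and filters events, and routes them to downstream applications such as the log correlator. As an added illustration of what that pipeline does, and not the SSB's own configuration, the following parses RFC 3164 (BSD syslog) lines into facility, severity, host, tag and message, applies constructed labelling rules, and picks destinations. The sample lines, host name apnhost01, label names and routing policy are all constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}

# RFC 3164 line shape: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

@dataclass
class Event:
    ts: str
    host: str
    facility: str
    severity: str
    tag: str
    pid: Optional[str]
    msg: str
    labels: set = field(default_factory=set)

def parse(line: str) -> Event:
    """Split a BSD syslog line; PRI encodes facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                                  # 24 facilities x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return Event(m["ts"], m["host"], FACILITIES.get(facility, str(facility)),
                 SEVERITIES[severity], m["tag"], m["pid"], m["msg"])

def label(ev: Event) -> Event:
    """Constructed tagging rules of the kind an aggregator's filters would apply."""
    if ev.facility in ("auth", "authpriv"):
        ev.labels.add("auth")
    if SEVERITIES.index(ev.severity) <= SEVERITIES.index("err"):
        ev.labels.add("high-severity")
    if "Failed password" in ev.msg or "authentication failure" in ev.msg:
        ev.labels.add("auth-failure")
    return ev

def route(ev: Event) -> list:
    """Constructed policy: everything is retained locally; security-relevant events also go downstream."""
    destinations = ["archive"]
    if ev.labels & {"auth", "high-severity"}:
        destinations.append("correlator")
    return destinations

SAMPLE_LINES = [  # constructed, not captured from any UVA host
    "<38>Oct  5 12:00:01 apnhost01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "<86>Oct  5 12:00:02 apnhost01 sshd[2201]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.9",
    "<30>Oct  5 12:00:03 apnhost01 systemd[1]: Started Daily apt download activities.",
    "<3>Oct  5 12:00:04 apnhost01 kernel: nfs: server fileserver01 not responding, still trying",
]

def demo() -> dict:
    counts = {"archive": 0, "correlator": 0}
    for line in SAMPLE_LINES:
        for dest in route(label(parse(line))):
            counts[dest] += 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = label(parse(line))
        print(ev.facility, ev.severity, ev.tag, sorted(ev.labels), route(ev))
    print(demo())
```

Two of the four sample lines are informational (PRI 38 is auth.info, 86 is authpriv.info) yet still reach the correlator, because the facility rather than the severity marks them as security-relevant; the daemon.info line goes to the archive only. Filtering on facility and message content, not severity alone, is what keeps the downstream licence (GB per day on slide 20) spent on events worth correlating.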

Page 20

Splunk

• Log correlation system; Gartner Magic Quadrant Leader

• High performance indexing/searching of virtually any log data

• Sophisticated searching using Search Processing Language (SPL)

• Licensing is based on GB of data ingested / day

• Will be coming soon as a contract service


Page 21

Splunk Capabilities

• Saved searches and reports with a variety of scheduling options

• Alerts which fire based on results of saved searches

• Custom dashboards and forms

• Full-featured data visualizations (line, area, column, bar, pie, bubble, scatter charts; gauges; cluster and choropleth maps; tables with custom formatting, and more)

• Data normalization using field aliases, tags, and eventtypes

• External lookups (file based, KV store, external DB integrations, scripts)


Page 22

UVa Splunk Uses

• Abuse Investigations

• Alerting on Indicators of Compromise (IOCs)
  – Identify potential account/device compromises
  – Example: Email log searching to identify spammers -> leads back to compromised accounts

• Integration of, and automated alerting based on, Threat Intelligence feeds
  – Emerging Threats Pro is the feed we use today
  – Use it to look for logins by "bad" IPs on JointVPN
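The two Splunk uses on this slide are both correlations over logs: count per account what a spammer would do (many messages to many distinct outside recipients) and join VPN logins against a threat-intelligence list. The following is an added example in plain Python, not a Splunk search or UVA's real alert; it shows the logic with constructed log formats, constructed user names (userA, userB), a constructed feed in the one-address-per-line style, and small thresholds so the sample data trips them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log formats (not UVA's real sources): one line per delivered message,
# one line per VPN authentication attempt.
MAIL_RE = re.compile(r"^(?P<ts>\S+) mailrelay smtp: user=(?P<user>\S+) to=<(?P<to>[^>]+)>")
VPN_RE = re.compile(r"^(?P<ts>\S+) jointvpn auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")

def parse_threat_feed(text: str) -> set:
    """Read a plain address-per-line feed, ignoring comments and blank lines (constructed format)."""
    feed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            feed.add(ipaddress.ip_address(line))
    return feed

def potential_spammers(mail_lines, min_messages=5, min_recipients=5, internal_domain="virginia.edu"):
    """Accounts that sent at least min_messages to at least min_recipients distinct outside addresses."""
    messages = defaultdict(int)
    recipients = defaultdict(set)
    for line in mail_lines:
        m = MAIL_RE.match(line)
        if not m:
            continue
        to = m["to"].lower()
        if to.endswith("@" + internal_domain):
            continue                           # internal mail is not the spammer pattern
        messages[m["user"]] += 1
        recipients[m["user"]].add(to)
    return sorted(u for u in messages
                  if messages[u] >= min_messages and len(recipients[u]) >= min_recipients)

def logins_from_listed_ips(vpn_lines, feed):
    """Successful VPN logins whose source address is on the threat feed."""
    hits = []
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if m and m["result"] == "success" and ipaddress.ip_address(m["src"]) in feed:
            hits.append((m["ts"], m["user"], m["src"]))
    return hits

# ---- constructed sample data (documentation addresses, made-up users) ----
FEED = """# constructed reputation feed, one address per line
198.51.100.23
203.0.113.77   # constructed entry
"""
MAIL_LOG = (
    [f"2017-10-05T12:00:{i:02d} mailrelay smtp: user=userA to=<target{i}@example.com>" for i in range(8)]
    + ["2017-10-05T12:05:00 mailrelay smtp: user=userB to=<friend@example.net>"]
    + [f"2017-10-05T12:06:{i:02d} mailrelay smtp: user=userB to=<colleague@virginia.edu>" for i in range(10)]
)
VPN_LOG = [
    "2017-10-05T12:01:00 jointvpn auth: user=userA src=198.51.100.23 result=success",
    "2017-10-05T12:02:00 jointvpn auth: user=userB src=137.54.200.4 result=success",
    "2017-10-05T12:03:00 jointvpn auth: user=userA src=203.0.113.77 result=failure",
]

def demo() -> dict:
    feed = parse_threat_feed(FEED)
    return {"spammers": potential_spammers(MAIL_LOG),
            "bad_ip_logins": logins_from_listed_ips(VPN_LOG, feed)}

if __name__ == "__main__":
    print(demo())
```

userB sends eleven messages but only one to an outside address, so the recipient-count condition keeps a busy internal user from being flagged; userA both sends to eight distinct outside recipients and logged in from a listed address, which is the "spammer leads back to compromised account" chain the slide describes.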

Page 23

Alerts Example – Potential Spammers

Search driving the alert


Page 24

Domain Name Service (DNS) Firewall

• DNS Firewall was implemented at UVA mid-2017
  – DNS is equivalent to a phone book: a directory of names which translate to IP addresses
  – DNS Firewall builds on that; certain security categories are blocked
  – Proactively detect and automatically contain malware
  – Protects you while on UVA networks

Page 25

How DNS Firewall disrupts malware

*image from www.infoblox.com


Page 26

DNS Firewall – UVA Block page


Page 27

What we do

• Block from various Threat Intelligence feeds (including your notifications)

• Block categories
  – Antimalware
  – Ransomware
  – Phishing
  – Botnets
  – Command & Control
  – Indicators of Compromise

• Send hits to our Log Correlator (Logs!)
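Slides 24 to 27 describe a DNS firewall as a resolver that answers listed names with a block page, in the categories above, and forwards each hit to the log correlator. The following added example models that behaviour; it is not Infoblox code or UVA's policy. The listed names, their categories, the upstream answers (documentation addresses) and the block-page address 192.0.2.10 are constructed placeholders. A listing also covers every name below it, so a fresh hostname under a listed botnet domain is blocked without a new entry, while a listed domain appearing inside some other domain's name is not.

```python
BLOCK_PAGE_IP = "192.0.2.10"   # placeholder for the address that would serve the block page

# Constructed policy: listed names and their categories (the slide's categories), standing in
# for the threat-intelligence feeds and reported phishing URLs that feed the real firewall.
POLICY = {
    "c2.bad-example.net": "Command & Control",
    "bad-example.net": "Botnets",
    "login-verify.phish-example.com": "Phishing",
}

# Constructed stand-in for what the recursive resolver would normally answer.
UPSTREAM = {
    "www.example.org": "203.0.113.20",
    "updates.example.com": "203.0.113.21",
}

class DnsFirewall:
    def __init__(self, policy=POLICY, upstream=UPSTREAM, block_ip=BLOCK_PAGE_IP):
        self.policy = {self._normalize(name): cat for name, cat in policy.items()}
        self.upstream = upstream
        self.block_ip = block_ip
        self.hits = []   # every blocked lookup; this is what goes to the log correlator

    @staticmethod
    def _normalize(qname: str) -> str:
        return qname.lower().rstrip(".")

    def category(self, qname: str):
        """Category of the name itself or of any parent domain below the TLD, else None."""
        labels = self._normalize(qname).split(".")
        for i in range(len(labels) - 1):          # walk up: a.b.c, b.c (never the bare TLD)
            cat = self.policy.get(".".join(labels[i:]))
            if cat:
                return cat
        return None

    def resolve(self, qname: str, client_ip: str) -> str:
        cat = self.category(qname)
        if cat:
            # Answer with the block page so the user sees why, and record the hit.
            self.hits.append({"client": client_ip, "qname": qname, "category": cat})
            return self.block_ip
        return self.upstream.get(self._normalize(qname), "NXDOMAIN")

def demo() -> dict:
    fw = DnsFirewall()
    client = "172.28.10.5"   # constructed APN host
    answers = {q: fw.resolve(q, client) for q in (
        "www.example.org",
        "C2.bad-example.net.",           # exact listing; case and trailing dot are normalised
        "update.bad-example.net",        # caught by the parent-domain listing
        "bad-example.net.example.org",   # not caught: matching is by suffix, not substring
        "login-verify.phish-example.com",
    )}
    return {"answers": answers, "hits": fw.hits}

if __name__ == "__main__":
    result = demo()
    for q, a in result["answers"].items():
        print(f"{q:32} -> {a}")
    print(len(result["hits"]), "hits sent to the correlator")
```

The `hits` list is the part that makes the slide-27 "Logs!" point: the block page stops the lookup, but the record of which client asked for a Command & Control name is what lets the analysts find the infected machine.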

Page 28

How can you stay protected?

– Public WiFi use
  • Utilize UVA Virtual Private Network (VPN) for a secure connection/protection by DNS Firewall

– Phishing attempts
  • We block phishing URLs reported to [email protected] to protect others that may fall victim to Eve L. Phish
  • Don't click on links
  • Report phishing emails to [email protected]

Page 29

Vulnerability and Patch Management

• SecureUVA project – Coming Soon

• What is Vulnerability and Patch Management?

• Why Vulnerability and Patch Management?

• How does Vulnerability and Patch Management protect me?

Page 30

Scalable Vulnerability Scanner – Coming Soon

• Surveying available scanning products

• For use by all UVA departments and LSPs!

• Goals:
  – Identify vulnerable systems
  – Patch them quicker

• Added benefits:
  – Assist in inventorying systems
  – Assist in identifying software
  – Notification workflow for remediation

Page 31

Critical ITS systems – Qualys

• Small-scale Qualys implementation

• Identify and/or classify areas of network

• Establish patch cycle/procedures

• Focus on Critical and Urgent items
  – Weekly Operational Intelligence meeting

Page 32

Patch Management

• Currently have some patch management, like
  – System Center Configuration Manager (SCCM)
  – Puppet

• Moving forward
  – Looking to provide solutions for all of UVA
    • Operating system updates, applications, drivers, configurations

• Asset & software inventory
  – Determine risk profile

Page 33

Think about these:

• Patch operating systems and applications
  – Prioritize Critical/Urgent/Internet-facing

• No OS or application patch support?
  – Retire unsupported/unpatched systems immediately

• If you need ad-hoc vulnerability scans:
  – Service Request Catalog > Security > SecureUVA Products and Services > SecureUVA - Vulnerability Management

Page 34

Questions?
