
Strategies for Research Cybersecurity and Compliance from the … · 2019-02-28 · Sustainability...

Date post: 16-Jul-2020
Strategies for Research Cybersecurity and Compliance from the Lab Jim Basney (University of Illinois - Urbana-Champaign) Michael Corn (University of California - San Diego) Von Welch (Indiana University)
Transcript
Page 1: Strategies for Research Cybersecurity and Compliance from the … · 2019-02-28 · Sustainability Institute, ACI-REFs, Campus Champions. Applications due: March 13 ... • Guidance

Strategies for Research Cybersecurity and Compliance from the Lab

Jim Basney (University of Illinois - Urbana-Champaign)
Michael Corn (University of California - San Diego)
Von Welch (Indiana University)


The View from the CISO Chair

Michael Corn
[email protected]
Internet2 Global Summit, March 8th, 2019


Scale of the Challenge

(Just) DoD Funding

432 Grants:

$358M is for All of UCSD

$34M for HS

$118M for MC

$206 for SIO


Resources

● 3 FTE: Incident Response and Threat Detection
● 2 FTE: Risk and Compliance & Outreach
● 7 FTE: Engineering and Services
● Moi: Really just eye candy

=> 33 DoD grants / person (315 total awards / person)

Partners

● 3 full-time research facilitators
● San Diego SuperComputing InfoSec
● Health System InfoSec
● Export Control Office
● Research Compliance Office
● Grants and Contracts

● Distributed IT Staff?


Techniques that scale


Enterprise Security vs. Research Security

● Inventory your environment
● Write policies
● Impose Controls

● Understand the Science Workflow
● Understand the issues such as reproducibility, data sharing, federation
● Recognize and embrace research culture in Higher Ed
● Talk to Faculty


So what do I as a CISO need?

● A better understanding of what sponsored research projects are operationally
● Tools that are tuned for research projects and respect the operational distinction between ‘enterprise’ and ‘research’ security
● A more flexible toolkit
● A better understanding of the state of the art in research environments
● Facility with research networking best practices (e.g., Science DMZ)
● Risk assessment methodologies that don’t involve PII but are inclined to availability
● Staff that are trained to work with researchers
● Reusable templates
● The ability to see in the dark


A Joke


Additional Support

The Educause Cybersecurity Program (led by the Higher Education Information Security Council or HEISC)

● Security Professionals Conference https://events.educause.edu/security-professionals-conference/2019

● Information Security Guide https://bit.ly/2GMmlPq

● Working Groups, Community Groups

Trusted CI https://trustedci.org/

● https://trustedci.org/guide

NSF Cybersecurity Summit

https://trustedci.org/2019-nsf-cybersecurity-summit

● Research centered talks, Training


NSF Solicitations

CC* Campus Cyberinfrastructure

https://www.nsf.gov/pubs/2019/nsf19533/nsf19533.htm

CICI Cybersecurity Innovation for Cyberinfrastructure

https://www.nsf.gov/pubs/2019/nsf19514/nsf19514.htm


How Trusted CI Can Help

Jim Basney
[email protected]

Internet2 Global Summit, March 8, 2019


Trusted CI: The NSF Cybersecurity Center of Excellence

Our mission: to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

https://trustedci.org/


Trusted CI: Impacts

Trusted CI has impacted over 190 NSF projects since inception in 2012.
More than 150 members of NSF projects attended our NSF Cybersecurity Summit.
Seventy NSF projects attended our monthly webinars.
We have provided more than 250 hours of training to the community.
Thirty-five engagements, including nine NSF Large Facilities.

https://hdl.handle.net/2022/22148


Community-driven Guidance

Compliance Programs
https://trustedci.org/compliance-programs

Security Best Practices for Academic Cloud Service Providers
https://trustedci.org/cloud-service-provider-security-best-practices/

Operational Security
https://trustedci.org/guide

Identity Management Best Practices
https://trustedci.org/iam


Annual NSF Cybersecurity Summit

One day of training and workshops.
Agenda driven by call for participation.
Lessons learned and success from community.
Will be in San Diego in 2019.

https://trustedci.org/summit/


Trusted CI 5-year Vision and Strategic Plan

“A NSF cybersecurity ecosystem, formed of people, practical knowledge, processes, and cyberinfrastructure, that enables the NSF community to both manage cybersecurity risks and produce trustworthy science in support of NSF’s vision of a nation that is the global leader in research and innovation.”

https://hdl.handle.net/2022/22178


Community Benchmarking

Some select results:
• Respondents’ cybersecurity budgets vary widely.
• Respondents inconsistently establish cybersecurity officers.
• Residual risk acceptance is inconsistently practiced.

https://hdl.handle.net/2022/22171


Engagements: One-on-one Collaborations

We take applications every six months.

Currently accepting applications for second half of 2019:
https://trustedci.org/application/

Deadline: April 3rd


A Network of Cybersecurity Fellows

Fellows are liaisons between Trusted CI and communities.
Fellows receive training, travel support, and prioritized support.
Building on models from UK Software Sustainability Institute, ACI-REFs, Campus Champions.
Applications due: March 13
https://trustedci.org/fellows


Cybersecurity Transition to Practice (TTP)

Enabling researcher and practitioner collaboration to accelerate cybersecurity research to practice via
• matchmaking
• business model coaching
• workshops

https://trustedci.org/ttp

2019 Cybersecurity Transition to Practice (TTP) Workshop

Wednesday, June 19th, 9am - 5pm. Chicago, IL

● Cybersecurity Topical Panels with Researchers and Practitioners

● Poster Session

● Thematic Co-creation breakouts for Research Transition to Practice

Request an invitation: https://trustedci.org/2019-ttp-workshop


The Trusted CI Framework

Framework Core:
• Concise, clear minimum requirements for cybersecurity programs organized under the 4 Pillars: Mission Alignment, Governance, Resources, and Controls
• Based in general cybersecurity best practice and evidence of what works.
• Infrequent updates.

Framework Implementation Guide:
• Guidance vetted by and tailored to the open science community.
• Curated pointers to the very best resources and tools.
• Frequent (at least yearly) updates.

Coming soon!


Framework Pillars

Mission Alignment
• Information classification, asset inventory, external requirements

Governance
• Roles and responsibilities, policies, risk acceptance, program evaluation

Resources
• People, budgets, services and tools

Controls
• Procedural, technical, administrative safeguards and countermeasures


Open Science Cyber Risk Profile (OSCRP)

OSCRP helps leads of science projects understand cybersecurity risks to their science and prepare for discussing those risks with their campus security office.

OSCRP was created by a team of computer security experts and scientists working together through a series of example use cases, which were then generalized to form the basis of the document.

OSCRP provides a mechanism for applying controls to mission-specific assets.

https://trustedci.org/oscrp/


OSCRP 2019 Planned Extensions

1. Data integrity issues in scientific computing, e.g., due to bit flips, are planned to be addressed.

2. Data privacy and confidentiality (e.g., PII, proprietary technologies) are planned to be explicitly addressed, including technical risk assessments.

3. Network-connected sensors and actuators (“cyber-physical systems”) are planned to be examined in more depth.

4. Mitigations are planned to be included.

5. Cross references with the Trusted CI Framework will be added.


Trusted CI and Inclusivity

Cybersecurity requires diverse perspectives, and the cybersecurity community suffers from a lack of diversity.

Trusted CI works to address it through its workforce development, outreach, and community building efforts by explicitly seeking out and encouraging underrepresented groups to apply and striving for inclusive demographics.

2018 NSF Cybersecurity Summit Student Program


Trusted CI Partners

https://trustedci.org/partners

Engagement and Performance Operations Center (EPOC)

Open Science Grid

REN-ISAC


Other Trusted CI Services

Large Facilities Security Team

Working group of security representatives from NSF Large Facilities.

https://trustedci.org/lfst/

Ask Us Anything

No question too big or too small.

[email protected]

Follow Us

https://trustedci.org

https://blog.trustedci.org

@TrustedCI

Cyberinfrastructure Vulnerabilities

Latest news on security vulnerabilities tailored for cyberinfrastructure community.

https://trustedci.org/vulnerabilities/

Specialized Information for Identity and Access Management, Science Gateways, Software Development

https://trustedci.org/iam/

https://trustedci.org/sgci/

https://trustedci.org/software-assurance/


Operational Services for Securing Scientific Cyberinfrastructure

Research Security Operations Center

The NSF Collaborative Security Response Center

Von Welch


“Security teams continually strive to identify and mitigate all vulnerabilities in order to maintain a strong security posture...


“An attacker only needs to find one to exploit...”


ResearchSOC complements Trusted CI

● Operational services and related training for NSF CI

● Community of Practice and Threat Intelligence Network

● Enabling Cybersecurity Research

● Outreach to Higher Ed Infosec regarding research CI

● Creating comprehensive cybersecurity programs

● Community building and leadership

● Training and best practices

● Tackling specific challenges of cybersecurity, software assurance, privacy, etc.


The ResearchSOC Team

Funded by NSF Grant 1840034.

Andrew Adams (PSC), Rich Angeletti (PSC), Ed Balas (IU), Richard Biever (Duke), Jesse Bowling (Duke), Cyd Burrows-Schilling (UCSD), Mary Conley (IU), Michael Corn (UCSD), Tom Davis (IU), Inna Kouper (IU), Mark Krenz (IU), Jim Marsteller (PSC), Scott Orr (IU), Sameer Patil (IU), Chris Rapier (PSC), Mike Stanfield (IU), Zalak Shah (IU), Susan Sons (IU), Todd Stone (IU), Von Welch (IU)


Cyberinfrastructure is More Diverse

!=

Credit: Chris Coleman, School of Computing, University of Utah


Tuning, Tailoring, and Training for Science


https://omnisoc.iu.edu/…extensible

● Process and Create Cyber Threat Intelligence

● Notify Member Incident Response Teams

● Communicate and Share Information

● Conduct Proactive Threat Hunting

● Analyze Security Events

● Monitor and Triage Security Events

● Provide Call Center Services


Vulnerability Identification Service at the Three Rivers Optical Exchange (3ROX)

R&E networks are under constant scanning by malicious actors attempting to identify and subsequently exploit CI vulnerabilities – weaknesses that can be exploited by an attacker to perform unauthorized actions.

• Built upon Three Rivers Optical Exchange (3ROX) Cybersecurity Service

• Based on ‘OpenVAS’ framework - Full Featured vulnerability scanner. Daily updates with over 50,000 vulnerability tests.


Vulnerability Identification Service

Probes externally from your network

Identifies:
• Misconfigured software
• Exploitable software
• Unnecessary services/exposed devices


Vulnerability Identification Service

• Initial ‘discovery’ scan to enumerate network connected assets

• Scheduled scanning

• On demand scanning


Identifying threats to protect your network

Sharing Threat Intelligence for Network Gatekeeping with Automated Response

• Make use of:
  • Network sensors
  • Network metadata system logs files
• To identify:
  • Attackers
  • Compromised machines and accounts
• AND block:
  • Via network security appliances in place
• AND share:
  • Threat intelligence with other groups


STINGAR in the enterprise

[Figure: architecture diagram. Network labels: Edge, IPS/IDS, Campus Network, ScienceDMZ, Honeypot. Data flow labels: Normal Data, Attack Data, Threat Intelligence, Control. Component labels: Sensor Data (Syslog services, Honeypot data, NetFlow captures, DenyHosts data, IDS data), Aggregator, Threat Analyzer, Threat Repository, Threat Response Actuators (Host Firewall insertion, “Black hole” routing, IPS insertion, Network Firewall insertion). Timing labels: < 3 seconds, 30 min, Planned.]

Data collected near-real time

Analysis occurs between 1 min (most sources) and 5 min (network flow data)

Block lists generated every 3 minutes


Build a Community of Research Cybersecurity Practitioners

https://www.ren-isac.net/ep/index.html


Build A CI Threat Intelligence Network

CyberInfrastructure Threat Intelligence Network

Other sources
● SCADA Threats
● Community Contributions
● Trusted CI
● ...

NSF CI Community


Improve Security Practice by Enabling Research

• Intrusion detection and prevention

• Network and threat analysis

• Security and privacy policies


Bolster the CUI compliance effort

NIST SP800-171 Controlled Unclassified Information (CUI) calls for over 100 controls

ResearchSOC (with OmniSOC) addresses nearly 20% of these controls in control families such as:

• Awareness and training
• Audit and accountability
• Incident response
• Security and risk assessment
• Systems and communication protection
• System and information integrity


Researcher Needs and Access Timeline

Spring 2019: Pilot Interviews
Fall 2019: Surveys / Interviews
Spring 2020: Student Engagement Workshop
Spring 2021: Researcher Engagement Workshop


Timeline and Initial Clients

Project start

Development of tech and contracts; outreach to InfoSec and Researchers

Beta Testing

Sustainability and for-fee services

GAGE

2019

2020

2021


For More [email protected]
https://researchsoc.iu.edu/

The ResearchSOC is supported by the National Science Foundation under Grant 1840034.

The views expressed do not necessarily reflect the views of the National Science Foundation or any other organization.

Thank you to pexels.com for images.


A (true) Story


Enable Higher Education Information Security Offices to Serve Research

College and university information security offices (ISOs) are challenged in their understanding of the specialized needs of research projects.

ResearchSOC will reach out to ISOs to educate them on the motivations and techniques for engaging with and protecting research projects on their campuses.

https://events.educause.edu/security-professionals-conference/2019

Look for ResearchSOC at EDUCAUSE SPC 2019!


ResearchSOC Workshops

● Annual 3 or 4 day Workshops (in lovely San Diego)
● Conference aligned workshops (starting May 13th at Educause SPC)
● Supporting participants à la Research Facilitator community
● Targeting CISOs, Security Architects, and Security professionals that support researchers

Sample Curriculum

● Day 1: Overview of sponsored programs (how research projects work); Facilitation training; Review of common research-centric tools and technologies
● Days 2-3: Table top security plan development with actual PIs
● Day 4: Review and develop artifacts and collaborative support


Thank you. Questions?

https://researchsoc.iu.edu https://trustedci.org

ResearchSOC is supported by the National Science Foundation under Grant 1840034.
Trusted CI is supported by the National Science Foundation under Grant 1547272.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

