Brought to you by Rice University Office of Information ... · 10/19/2017 · Barry Ribbeck...
Brought to you by Rice University Office of Information Technology
Barry Ribbeck, Dean Lane, Paul Engle, Dylan Jacob
A long time ago, in a university far far in the south……
Our Environment
Medium sized private school (~12K people total)
Research focused
Centralized IT but with a lot of free range options
• No centralized inventory control or IT purchase control
• No centralized authX requirements
• NetReg network moving to auth based network access
So opportunities for improvement are abundant
Our Security Challenge
Improve or maintain network security and increase
clock speed (time to implement).
Make it more secure but don’t get in the way
So we started looking for ways to do that.
Where do you start?
Our institutional mission statement lists a focus on research,
academia and community as our top priority in that order.
Improving IT security clock speed for anything research
related looks like a good place to start.
The solution would need to be measurable since speed was
a factor.
Our Approach
Of all the tools in our toolbox, which technologies provide the
potential for the highest positive security impact?
Of all of those tools which ones can be used to improve our
clock speed in support of research?
Then how do we measure them?
Potential Tools vs Controls
Tools (columns, left to right): 802.1X Wired (ISE) | Grouper (I2) | SIEM (Splunk) | VPN | TrustSec (Future)
A "1" marks a tool judged to have a positive impact on that control (column alignment was lost in extraction; only the marks per row survive).
CIS CSC # | Control Description | Marks
1  | HW Inventory                               | 1 1
2  | SW Inventory                               | 1 1
4  | Vulnerability Assessment and Remediation   | 1 1
5  | Administrative Privileges                  | 1 1 1 1
6  | Monitoring and Log Analysis                | 1 1 1
9  | Controlling Network Ports                  | 1 1 1 1
13 | Data Protection                            | 1 1 1 1 1
14 | Controlled Access                          | 1 1 1 1 1
15 | Wireless Access                            | 1 1
19 | Incident Response                          | 1 1
IMPACT TALLY (per tool, in column order): 802.1X Wired 9 | Grouper 5 | SIEM 8 | VPN 4 | TrustSec 5
IT Security Choke Points
Where are we slow or inefficient?
• Firewall rule changes for researchers accessing
restricted data
• Dis-contiguous research network subnets
• Compliance management & reporting
• Inventory management
[Chart: Est. Security Maturity Change (x-axis 0 to 0.4). Predicted maturity increase per stage: Policies Completed; Controls 1-5 Implemented; All Controls Implemented; All Controls Automated; All Controls Reported.]
If implemented correctly, we estimated almost a full point improvement in
security maturity
Addressing Clock Speed
• Say no (doesn’t support our mission very well)
• Delegate / Distribute control
• Eliminate Steps and automate
• Remove / Reduce barriers
• Measure and evaluate consistently
Sanity Check
1. Identified the problem
2. Developed a plan and approach
3. Identified the tools
4. Predicted goals to measure against for success
5. Verified implementation should not decrease security
6. Applied acceleration methods
All that’s left is to implement and measure
Measuring Clock Speed
• We used our ticketing system to look at time to completion
before and after implementation in specific areas.
• We also looked at before and after ticket count where tickets
no longer exist because they are self service.
• Some functions such as group changes went from days to
no recorded effort.
• The longest times recorded now are for creating something
unique. Once a new profile is created it takes much less time
to copy and leverage the existing template.
Clock speed for security has been measurably improved in the
areas where we wanted to have a positive impact.
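The measurement described above can be reproduced from ticket exports. The following is an added example, not code from the Rice presentation: it takes constructed ticket records (category, opened, closed), splits them at an assumed cutover date, and reports ticket count and median hours to completion before and after. A category with no tickets after cutover is reported with count 0 and no median, which is the "no recorded effort" case where the work became self service.

```python
from datetime import datetime
from statistics import median

# Assumed date the 802.1X / Grouper changes went live (placeholder).
CUTOVER = datetime(2017, 1, 1)

# Constructed sample tickets (category, opened, closed); not real ticket data.
TICKETS = [
    ("firewall-rule", "2016-10-03 09:00", "2016-10-07 16:30"),
    ("firewall-rule", "2016-11-14 10:15", "2016-11-17 11:00"),
    ("group-change",  "2016-10-20 08:00", "2016-10-22 12:00"),
    ("group-change",  "2016-12-01 13:00", "2016-12-02 09:00"),
    ("firewall-rule", "2017-02-06 09:00", "2017-02-06 15:00"),
    ("firewall-rule", "2017-03-13 11:00", "2017-03-14 10:00"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def clock_speed(tickets, cutover):
    """Return {category: {"before": stats, "after": stats, "speedup": x}}.

    stats = {"count": n, "median_hours": h or None}. A ticket belongs to
    "before" if it was opened before the cutover, else to "after".
    speedup = before median / after median, or None if either side is empty.
    """
    hours = {}  # (category, period) -> list of hours to completion
    for category, opened, closed in tickets:
        period = "before" if _parse(opened) < cutover else "after"
        elapsed = (_parse(closed) - _parse(opened)).total_seconds() / 3600
        hours.setdefault((category, period), []).append(elapsed)

    categories = sorted({c for c, _, _ in tickets})
    report = {}
    for category in categories:
        stats = {}
        for period in ("before", "after"):
            values = hours.get((category, period), [])
            stats[period] = {
                "count": len(values),
                "median_hours": median(values) if values else None,
            }
        before, after = stats["before"]["median_hours"], stats["after"]["median_hours"]
        stats["speedup"] = round(before / after, 2) if before and after else None
        report[category] = stats
    return report


if __name__ == "__main__":
    for category, stats in clock_speed(TICKETS, CUTOVER).items():
        print(category, stats)
```

Medians are used rather than means because a single stuck ticket would otherwise dominate a small sample; the count on each side is reported alongside so a category that disappeared from the queue (count 0 after cutover) is visible rather than silently missing.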
Review of Successes
• Access through firewall & ad hoc segregated network
– VPN with 802.1X profile and distributed
administration via Grouper
• Inventory management – 802.1X ISE reporting
through SIEM for compliance management and
reporting
• Correlating users to incidents, vulnerabilities and access
requests before and after the changes shows signs of
improvement
Where we failed or are failing
• Could be deploying more quickly.
• Did not comprehend and communicate the importance
of the inventory benefits of 802.1X
• Could have been more timely and purposeful in
explaining the benefits properly to administration.
• We did not set out from the start to use 802.1X wired
for inventory purposes.
Deployment Examples
1. Wired systems – about 30% of campus
2. The 802.1X and Security (Identify, detect, protect,..)
3. Research (Provost Project)
4. Research (ad hoc Network)
Grouper Benefits
• Leveraging group across services
• Moving the control point for groups from IT to the
group owner/steward
• Automation of reporting to the group owner/steward
THE END
Barry Ribbeck {Security} - brr at Rice.edu
Dylan Jacobs {Network} – dtj1 at Rice.edu
Paul Engle {IAM} – pengle at Rice.edu
Dean Lane {IAM} – dlane at Rice.edu
Breeder Questions
• What do you do with devices that can’t do 802.1X?
(MAB + Profiling)
• How do you segregate your research Network?
• What problems do you incur with 802.1X supplicants?
• How difficult is it supporting 802.1X clients not bound
to AD? (BYOD)
Network Port Access Control
• Our Network Registration needs to be replaced
• The current solution
  – Is end of life
  – Has a number of security holes
  – Does not really provide accurate data (our fault)
• An 802.1X solution provides better security and accurate real-time
data, and appears to work well in our environment
What About Inventory Management?
Inventory is only as good as your ability to keep it up to date.
Tracking changes manually does not scale and eats up
too much staff time.
Using authenticated network access, we can
dynamically identify anything and anyone on our wired
network which is really the thing we care about.
From person to IP to MAC to machine to services it is all
there.
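The person-to-IP-to-MAC-to-machine chain above can be built directly from authenticated network access records. The following is an added example, not code from the Rice presentation and not Cisco ISE's or Splunk's real log format: it parses constructed key=value accounting lines (the field names are assumptions) into an inventory keyed by MAC, keeps the most recent session per device, and separates devices that authenticated with 802.1X from those admitted by MAC Authentication Bypass (the "devices that can't do 802.1X" case from the questions slide).

```python
import re

# Constructed sample records in a simple key=value form (not ISE's format).
# In a deployment these fields would be mapped from the SIEM search results.
SAMPLE_LOG = """\
2017-10-19T08:01:12 event=session-start user=jdoe mac=00:11:22:33:44:55 ip=10.20.1.15 nas=sw-bio-1 port=Gi1/0/7 method=dot1x
2017-10-19T08:02:40 event=session-start user=printer-bio-3 mac=00:aa:bb:cc:dd:ee ip=10.20.1.50 nas=sw-bio-1 port=Gi1/0/12 method=mab
2017-10-19T09:15:03 event=session-start user=asmith mac=00:11:22:33:44:66 ip=10.20.2.21 nas=sw-bio-2 port=Gi1/0/3 method=dot1x
2017-10-19T13:45:55 event=session-start user=jdoe mac=00:11:22:33:44:55 ip=10.20.3.8 nas=sw-lib-1 port=Gi2/0/1 method=dot1x
"""

_KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("user", "mac", "ip", "nas", "port", "method")


def parse_records(text):
    """Turn log lines into dicts; lines missing a required field are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(_KV.findall(rest))
        if all(k in fields for k in REQUIRED):
            fields["timestamp"] = timestamp
            records.append(fields)
    return records


def build_inventory(records):
    """Inventory keyed by MAC; the latest session wins (ISO timestamps sort lexically)."""
    inventory = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        inventory[rec["mac"].lower()] = {
            "user": rec["user"],
            "ip": rec["ip"],
            "location": f'{rec["nas"]}/{rec["port"]}',
            "method": rec["method"],
            "last_seen": rec["timestamp"],
        }
    return inventory


def devices_for_user(inventory, user):
    """Person -> MACs: every device whose latest session was that user's."""
    return sorted(mac for mac, d in inventory.items() if d["user"] == user)


def mab_devices(inventory):
    """Devices admitted without an 802.1X supplicant (MAB); candidates for profiling review."""
    return sorted(mac for mac, d in inventory.items() if d["method"] != "dot1x")


if __name__ == "__main__":
    inv = build_inventory(parse_records(SAMPLE_LOG))
    for mac, d in inv.items():
        print(mac, d)
    print("jdoe:", devices_for_user(inv, "jdoe"))
    print("MAB:", mab_devices(inv))
```

Keying on MAC rather than IP is deliberate: the same laptop shows up at two addresses and two switch ports in the sample, and the inventory should follow the device. Reporting the MAB set separately matters because those entries rest on a MAC address alone, so their identity is only as strong as the profiling behind them.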