Security Status Across Higher Ed? (Source: http://www.privacyrights.org)
800,000 in November, 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants.
5,800 in August, 2007: Computer with the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.
4,375 in September, 2007: Former students at risk for identity fraud after an instructor's laptop computer was stolen.
3,100 in September, 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.
Security is Multi-layer
We do a lot… SDLC and Change Management
Security requirements and design reviews from get-go.
Code reviews
Developers reuse security components
Automated nightly code and application security scanning
Consolidated storage of sensitive data, database model reviews of personal identity data
Concurrency and stress testing to detect thread-safety problems
Still had problems
Urgent call from our director:
Have you patched server X?
Is Server Y behind a firewall?
Did Server Y have any Credit Card information stored?
Is the database encrypted?
When was the last time a security review of Application X was done?
Peter The Anteater is on vacation!
Peter is now at Google!
Different answers from different people.
Little confidence that information is current.
Not enough…
Many security layers meant many documents owned by many people
Scattered checklists, spreadsheets, and diagrams not accessible
Host IP change = document update nightmare.
New server? Update how many firewalls?
Missing information, such as whom to contact
Proprietary knowledge departed with staff turnover
Spreadsheet Hell!
What we learned …
Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate.
Explored different approaches and tools – both vendor and open source.
Merged with the Enterprise Architecture approach to use Stanford’s Protégé Knowledgebase.
Open-source ontology and knowledge-base tool that captures and maintains comprehensive enterprise security information in a single repository.
Objectives
Quickly respond to threats.
Organize, consolidate, and centralize security procedures and facts about layers of security.
Track code, database, and security reviews, results and follow-up
Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.
Agenda
Background on Ontologies and Protégé
Realized value - demonstration of our knowledgebase and reports
How to implement this in your organization
Summary
Useful URLs and Q&A
Background
What is an Ontology?
“An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.”
Supports inheritable properties (is-a)
Attributes of an object can be complex objects themselves (rich). Nestable…
[Diagram: example Book ontology showing a class hierarchy with the labels Writing, Book, Short Story, Historical Novel, Classic, Medieval, Modern]
Stanford University’s Protégé
Allows easy modeling and creation of an ontology
Auto generates forms for collecting and capturing information based on ontology and class definitions.
“Reverse slots” allow rich linking ability and automatic updates of changing relationships.
Remember the removal of the server and associated updates of firewall rules?
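To make the two ideas this slide relies on concrete, here is an added toy model written for this page (not Protégé code and not the presenters' ontology). It mimics is-a inheritance of slot values and a reverse slot that is maintained automatically, so a firewall rule stores the identity of the host it applies to rather than a copy of the host's IP address. The class names (Host, Server, WindowsServer, FirewallRule), slot names (ip, patch_contact, allows_host, rules) and the sample hosts and rules are all assumptions chosen to mirror the firewall-by-host report.

```python
"""Added illustration (not Protege code): a toy in-memory knowledge base that
mimics is-a inheritance of slot values and reverse slots that keep
relationships in sync.  Class names, slot names and the sample hosts/rules
are assumptions, not the presenters' real ontology."""

from collections import defaultdict


class Cls:
    """An ontology class; `defaults` are slot values inherited by subclasses."""

    def __init__(self, name, parent=None, **defaults):
        self.name, self.parent, self.defaults = name, parent, defaults

    def is_a(self, name):
        cls = self
        while cls is not None:
            if cls.name == name:
                return True
            cls = cls.parent
        return False


class Instance:
    def __init__(self, cls, name, **slots):
        self.cls, self.name, self.slots = cls, name, dict(slots)

    def get(self, slot):
        """Own value first, then the nearest class default up the is-a chain."""
        if slot in self.slots:
            return self.slots[slot]
        cls = self.cls
        while cls is not None:
            if slot in cls.defaults:
                return cls.defaults[slot]
            cls = cls.parent
        return None


class KnowledgeBase:
    def __init__(self):
        self.instances = {}
        # (target name, reverse slot) -> names of instances pointing at target
        self.reverse_index = defaultdict(set)

    def add(self, inst):
        self.instances[inst.name] = inst
        return inst

    def link(self, src, slot, target, reverse_slot):
        """Set a forward slot and maintain its reverse slot automatically.
        The rule stores the host's identity, never a copy of its IP."""
        src.slots[slot] = target.name
        self.reverse_index[(target.name, reverse_slot)].add(src.name)

    def reverse(self, target, reverse_slot):
        return sorted(self.reverse_index[(target.name, reverse_slot)])


def build_sample_kb():
    """Constructed sample data: two hosts, three firewall rules."""
    kb = KnowledgeBase()
    host = Cls("Host")
    server = Cls("Server", host, patch_contact="unix-admins")
    windows = Cls("WindowsServer", server, patch_contact="windows-admins")
    www1 = kb.add(Instance(windows, "www1", ip="10.0.0.5"))
    db1 = kb.add(Instance(server, "db1", ip="10.0.0.9", patch_contact="dba"))
    rule = Cls("FirewallRule")
    for name, target, port in (("allow-http", www1, 80),
                               ("allow-backup", www1, 10000),
                               ("allow-sql", db1, 1433)):
        kb.link(kb.add(Instance(rule, name, port=port)),
                "allows_host", target, "rules")
    return kb


def change_ip(kb, host_name, new_ip):
    """The single update the slides contrast with the spreadsheet nightmare."""
    kb.instances[host_name].slots["ip"] = new_ip


def firewall_report_by_ip(kb):
    """Rows (ip, host, patch contact, rule names) derived at report time, so
    every rule row shows the host's current IP after one change."""
    rows = []
    for inst in kb.instances.values():
        if inst.cls.is_a("Host"):
            rows.append((inst.get("ip"), inst.name, inst.get("patch_contact"),
                         tuple(kb.reverse(inst, "rules"))))
    return sorted(rows)


if __name__ == "__main__":
    kb = build_sample_kb()
    print(firewall_report_by_ip(kb))
    change_ip(kb, "www1", "10.0.0.50")   # one edit, every rule row follows
    print(firewall_report_by_ip(kb))
```

Changing www1's IP once is enough for both of its rules to report the new address, and www1 inherits its patch contact from WindowsServer while db1 overrides the Server default; the real tool does the same bookkeeping for you.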
Generates an HTML view of knowledge and ontology.
Can be exported in XML format to generate reports in other formats and for specific audiences, without storing redundant data.
Multi-user capable
Highly scalable
Simulations have handled over 5 million objects
Open source at http://protege.stanford.edu/
Java API to program against
Under active development (last release Aug 24, 2007)
Protégé GUI
Protégé – Knowledge Capture
HIPAA?
Protégé – Application Instances
Protégé – Authentication Instances
Protégé – Authorization Instances
Protégé – Patching Procedures
Protégé – Backup Procedures
Protégé – Query Capability
Using Protégé to Capture Reviews
Realized Value: Auto-generated Reports from Protégé
Network Inventory Report
By Host Name
By IP Address
Firewall Rules Report
By Firewall
By Host Name
By IP Address
Personal Identity Database Report
By Server
By Database
Personal Identity Datafile Report
By Server
Application Report
Includes developed and vendor applications
[Diagram: Before and After for firewall information, showing the roles involved: Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin]
Report: Firewall by Host
Reports: Personal Identity Database by Server
Reports: Personal Identity Datafile by Server
How to Implement in your Organization…
Step 1: Inventory existing spreadsheets and documents
Step 2: Identify information you want to track centrally.
Step 3: Design your ontology (or copy ours)
Step 4: Assign roles – who updates, who views
Step 5: Capture information
Step 6: Add any customizations to Protégé
Step 7: Create secured reports for various audiences
Our Ontology
Updates
3 ways to update your knowledge base
Desktop Client / Local Project
Only one person can update at a time
Must have access to project file
Web Server
Multi-User, access anywhere
Interface has its weaknesses
Client / Server
Best of both worlds
Must have desktop client installed
Updates – Client / Server
Use built-in client-server mode for multi-user updates
Grant access to individual users
Support for role-based permissions
Updates are propagated in near-real-time
BE CAREFUL!
Everything is stored in plain text
Customizations
Modified the existing HTML Export plug-in to change the structure of the output HTML
Encrypt Sensitive Values
List Instances before Slots on Class pages
Made string attributes that are URLs actual hyperlinks
Add line breaks between multiple Slot values
Using Protégé to Capture Reviews
Automation
Although editing of the knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports
Wrote two Java classes that use the Protégé API to emulate actions usually done through the GUI
edu.uci.adcom.protege.ProjectXmlExport
edu.uci.adcom.protege.ProjectHtmlExport
Using XSLT for Reports
Replicated the former spreadsheets exactly, then replaced them with reports offering the same functionality
Created canned reports for specific views on knowledge
XSLT is used to transform XML export of entire knowledge base to report specific “simple” XML
Then again from the “simple” XML to multiple HTML views for each report
XSL and CSS are flexible and can be modified to customize presentation of data
Report Generation Process Outline: Protégé → Java (edu.uci.adcom.ProjectXMLExport) → XSLT to massage the export into domain-specific data → XSLT to generate individual reports (for web reports) → CSS to customize the display
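The following is an added example, written for this page in Python as a stand-in for the two XSLT stages in the process above (it is not the presenters' code, and Python is used here only so the pipeline can be run without an XSLT processor). The export document is constructed for the illustration and is not Protégé's real XML export schema; the host classes and slot names are assumptions chosen to match the Network Inventory report. Stage 1 reduces the whole export to report-specific "simple" XML, dropping non-host instances and any slot not meant for this audience, and stage 2 renders that simple XML as the By Host Name and By IP Address views.

```python
"""Added example for this page: a Python stand-in for the two-stage XSLT
pipeline (full export -> report-specific "simple" XML -> HTML views).
The export below is constructed and is NOT Protege's real export schema;
class and slot names are assumptions."""

import html
import xml.etree.ElementTree as ET

# Constructed sample export: three host instances and one firewall instance.
EXPORT_XML = """<knowledge_base>
  <instance class="WindowsServer" name="www1">
    <slot name="ip">10.0.0.5</slot>
    <slot name="os">Windows Server 2003</slot>
    <slot name="contact">windows-admins</slot>
    <slot name="pid_datafile">/data/finaid_export.csv</slot>
  </instance>
  <instance class="UnixServer" name="db1">
    <slot name="ip">10.0.0.9</slot>
    <slot name="os">Solaris 10</slot>
    <slot name="contact">dba</slot>
  </instance>
  <instance class="UnixServer" name="app2">
    <slot name="ip">10.0.0.12</slot>
    <slot name="os">RHEL 4</slot>
    <slot name="contact">unix-admins</slot>
  </instance>
  <instance class="Firewall" name="border-fw">
    <slot name="admin">campus-border-admins</slot>
  </instance>
</knowledge_base>"""

HOST_CLASSES = {"WindowsServer", "UnixServer"}   # assumed subclasses of Host
PUBLIC_SLOTS = ("ip", "os", "contact")           # slots allowed in the web view


def to_simple_xml(export_xml):
    """Stage 1: reduce the full export to inventory-only 'simple' XML.
    Non-host instances and slots outside PUBLIC_SLOTS (for example the
    personal-identity datafile path) are dropped for this audience."""
    root = ET.fromstring(export_xml)
    inventory = ET.Element("inventory")
    for inst in root.findall("instance"):
        if inst.get("class") not in HOST_CLASSES:
            continue
        host = ET.SubElement(inventory, "host", name=inst.get("name"))
        for slot in inst.findall("slot"):
            if slot.get("name") in PUBLIC_SLOTS:
                host.set(slot.get("name"), slot.text.strip())
    return ET.tostring(inventory, encoding="unicode")


def parse_simple(simple_xml):
    """Return the inventory as a list of dicts (one per host)."""
    return [dict(h.attrib) for h in ET.fromstring(simple_xml).findall("host")]


def _ip_key(host):
    # Sort IPs numerically so 10.0.0.12 follows 10.0.0.9 instead of 10.0.0.5.
    return tuple(int(part) for part in host["ip"].split("."))


def render_html(simple_xml, sort_by="name"):
    """Stage 2: one HTML view of the simple XML, ordered by host name or IP."""
    hosts = parse_simple(simple_xml)
    hosts.sort(key=_ip_key if sort_by == "ip" else (lambda h: h["name"]))
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(h.get(c, ''))}</td>"
                         for c in ("name",) + PUBLIC_SLOTS) + "</tr>"
        for h in hosts)
    return ("<table><tr><th>Host</th><th>IP</th><th>OS</th><th>Contact</th></tr>"
            + rows + "</table>")


def build_reports(export_xml):
    """Whole pipeline: export -> simple XML -> the two inventory views."""
    simple = to_simple_xml(export_xml)
    return {"by_host": render_html(simple, "name"),
            "by_ip": render_html(simple, "ip")}


if __name__ == "__main__":
    for name, page in build_reports(EXPORT_XML).items():
        print(name, page, sep="\n")
```

The point of the intermediate "simple" XML is the same as in the XSLT version: the audience-specific filtering happens once, so the sensitive datafile path never reaches the HTML stage, and every view is regenerated from the single repository rather than copied by hand.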
Reports: Personal Identity Datafile by Server
Putting it all together
Ant script is used to tie everything together
Can be easily scheduled to generate reports
Metrics – Firewall Management
Before
Border, Police, Financial Services, Windows OS, and Server Firewall
Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total)
30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.
After
Centralized inventory of knowledge about firewall rules
Zero spreadsheets
3 custom reports – HTML and Excel
Centralize maintenance of single repository across organizational units
No redundancy
Metrics – Network and Data Inventory
Before
White Boards and Documents
Partial Network Inventory
Unpatched servers on whiteboard
4 units keeping redundant or out of sync information in private locations
Limited access - personal computers
Sensitive data locations unclear
Servers with no virus protection or backups
After
New information that didn’t exist before
Integrated database, network, and application information
Zero spreadsheets
9 custom reports – HTML and Excel
Centralize maintenance of repository across organizational units
Access to repository extended to 60 individuals based on privileges
Clearer view of potential holes in security for analysis and proactive planning
Sensitive data tracked
40 data files
50 database fields
Added 40 hosts to backup and anti-virus scanning procedure
Future Plans
Continue to evolve the ontology to include more attributes and relationships
Continue capturing and updating new information
Automate capture of information with tools
Create a plugin for encrypting sensitive information
Create a slot-based authorization plugin
Generate checklists intelligently based on attributes
Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
Create notifications about potential trouble spots
Example: a personal identity database field that has not been encrypted.