Security/InfoSec

From MozillaWiki
< Security(Redirected from Security/OpSec)
Jump to: navigation, search

Enterprise Information Security Team

Infosec assists Mozillians in defining and operating security controls to ensure that data at Mozilla is protected consistently across the organization.

  • we help you define the risks around your services and data
  • we help projects design and implement security controls
  • we maintain a risk-based inventory of systems and their functional security controls to help Mozilla management determine where to invest in security measures
  • we develop a catalog of services and tools that help you appropriately secure your data
  • we respond to security investigations and incidents
  • we provide baseline practices and assist teams in defining their security standards

Contact

Email us at infosec [at] mozilla.com. For confidential information, encrypt your email using our public PGP: Operations Security (Mozilla Security Assurance) .

For security incidents, file a bug in Bugzilla under the product/component [1] or [2].

Our IRC channel is #infosec or #security at irc.mozilla.org.

Members

OpSec.png

Service Catalog

The services listed below are available to everyone working on the Mozilla project. Contact us directly for more details on any of the services listed below.

Service: Security Information and Event Management (SIEM)

MozDefAlerts.png
Support commitment
5k-10k events per second capacity; 10 days of event storage online; 1 year offline in AWS glacier
Costs
Engineering time, compute resources, AWS archiving
Service request
request bug
MozDefAttackerGlobe.png
MozDefAttackerOgres.png

Description

InfoSec develops and operates MozDef as a service to assist Mozilla projects in defending their operations. Mozilla systems can send events, logs and other data to MozDef to be automatically correlated and consistently treated.

What you can do with this service

  • Send events to be stored
  • Search events
  • Create dashboards summarizing events
  • Create alerts
  • Correlate on events
  • Collaborate in real time with incident handlers
  • Integrate systems into automated response to security events

Service: NSM: Network Security Monitoring

Support commitment
best effort, non-HA A statistical approach is used so results might not be 100% accurate by design. Logs limited to between 3 and 10 days.
Costs
traffic interception capabilities, servers for running it, disk space for log storage.
Service request
request bug

Description

The goal of the NSM project is to provide useful context information for both the IR and early detection of possible intrusions.

What you can do with this service

  • Coverage of traffic at the entry point and key routing points of Mozilla’s data centers including firewalls and Load Balancers.
  • Interfaces and utilities to facilitate and accelerate Incident Response
  • Detection of various network level anomalies that might suggest either intrusion or network issues.
  • Give a lot of statistical information that traditional monitoring systems can’t, from the application level protocols.
  • Make sense out of the data at the higher protocol levels, sessions and packets.

Service: Real-time systems forensic

MIG-logo-CC-small.jpg
Support commitment
business hours availability. 1 year data retention.
Costs
platform supported by InfoSec. Subscriber’s handles the cost of provisioning and monitoring the agents on target systems.
request bug

Description

Mig-console.png

InfoSec operates a client/server platform to facilitate the investigation of large numbers of systems in parallel. We distribute agents across endpoints of an infrastructure that can be queried in real-time through a central console. This service uses Mozilla InvestiGator (MIG).

What you can do with this service

  • Search filesystems by filename, content and hashes.
  • Check, add and delete user accounts.
  • Read and write host firewall rules.
  • Search through the memory of a live system.
  • Search for MAC addresses, IP addresses and connected IPs.
  • Verify conformity of a configuration with InfoSec best practices.

Service: Test driven systems security

Compliance Chart 1.png
Support commitment
business hours availability. 1 year data retention.
Costs
platform supported by InfoSec. Subscriber’s handles the cost of provisioning and monitoring the agents on target systems.
Service request
request bug

Description

Test driven systems security uses a battery of tests run against a system to evaluate its conformance with security best practices. The tests can be ran daily, or trigger on-demand, making it easy to implement and review security controls in real time.

What you can do with this service

  • Obtain a detailed view of the security controls deployed on a system, or across an infrastructure.
  • Fast iterations on the implementation and review of security controls. This is designed to accelerate the feedback loop between operational and security teams. immediate feedback is necessary.

Service: Rapid Risk (Impact) Assessment (RRA)

Rra.png
Support commitment
Response within a week.
Costs
30 minutes meeting with InfoSec.
Service request
request bug

Description

The Rapid Risk (Impact) Assessment (also called Rapid Risk Analysis) is a 30 minutes or less discussion about the potential risks of a project. The RRA is high level and lightweight.

What you can do with this service

  • Quickly identify risks impacts related to your project, service, tool, etc.
  • Make decision making more efficient: spend more time where it matters on your project, service, tool (where the risks are).
  • Get your service recorded in a risk heatmap to compare it with other services.
  • Find out if you need a threat model.

Service: Vulnerability Assessment

Support commitment
Response within a week.
Costs
One or more meetings with InfoSec.
Service request
request bug

Description

A vulnerability assessment is a semi-automated point-in-time assessment conducted by Mozilla Security using a vulnerability scanner and other “point and shoot” tools for an explicit set of target(s). May include a validation component, depending on scope and service risk.

What you can do with this service

  • Quickly identify commonly known vulnerabilities/misconfigurations in your application ranked by severity
  • Get a sense of a vendor systems security posture if the vendor is not forthcoming but is willing to be scanned
  • Get a manual verification of vulnerabilities/misconfigurations to weed out false positives (optional - based on scope and risk)

Service: Threat Modeling

Support commitment
Response within a week.
Costs
One or more meeting with InfoSec.
Service request
request bug

Description

Threat modeling defines a set of attack scenarios to consider against an application. They are more specific, thorough and often more time consuming than Rapid Risk Assessments (RRA). When a threat model or analysis is requested on a large service (ie, larger than a quick reply in a bug), an RRA is required to ensure that the security recommendations cover the areas of concerns of the service.

What you can do with this service

  • Get an in depth threat model of your project with technical details, recorded in a document.
  • Get a quick in-line reply in Bugzilla (responses sec-review flag).
  • Get architectural tips from the security point of view at the project design time.

Service: Penetration Testing

Support commitment
Response within a week
Testing timelines vary based on testing scope
Costs
One or more meeting with InfoSec.
Service request
request bug

Description

An adversarial exercise with the goal of demonstrating risks that could be exploited by a threat actor. Testing scope is heavily influenced by RRA and Threat Modeling results, which should be completed prior to Penetration Testing.

What you can do with this service

  • Get a detailed report of security controls that were tested and found effective/ineffective
  • Get recommendations on how to remedy ineffective security controls
  • Get proof of concept (PoC) evidence that demonstrates the ineffectiveness of security controls to support development and prioritization efforts

Security Incident Response

Support commitment
ASAP
Service request
request bug

Description

The Security Incident Response process is designed to facilitate a rapid coordinated response to system and network security incidents.

What you can do with this service

  • Incident investigation.
  • Coordinated response.
  • Containment, eradication, and recovery of security incident
  • Notification and communication of incident related details, activities, status, and resolution.
  • Post Mortem.

Tools catalog

System call auditing: Audisp-json

Services provided
Auditing
Maturity
Production
Source code
https://github.com/gdestuynder/audisp-json

Description

Linux Audit can record information about any system call, and relay it to a user-space process. Audisp-json is a plugin for Auditd which takes these events, correlate them and issue a standard, single JSON message in the MozDef format -over HTTPS (it does not use syslog).

Audisp-json coupled with MozDef provide a strong solution to monitor and correlate security event on linux systems. It supersede the audisp-cef plugin.

Trophy Store

Services Provided
Development
Maturity
Alpha
Source Code
https://github.com/gene1wood/trophy-store

Description

A web application to automate and simplify the process of requesting or renewing certificates, generating SSL keys, issuing certificates and deploying the resulting keys and certificates into software load balancers.

MIG: Mozilla InvestiGator

Services Provided
Endpoint Security
Maturity
Production
Source Code
http://mig.mozilla.org

Description

MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents.

MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messaging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays and a console client. It allows investigators to send actions to pools of agents, and check for indicator of compromise, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on.

MozDef: The Mozilla Defense Platform

Services Provided
Development
Maturity
Production
Source Code
http://mozdef.com

Description

The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

Goals:

  • Provide a platform for use by defenders to rapidly discover and respond to security incidents.
  • Automate interfaces to other systems like bunker, banhammer, mig
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation

Documentation maintained by InfoSec

Honorary members