Security/InfoSec: Difference between revisions

= Operations Security Team =
{{TOC right|limit=2}}
OpSec is a strategic group focused on information security. We articulate a vision for the operations of services that support the Mozilla mission and Manifesto.

OpSec assists Mozillians in defining and operating security controls to ensure that data at Mozilla is protected consistently across the organization.

Our goal is to help groups inside and outside of Mozilla operate services and manage data in a way that respects the principles of the Mozilla Manifesto.
* we help you define the risks around your services and data
* we help projects design and implement security controls
* we maintain a risk-based inventory of systems and their functional security controls to help Mozilla management determine where to invest in security measures
* we develop a catalog of services and tools that help you appropriately secure your data
* we respond to security investigations and incidents
* we provide baseline practices and assist teams in defining their security standards
[[File:OpSec.png|600px]]

OpSec operates as a consulting team. We do not mandate security requirements. We support operational teams in the design, implementation and maintenance of systems that guarantee the security of information Mozilla is entrusted with.

= Service Catalog =

We offer security services, described in our service catalog. In addition to security engineering, we specialize in Incident Response and Risk Assessment. OpSec is typically the go-to team when a compromise is detected in the Mozilla network.

The services listed below are available to everyone working on the Mozilla project. Contact us directly for more details on any of them.
== Service: Security Information and Event Management (SIEM) ==
 
; Support commitment
: 5k-10k events per second capacity; 10 days of event storage online; 1 year offline in AWS Glacier
; Costs
: Engineering time, compute resources, AWS archiving
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?assigned_to=jbryner%40mozilla.com&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_fx_iteration=---&cf_fx_points=---&component=Security%20Assurance%3A%20Operations&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&defined_groups=1&flag_type-4=X&flag_type-607=X&flag_type-800=X&flag_type-803=X&form_name=enter_bug&groups=infra&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=Linux&priority=--&product=mozilla.org&rep_platform=x86_64&short_desc=MozDef%20Service%20request%20for%20%3Cteam%20name%3E&target_milestone=---&version=other request bug]
 
=== Description ===
 
OpSec develops and operates MozDef as a service to assist Mozilla projects in defending their operations. Mozilla systems can send events, logs and other data to MozDef to be automatically correlated and consistently treated.
 
=== What you can do with this service ===

* Send events to be stored
* Search events
* Create dashboards summarizing events
* Create alerts
* Correlate on events
* Collaborate in real time with incident handlers
* Integrate systems into automated response to security events
 
== Service: NSM: Network Security Monitoring ==
 
; Support commitment
: Best effort, non-HA. A statistical approach is used, so results might not be 100% accurate by design. Logs are retained for between 3 and 10 days.
; Costs
: Traffic interception capabilities, servers for running it, disk space for log storage.
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?assigned_to=mpurzynski%40mozilla.com&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_fx_iteration=---&cf_fx_points=---&component=Security%20Assurance%3A%20Operations&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&defined_groups=1&flag_type-4=X&flag_type-607=X&flag_type-800=X&flag_type-803=X&form_name=enter_bug&groups=infra&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=Linux&priority=--&product=mozilla.org&rep_platform=x86_64&short_desc=NSM%20Service%20request%20for%20%3Cteam%20name%3E&target_milestone=---&version=other request bug]
 
=== Description ===
 
The goal of the NSM project is to provide useful context information both for incident response (IR) and for early detection of possible intrusions.
 
=== What you can do with this service ===
 
* Coverage of traffic at the entry point and key routing points of Mozilla's data centers, including firewalls and load balancers.
* Interfaces and utilities to facilitate and accelerate Incident Response.
* Detection of various network-level anomalies that might suggest either an intrusion or a network issue.
* Statistical information from application-level protocols that traditional monitoring systems can't provide.
* Making sense of the data at the higher protocol levels, sessions and packets.
 
== Service: Real-time systems forensic ==
 
; Support commitment
: business hours availability. 1 year data retention.
; Costs
: Platform supported by OpSec. Subscribers handle the cost of provisioning and monitoring the agents on target systems.
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?assigned_to=jvehent%40mozilla.com&blocked=896480&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_fx_iteration=---&cf_fx_points=---&component=Security%20Assurance%3A%20Operations&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&defined_groups=1&flag_type-4=X&flag_type-607=X&flag_type-800=X&flag_type-803=X&form_name=enter_bug&groups=infra&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=Linux&priority=--&product=mozilla.org&rep_platform=x86_64&short_desc=MIG%20Service%20request%20for%20%3Cteam%20name%3E&target_milestone=---&version=other request bug]
 
=== Description ===
 
OpSec operates a client/server platform to facilitate the investigation of large numbers of systems in parallel. We distribute agents across endpoints of an infrastructure that can be queried in real-time through a central console. This service uses Mozilla InvestiGator (MIG).
 
=== What you can do with this service ===
 
* Search filesystems by filename, content and hashes.
* Check, add and delete user accounts.
* Read and write host firewall rules.
* Search through the memory of a live system.
* Search for MAC addresses, IP addresses and connected IPs.
* Verify conformity of a configuration with OpSec best practices.
 
== Service: Test driven systems security ==
 
; Support commitment
: business hours availability. 1 year data retention.
; Costs
: Platform supported by OpSec. Subscribers handle the cost of provisioning and monitoring the agents on target systems.
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?assigned_to=jvehent%40mozilla.com&blocked=896480&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_fx_iteration=---&cf_fx_points=---&component=Security%20Assurance%3A%20Operations&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&defined_groups=1&flag_type-4=X&flag_type-607=X&flag_type-800=X&flag_type-803=X&form_name=enter_bug&groups=infra&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=Linux&priority=--&product=mozilla.org&rep_platform=x86_64&short_desc=TDS%20Service%20request%20for%20%3Cteam%20name%3E&target_milestone=---&version=other request bug]
 
=== Description ===
 
Test driven systems security uses batteries of tests run against a system to evaluate its conformance with security best practices. The tests can be run daily or triggered on demand, making it easy to implement and review security controls in real time.
 
=== What you can do with this service ===
 
* Obtain a detailed view of the security controls deployed on a system, or across an infrastructure.
* Fast iterations on the implementation and review of security controls. This is designed to accelerate the feedback loop between operational and security teams, where immediate feedback is necessary.
 
== Service: Rapid Risk Assessment (RRA) ==
 
; Support commitment
: Response within a week.
; Costs
: 30 minutes meeting with OpSec.
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_fx_iteration=---&cf_fx_points=---&component=Security%20Assurance%3A%20Operations&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&defined_groups=1&flag_type-4=X&flag_type-607=X&flag_type-800=X&flag_type-803=X&form_name=enter_bug&groups=infra&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=Linux&priority=--&product=mozilla.org&rep_platform=x86_64&short_desc=RRA%20request%20for%20%3Cteam%20name%3E&target_milestone=---&version=other request RRA]
 
=== Description ===
 
The Rapid Risk Assessment (also called Rapid Risk Analysis) is a discussion of 30 minutes or less about the potential risks of a project. The RRA (pronounced RA) is high level and lightweight.
 
=== What you can do with this service ===
 
* Quickly identify risks related to your project, service, tool, etc.
* Make decision making more efficient: spend more time where it matters on your project, service, tool (where the risks are).
* Get your service recorded in a risk heatmap to compare it with other services.
* Find out if you need a security review.
 
== Service: Security Review ==
 
; Support commitment
: Response within a week.
; Costs
: One or more meetings with OpSec.
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=Security%20Assurance%3A%20Operations Open a bug]
 
=== Description ===
 
Security reviews are in-depth reviews of the security of a project. They are more specific, more thorough and more time consuming than Rapid Risk Assessments (RRA). An RRA is required before performing any security review that is more than a quick reply in a bug.
 
=== What you can do with this service ===
 
* Get an in-depth security review of your project with technical details, recorded in a document.
* Get a quick in-line reply in Bugzilla (a response to the sec-review flag).
* Get architectural tips from the security point of view at project design time.
 
== Security Incident Response ==
 
; Support commitment
: FILLME
; Costs
: FILLME
; Service request
: [https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=Security%20Assurance%3A%20Incident Open a bug]

=== Description ===

The Security Incident Response process is designed to facilitate a rapid, coordinated response to system and network security incidents.

=== What you can do with this service ===

* Incident investigation.
* Coordinated response.
* Containment, eradication and recovery for security incidents.
* Notification and communication of incident-related details, activities, status and resolution.
* Post mortem.
= Tools catalog =

== System call auditing: Audisp-json ==

; Services provided
: Auditing
; Maturity
: Release Candidate
; Source code
: https://github.com/gdestuynder/audisp-json

=== Description ===

Linux Audit can record information about any system call and relay it to a user-space process. Audisp-json is a plugin for Auditd which takes these events, correlates them and issues a single, standard JSON message in the MozDef format over HTTPS (it does not use syslog).

Audisp-json coupled with MozDef provides a strong solution to monitor and correlate security events on Linux systems. It supersedes the audisp-cef plugin.

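As an added example (not code from the audisp-json project or from this page's authors), the following Python script shows the correlation step described above: it groups constructed raw auditd records by their audit serial number and emits one JSON-ready message per event when that event's EOE record arrives. The MozDef-style envelope fields and the hostname are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Raw auditd record header: 'type=SYSCALL msg=audit(1389292456.012:1234): key=value ...'
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be double-quoted
SYSCALL_KEYS = ('syscall', 'success', 'exit', 'exe', 'comm', 'auid', 'uid', 'pid', 'ppid', 'tty', 'key')

AUDIT_SAMPLE = [  # constructed sample, not a real capture: events 1234 and 1235 interleave
    'type=SYSCALL msg=audit(1389292456.012:1234): arch=c000003e syscall=59 success=yes exit=0 ppid=1029 pid=1045 auid=1000 uid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd" key="identity"',
    'type=SYSCALL msg=audit(1389292456.013:1235): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=880 auid=4294967295 uid=0 tty=(none) comm="cron" exe="/usr/sbin/cron" key="logins"',
    'type=EXECVE msg=audit(1389292456.012:1234): argc=2 a0="useradd" a1="alice"',
    'type=CWD msg=audit(1389292456.012:1234): cwd="/root"',
    'type=PATH msg=audit(1389292456.012:1234): item=0 name="/usr/sbin/useradd" mode=0100755 ouid=0 ogid=0',
    'type=EOE msg=audit(1389292456.012:1234): ',
    'type=EOE msg=audit(1389292456.013:1235): ',
]

def parse_record(line):
    """Split one raw record into (type, timestamp, serial, fields); None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('type'), float(m.group('ts')), int(m.group('serial')), fields

def build_message(ts, serial, records, hostname):
    """Merge the records of one audit event into a single message dict (json.dumps-ready)."""
    details, argv = {'auditserial': serial}, []
    for rtype, fields in records:
        if rtype == 'SYSCALL':
            details.update({k: fields[k] for k in SYSCALL_KEYS if k in fields})
        elif rtype == 'EXECVE':  # rebuild argv from a0..aN
            argv = [fields['a%d' % i] for i in range(int(fields.get('argc', 0))) if 'a%d' % i in fields]
        elif rtype == 'CWD':
            details['cwd'] = fields.get('cwd')
        elif rtype == 'PATH' and fields.get('item') == '0':
            details['path'] = fields.get('name')
    if argv:
        details['command'] = ' '.join(argv)
    # Envelope loosely modelled on MozDef's layout (an assumption; the plugin defines the real field set)
    return {'utctimestamp': datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            'hostname': hostname, 'category': 'audit',
            'summary': ('%s %s' % (details.get('exe', '?'), details.get('command', ''))).strip(),
            'details': details}

def correlate(lines, hostname='host.example'):
    """Group records by audit serial; emit one message per event when its EOE record arrives. hostname is assumed."""
    pending, messages = defaultdict(list), []  # serial -> [(record type, fields), ...]
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        if rtype == 'EOE':
            messages.append(build_message(ts, serial, pending.pop(serial, []), hostname))
        else:
            pending[serial].append((rtype, fields))
    return messages
```

Records of an event that never receives an EOE stay in `pending`, so a real plugin would also need a timeout to flush them.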
== Trophy Store ==

; Services Provided
: Development
; Maturity
: Alpha
; Source Code
: https://github.com/gene1wood/trophy-store

=== Description ===

A web application to automate and simplify the process of requesting or renewing certificates, generating SSL keys, issuing certificates and deploying the resulting keys and certificates into software load balancers.

== MIG: Mozilla InvestiGator ==

; Services Provided
: Endpoint Security
; Maturity
: Production
; Source Code
: http://mig.mozilla.org

=== Description ===

MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents.

MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messaging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays and a console client. It allows investigators to send actions to pools of agents, and check for indicators of compromise, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on.


== MozDef: The Mozilla Defense Platform ==

; Services Provided
: Development
; Maturity
: Production
; Source Code
: http://mozdef.com

=== Description ===

The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

Goals:

* Provide a platform for use by defenders to rapidly discover and respond to security incidents.
* Automate interfaces to other systems like bunker, banhammer, mig
* Provide metrics for security events and incidents
* Facilitate real-time collaboration amongst incident handlers
* Facilitate repeatable, predictable processes for incident handling
* Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation


= Contact =

Email us at '''opsec''' [at] mozilla.com. For confidential information, encrypt your email using our public PGP key: [http://gpg.mozilla.org/pks/lookup?op=get&search=0xBC17301B491B3F21 Operations Security (Mozilla Security Assurance)].

For security incidents, file a bug in Bugzilla under the component mozilla.org :: Security Assurance: Incident.

Our public mailing list is [https://lists.mozilla.org/listinfo/opsec opsec [at] lists.mozilla.org].

Our IRC channel is #security on [irc://irc.mozilla.org/security irc.mozilla.org].

= Members =

* [https://mozillians.org/en-US/u/joes/ Joe Stevensen] [:joes]
* [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder] [:kang]
* [https://mozillians.org/en-US/u/michalpurzynski/ Michal Purzynski] [:michal`]
* [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] [:ulfr]
* [https://mozillians.org/en-US/u/jbryner/ Jeff Bryner] [:jeff]
* [https://mozillians.org/en-US/u/gene/ Gene Wood] [:gene]