Harnessing the Power of Threat Intelligence in Grids and Clouds: WLCG SOC Working Group

Abstract

The modern security landscape affecting Grid and Cloud sites is evolving to include possible threats from a range of avenues, including social engineering as well as more direct approaches. An effective strategy to defend against these risks must include cooperation between security teams in different contexts. It is essential that sites have the ability to share threat intelligence data with confidence, as well as being able to act on this data in a timely and effective manner. As reported at ISGC 2017, the Worldwide LHC Computing Grid (WLCG) Security Operations Centres Working Group (WG) has been working with sites across the WLCG to develop a model for a Security Operations Centre reference design. This work includes not only the technical aspect of developing a security stack appropriate for sites of different sizes and topologies, but also the more social aspect of sharing data between groups of different kinds. In particular, since many Grid and Cloud sites operate as part of larger University or other Facility networks, collaboration between Grid and Campus / Facility security teams is an important aspect of maintaining overall security. We discuss recent work on sharing threat intelligence, particularly involving the WLCG MISP instance hosted at CERN. In addition, we examine strategies for the use of this intelligence, as well as considering recent progress in the deployment and integration of the Bro Intrusion Detection System (IDS) at contributing sites. An important part of this work is a report on the first WLCG SOC WG Workshop / Hackathon, a Workshop planned at time of writing for December 2017. This Workshop provides an opportunity to assist participating sites in the deployment of these security tools as well as giving attendees the opportunity to share experiences and consider site policies as a result. This Workshop is hoped to play a substantial role in shaping the future goals of the working group, as well as shaping future workshops.