|
|
(10 intermediate revisions by 4 users not shown) |
Line 1: |
Line 1: |
| =Enterprise Information Security Team= | | =Infosec= |
| {{TOC right|limit=2}}
| |
| Infosec assists Mozillians in defining and operating security controls to ensure that data at Mozilla is protected consistently across the organization.
| |
| * we help you define the risks around your services and data
| |
| * we help projects design and implement security controls
| |
| * we maintain a risk-based inventory of systems and their functional security controls to help Mozilla management determine where to invest in security measures
| |
| * we develop a catalog of services and tools that help you appropriately secure your data
| |
| * we respond to security investigations and incidents
| |
| * we provide baseline practices and assist teams in defining their security standards
| |
|
| |
|
| = Contact =
| | {{note|This page has been moved to https://infosec.mozilla.org/|error}} |
| Email us at '''opsec''' [at] mozilla.com. For confidential information, encrypt your email using our public PGP: [http://gpg.mozilla.org/pks/lookup?op=get&search=0xBC17301B491B3F21 Operations Security (Mozilla Security Assurance)] .
| |
| | |
| For security incidents, file a bug in Bugzilla under the product/component [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Investigation] or [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Incident].
| |
| | |
| Our IRC channel is #infosec or #security at [irc://irc.mozilla.org/security irc.mozilla.org].
| |
| | |
| = Members =
| |
| [[File:OpSec.png|left|200px]]
| |
| * [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder] [:kang]
| |
| * [https://mozillians.org/en-US/u/michalpurzynski/ Michal Purzynski] [:michal`]
| |
| * [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] [:ulfr]
| |
| * [https://mozillians.org/en-US/u/jbryner/ Jeff Bryner] [:jeff]
| |
| * [https://mozillians.org/en-US/u/gene/ Gene Wood] [:gene]
| |
| * [https://mozillians.org/en-US/u/alm/ Aaron Meihm] [:alm]
| |
| * [https://mozillians.org/en-US/u/jclaudius/ Jonathan Claudius] [:claudijd]
| |
| * [https://mozillians.org/en-US/u/amuntner/ Adam Muntner] [:adamm]
| |
| * [https://mozillians.org/en-US/u/april/ April King] [:April]
| |
| | |
| = Service Catalog =
| |
| | |
| The services listed below are available to everyone working on the Mozilla project. Contact us directly for more details on any of the services listed below.
| |
| | |
| == Service: Security Information and Event Management (SIEM) ==
| |
| [[File:MozDefAlerts.png|right|300px]]
| |
| ; Support commitment
| |
| : 5k-10k events per second capacity; 10 days of event storage online; 1 year offline in AWS glacier
| |
| ; Costs
| |
| : Engineering time, compute resources, AWS archiving
| |
| ; Service request
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=MozDef&assigned_to=jbryner%40mozilla.com request bug]
| |
| | |
| [[File:MozDefAttackerGlobe.png|right|300px]]
| |
| [[File:MozDefAttackerOgres.png|right|300px]]
| |
| | |
| === Description ===
| |
| | |
| InfoSec develops and operates MozDef as a service to assist Mozilla projects in defending their operations. Mozilla systems can send events, logs and other data to MozDef to be automatically correlated and consistently treated.
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Send events to be stored
| |
| * Search events
| |
| * Create dashboards summarizing events
| |
| * Create alerts
| |
| * Correlate on events
| |
| * Collaborate in real time with incident handlers
| |
| * Integrate systems into automated response to security events
| |
| | |
| == Service: NSM: Network Security Monitoring ==
| |
| | |
| ; Support commitment
| |
| : best effort, non-HA A statistical approach is used so results might not be 100% accurate by design. Logs limited to between 3 and 10 days.
| |
| ; Costs
| |
| : traffic interception capabilities, servers for running it, disk space for log storage.
| |
| ; Service request
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=NSM&assigned_to=mpurzynski%40mozilla.com request bug]
| |
| | |
| === Description ===
| |
| | |
| The goal of the NSM project is to provide useful context information for both the IR and early detection of possible intrusions.
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Coverage of traffic at the entry point and key routing points of Mozilla’s data centers including firewalls and Load Balancers.
| |
| * Interfaces and utilities to facilitate and accelerate Incident Response
| |
| * Detection of various network level anomalies that might suggest either intrusion or network issues.
| |
| * Give a lot of statistical information that traditional monitoring systems can’t, from the application level protocols.
| |
| * Make sense out of the data at the higher protocol levels, sessions and packets.
| |
| | |
| == Service: Real-time systems forensic ==
| |
| [[File:MIG-logo-CC-small.jpg|right|400px]]
| |
| ; Support commitment
| |
| : business hours availability. 1 year data retention.
| |
| ; Costs
| |
| : platform supported by InfoSec. Subscriber’s handles the cost of provisioning and monitoring the agents on target systems.
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=MIG&assigned_to=jvehent%40mozilla.com&blocked=896480 request bug]
| |
| | |
| === Description ===
| |
| [[File:Mig-console.png|right|300px]]
| |
| InfoSec operates a client/server platform to facilitate the investigation of large numbers of systems in parallel. We distribute agents across endpoints of an infrastructure that can be queried in real-time through a central console. This service uses Mozilla InvestiGator (MIG).
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Search filesystems by filename, content and hashes.
| |
| * Check, add and delete user accounts.
| |
| * Read and write host firewall rules.
| |
| * Search through the memory of a live system.
| |
| * Search for MAC addresses, IP addresses and connected IPs.
| |
| * Verify conformity of a configuration with InfoSec best practices.
| |
| | |
| == Service: Test driven systems security ==
| |
| [[File:Compliance Chart 1.png|right|600px]]
| |
| ; Support commitment
| |
| : business hours availability. 1 year data retention.
| |
| ; Costs
| |
| : platform supported by InfoSec. Subscriber’s handles the cost of provisioning and monitoring the agents on target systems.
| |
| ; Service request
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=MIG&assigned_to=jvehent%40mozilla.com&blocked=896480 request bug]
| |
| | |
| === Description ===
| |
| | |
| Test driven systems security uses bateries of tests ran against a system to evaluate its conformance with security best practices. The tests can be ran daily, or trigger on-demand, making it easy to implement and review security controls in real time.
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Obtain a detailled view of the security controls deployed on a system, or across an infrastructure.
| |
| * Fast iterations on the implementation and review of security controls. This is designed to accelerate the feedback loop between operational and security teams. immediate feedback is necessary.
| |
| | |
| == Service: Rapid Risk (Impact) Assessment (RRA) ==
| |
| [[File:Rra.png|right|450px]]
| |
| ; Support commitment
| |
| : Response within a week.
| |
| ; Costs
| |
| : 30 minutes meeting with InfoSec.
| |
| ; Service request
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Review request bug]
| |
| | |
| === Description ===
| |
| | |
| The Rapid Risk (Impact) Assessment (also called Rapid Risk Analysis) is a 30 minutes or less discussion about the potential risks of a project. The RRA is high level and lightweight.
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Quickly identify risks impacts related to your project, service, tool, etc.
| |
| * Make decision making more efficient: spend more time where it matters on your project, service, tool (where the risks are).
| |
| * Get your service recorded in a risk heatmap to compare it with other services.
| |
| * Find out if you need a threat model.
| |
| | |
| == Service: Threat Modeling ==
| |
| | |
| ; Support commitment
| |
| : Response within a week.
| |
| ; Costs
| |
| : One or more meeting with InfoSec.
| |
| ; Service request
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Review request bug]
| |
| | |
| === Description ===
| |
| | |
| Threat modeling defines a set of attack scenarios to consider against an application. They are more specific, thorough and often more time consuming than Rapid Risk Assessments (RRA).
| |
| When a threat model or analysis is requested on a large service (ie, larger than a quick reply in a bug), an RRA is required to ensure that the security recommendations cover the areas of concerns of the service.
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Get an in depth threat model of your project with technical details, recorded in a document.
| |
| * Get a quick in-line reply in Bugzilla (responses sec-review flag).
| |
| * Get architectural tips from the security point of view at the project design time.
| |
| | |
| == Security Incident Response ==
| |
| | |
| ; Support commitment
| |
| : ASAP
| |
| | |
| ; Service request
| |
| : [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Incident request bug]
| |
| | |
| === Description ===
| |
| | |
| The Security Incident Response process is designed to facilitate a rapid coordinated response to system and network security incidents.
| |
| | |
| === What you can do with this service ===
| |
| | |
| * Incident investigation.
| |
| * Coordinated response.
| |
| * Containment, eradication, and recovery of security incident
| |
| * Notification and communication of incident related details, activities, status, and resolution.
| |
| * Post Mortem.
| |
| | |
| = Tools catalog =
| |
| | |
| == System call auditing: Audisp-json ==
| |
| | |
| ; Services provided
| |
| : Auditing
| |
| ; Maturity
| |
| : Production
| |
| ; Source code
| |
| : https://github.com/gdestuynder/audisp-json
| |
| | |
| === Description ===
| |
| | |
| Linux Audit can record information about any system call, and relay it to a user-space process. Audisp-json is a plugin for Auditd which takes these events, correlate them and issue a standard, single JSON message in the MozDef format -over HTTPS (it does not use syslog).
| |
| | |
| Audisp-json coupled with MozDef provide a strong solution to monitor and correlate security event on linux systems. It supersede the audisp-cef plugin.
| |
| | |
| == Trophy Store ==
| |
| | |
| ; Services Provided
| |
| : Development
| |
| ; Maturity
| |
| : Alpha
| |
| ; Source Code
| |
| : https://github.com/gene1wood/trophy-store
| |
| | |
| === Description ===
| |
| | |
| A web application to automate and simplify the process of requesting or renewing certificates, generating SSL keys, issuing certificates and deploying the resulting keys and certificates into software load balancers.
| |
| | |
| == MIG: Mozilla InvestiGator ==
| |
| | |
| ; Services Provided
| |
| : Endpoint Security
| |
| ; Maturity
| |
| : Production
| |
| ; Source Code
| |
| : http://mig.mozilla.org
| |
| | |
| === Description ===
| |
| | |
| MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents.
| |
| | |
| MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messaging protocol implemented in the MIG Scheduler. MIG has an API, a database, RabbitMQ relays and a console client. It allows investigators to send actions to pools of agents, and check for indicator of compromise, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on.
| |
| | |
| == MozDef: The Mozilla Defense Platform ==
| |
| | |
| ; Services Provided
| |
| : Development
| |
| ; Maturity
| |
| : Production
| |
| ; Source Code
| |
| : http://mozdef.com
| |
| | |
| === Description ===
| |
| | |
| The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
| |
| | |
| Goals:
| |
| | |
| * Provide a platform for use by defenders to rapidly discover and respond to security incidents.
| |
| * Automate interfaces to other systems like bunker, banhammer, mig
| |
| * Provide metrics for security events and incidents
| |
| * Facilitate real-time collaboration amongst incident handlers
| |
| * Facilitate repeatable, predictable processes for incident handling
| |
| * Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation
| |
| | |
| = Documentation maintained by InfoSec =
| |
| * [https://wiki.mozilla.org/Security/OpSec This page]
| |
| * [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS]
| |
| * [https://wiki.mozilla.org/Security/Guidelines/Key_Management Key Management]
| |
| * [https://wiki.mozilla.org/Security/Guidelines/OpenSSH OpenSSH]
| |
| | |
| = Honorary members =
| |
| * [https://mozillians.org/en-US/u/joes/ Joe Stevensen] [:joe]
| |