CICI: Secure and Resilient Architecture: NetSecOps — Policy-Driven, Knowledge-Centric, Holistic Network Security Operations Architecture
ABSTRACT:
Network infrastructure at University campuses is complex and sophisticated, often supporting a mix of enterprise, academic, student, research, and healthcare data, each having its own distinct security, privacy, and priority policies. Securing this complex and highly dynamic environment is extremely challenging, particularly since campus infrastructures are increasingly under attack from malicious actors on the Internet and (often unknowingly) internal campus devices. Different parts of the campus have very different policies and regulations that govern its treatment of sensitive data (e.g., private student/employee information, health care data, financial transactions, etc.). Furthermore, data-intensive scientific research traffic often requires exceptions to normal security policies, resulting in ad-hoc solutions that bypass standard operational procedures and leave both the scientific workflow and the campus as a whole vulnerable to attack. In short, state-of-the-art campus security operations still heavily rely on human domain experts to interpret high level policy documents, implement those policies through low-level mechanisms, create exceptions to accommodate scientific workflows, interpret reports and alerts, and be able to react to security events in near real time on a 24-by-7 basis.
This project addresses these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that assists information technology (IT) security teams by automating many of the operational tasks that are tedious, error-prone, and otherwise problematic in current campus networks. NetSecOps is policy-driven in that the framework encodes high-level human-readable policies into systematic policy specifications that drive the actual configuration and operation of the infrastructure. NetSecOps is knowledge-centric in that the framework captures data, information, and knowledge about the infrastructure in a central knowledge store that informs and guides IT operational tasks. The proposed NetSecOps architecture has the following unique capabilities: (1) the ability to capture campus network security policies systematically; (2) the ability to create new fine-grained network control abstractions that leverage existing security capabilities and emerging software defined networks (SDN) to implement security policies, including policies related to both scientific workflows and IT domains; (3) the ability to implement policy traceability tools that verify whether these network abstractions maintain the integrity of the high-level policies; (4) the ability to implement knowledge-discovery tools that enable reasoning across data from existing security point-solutions, including security monitoring tools and authentication and authorization frameworks; and (5) the ability to automatically adjust the network’s security posture based on detected security events. Research results and tools from the project will be released into the public domain allowing academic institutions to utilize the resources as part of their best-practice IT security operations.