EGI-CSIRT Face2Face meeting in Lisbon

18 May 2017, 09:00 → 19 May 2017, 17:35 Europe/Lisbon

6 (Lisbon,)

Daniel Kouril (CESNET), David Kelsey (STFC), Sven Gabriel (NIKHEF), Vincent Brillault (CERN)

For logistics and video information see the EGI CSIRT private wiki.

Timings and even the order of topics may change.

Thursday, 18 May

09:00 → 09:30 Intro

Agenda

09:00 Intro / Logistitcs / Agenda

Speaker: Dr Sven Gabriel (NIKHEF)

09:30 → 10:30 FedCoud Security: Honeypots in Fedclouds

Security of orchestration/contextualisation services

Conveners: Daniel Kouril (CESNET), Fyodor Yarochkin (AS)

slides Honeypots-daniel.pptx

10:30 → 11:00 Coffee

11:00 → 11:45 Planning: Traings in EGI Service Portfolio

Start discussion on post Engage Phase,

Conveners: David Kelsey (STFC), Malgorzata Krakowian (EGI.eu), Dr Sven Gabriel (NIKHEF)

11:45 → 12:30 EGI-CSIRT Web Appearance: Web Page

Status EGI-CSIRT Web Page

Conveners: Barbara Krasovec (JSI), Mr Ian Neilson (STFC), Sophie Ferry (CEA)

slides CSIRT_WEB_Lisbon2017.pdf

12:30 → 14:00 Lunchbreak

14:00 → 14:15 SVG evolution and procedure improvements: Critical Vulnerability Handling (Voms Example)

Convener: Dr Sven Gabriel (NIKHEF)

slides EGI-CSIRTF2F-SVG-evolution-LAC.pptx

14:15 → 14:45 SVG evolution and procedure improvements

Convener: Linda Cornwall (STFC)

slides EGI-CSIRTF2F-SVG-evolution-LAC.pptx

14:45 → 15:10 IRTF: Projects - WLCG Traceability & Isolation WG Report

Convener: Vincent Brillault (CERN)

15:10 → 15:30 IRTF: VO Security channel challenge

Convener: Vincent Brillault (CERN)

15:30 → 16:00 Coffeebreak

16:00 → 17:30 IRTF: GoeGrid Incident Issues

Conveners: Daniel Kouril (CESNET), Dr Sven Gabriel (NIKHEF), Mr Tobias Dussa (KIT-CERT), Vincent Brillault (CERN)

16:00 GoeGrid Issues / How to Contact Users

Clarify procedures (VOs, AAI check-in, robots) Discussion, identify possible policy violations of the users/VO, escalate to Management via OMB

Speaker: Vincent Brillault (CERN)

16:30 VM image handing in IR

Concept to use syncthing to share VM images, what is needed at the sites, what at irtf. POC, then ask OMB for approval/support

Speaker: Mr Tobias Dussa (KIT-CERT)

Friday, 19 May

09:00 → 10:00 Planning: Post EGI/Next Meeting

Start discussion on post Engage Phase,

Convener: David Kelsey (STFC)

10:00 → 10:30 SSC-FC: Status Update Calendar

Develop the security challenge framework
Page 39 of 64Experience from EGI-InSPIRE has shown that performing security service challenges on the operational infrastructure
is useful confirm that there is sufficient audit information for traceability of any incident, that procedures and tools are
sufficient and that participants are trained and aware of the need to participate in incident response. The framework for
these security challenges will be modified and extended to meet the evolving scenarios.
Develop the software vulnerability handling process to adapt to new technology and deployments
Software vulnerability issues in the EGI core infrastructure have been handled through a close relationship with
the technology providers, many of whom supply members of the Software Vulnerability Group (SVG). The general
principles will remain, including the assessment of risks and the issuing of advisories. In the evolving scenarios of EGI-
Engage there are, however, likely to be different types of relationship with the technology providers, especially when
this does not involve membership of SVG. The procedures and methods for handling vulnerabilities in EGI-Engage
will evolve accordingly.

 FedCloud SSC
    presentation Status 15 min.
    discussion

expected outcome:

next steps
wps (who does what)
timeline


Communication channel SSCs (who coordinates this?)
    NGI RT-IR: We should use bulk ticket creation for that
        Presentation: Status tools / how we did this in the past / summary earlier results 
    Site-Security Telephone numbers check Per NGI
        Preparation: compile checklist / like where do we end up, does the person picking up the phone know what we are talking about

expected outcome:

status report of the quality our communication channels (mail/phone)
present at OMB?

Conveners: Boris Parak (CESNET), Dr Sven Gabriel (NIKHEF)

10:30 → 11:00 More Coffee

11:00 → 11:30 IRTF: IRTF Handover Critical Vulnerability Handling to Operations

Conveners: Daniel Kouril (CESNET), Dr Sven Gabriel (NIKHEF), Vincent Brillault (CERN)

11:00 Handover discussion

Questions that I see are: - Monitoring: How to make sure that Operations people are allowed to see the relevant info. - Is the info there distinct enough so that they don't trap into false positives/mitigations/etc, what do we need to do in terms of training/documentation? - Ticket creation still be done by us (Massticket Magic) - Low level tech communications (Advisories etc) should be done by us. In addition we may need to provide support (on Duty dude has to provide this) For now we can assume that we use our tools, no need to move to ggus atm. Peter will be available/dial in on Friday (mainly for the FedCloud Sec stuff) perhaps we can through this at him as well, and get to a point where we can present this at OMB and ask for approval. Can you guys collect/present the needed info so that we can discuss it. Only very brief, likely we can re-use some of the Prague stuff we had back then. Security Monitoring may need some more love here.

11:30 → 12:30 Policies/Procedures: Secure Services

Draft Procedure to allow EGI to (re-)Certify externally managed services.

Convener: Dr Sven Gabriel (NIKHEF)

12:30 → 14:00 Lunchbreak

14:00 → 15:30 IRTF: Debriefing

Convener: Vincent Brillault (CERN)

15:30 → 16:00 Coffee

16:00 → 17:00 Monthly Tickets Updates

Convener: Dr Sven Gabriel (NIKHEF)