Automatically and autonomously monitoring digital activities on CERN’s network and its firewalls between CERN and the Internet, activities on CERN’s computing clusters and related with CERNs web services is an essential part for guaranteeing the protection of the operation and reputation of the Organization. It allows us to detect --- attempted or successful --- break-ins (“An attack for more security”; https://home.cern/cern-people/updates/2017/05/computer-security-attack-more-security) or preventive scans for vulnerabilities of our computing infrastructure (“CERN under friendly poking”; http://home.cern/cern-people/updates/2017/11/computer-security-cern-under-friendly-poking), and, of course, the abuse of our computing facilities for malicious deeds (“Virtual Misconduct – Real Consequences”; http://home.cern/cern-people/updates/2017/10/computer-security-virtual-misconduct-real-consequences). Therefore, the new CERN Security Operations Center (SOC) was deployed recently to cope with CERN’s ever growing networking and computing resources. It shall automatically check for malicious activities, alert in such cases the Computer Security Team and end-users, and provide all necessary information to conduct and conclude incident forensics (of present or past incidents).

At the core of this new SOC lies threat intelligence data, i.e. structured information on various ongoing and past computer security events. This includes “Indicators of Compromise” (IoC), e.g. malicious IP addresses or domains as well as signatures (“file hashes”) of various malware samples. IoC are constructed from the results of investigations of computer security incidents discovered at CERN, but also received from partner organisations. Through participation in vetted trust groups the CERN Computer Security Team is automatically exchanging threat intelligence information with peer organisations. This data exchange is managed by a dedicated open-source tool dubbed “MISP” (“Malware Information Sharing Platform”; http://www.misp-project.org/) and covers not only IoC but also tactics, techniques and procedures used by the various threat actors or groups of threat actors. Seeing any CERN computing activity linked to such threat intelligence data indicates a problem: CERN computing resources might have been attacked, abused or compromised…

Hence, different Intrusion Detection Systems (IDS) have been deployed at CERN. On the network level, i.e. at CERN’s outer perimeter firewall but also at the boundaries between internal networks --- so-called “gates” ---, one network-based IDS (“Snort”; https://www.snort.org/) is simply looking for different patterns of malicious activity in the flow of data. The second, more sophisticated one (“BroIDS”; https://www.bro.org/) extracts source and destination IP addresses and port numbers, transferred data volumes as well as some high level application metadata. Similarly, host-based IDSes gather information from CERN’s computing clusters in the data centre (e.g. “LXPLUS”, “LXBATCH”), from CERN’s Single Sign On portal, from the LDAP and Active Directory services, from the centrally managed web servers, from the Domain Name Server, and from several other sources (see our Privacy Statement for the full list; https://security.web.cern.ch/security/home/en/privacy_statement.shtml). All this security data is being processed in real time and enriched with missing information such as the hostname linked to an IP address (in those cases where the source of data only contains IP addresses) or adding geographic (“GeoIP”; https://www.maxmind.com/en/home) information. All data gets stored in two different systems (“Elastic Search” and “HDFS”), one allowing the data to be easily queried and visualised via web dashboards, the other one for longer term storage where we keep data for one year maximum.

The SOC automatically compares any security data against known IoC and raises an alert every time such an IoC is being seen. Advanced intrusion detection methods employ complex rules and correlation among multiple sources of data. Subsequently, raised alerts undergo a further step of aggregation by correlating similar alerts (for example multiple CERN devices being targeted by the same malware) in order to identify common root causes. Incorporating additional context around the detected activity also allows us to easily reject false alerts. Once a security incident is detected and confirmed, incident response kicks in. At CERN, due to its unique academic environment and the associated academic freedom, computer security is highly democratic and all computing users are responsible for it.  As such, for most security incidents affected end users will receive an automatic notification informing them of the problem. The CERN Computer Security portal (https://security-issues.web.cern.ch/) provides additional guidance on how to resolve the different classes of security incidents (with or without the help of the Computer Security Team). When the situation asks for, the CERN Computer Security Team has dedicated tools for the handling of large scale security incidents (i.e. “FIR” and “the Hive”). But, hopefully, thanks to this new SOC, that should be rare: We should be able to follow the upscaling of CERN’s data center and the ever increase of traffic towards and from the Internet: Monitoring and intrusion detection for the protection of the operation and reputation of CERN.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report (https://cern.ch/security/reports/en/monthly_reports.shtml). For further information, questions or help, check our website (https://cern.ch/Computer.Security) or contact us at Computer.Security@cern.ch.