National team of security analysts collaborating to secure Canada’s R&E network

In early 2019, Canada’s 13 provincial, territorial and federal partners in the National Research and Education Network (NREN) began implementing a new security platform to coordinate protection of this critical infrastructure. The Security Information and Event Management initiative will improve how we identify, manage and respond to cyber security threats, thereby strengthening the overall security of the network.

This initiative represents an unprecedented pan-Canadian effort to coordinate network threat monitoring. It has involved the creation of a team of NREN Security Analysts, together with the deployment of common monitoring equipment on the NREN partners’ infrastructures.

For a better understanding of what this all means, I spoke to Cybera’s security analyst, Andrew Klaus, about what he and his counterparts will be doing, and why this initiative is so important.

What is Security Information and Event Management (SIEM)?

It really is just a data collector with monitoring capabilities. We’re implementing equipment that will allow all NREN partners to not only monitor our individual networks for security events, but also cross-correlate with each other on what we are seeing.

Specifically, we’re monitoring network flow traffic — when a server talks to another machine, or an IP address talks to another address — as well as events from our own network devices. The SIEM is really a system for improving the sharing of cyber security knowledge.

What are the benefits of this knowledge sharing?

Well, for example, we can look at what firewall rules each partner has implemented — such as what kind of traffic they are blocking or allowing. And we can see what’s working and what’s not working on other networks, and copy that on our own network, or advise them on a setup that would be more beneficial. It’s all about optimizing the flow on the network and securing the traffic, without impacting the end-user experience. Collaboration helps this optimization, and also helps us all keep our cyber security costs down!

Can you give an example of a “security event”?

We had an incident where one of the hosts on the network was talking to an IP address that was flagged by the SIEM equipment as being possibly malicious. When we investigated, we discovered that there was malware running on one of our machines. After we addressed the issue, the incident report was shared with the group, so they could see the steps we took, and what we learned.

What are the next steps for the SIEM project?

This multi-tenancy project is being rolled out in stages, and the future goal (at least in Alberta) is to start bringing post-secondaries on board to use the platform, so they can collaborate with us on detecting and addressing these issues.

We’re also investigating open-source SIEM solutions, to see if that would work better for us or our members.

This project is also helping us prepare for future collaborative security projects.

Any lessons learned so far?

We quickly realized that every NREN partner had a different setup for their infrastructure! For example, Cybera operates on IPv6 (Internet Protocol version 6) as well as IPv4, but many others are primarily IPv4, so this created its own unique issues. IPv6 is less tested, so we inevitably run into bugs that are unique to us.

Getting to the point where we are synchronized and producing data that everyone can utilize may therefore take a little time. But we’ll have a lot to study once all that shared data comes in.

To be honest, the greatest lesson learned so far has been realizing the benefit of our teams meeting face-to-face, as we are able to communicate next steps better that way. So, I guess there’s still no technological solution that beats traditional in-person discussions!

Any fun personal experiences with the project so far that you’d like to share?

Even though we’re still in the early stages, Cybera has already seen the benefit of the SIEM initiative. We operate a free public research cloud called the Rapid Access Cloud. There are times when we get notices that instances on our cloud have been hacked by a botnet. In the past, we didn’t really find out about these incidents until we got a complaint from a company that it was being hacked. With this tool, we’ve been able to detect those botnet hacks earlier on, before the company they are aimed against notices, and we’ve been able to stop them.

If nothing else, this has helped the reputation management of our cloud!