The Network Security Handling and Response Process for customised security notifications to CERT Teams
The NSHaRP process provides a mechanism to inform affected users quickly and effectively by allowing CERTs to tailor how they are notified and which types of incident trigger a notification. The system adds value to the GÉANT community by acting as an extension of the NRENs' CERTs where they lack the human or technical resources to monitor for security incidents affecting their constituents.
NSHaRP extends the NRENs' detection and mitigation capability to the GÉANT borders, so that an attack can be mitigated before it transits the GÉANT network. This is a highly innovative and unique security service in that it caters for the differing requirements of each NREN, placing the customisation of NREN-specific alerts in the NREN's own hands.
What is NSHaRP?
NSHaRP is at its core a security notification system. It is also a ticketing system, supported by the GÉANT NOC (Network Operations Centre): a notification system that creates a trouble ticket for your incident and also provides support in dealing with it. The options available to affected teams range from specialists performing further investigation of the reported incidents to performing mitigation actions on the CERT's behalf.
Why is it so important?
In an age of ever-increasing capacities on backbone networks, it is becoming imperative to ensure that these networks are not used for malicious activities. These large networks are the common point for many Research and Education Networks. GÉANT in its role as the pan-European network provides not only connectivity between NRENs but also beyond Europe to its sister networks such as Internet2 in the US, CLARA in Latin America & TEIN in Asia-Pacific.
It is therefore extremely important that information relating to security events affecting these networks can be exchanged efficiently and quickly. GÉANT has implemented NSHaRP, a complete alerting, notification and resolution system. At its core NSHaRP leverages Netreflex, which uses netflow from the GÉANT network to detect and report on incidents. This has been coupled with a largely automated ticketing component, enabling a large number of incident tickets to be dealt with without engineer intervention and ensuring that valuable engineer time is spent on investigating incidents if and when they occur.
The NSHaRP process draws on multiple incident information sources: partners, internal systems, CERT partners & external project security sources. This multi-faceted pooling of security-related information ensures that all aspects of incident data are combined into a single, dedicated stream of data for participating CERT teams. All information is stored in a structured format, enabling aggregation and fusion of multiple incidents attributable to a single bad actor and providing reporting of total security-related incidents for senior management.
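The two mechanisms described above, per-CERT notification preferences by incident type and aggregation of structured incident records per bad actor, as an added illustration that is not NSHaRP's or GÉANT's own code. The constituent prefixes, subscription table, incident fields and ticket key are all assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: which CERT is responsible for which prefix (assumed).
CONSTITUENTS = {
    "cert-a": ["192.0.2.0/24"],
    "cert-b": ["198.51.100.0/24"],
}
# Per-CERT notification preferences: incident types that trigger a notification (assumed).
SUBSCRIPTIONS = {
    "cert-a": {"ddos", "scan"},
    "cert-b": {"ddos"},
}
# Constructed incident records in the structured form a detector might emit (assumed fields).
INCIDENTS = [
    {"id": 1, "type": "scan", "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"id": 2, "type": "scan", "src": "203.0.113.7", "dst": "192.0.2.11"},
    {"id": 3, "type": "ddos", "src": "203.0.113.9", "dst": "198.51.100.5"},
    {"id": 4, "type": "scan", "src": "203.0.113.7", "dst": "198.51.100.6"},
]


def owner_of(ip):
    """Return the CERT whose constituency contains the affected address, or None."""
    addr = ipaddress.ip_address(ip)
    for cert, prefixes in CONSTITUENTS.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return cert
    return None


def build_tickets(incidents):
    """Route each incident to the responsible CERT, drop types that CERT has not
    subscribed to, and fuse the rest into one ticket per (CERT, type, source actor).
    Returns a dict mapping that key to the list of incident ids it aggregates."""
    tickets = defaultdict(list)
    for inc in incidents:
        cert = owner_of(inc["dst"])
        if cert is None or inc["type"] not in SUBSCRIPTIONS.get(cert, set()):
            continue  # outside any constituency, or a type this CERT opted out of
        tickets[(cert, inc["type"], inc["src"])].append(inc["id"])
    return dict(tickets)


if __name__ == "__main__":
    for key, ids in build_tickets(INCIDENTS).items():
        print(key, "->", ids)
```

With the sample data, the two scan reports from the same source against cert-a's prefix collapse into a single ticket, while the scan against cert-b is suppressed because cert-b subscribes only to DDoS notifications.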
Closing the security loop
Using an automated security alerting system enables a larger volume of incidents to be processed and investigated with limited engineer resources. Because a trouble ticketing system is used for notifications, the lifecycle of each incident can be tracked from notification through to closure, completing the process and ensuring a handoff from those who report incidents to the appropriate parties who will deal with the affected systems.
NSHaRP provides a valuable service to the GÉANT NRENs as well as partner networks by ensuring that security incidents which may affect research traffic are notified promptly and mitigated in a resource-efficient and timely manner.