
Spotlight: Cybera

BSides Calgary, 11:27, published 2021-12

So first I'd like to introduce myself. My name is Mae Lynn, I'm the Director of Programs and Services at Cybera, and today we're here to introduce you to Cybera, and then we'll be doing a bit more of a technical talk around one of the security services that we're developing. Next slide.

Okay, so to start, Cybera is a not-for-profit, member-driven organization responsible for driving economic growth through the use of digital technology. Our core role is to oversee the development and operations of Alberta's advanced system of networks and computers that keep our members, such as governments, educators, not-for-profits and entrepreneurs, at the forefront of technological change.

Next slide. So Cybera is one of the 13 partner organizations that operate the Canadian National Research and Education Network. This network is separate from the traditional commercial network that we use day-to-day at home and at work. The function of the research and education network is to connect post-secondary institutions to global research organizations around the world through an ultra-high-speed network that reaches speeds of up to 100 gigabytes per second, and Cybera manages the Alberta portion of the network in Canada.

So Cybera is all about working to position Alberta at the forefront of technological innovation. We do this through empathy, thought leadership, transparency and collaboration, and these values are not just words on a screen; we do, as an organization, strive to embody these characteristics.

So Cybera's mandate has five core pillars. The first one is connect: in addition to accessing the research and education network, we provide network services to our members, such as direct access to peering networks around the world. On our enable pillar, we provide above-the-network services such as free access to our Rapid Access Cloud, or working with tech talent and small and medium enterprises to provide fellowship opportunities around data science. Our third pillar is share, so Cybera leads collaborative shared-service programs with the intent to help reduce costs and improve efficiencies for our members. We also advocate on behalf of Albertans by responding to governments on policy decisions such as equitable access to internet and the privacy rights of Albertans around data. And our fifth pillar is secure. Our goal here on the secure pillar is to work with members to help enhance their security and reduce the barrier to access security services. We also are looking to simplify the cybersecurity ecosystem for our members. If you're interested in learning more about some of the issues that our members are facing, there is a panel tomorrow entitled "The Fishbowl: Evolving Landscape of Cyber Security" at 11:25, where our CISO, Curtis Place, will be speaking with a few of the CSOs and CIOs in higher education.

Next slide. So currently there are a lot of cybersecurity services that are coming up, a lot of national and provincial services that are being spun up. It's a bit confusing for our members in terms of where and how to access all these services, so Cybera's role is to try and simplify this ecosystem and make it a bit more understandable and accessible by providing a single catalog of services, as well as making sure that we listen to the needs of our members to make sure that we're providing services that best address their security gaps. In addition to listening to their needs, we also want to make sure that we're addressing the diverse threats that the post-secondary and K-12 organizations face. So in the next section, Joe Thompson will be going into a little bit more detail about one of the security services that is currently being developed by Cybera.

Okay, thank you. Can you hear me? Yep, cool. Okay, so I'm Joe Thompson, I'm the Director of Operations at Cybera. I oversee the network operations and security operations teams here, and what I'm going to go over in this next section is a service that we're developing at Cybera for our members called IDS as a service.

So as mentioned, Cybera provides our members with network access. The type of network access varies for each member: some members have access to a peering network, others have access to the research and education network, and other members have access to the public internet through us. Because of this, we're in a key position to centrally monitor what's known as the north-south traffic of our members, and this creates the opportunity for us to monitor and analyze traffic on behalf of members, creating a low-barrier way for members to gain insight into that type of traffic. This is the basis of what we're calling IDS as a service.

So in designing this service, when designing the architecture, we initially chose Zeek as the core IDS component. As many attendees here know, Zeek is a popular and flexible network monitoring framework. There are a lot of benefits to it; its clustering capability would allow us to monitor several points of our network and have the data easily converge in a central manner. But when we started building out the service leveraging Zeek, we realized that the raw data that Zeek provides might be a little bit too low-level for our target audience, that audience being the network administrators of our membership. They're already juggling numerous other tasks, and we really didn't want to burden them with the additional task of sifting through Zeek logs.

So first we began looking for a Zeek community package that could do this type of analysis for us, and the Zeek intelligence framework is notable here, but we weren't able to find something that we were comfortable with. It's also possible that we missed something, but in our research we came across an open source project called Suricata. Suricata is a more traditional IDS based on a set of static rules that it compares against network traffic. We were able to get Suricata up and running in a matter of an hour, and when we pointed it to a flow of traffic it immediately began giving us parsed and small, understandable results. So this is exactly what we were looking for. The logo here is the Suricata logo.

So this is the current architecture of the IDS as a service that we're building out. We have some compute hardware deployed at two of our main network locations. The hardware is connected to our core routers; the router sends a mirror of our member traffic to the hardware. This mirrored stream only contains the traffic of members who have explicitly opted into this service. Suricata then analyzes the stream and parses the results, and we have a log parsing agent, in this case we're using something called Fluentd, to read Suricata's results, and that log parsing agent then sends the results to a central database. Once the results are stored in a database, a member can log into a web-based portal and see the results of their analyzed traffic.

So we're really excited about this service, but we do understand that there are some limitations to it. The first is that we can only analyze unencrypted traffic. We initially had concerns that there wouldn't be enough unencrypted traffic these days to make the service worthwhile; however, that's not the case. A significant percentage of network traffic is still unencrypted. Additionally, analyzing encrypted traffic would open a door that we prefer to be left closed. It would require us to set up a sensitive and complicated certificate proxy, and reading and analyzing and doing this would make our analysis points much more attractive to compromise, due to the reward of being able to see this type of sensitive information. Our members have appreciated that we're not analyzing encrypted traffic either, and they don't consider this inability to take away the advantages of the service as a whole.

The next limitation is that we're relying on Suricata's rule sets to detect potential threats. This means that if there's a lag in new rules, it could limit the usefulness of our service, but so far we haven't had an issue with this. It is something that we'll keep an eye on; since we're new to using Suricata in a production capacity, we'll keep an eye on it to see if this actually becomes a true limitation.

And the third limitation is scaling. So as I mentioned before, Zeek has a really nice clustering capability which allows it to scale really easily, but Suricata does not have native clustering. Our initial investigation shows that if we want to scale Suricata, we have to deploy multiple instances of Suricata and have the mirrored traffic be divided up into where we want each of those Suricata instances to analyze the specific streams of traffic. We're currently looking at the best way of doing this, but we're not considering it a blocker at this time.

But despite the limitations there are some benefits, and we do believe these benefits outweigh the limitations that I just went over. First of all, it's a very low-barrier service for our members. All they do is opt in to the service; they don't need to deploy, configure or manage a collector of their own, they don't have to do anything on premise, they just sign up for the service, and that's really it. The second is that our members will gain insight into their north-south traffic, where most of our members didn't have that type of insight before. So combining the two, low barrier to access and the ability to gain insight where there wasn't insight before, we feel like this is going to be a really beneficial service to our members.
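The log-agent step in the architecture above, Suricata output read and stored per member for the portal, as an added Python example that is not Cybera's code: it parses constructed Suricata EVE JSON lines (the format Suricata writes to eve.json), keeps only alert events, and attributes each to an opted-in member by address prefix before anything is stored. The member table and every sample value are assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample of Suricata EVE JSON (one object per line, as written to
# eve.json); addresses, times and signatures are illustrative, not captured.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-12-01T10:15:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.20","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}',
    '{"timestamp":"2021-12-01T10:15:03.000000+0000","event_type":"flow","src_ip":"198.51.100.20","dest_ip":"203.0.113.7"}',
    '{"timestamp":"2021-12-01T10:15:04.000000+0000","event_type":"alert","src_ip":"192.0.2.9","dest_ip":"203.0.113.50","dest_port":443,"proto":"TCP","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","severity":3}}',
    '{"timestamp":"2021-12-01T10:15:05.000000+0000","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"203.0.113.200","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2}}',
]

# Hypothetical opt-in table (member -> prefixes). The mirror should already carry
# only opted-in traffic; checking again here keeps a slip from storing one member's alerts under another.
OPTED_IN_MEMBERS = {
    "member-a": [ipaddress.ip_network("198.51.100.0/26")],
    "member-b": [ipaddress.ip_network("192.0.2.0/24")],
}

def member_for(ip):
    """Return the opted-in member owning this address, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in OPTED_IN_MEMBERS.items():
        if any(addr in net for net in nets):
            return name
    return None

def parse_eve(lines):
    """Keep alert events for opted-in members, tagged with member and direction."""
    records = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written line at log rotation is not fatal
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are not what the portal shows
        src_member, dst_member = member_for(ev["src_ip"]), member_for(ev["dest_ip"])
        member = src_member or dst_member
        if member is None:
            continue  # neither end is opted in: drop, never store
        records.append({"member": member,
                        "direction": "outbound" if src_member else "inbound",
                        "timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                        "dest_ip": ev["dest_ip"], "sid": ev["alert"]["signature_id"],
                        "signature": ev["alert"]["signature"],
                        "severity": ev["alert"]["severity"]})
    return records
```

On the sample, the flow record and the alert whose source (198.51.100.77) lies outside member-a's /26 are dropped, and the two remaining alerts are tagged inbound for member-a and outbound for member-b.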