As part of CSIRT’s mobile monitoring offering for special events, we undertook monitoring of the corporate and customer traffic of the Cisco House at the London 2012 Olympics. This engagement presents us with an excellent opportunity to showcase Cisco technology, while keeping a close watch on potential network security threats. CSIRT monitoring for this event will be active for the entire lifespan of the Cisco House, from two months before the Olympics until two months after.
For the London 2012 engagement, we shipped our gear in a 14RU military-grade rack that is containerized: made for shipping. Inside the mobile monitoring rack we have an assortment of Cisco kit and third-party kit that mirrors the monitoring we do internally:
- Catalyst 3750 to fan out traffic to all the other devices
- FireEye for advanced malware detection
- Two Cisco IronPort WSA devices for web traffic filtering based on reputation
- Cisco UCS box where we run multiple VMs
- Lancope StealthWatch collector for NetFlow data
- Cisco 4255 IDS for intrusion detection
We mirror the signatures that we have deployed internally at Cisco out to these remote locations. Depending on the environment where the mobile monitoring rack is deployed, we may also do some custom tuning. The kit in the mobile monitoring rack can do intrusion detection, advanced malware detection, and collect and parse NetFlow and log data for investigation purposes. The Cisco UCS rack server also hosts several VMs, allowing us to run multiple tools that complement the other devices in the rack. For example, we run a Splunk instance on a VM to collect the logs generated by all the services. The data from the gear in the mobile monitoring rack is analyzed by our team of analysts and investigators to eliminate false positives, conduct mitigation and remediation, and finally produce an incident report if required.
The main objective of our monitoring at the London 2012 Olympics is to secure the network at this temporary Cisco House installation in the Olympic Park. This is not the first time we have used our mobile monitoring suite. It has been used to protect internal events like the Cisco Global Sales Meeting, WWITMO, and CIO Summit, as well as external meetings, security conferences, and events where we have a significant networking presence. We have also tooled these racks to make them easily deployable at acquisitions: when Cisco acquires a company, we can quickly drop a rack into a central location, providing the full spectrum of security monitoring.
We have had some successes with our mobile monitoring. At one event, for example, we detected a conference attendee who was infected with a worm, and used the Cisco WCS and the Wireless LAN Controller to triangulate the location of the user. Once we had identified the user, we determined that their system had been rootkitted. The impact on the event was that this infected machine had been sending thousands of spam emails, which had gotten the conference network blacklisted. We were then able to assist the user in mitigating the threat and prevent further harm to the other attendees at the conference.
At the conclusion of a CSIRT mobile monitoring event, we compile data from the various tools and appliances and produce a report that details any incidents that may have occurred during the event. Sometimes there is nothing of interest, but on multiple occasions we have had incidents where an infected system was causing harm, which we had to remediate or block from the network.
Additionally, CSIRT uses these mobile monitoring engagements to pilot and test new technologies. A number of years ago we started looking at the Cisco IronPort WSA, and began using it in our mobile monitoring deployments. Our team has since completed a successful deployment of the WSA throughout Cisco that is now protecting the entire Cisco network.
Crucial to the success of the CSIRT mobile monitoring deployment at the Cisco House was the close collaboration with IT NDCS. We worked with the NDCS implementation team to redirect traffic via WCCP to our WSAs, and with various colleagues in the NDCS Design Core Network group, the NDCS Design Unified Communications as a Service (UCaaS) group, the NDCS Field Implementations team, and in AS.