PISCES

Free Network Monitoring for Colorado Jurisdictions

Local governments need more resources, like network monitoring support, and cyber students need experience working with real data. And that’s where PISCES comes in. Interested in participating as a government or education partner? Fill out the form below. 

The Public Infrastructure Security Cyber Education System (PISCES) provides qualified students with curricula and supervised experiences to act as entry-level cyber analysts. Students analyze streaming data for small communities or municipalities who may otherwise not be able to obtain cybersecurity to the extent needed. Through PISCES, a reliable high-quality pipeline is being developed to address the shortage of cyber professionals ready for the workforce.

PISCES works with professors to develop a curriculum for students in cyber-related fields and to give those students controlled access to real data from communities and municipalities. Students learn and enhance their skills in detecting threats while providing information to the municipalities and communities to secure the threat and prevent future attacks.

Students ultimately benefit from working with real-time data and, through their involvement in this program, will have their information distributed to top-tier companies that seek to hire, giving these students an advantage in the job market upon graduation. This symbiotic relationship with companies serves a dual purpose: it provides companies access to valuable and well-trained new employees, and it provides universities the benefit of name recognition, potentially higher employment statistics for alumni, and a strengthened academic program.

Students will be prepared to work with and process large volumes of live data. They have worked with network flow data and developed alerts from an embedded intrusion detection system (IDS). These students are capable of monitoring abundant live data streams, detecting irregularities from expected data, pinpointing those irregularities to determine the validity of an attack or malicious actor, and, through this screening, reporting credible threats. With these qualifications and experiences, these students can work in diverse industries and sectors.

PISCES ships all collectors with a network tap to avoid situations in which customers lack networking switches capable of spanning or mirroring ports. Deploying the collector with the tap will cause an approximately 10-second network outage.

The monitoring stack housing customer metadata is protected by strong access control, which includes both technology (e.g., firewalls) and process (user provisioning and deprovisioning). Each PISCES “chapter” (which may be an entire state) uses physical and virtual network isolation. The Cyber Range is also monitored by PISCES itself, along with an additional intrusion detection system for redundancy.

Access is provided through VPN tunnels only. Dedicated OpenVPN and DNS servers are provisioned for each chapter. All services are authenticated against an LDAP server. Dedicated OpenLDAP servers are also provisioned for each state. Additionally, dedicated physical and virtual network isolation is established for each state via the firewall and cloud network virtualization.

TLS is enabled on all services. The services are also protected by rotating TLS certificates via Let’s Encrypt. All services run in stripped-down, hardened Docker containers as non-privileged user processes.

In addition to the protections listed above, the Elasticsearch product has built-in protections against data loss and corruption, including:

  • Collectors connect and deliver metadata to the Cyber Range via a nested SSH tunnel.
  • Communications are encrypted to, from, and within the Elasticsearch cluster with SSL/TLS.
  • Role-based access control is established for Elasticsearch users.
  • Elasticsearch nodes authenticate users as they join the cluster using SSL certificates.

The data collected are limited to packet headers and alerts from an intrusion detection system embedded in the collector. This is metadata about how content is delivered but not the content itself (no email, health records, criminal justice data, financial transactions, or privacy information). Within the collector system, a Suricata intrusion detection system is updated daily with detection patterns. The monitoring stack itself is located at the Western Washington University Poulsbo Cyber Range and is both physically protected and monitored for security events just like any other PISCES customer.

Currently, the data is retained for 90 days in a first-in, first-out stack.

Third parties do not have access to the data.

PISCES uses a community liaison to oversee tickets and conduct outreach to the data sharing partners to validate student findings. Additionally, notifications and alerts are sent to all the participating communities highlighting any suspicious activity the students observe.

Data sharing partners can ask the community liaison specific questions about the data, and the participating students can be tasked with obtaining it.

No. The PISCES monitoring stack is not the system of record for any data collected from customer networks, and PISCES cannot set retention schedules.

No. Since PISCES is not a data originator and the monitoring stack is not the system of record, we will not be responsive to public records requests and will direct any received requests back to the data sharing partner.

No. Data collection is passive and the monitoring stack itself is not located on the customer premises.

PISCES International maintains the infrastructure with engineering operations provided by Critical Insight along with resources from Western Washington University that maintain hands-on access to the monitoring stack hosted at the Cyber Range.
