Free Network Monitoring for Colorado Jurisdictions
What is PISCES?
The Public Infrastructure Security Cyber Education System (PISCES) provides qualified students with curricula and supervised experiences to act as entry-level cyber analysts. Students analyze streaming data for small communities or municipalities that may otherwise be unable to obtain the cybersecurity coverage they need. Through PISCES, a reliable, high-quality pipeline is being developed to address the shortage of cyber professionals ready for the workforce.
PISCES works with professors to develop a curriculum for students in cyber-related fields and to give those students controlled access to real data from communities and municipalities. Students learn and enhance their skills in detecting threats while providing information to the municipalities and communities so they can respond to the threat and prevent future attacks.
Why is PISCES needed?
PISCES trains a future workforce of entry-level cyber analysts to meet the ever-growing demand from businesses that must adapt to and protect against dynamic cyber threats. Municipalities and communities facing similar vulnerabilities need these services but in many cases are unable to secure the resources to meet their needs. For municipalities, collaboration with universities and students helps them meet these needs and remain protected.
What are the students’ key capabilities and for what types of jobs are they prepared?
Students will be prepared to work with and process large volumes of live data. They have worked with network flow data and developed alerts from an embedded intrusion detection system (IDS). These students are capable of monitoring large volumes of live data streams, detecting deviations from expected traffic, investigating those deviations to determine whether they indicate a genuine attack or malicious actor, and, through this screening, reporting credible threats. With these qualifications and experiences, these students can work in diverse industries and sectors.
What are the incentives for getting involved?
Students ultimately benefit from working with real-time data and, through their involvement in this program, will have their information distributed to top-tier companies who seek to hire, giving these students an advantage in the job market upon graduation. This symbiotic relationship with companies serves a dual purpose: it provides companies access to valuable and well-trained new employees, and it provides universities the benefit of name recognition, potentially higher employment statistics for alumni, and a strengthened academic program.
How sustainable is PISCES and how will you maintain the program?
Volunteer efforts, as well as support from the Department of Homeland Security, have supported the establishment and operation of PISCES. As the program grows, a goal is to partner directly with hiring organizations (public and private) to meet funding and sustainability goals. PISCES has initiated a team to focus on this issue.
What are you going to do with our data?
The data collected are limited to packet headers and alerts from an intrusion detection system embedded in the collector. This is metadata about how content is delivered, not the content itself (no email, health records, criminal justice data, financial transactions, or other private information). Within the collector system, a Suricata intrusion detection system is updated daily with detection patterns. The monitoring stack itself is located at the Western Washington University Poulsbo Cyber Range and is both physically protected and monitored for security events just like any other PISCES customer.
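To make the "packet headers but not the content" distinction concrete, here is an added example (not PISCES or Suricata code) that reduces a raw Ethernet/IPv4/TCP or UDP frame to a flow-metadata record: addresses, ports, TTL, lengths and TCP flags are kept, while the payload is only measured and never copied. The sample frame, its documentation-range IP addresses and the HTTP request inside it are constructed for the example; real collectors receive frames from the tap, not from a builder function.

```python
"""Header-only flow metadata extraction (added example, not PISCES code).

A constructed frame carrying an HTTP request is reduced to a metadata record;
the payload bytes are counted but never copied into the record.
"""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def parse_header_metadata(frame: bytes) -> dict:
    """Return the header-only metadata of an Ethernet/IPv4/{TCP,UDP} frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("this example handles IPv4 frames only")
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    l4 = ip[ihl:total_len]  # transport header + payload, Ethernet padding trimmed
    if proto == PROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        hdr_len = (off_flags >> 12) * 4   # data offset in 32-bit words
        flags = off_flags & 0x01FF        # NS + CWR ECE URG ACK PSH RST SYN FIN
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len, flags = 8, None
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    if hdr_len > len(l4):
        raise ValueError("malformed transport header")
    return {
        "proto": "tcp" if proto == PROTO_TCP else "udp",
        "src_ip": socket.inet_ntoa(src),
        "src_port": sport,
        "dst_ip": socket.inet_ntoa(dst),
        "dst_port": dport,
        "ttl": ttl,
        "ip_total_len": total_len,
        "tcp_flags": flags,
        "payload_len": len(l4) - hdr_len,  # size only; payload bytes are discarded
    }


def build_frame(src_ip, sport, dst_ip, dport, payload, proto="tcp", ttl=64):
    """Construct a minimal frame for demonstration only (checksums left zero)."""
    if proto == "tcp":
        # data offset 5 words, flags PSH|ACK (0x18), window 65535
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x18, 65535, 0, 0)
        proto_num = PROTO_TCP
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
        proto_num = PROTO_UDP
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto_num, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


# Constructed sample: an HTTP request whose content must never reach the record.
SAMPLE_PAYLOAD = b"GET /patient/records HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SAMPLE_FRAME = build_frame("192.0.2.10", 51514, "198.51.100.20", 80, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(parse_header_metadata(SAMPLE_FRAME))
```

The record that comes out contains the 5-tuple, lengths and flags, which is what flow analysis and IDS correlation need, while `payload_len` is the only trace of the request body. Suricata's alerts add a second, signature-driven layer on top of this metadata; that part is not reproduced here.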
Do the communities have any insight into the data?
PISCES uses a community liaison to oversee tickets and conduct outreach to the data sharing partners to validate student findings. Additionally, notifications and alerts are sent to all the participating communities highlighting any suspicious activity the students observe.
What is the PISCES data retention policy?
Currently, the data is retained for 90 days in a first-in, first-out stack.
Do any third parties have access to the data?
How is data collected from the network?
PISCES now ships all collectors with a network tap to avoid situations in which customers lack networking switches capable of spanning or mirroring ports. Deploying the collector with the tap will cause an approximately 10-second network outage.
Can a data sharing partner get access to the intrusion detection system services or alerts?
No, but if the data sharing partner has specific questions, the students can be tasked with obtaining the necessary data.
If the data sharing partner asked for a data retention policy to be instated, would you be amenable to adding that?
No. The PISCES monitoring stack is not the system of record for any data collected from customer networks, and PISCES cannot set retention schedules.
What about public disclosure?
No. Since PISCES is not a data originator and the monitoring stack is not the system of record, we will not be responsive to public records requests and will direct any received requests back to the data sharing partner.
Does the ELK stack include anything that would actively interfere with the data sharing partner’s infrastructure?
No. Data collection is passive, and the monitoring stack itself is not located on the customer premises.
How do we maintain the security of data?
The monitoring stack housing customer metadata is protected by strong access control, which includes both technology (e.g., firewalls) and process (user provisioning and deprovisioning). Each PISCES “chapter” (which may be an entire state) uses physical and virtual network isolation. The Cyber Range is also monitored by PISCES itself, along with an additional intrusion detection system for redundancy.
Access is provided through VPN tunnels only. Dedicated OpenVPN and DNS servers are provisioned for each chapter. All services are authenticated against an LDAP server. Dedicated OpenLDAP servers are also provisioned for each state. Additionally, dedicated physical and virtual network isolation is established for each state via the firewall and cloud network virtualization.
TLS is enabled on all services. The services are also protected by rotating TLS certificates via Let’s Encrypt. All services run on stripped-down and hardened Docker containers as non-privileged user processes.
In addition to the protections listed above, the Elasticsearch product has built-in protections against data loss and corruption, including:
- Collectors connect and deliver metadata to the Cyber Range via a nested SSH tunnel.
- Communications are encrypted to, from, and within the Elasticsearch cluster with SSL/TLS.
- Role-based access control is established for Elasticsearch users.
- Elasticsearch nodes authenticate with SSL certificates as they join the cluster.
Who helps a new academic institution understand how to join and administer their part of the program?
PISCES International helps introduce new academic institutions to PISCES. This includes providing an overview of and answering questions about the program, curriculum, and objectives and working with academic institutions to sign the memorandum of understanding. PISCES International also hosts an annual academic workshop for participating schools to share information and lessons learned.
Who helps a new school figure out how to deliver the curriculum?
Western Washington University takes the lead with onboarding new schools. In the future, the program aims to establish a lead academic institution within a given state that PISCES will onboard and who will then onboard other academic institutions in the state.
Are there standardized performance metrics (e.g., students taught, students passed) and, if so, how are they reported?
Yes, but within limits. Student privacy is protected by law, so we can ask the professor how many students passed, but they do not have to answer. The basic metric used regarding students is the number of students who take and complete the course. Via qualitative feedback, we also elicit whether the students perceived value in and benefited from the course. In the future, we hope to gather data from employers showing that PISCES students are more prepared for the workforce than those who do not participate in the program.
How is the curriculum standardized and who determines what is best?
The PISCES program determines which knowledge areas must be mastered, in line with the National Institute of Standards and Technology National Initiative for Cybersecurity Education framework. Instructor feedback is also collected and evaluated annually to identify areas of improvement and implement new ideas and techniques.
How is the curriculum maintained? Shared?
Each school adjusts the curriculum to fit its program, while Western Washington University maintains the master copy. Through the annual academic workshop, we gather input on changes that should be considered and incorporated. Since our goal is to better prepare students for the workforce, we tend to focus changes from that perspective. In the new year, we plan to add a second course on a different topic that can benefit from a live data stream. This course would follow the same road map, although the school that develops the curriculum will lead the curation process. All of the curriculum is free to the participating schools.
How are the technology platforms maintained?
PISCES International maintains the infrastructure with engineering operations provided by Critical Insight along with resources from Western Washington University that maintain hands-on access to the monitoring stack hosted at the Cyber Range.