ISO Routine Network Monitoring Policy

Background

UC’s Electronic Communications Policy (ECP) sets forth the University’s policy on privacy, confidentiality, and security in electronic communications and establishes the basic principles that the University follows for examining and disclosing electronic communications records. In recognition that network security monitoring necessarily involves examination of electronic communication records in some manner, the ECP authorizes and directs the Chancellor to establish local practices and procedures defining permissible routine network monitoring in collaboration with faculty, staff, and students. Berkeley has formalized the process of evaluating and approving such practices through its Information Risk Governance Committee (IRGC). IRGC members include faculty, staff, and students and come from areas across the campus to ensure the committee adequately represents the interests of diverse campus constituents. The Chancellor has delegated IRGC formal authority to establish policies and practices balancing security and privacy, including those that speak to permissible network monitoring.

Policy on Routine Network Monitoring

Monitoring of the Berkeley Campus network shall conform to the requirements of the ECP as implemented on the Berkeley Campus and be performed only by authorized UC employees or contractors in accordance with this policy, all other UC and Berkeley Campus policies, and applicable laws. Any additional network monitoring activities beyond those listed must be granted approval from IRGC. IRGC will also periodically review routine network monitoring to ensure such practices strike an appropriate balance between privacy and security. Any networking monitoring practices not approved by IRGC shall be prohibited.

Routine Network Monitoring Practices

Routine Network Monitoring

In accordance with ECP Section II.D.2 and Section V.B., the following practices represent activities performed on the Berkeley Campus network and made possible by virtue of Berkeley operating the network; these activities monitor the reliability and security of systems. Such activities may only be performed by authorized campus employees or contractors in accordance with the requirements of ECP and its implementation on the Berkeley Campus, including specified privacy risk mitigations. Routine monitoring activities shall be limited to the least perusal and subject to the shortest retention period required and authorized to ensure the reliability and security of systems. Any deviations will be recorded in the Routine Monitoring Transparency Report.

Routine network monitoring activities consist of:

Retention is one year for all data examined or collected
Summary
Description
Purpose
Data Examined/Collected
Network intrusion detection system (NIDS) data

ISO operates network sensors that apply automated rules to identify and record suspicious network traffic. The rules used to identify traffic are typically purchased from security vendors, and in some cases, we manually adjust or create new rules. 

Identify devices which have been compromised or are under active attack

Track information security threat landscape and identify campus trends

Determine the scope and other details when investigating information security breaches

The alerts generated by these sensors include source and destination information (IP addresses), rule triggering the alert, and the content of network communications flagged as suspicious including filenames, file types, and URLs These alerts are reviewed both through automated systems and manually by analysts. 

Some alerts are sent to 3rd party for analysis[1].

Network traffic connection data

ISO maintains appliances to generate network traffic connection data. This data specifies which Campus devices communicated with other devices connected to the Internet, and how much data passed between them. 

Identify suspicious network use patterns indicating a compromised system

Correlate with lists of known bad hosts to find compromised campus systems

Determine scope and verify containment when investigating and responding to information security breaches

Data elements collected include time, source and destination IP addresses, protocols used, includingapplication protocols (where available),network user (where available), URL category,and how much data was exchanged. The actual content of the communication is not captured, retained, or stored. This data is reviewed through automated systems for suspicious patterns indicating compromise and may be manually inspected while investigating information security incidents.
Central authentication data

Authentication to central Campus systems produces an audit record which is collected and monitored by ISO for suspicious patterns. Examples of systems that generate such authentication records include Calnet services (CAS/DUO), Active Directory, Network services (wireless/VPN/DHCP/firewalls), and bConnected services.  

Identify attacked or compromised credentials

Identify unauthorized access to campus systems and services

Determine the scope and other details when investigating information security breaches

Data collected includes the time, user identity, user location, target service, the result of the authentication attempt, and DUO two-factor device identifier (may include phone number)

Automated rules are used to identify suspicious patterns indicating a compromised account, and may be manually inspected while investigating information security incidents.

System/application logs

ISO provides a service to help departments meet policy requirements for collection and analysis of security logs for systems handling data classified as Protection Level P4. Data in this category typically consists of logs generated by firewalls, operating systems, web servers, and by specific application software. 

Identify systems under attack or successfully compromised

Correlate attacks across a large number of systems to detect patterns

Correlate with Network Intrusion data to gain insight into the impact of attacks

Determine the scope and other details when investigating information security breaches

Data collected varies based on the system generating logs, but may include time, target service, source and destination, error codes/messages, and result.

Automated rules are used to identify suspicious patterns indicating attack or compromise, and may be manually inspected while investigating information security incidents.

Network services and vulnerabilities

ISO routinely scans devices connected to the campus network, to determine what devices are present, what services are available through the network, and whether these services may be vulnerable to known attacks. These scans are initiated from a dedicated network that many Campus units permit through firewalls, in order to get an “insider” view. ISO also collects publicly available information on campus systems, made available by security researchers, to identify campus systems available on the Internet which may be vulnerable to attack.

Identify campus network systems which may be vulnerable to attack, and request action by those responsible to secure the system

Identify private information which may be inadvertently shared, such as a file share made public

Provide additional details when investigating information security breaches and ensure recovered systems are protected from future breaches

What devices are connected to the campus network, what services are available through the network, and whether these services may be vulnerable to known attacks.
Applications and versions being used on the network

ISO receives data feeds from central client management/patching infrastructure tools, such as BigFix, including basic device configuration, installed software and versions, and whether these configuration items and software versions may be vulnerable to known attacks. This information is processed and used similarly as data collected through network vulnerability scanning, but offers a much more complete picture of the status of systems on the Campus network than is possible through network-based scans. Limited application information is also collected through network sensors. 

Identify campus managed systems running software which may be vulnerable to attack, and request action by those responsible to secure the system

Provide additional details when investigating information security breaches and ensure recovered systems are protected from future breaches

Basic device configuration, installed software and software versions, and whether they may be vulnerable to known attacks.
Additional monitoring for hosts on protected data networks or high-security zones
NOTE: This designation is a department-level determination

There is increased monitoring for hosts on protected data networks and high-security zones. Departments opt-in to this based on the sensitivity of the data that their systems store or access. Generally, additional monitoring consists of lower thresholds for investigating alerts, additional file types are tracked, and additional data is sent to third-parties for analysis.

The purpose of this additional monitoring is to provide heightened scrutiny of potentially security-suspicious events for UC Berkeley’s most sensitive systems and data.

Specific instances of additional monitoring include:

Sending connection metadata and flow data to a 3rd party for analysis[1]. This includes the ability to capture full packets.

Scope of This Notice

This notice does not include:

  • Monitoring conducted by the UC Office of the President under the Coordinated Threat Detection and Identification Initiative[1]. However, UC Berkeley's implementation of UC's TDI conforms to this Policy.
  • Service-specific monitoring conducted by and on behalf of providers of electronic communication services, which providers must document and publish under ECP Section IV.C.2.b. (The bConnected transparency report is a model for how service providers communicate that information.) 

Current Issues

As the information security threat landscape continually evolves and new technologies emerge, IRGC will continually evaluate the balance of privacy and security to define the scope of permissible monitoring. 

Questions

Questions about the Routine Network Monitoring practices?

Questions about the Electronic Communications Policy?


Endnotes:

[1] UC Systemwide Threat Detection and Identification Initiative: https://security.ucop.edu/services/threat-detection-and-identification/i...