Security Operations

Availability: UCOP

Service Description
ITS provides various services to support security operations at UCOP: patch management, vulnerability management, and security posture monitoring.

Patch Management. UCOP has updated its patch policy: patches are applied monthly for Windows, Linux, Middleware, Platform/infrastructure and MS SQL, and nightly for Infrastructure support and cloud-service based deployments. The annual patch cycle for DB2 remains unchanged, because regression testing can take months to validate, and no patching is required for MySQL because redeployment via Puppet is considered during system update or replacement. Factors taken into consideration are the timing and frequency of patch application, prioritization of vulnerabilities and patch dependencies, testing, the method of application to OS, Middleware, Application and Database, alternative approaches and additional considerations, software inventory management, and exception processes. For more information contact cybersecurity@ucop.edu.

Vulnerability Management. The UCOP Security Operations Vulnerability Management plan provides periodic patch updates in order to prevent vulnerabilities. UCOP Security Operations scans the entire UCOP address range, including AWS instances, using the latest version of Nessus Professional; the results are placed in a shared Box folder. The most critical issues will be addressed first, up to the capacity available to handle results. ServiceNow requests will be used to report vulnerability findings. Detailed scan results will be reported to the UCOP CISO, DCIO and CTO within 10 business days of scan completion. Where a vulnerability cannot be resolved, the service owner will submit documentation to the UCOP CISO and UCOP CRE, for review and coordination, stating that it cannot be resolved and what steps will be taken to mitigate it. After the ServiceNow requests are closed, UCOP Security Operations will follow up by re-running the vulnerability scan against the host(s) identified in the ServiceNow ticket to verify that the vulnerability has been resolved. For vulnerabilities requiring immediate attention, the necessary report will be submitted to the UCOP CISO, DCIO and CTO. For more information contact cybersecurity@ucop.edu.

Security Posture Monitoring. TDS Security Operations has implemented Security Posture Monitoring, an enterprise-grade audit logging and analysis solution (based on IBM QRadar), to aid in managing, correlating, and detecting suspicious activity related to the organization's most critical data assets. All systems within the UCOP network are required to participate.

This service's advanced detection capabilities enable ISP to collect, correlate, and report on security events from critical data assets in real time, so that ISP can alert technical contacts of unusual or unauthorized activities immediately. The QRadar infrastructure allows us to make real-time correlations across multiple dimensions (identity, vulnerability, asset, time, patterns and other events) and a wide variety of both local and campus-wide log sources, including:

  • Local system and application logs
  • Firewall logs
  • Authentication events
  • Intrusion detection alerts
  • Vulnerability scanning results

These correlations allow UCOP Security Operations analysts to rapidly detect whether a system has been successfully attacked or is currently being probed for attack, and to detect advanced threats before they cause serious damage. For more information, contact cybersecurity@ucop.edu.

Cost
The cost of the service is covered by central IT funding.