DataBiosphere / azul

Metadata indexer and query service used for AnVIL, HCA, LungMAP, and CGP
Apache License 2.0

Non signature-based malicious code protection #4143

Open theathorn opened 2 years ago

theathorn commented 2 years ago

Per Information Integrity Procedure, SI-03(7): The information system implements non-signature-based malicious code detection mechanisms.

@nolunwa : "Dockstore uses FireEye HX - UCSC procured the license. If the Azul team decide to use HX I need to reach out to Troy's team".

melainalegaspi commented 2 years ago

@hannes-ucsc to spike for design.

hannes-ucsc commented 2 years ago

There is zero substance on the FireEye site linked to above. I haven't the slightest clue as to what it does and how it works. The documentation portal requires a sign-in which I don't have: https://docs.fireeye.com/. With the information available to me, I am unable to provide a design on how to integrate that product.

Amazon GuardDuty (#4174) offers detection of anomalous behavior as an indicator of the presence of malicious code, even code for which a signature is not known. I think that suffices for our purposes. Azul is different from Dockstore in that it does not accept code from external users. So there is no need to scan any user-submitted payloads for malicious code, signature based or not. We will air-gap our supply chain (#4030), manually review all source dependencies before incorporating them, and either use binary dependencies from compliant sources (#4188) or scan binary dependencies from non-compliant sources (#4177).
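The comment above contrasts signature-based scanning with detection that works even when no signature is known. The following is an added illustration, not code from this thread or from the Azul project: it runs a constructed signature list and one common non-signature heuristic (byte entropy, which flags packed or encrypted payloads) over three constructed samples. The signature name, marker string, threshold and samples are all made up for the example.

```python
"""Signature match vs. a non-signature heuristic (byte entropy) on constructed samples.

Illustrative only: the signature list, threshold and sample payloads are made up
for this example; nothing here is Azul project code or a production scanner.
"""
import hashlib
import math
from collections import Counter

# Constructed "known bad" byte patterns standing in for a real signature database.
SIGNATURES = {
    "demo-marker": b"DEMO_MALWARE_MARKER",
}

# Byte entropy (bits per byte) above which a blob looks packed or encrypted.
# 8.0 is the maximum; ordinary source text sits around 4 to 5. The value is an
# assumption for this example, not a tuned production threshold.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signature_matches(data: bytes) -> list:
    """Names of every constructed signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def assess(data: bytes) -> dict:
    """Run both checks; the entropy heuristic fires even with no matching signature."""
    matches = signature_matches(data)
    entropy = shannon_entropy(data)
    high_entropy = entropy > ENTROPY_THRESHOLD
    return {
        "signature_matches": matches,
        "entropy": round(entropy, 3),
        "high_entropy": high_entropy,
        "suspicious": bool(matches) or high_entropy,
    }


# --- constructed samples ------------------------------------------------------

# 1. Benign-looking Python source: low entropy, no signature.
BENIGN_SOURCE = (
    b"import json\n\n"
    b"def load(path):\n"
    b"    with open(path) as f:\n"
    b"        return json.load(f)\n"
)

# 2. The same source with the constructed marker appended: caught by the signature.
SIGNED_SAMPLE = BENIGN_SOURCE + b"\n# " + SIGNATURES["demo-marker"] + b"\n"

# 3. A deterministic pseudo-random blob (stand-in for a packed or encrypted payload
#    with no known signature): caught only by the entropy heuristic.
PACKED_SAMPLE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)


if __name__ == "__main__":
    for label, sample in [
        ("benign", BENIGN_SOURCE),
        ("signed", SIGNED_SAMPLE),
        ("packed", PACKED_SAMPLE),
    ]:
        print(label, assess(sample))
```

The caveat a practitioner would add: high entropy is also what legitimate compressed or encrypted data looks like (archives, images, TLS captures), so an entropy flag is a trigger for further inspection, not a verdict. That is the same reason the comment above pairs behavioural detection (GuardDuty) with controlled dependency intake rather than relying on any single mechanism.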

melainalegaspi commented 2 years ago

@theathorn to tag Nneka on Slack.

theathorn commented 2 years ago

@theathorn to discuss this during this Thursday's compliance meeting.

nolunwa-ucsc commented 2 years ago

As I recall, David S's suggestion was that the implementation for Azul will be different from Dockstore's, based on the difference in system architecture. Based on the AWS shared responsibility matrix, Amazon Managed Service - Endpoint Protect System (EPS) and GuardDuty are the recommended services to meet this control objective. I agree with the layered security defense approach as stated by Hannes. Endpoint security provides anti-malware protection; specifically, the following actions are supported: EC2 instances register with EPS, EC2 instances deregister from EPS, EC2 instances real-time anti-malware protection, EPS agent-initiated heartbeat, EPS restore quarantined file, EPS event notification, EPS reporting.

theathorn commented 2 years ago

Hannes and Daniel to talk to David or Chaz about their experience with EPS. If we move forward with this, the Azul team will do a spike to try it out. @hannes-ucsc : "A big difference from our current design is that EPS would offer real-time scanning while ClamAV only offers on-demand."

melainalegaspi commented 2 years ago

@hannes-ucsc to Slack David and/or Chaz.

melainalegaspi commented 2 years ago

@hannes-ucsc to decide on next steps.

hannes-ucsc commented 2 years ago

https://docs.aws.amazon.com/managedservices/latest/userguide/eps-defaults.html

hannes-ucsc commented 2 years ago

Contacted David on Slack:

https://ucsc-gi.slack.com/archives/C02B4S0V6GH/p1657564141788769

nolunwa-ucsc commented 2 years ago

@hannes-ucsc David is open to explaining what we do with FireEye, but doesn't have much to demo for it. I will invite him to our Thursday meeting.

theathorn commented 2 years ago

FireEye Security Assessment.

theathorn commented 2 years ago

AWS Endpoint Security (EPS).