Open theathorn opened 2 years ago
@hannes-ucsc to spike for design.
There is zero substance on the FireEye site linked to above. I haven't the slightest clue as to what it does and how it works. The documentation portal requires a sign-in which I don't have: https://docs.fireeye.com/. With the information available to me, I am unable to provide a design on how to integrate that product.
Amazon GuardDuty (#4174) offers detection of anomalous behavior as an indicator of the presence of malicious code, even code for which a signature is not known. I think that suffices for our purposes. Azul is different from Dockstore in that it does not accept code from external users. So there is no need to scan any user-submitted payloads for malicious code, signature based or not. We will air-gap our supply chain (#4030), manually review all source dependencies before incorporating them, and either use binary dependencies from compliant sources (#4188) or scan binary dependencies from non-compliant sources (#4177).
@theathorn to tag Nneka on Slack.
@theathorn to discuss this during this Thursday's compliance meeting.
As I recall, David S's suggestion was that the implementation for Azul will be different from Dockstore's, based on the difference in system architecture. Based on the AWS shared responsibility matrix, Amazon Managed Service - Endpoint Protection System (EPS) and GuardDuty are the recommended services to meet this control objective. I agreed with the layered security defense approach as stated by Hannes. Endpoint security provides anti-malware protection; specifically, the following actions are supported: EC2 instances register with EPS, EC2 instances deregister from EPS, real-time anti-malware protection for EC2 instances, EPS agent-initiated heartbeat, EPS restore of quarantined files, EPS event notification, and EPS reporting.
Hannes and Daniel to talk to David or Chaz about experience with EPS. If we move forward with this, Azul team will do a spike to try it out. @hannes-ucsc : "A big difference to our current design is that EPS would offer real time scanning while ClamAV only offers on demand."
@hannes-ucsc to Slack David and/or Chaz.
@hannes-ucsc to decide on next steps.
Contacted David on Slack:
https://ucsc-gi.slack.com/archives/C02B4S0V6GH/p1657564141788769
@hannes-ucsc David is open to explaining what we do with FireEye, but doesn't have much to demo for it. I will invite him to our Thursday meeting.
Per the Information Integrity Procedure, SI-03(7): The information system implements non-signature-based malicious code detection mechanisms.
@nolunwa: "Dockstore uses FireEye HX - UCSC procured the license. If the Azul team decides to use HX, I need to reach out to Troy's team."