Attachment 5
COMPLETED SIEM & IDS INSTALLATION REPORT & INITIAL DEPLOYMENT STATUS REPORT
Completion of SIEM & IDS Installation

The installation of the SIEM and IDS system was completed the afternoon of 10/31/11 and was accomplished after seven days of concerted effort between USDN and CCSF’s Internet & Data Security Specialist. At this point in time all necessary hardware and software, including the SIEM/IDS server, firewalls and taps, have been installed and configured. USDN has verified that network data capture is taking place and that the SIEM/IDS system is functioning as intended. USDN notes that although the installation task had originally been initiated on August 23, 2011, it was not until October 31, 2011 that the fully functioning SIEM/IDS system could be deployed, a period of over two months. The reason for this is that considerable setbacks were experienced due to the failure of CCSF’s Technical Operations Manager to follow USDN’s requests and instructions regarding the setup and configuration of the SIEM/IDS hardware and his refusal to cooperate in the installation process as ordered by CCSF’s Chief Information Technology Officer (CITO). As a result the CITO removed the Technical Operations Manager from the project and assigned his responsibilities to the Internet & Data Security Specialist on 10/13/11. With this change in CCSF personnel, the SIEM/IDS installation project was completed within a week’s time. The details of the delays and of the failed initial installation of the SIEM/IDS system are described in the sections below.
Initial SIEM & IDS Deployment Status

The installation and deployment of the SIEM and IDS system fell significantly behind schedule, as noted in the previous section, and remediation has been halted until the issues in this report are addressed and fixed. Furthermore, all of the issues and statements of fact included in this document are supported by “direct” evidence, and each item of evidence relates specifically to the issue it is being asked to substantiate. All information is presented as evidence in a manner that CCSF can independently verify, which USDN strongly encourages.
ROOT CAUSE #1

The CCSF infrastructure has not been deployed as we had agreed, which has caused multiple failures to the USDN IDS System.

BACKGROUND

USDN is following a standard deployment model which uses mirrored ports on the different network segments to collect packets with completely passive network interfaces. The CCSF’s switches have the ability to chart, log and display the CPU, Port, and Backplane usage statistics. If the usage on any metric climbs above 70% for more than a second or reaches 80% at any time, USDN will install hardware network taps to alleviate the bottlenecks.
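The two thresholds in the background paragraph (above 70% for more than a second, or 80% at any instant) are the rule that decides when a mirrored port is no longer trustworthy and a hardware tap is warranted, because a saturated switch silently drops mirrored packets and leaves the IDS blind. The script below is an added example, not USDN or CCSF tooling: it applies that rule to a constructed set of CPU, port and backplane utilization samples. The sample format (seconds, metric name, percent) and the metric names are assumptions standing in for whatever the switches actually export.

```python
"""Check switch utilization samples against the tap-installation thresholds.

Added example, not USDN or CCSF tooling. The sample format and metric names
are constructed stand-ins for the switches' real CPU/port/backplane counters.
"""
from collections import defaultdict

SUSTAINED_PCT = 70.0   # report: usage above 70% ...
SUSTAINED_SEC = 1.0    # ... for more than a second
SPIKE_PCT = 80.0       # report: or reaches 80% at any time

# Constructed samples: "<seconds since start> <metric> <percent utilization>"
SAMPLE_LOG = """\
0.0 cpu 55
0.0 port_gi1/0/24 40
0.0 backplane 71
0.5 cpu 72
0.5 port_gi1/0/24 81
0.5 backplane 69
1.0 cpu 74
1.0 port_gi1/0/24 50
1.0 backplane 72
1.5 cpu 75
1.5 backplane 72
2.0 cpu 73
2.0 backplane 68
2.5 cpu 60
"""


def parse_samples(text):
    """Parse the constructed log format into (seconds, metric, percent) tuples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, metric, pct = line.split()
        samples.append((float(t), metric, float(pct)))
    return samples


def evaluate(samples):
    """Return (metric, reason, seconds) alerts in time order.

    'spike'     : a single sample at or above SPIKE_PCT
    'sustained' : samples above SUSTAINED_PCT continuously for more than SUSTAINED_SEC
    A sample at or below SUSTAINED_PCT ends the run, so a brief dip resets the window
    (the backplane series in SAMPLE_LOG never triggers for exactly this reason).
    """
    by_metric = defaultdict(list)
    for t, metric, pct in samples:
        by_metric[metric].append((t, pct))

    alerts = []
    for metric, series in by_metric.items():
        run_start = None      # time the current above-threshold run began
        run_alerted = False   # fire 'sustained' only once per run
        for t, pct in sorted(series):
            if pct >= SPIKE_PCT:
                alerts.append((metric, "spike", t))
            if pct > SUSTAINED_PCT:
                if run_start is None:
                    run_start, run_alerted = t, False
                elif not run_alerted and t - run_start > SUSTAINED_SEC:
                    alerts.append((metric, "sustained", t))
                    run_alerted = True
            else:
                run_start = None
    return sorted(alerts, key=lambda a: (a[2], a[0]))


if __name__ == "__main__":
    for metric, reason, t in evaluate(parse_samples(SAMPLE_LOG)):
        print(f"t={t:.1f}s {metric}: {reason} threshold hit -> candidate for a hardware tap")
```

Run as-is, it reports the port spike at 0.5 s and the CPU run that exceeds one second at 2.0 s, and stays quiet on the backplane, whose two 71-72% readings are separated by a dip below 70%. The same evaluation can be fed from any exporter that yields time-stamped percentages, which is the independently verifiable check the report asks CCSF to be able to perform.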