4–8 Nov 2019
Adelaide Convention Centre
Australia/Adelaide timezone

Harnessing the power of threat intelligence for WLCG cybersecurity

5 Nov 2019, 16:45
15m
Riverbank R3 (Adelaide Convention Centre)

Oral, Track 3 – Middleware and Distributed Computing

Speaker

David Crooks (Science and Technology Facilities Council STFC (GB))

Description

The information security threats currently faced by WLCG sites are both sophisticated and highly profitable for the actors involved. Evidence suggests that targeted organisations take on average more than six months to detect a cyber attack, with more sophisticated attacks being more likely to pass undetected.

An important way to mount an appropriate response is through the use of a Security Operations Centre (SOC). A SOC can provide detailed traceability information along with the capability to quickly detect malicious activity. The core building blocks of such a SOC are an Intrusion Detection System and a threat intelligence component, required to identify potential cybersecurity threats as part of a trusted community. The WLCG Security Operations Centre Working Group has produced a reference design for a minimally viable Security Operations Centre, applicable at a range of WLCG sites.

While the fundamental technologies required for this approach are relatively well understood, with much of the technical capability to provide WLCG sites with threat intelligence already in place, an important factor in the sharing of threat intelligence is the formation of appropriate trust groups.

We present the approach of the working group to facilitating the collaboration necessary to form these groups, including both technological and social aspects, along with our most recent results. We emphasise the importance of collaboration not only between WLCG sites, but also between grid and campus teams. This type of broad collaboration is essential given the nature of threats faced by the WLCG, which can often be a result of compromised campus resources.

Consider for promotion: Yes

Primary authors

David Crooks (Science and Technology Facilities Council STFC (GB))
Liviu Valsan (CERN)
