An automated security alerts management system for the community

Following a previous article about managing cyber security incidents for the academic community in Ecuador and Chile, it is interesting now to talk about Yari, the system that to some extent enabled and promoted that work and collaboration.

Yari is a noun in the Kichwa language meaning “sense”, because that is what it does: it senses and identifies possible security problems in our institutions’ networks and allows us to alert them proactively, avoiding future breaches or attacks.

It was developed entirely with free and open-source software. The project was created back in 2013 by the CEDIA CSIRT as a tool to automate the management of security alerts, focusing its activity on collecting, processing and storing feed data and notifying its member institutions with the details of every issue it finds.

It started with just one feed, from Shadowserver, but at the moment it processes 25 different types of feeds, which add up to 138 different categories of security events, thanks to the system’s simplicity for adding new feeds and categories.
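To make the collect/process/notify flow described above concrete, here is an added illustration (not Yari’s own code): it ingests a constructed Shadowserver-style CSV feed, attributes each event to a member institution by its announced prefixes, and builds a per-institution summary ready for notification. The field layout, the member inventory and the category names are assumptions made up for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed, Shadowserver-style feed rows (not real data; the column layout is an assumption).
FEED_CSV = """timestamp,ip,port,category,tag
2020-11-02 03:14:00,203.0.113.10,445,open_smb,
2020-11-02 03:15:00,203.0.113.77,53,open_resolver,
2020-11-02 03:16:00,198.51.100.5,3389,open_rdp,
2020-11-02 03:17:00,192.0.2.9,25,botnet_drone,conficker
"""

# Constructed member inventory: institution id -> prefixes it is responsible for.
MEMBERS = {
    "univ-a": ["203.0.113.0/24"],
    "univ-b": ["198.51.100.0/25"],
}

def build_networks(members):
    """Flatten the inventory into (network, owner) pairs for address lookup."""
    return [(ipaddress.ip_network(p), name)
            for name, prefixes in members.items() for p in prefixes]

def attribute(ip, networks):
    """Return the owner of the first prefix containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, owner in networks:
        if addr in net:
            return owner
    return None

def process_feed(feed_csv, members, feed_name="shadowserver"):
    """Parse the feed and group normalized events by member; keep unattributed ones apart."""
    networks = build_networks(members)
    per_member, unattributed = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(feed_csv)):
        event = {"feed": feed_name, "category": row["category"], "ip": row["ip"],
                 "port": int(row["port"]), "seen": row["timestamp"]}
        owner = attribute(row["ip"], networks)
        (per_member[owner] if owner else unattributed).append(event)
    return dict(per_member), unattributed

def notification_summary(events):
    """Count events per category for one member's notification."""
    counts = defaultdict(int)
    for e in events:
        counts[e["category"]] += 1
    return dict(counts)
```

Events whose address matches no member prefix are kept separately so they can be reviewed rather than silently dropped.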

The main beneficiaries are the CEDIA members, but nothing prevents any institution or company, public or private, from adopting it and even adapting it to their requirements and needs, as in fact has already been done.

In Ecuador, the whole National Research and Education Network is actively protected by the system’s services, with a total of 61 member institutions, covering practically all the country’s universities, including higher/technical institutes, colleges and even a few research organizations.

All of them add up to a beneficiary population of around 450,000 individuals who directly or indirectly receive active security services, and better yet, at no cost at all, because all the services provided by the CSIRT are already part of the service plans included in our institutions’ membership.

The nearly 2 million alerts processed so far guarantee the fulfilment of our objectives as a CSIRT: improving network traffic and reducing security events through this system we have created. It also allows us, and our member institutions, to have up-to-date and historical statistics on security events in their particular networks, while being at the same time a common point of contact, not only in the academic sphere but also at the national and regional level, with very strong ties worldwide as well.

But alerting is not everything: we can also advise our members’ technical teams on the mitigation of the reported problems, emphasizing those that may have the greatest impact. This helps build a cybersecurity culture and awareness. Looking back a bit, we can see that our community has moved from evading the issue and applying the “ostrich technique” to actively looking to us for help, because they understand that we are invested in providing a system that delivers a solution.

Most of the feeds the system works with are open and free; very few require a paid subscription, but in the end the costs are minimal compared to the benefits and savings of having the data managed by our platform, benefits that include, as we have already said, statistics on multiple aspects of the events managed.

Despite Yari’s many features and functionalities, the journey is not complete and there are many things to improve. Some new features and functionalities that are close to release will open up a broader spectrum of deployment options for interested institutions or companies. Those already using Yari include:

  • EcuCERT, the Ecuadorian National CERT, is deploying Yari right now,
  • UTA, the Technical University of Ambato, was the first (apart from CEDIA) to implement it, back in 2017,
  • REUNA, our counterpart in Chile, as mentioned in the previous article, implemented it in 2019 as part of a collaboration agreement,
  • CUDI, the Mexican NREN, is planning to adopt it along the same lines as REUNA,
  • And, we are very excited about it, we are currently deploying it in MoRENet, the Mozambican NREN, despite the Spanish-Portuguese language barrier, also in the same spirit of inter-institutional collaboration.

Incidentally, these agreements are at the very core of the CSIRT’s work, fostering the establishment and growth of trusted networks within the community. Yari has given us a product to offer to our peers: one with minimal requirements, free, simple to use, effective, very flexible and actively maintained, which has facilitated and promoted mutual rapprochement and collaboration.

And last, but not least, it is worth mentioning that Yari has also given us time to think about and develop other solutions, and to actively participate and collaborate in the cybersecurity community in our region and beyond.

Published: 11/2020
