January 2026 - CHLA InfoSec Monthly Operations Report

Executive Summary

This report documents Information Security operations for January 2026 at Children’s Hospital Los Angeles (CHLA). The month was dominated by three major initiatives:

  1. Internal Penetration Test (Mandiant) - Week-long assessment by Mandiant (Google Cloud Security), January 19-23, 2026

  2. Dr. Shahab Linux Workstation Deployment - Production Linux workstation deployment with EAP-TLS authentication

  3. CHLA Linux 802.1X Deployment Runbook - Comprehensive deployment documentation with attribute-driven CI/CD architecture

CRITICAL OPERATIONAL EVENT: Sarah from Mandiant (Google Cloud Security) conducted an internal network assessment from January 19-23, 2026. Deployment activities were accelerated to demonstrate security posture improvements in real time.

Month at a Glance

Category            | Activity                                | Status      | Notes
--------------------+-----------------------------------------+-------------+----------------------------------------------------
Security Assessment | Internal Penetration Test (Mandiant)    | COMPLETE    | 5-day engagement, findings pending
Infrastructure      | Dr. Shahab Linux Workstation Deployment | IN PROGRESS | MAB onboarding complete, EAP-TLS migration pending
Documentation       | CHLA Linux 802.1X Deployment Runbook    | IN PROGRESS | 3,681 lines, 54 attributes, Rev 3.0
Incident Response   | Dr. Pat Levitt Auth Failure             | ACTIVE      | Reported Jan 30, investigation ongoing

Key Metrics

Metric                     | Value       | Context
---------------------------+-------------+--------------------------------------------------------------
ISE Policy Objects Created | 18          | Identity groups (2), dACLs (4), authz profiles (4), rules (8)
Runbook Development        | 3,681 lines | Comprehensive deployment guide with 54 attributes
Documentation Formats      | 4           | AsciiDoc source → HTML, PDF, DOCX, Markdown
Infrastructure Attributes  | 54          | CI/CD-ready attribute-driven documentation

Defender Status: chlxsbg workstation reported as NOT connected to Microsoft Defender for Endpoint as of Jan 30. Validation pending.

1. Week 1: January 5-9 - Infrastructure Foundation

1.1. Monday, January 5

1.1.1. Linux Research Workstation ISE Design

Objective: Design ISE policy framework for Linux research workstations with zero-trust network access.

Requirements:

  • Certificate-based authentication (EAP-TLS (802.1X))

  • Posture assessment integration (Cisco Secure Client Posture Module)

  • Segmented network access (research NAS: 10.134.144.109)

  • Compliance monitoring (Cisco Secure Umbrella Client, Microsoft Defender for Endpoint)

Design Philosophy: MAB onboarding → Posture discovery → EAP-TLS migration → Full network access

This staged approach allows initial connectivity while enforcing progressive security requirements.

ISE Policy Architecture

Endpoint Identity Groups

Group Name                  | Purpose                                 | Parent
----------------------------+-----------------------------------------+-------------------
Linux-Workstations          | Top-level Linux endpoint classification | (root)
Linux-Research-Workstations | Research workstations (EAP-TLS capable) | Linux-Workstations
Linux-Research-Onboarding   | Initial MAB onboarding group            | Linux-Workstations

Static Assignment Critical: ISE Profiling service will override group assignments unless Static Assignment checkbox is enabled during endpoint registration.

Downloadable ACLs (dACLs)

Zero-Trust Design Principle:

Each dACL implements least-privilege access:

  1. DACL_Research_Onboard - MAB onboarding phase (8-hour reauth timer)

    • DNS: 10.112.142.41, 10.192.142.41

    • DHCP: UDP 67/68

    • AD Authentication: 10.112.118.141, 10.112.118.143, 10.100.11.28, 10.100.11.27 (Kerberos 88, LDAP 389/636)

    • ISE Posture: 10.101.2.131, 10.101.2.132, 10.248.11.134, 10.248.11.135 (TCP 8443)

    • Research NAS: 10.134.144.109 (all protocols)

    • Internet: HTTP/HTTPS (80/443), ICMP

    • DENY: RFC1918 private networks (logged)

  2. Research-Linux-Posture-Discovery - Posture assessment phase

    • All services from dACL #1

    • ISE remediation portal: remediation.chla.org

  3. Research-Linux-Compliant - Posture compliant, full research access

    • Research VLAN (40) unrestricted

    • NAS full protocol access

    • Collaboration tools

    • Internal documentation portals

  4. Research-Linux-Quarantine - Non-compliant quarantine

    • DNS only

    • ISE remediation portal only

    • DENY: All other traffic (logged)

Authorization Profiles

Profile Name                   | VLAN                         | dACL                             | Reauth Timer
-------------------------------+------------------------------+----------------------------------+---------------
Linux_Research_Onboard         | 40 (CHLA-IoT)                | DACL_Research_Onboard            | 28800s (8 hrs)
Linux-Research-Posture-Pending | 40                           | Research-Linux-Posture-Discovery | (session)
Linux-Research-Full            | 40                           | Research-Linux-Compliant         | (session)
Linux-Research-Quarantine      | 999 (Critical Auth Fallback) | Research-Linux-Quarantine        | 3600s (1 hr)

VLAN 999 (Critical Auth Fallback) is a remediation-only network. Workstations in quarantine must resolve compliance issues before regaining research network access.

1.2. Tuesday, January 6

1.2.1. Documentation Strategy Established

Decision: Adopt AsciiDoc as primary documentation format for all ISE deployment guides.

Rationale:

  • Attribute-driven content (change once, update everywhere)

  • Multi-format output (HTML, PDF, DOCX) from single source

  • Version control friendly (plain text)

  • Professional formatting (tables, admonitions, code blocks)

  • CI/CD integration ready

Attribute-Driven Documentation Benefits
// Define infrastructure once
:ise-ppan-ip: 10.101.2.131
:nas-research: 10.134.144.109

// Reference everywhere
Log into ISE at {ise-ppan-ip}
Mount research NAS at {nas-research}

Result: Infrastructure changes require updating attribute definitions only, not hunting through 3,000+ lines of documentation.

1.3. Wednesday-Friday, January 7-9

1.3.1. Claroty XDome VNC Investigation

Context: Meeting with Mauricio (Claroty vendor) on January 7 regarding VNC session discovery in industrial OT networks.

Objective: Understand XDome platform capabilities for detecting unauthorized remote access protocols (VNC, RDP, TeamViewer) in medical device networks.

Security Concern: VNC traffic detected in OT segments without centralized inventory.

Risk: Unauthorized remote access to medical imaging equipment, infusion pumps, and patient monitoring systems.

Follow-Up Action: Schedule technical deep-dive with Mauricio to review XDome deployment architecture and integration with existing SIEM (Sentinel/QRadar).

2. Week 2: January 12-16 - Pre-Pentest Preparation

2.1. Monday, January 12

2.1.1. GitOps Concerns Documentation

Topic: Securing git repositories containing infrastructure-as-code (IaC) and network automation scripts.

Key Concerns:

  1. Secrets management in automation repositories

  2. Age encryption for sensitive configuration files

  3. GitLab/GitHub access control policies

  4. Pre-commit hooks (gitleaks, TruffleHog)

Secrets Management Strategy
# dsec - Domain Secrets Manager
# Hierarchical secret storage with age encryption

dsource d001 dev/network       # Development secrets
dsource d001 staging/network   # Staging environment
dsource d001 prod/network      # Production (restricted)

Production Secret Access:

Production credentials (d001 prod/network) require:

  • Security clearance approval

  • MFA verification

  • Audit logging to SIEM

  • Time-limited access tokens

2.2. Tuesday-Wednesday, January 13-14

2.2.1. Pen Testing Resources Research

Preparation for January 19-23, 2026 engagement:

Reviewed penetration testing methodologies and defensive countermeasures:

  • NIST SP 800-115 (Technical Guide to Information Security Testing)

  • PTES (Penetration Testing Execution Standard)

  • OWASP Testing Guide v4

  • Mandiant M-Trends 2025 Report

Evil Twin Attack Scenarios

Wireless Security Concern: CHLA operates 2,000+ APs across 10 buildings. Rogue AP detection is critical.

Evil Twin Attack Vector:

  1. Attacker deploys rogue AP with SSID matching legitimate network

  2. Higher signal strength attracts client associations

  3. Credential harvesting via fake captive portal

  4. Man-in-the-middle (MITM) position established

Defensive Controls:

  • Cisco CMX (Connected Mobile Experiences) for rogue AP detection

  • Wireless IDS/IPS (Cisco CleanAir)

  • Certificate-based authentication (EAP-TLS (802.1X)) - immune to credential phishing

  • Client-side certificate pinning (future enhancement)

Termux Wireless Assessment Tools

Research Context: Android-based wireless security assessment using Termux terminal emulator.

Tools Evaluated:

  • aircrack-ng - WPA/WPA2 analysis

  • bettercap - Network reconnaissance and MITM

  • tcpdump - Packet capture

  • nmap - Port scanning and service detection

Use Case: Lightweight wireless assessment from mobile device during physical security walkthroughs.

2.3. Thursday-Friday, January 15-16

2.3.1. LUKS Full Disk Encryption Research

Objective: Implement full disk encryption (FDE) for Linux research workstations containing PHI/PII.

Technology: LUKS (Linux Unified Key Setup) with TPM 2.0 integration

LUKS Deployment Architecture
# Partition scheme for research workstation
/dev/nvme0n1p1  →  /boot (unencrypted, 1GB)
/dev/nvme0n1p2  →  LUKS container (remainder)
  ├── /           (root filesystem, ext4)
  ├── /home       (user data, ext4)
  └── swap        (encrypted swap)

Key Management Strategy:

  1. Primary: TPM 2.0 sealed key (automatic unlock for authorized boot state)

  2. Recovery: Passphrase stored in dsec (secrets management) (d001 prod/workstations/luks-recovery)

  3. Escrow: LUKS header backup encrypted with age, stored in Borg repository

Compliance: HIPAA Security Rule §164.312(a)(2)(iv) - Encryption and Decryption

TPM Anti-Evil-Maid Protection:

LUKS key sealed to PCR0-7 (firmware, bootloader, kernel measurements). If evil maid attack modifies boot chain, TPM refuses to unseal key → forces manual passphrase entry → alerts security team.

3. Week 3: January 19-23 - Internal Penetration Test Week

CRITICAL OPERATIONAL PERIOD

Engagement: Internal Penetration Test (Mandiant)

Dates: January 19-23, 2026

Scope: Internal network assessment (wired/wireless)

Lead Assessor: Sarah

Vendor: Mandiant (Google Cloud Security)

3.1. Monday, January 19 - Pentest Day 1

3.1.1. Pre-Engagement Briefing

Rules of Engagement:

  • Scope: Internal CHLA corporate network (excludes patient care VLANs)

  • Methodology: Black-box assessment (minimal prior knowledge)

  • Social engineering: OUT OF SCOPE

  • Denial of service testing: OUT OF SCOPE

  • Physical security testing: LIMITED (badge cloning, tailgating observation only)

3.1.2. Network Access Provisioning

# Temporary VLAN for pentest team
VLAN 998 - Pentest-Isolated
  - DHCP pool: 10.250.250.100-150
  - No ACLs (full visibility to corporate network)
  - Logged via NetFlow to QRadar
  - Temporary ISE authz profile: "Pentest-Unrestricted"

Post-Engagement Cleanup:

  • Remove pentest VLAN 998

  • Delete temporary ISE authz profiles

  • Rotate exposed service account credentials

  • Revoke temporary switch port configurations

3.2. Tuesday, January 20 - Pentest Day 2

3.2.1. Wireless Assessment Observations

Finding (Preliminary): Sarah identified 3 corporate SSIDs with different security postures:

  1. CHLA-Corporate - WPA2-Enterprise (EAP-PEAP/MSCHAPv2) WEAK

  2. CHLA-Guest - Open + captive portal EXPECTED

  3. CHLA-Secure - WPA2-Enterprise (EAP-TLS) STRONG

Concern: MSCHAPv2 is vulnerable to offline dictionary attacks if the RADIUS traffic is captured.

Remediation: Migrate all corporate users to EAP-TLS (certificate-based authentication).

Quick Win: Deploy EAP-TLS configuration profile via Intune/JAMF. Users receive client certificate automatically without manual configuration.

3.3. Wednesday, January 21 - Pentest Day 3

3.3.1. AD Credential Harvesting Attempt

Test Scenario: Sarah deployed rogue LDAP responder to capture AD authentication attempts.

Result: BLOCKED

Defensive Control: ISE dACL on onboarding profile restricts LDAP traffic to authorized AD DCs only:

permit tcp any host {ad-dc-1} eq 389
permit tcp any host {ad-dc-1} eq 636
permit tcp any host {ad-dc-2} eq 389
permit tcp any host {ad-dc-2} eq 636
deny tcp any any eq 389 log
deny tcp any any eq 636 log

Lesson Learned: Zero-trust dACLs prevent lateral movement even with network access.
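The dACL design in section 1.1.1 and the blocked rogue-LDAP test above describe the same control from two sides. The following added example (not CHLA's ISE configuration or an export of it) renders DACL_Research_Onboard from the host lists in this report and evaluates candidate flows against it with first-match semantics and the implicit deny a switch applies; the ACE order (specific internal permits, then the logged RFC1918 deny, then Internet permits) and the endpoint address 10.134.144.50 are assumptions.

```python
"""Evaluate candidate flows against a rendering of DACL_Research_Onboard.

Added example, not CHLA's ISE configuration. Hosts and ports come from the
dACL description in the report; ACE order and ENDPOINT_IP are assumptions.
Evaluation is first-match with Cisco's implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DNS_SERVERS = ["10.112.142.41", "10.192.142.41"]
AD_DCS = ["10.112.118.141", "10.112.118.143", "10.100.11.28", "10.100.11.27"]
ISE_PSNS = ["10.101.2.131", "10.101.2.132", "10.248.11.134", "10.248.11.135"]
NAS_RESEARCH = "10.134.144.109"
RFC1918 = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]
ENDPOINT_IP = "10.134.144.50"  # constructed: a workstation on VLAN 40


def render_dacl() -> list[str]:
    """Render the onboarding dACL as IOS-style ACEs, generated from the
    attribute lists above so an address change is a one-line edit."""
    aces = [f"permit udp any host {dns} eq 53" for dns in DNS_SERVERS]
    aces.append("permit udp any eq 68 any eq 67")  # DHCP client -> server
    for dc in AD_DCS:  # Kerberos 88 (tcp/udp), LDAP 389, LDAPS 636
        for proto, port in (("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 636)):
            aces.append(f"permit {proto} any host {dc} eq {port}")
    aces += [f"permit tcp any host {psn} eq 8443" for psn in ISE_PSNS]  # posture
    aces.append(f"permit ip any host {NAS_RESEARCH}")  # research NAS, all protocols
    # The logged deny for private space sits BEFORE the Internet permits, so
    # 'permit tcp any any eq 80/443' and ICMP cannot reach other internal segments.
    aces += [f"deny ip any {net} {wc} log" for net, wc in RFC1918]
    aces += ["permit tcp any any eq 80", "permit tcp any any eq 443",
             "permit icmp any any"]
    return aces


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool


def _addr(t: list[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    mask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _port(t: list[str], i: int):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(t[0], t[1], src, sport, dst, dport, i < len(t) and t[i] == "log")


def evaluate(aces: list[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> tuple[str, bool]:
    """Return (action, logged) for the first matching ACE; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.log
    return "deny", False  # implicit deny: silent, so it never shows up as a logged hit


DACL = [parse_ace(line) for line in render_dacl()]


def decide(proto: str, dst: str, dport: Optional[int],
           sport: Optional[int] = None, src: str = ENDPOINT_IP) -> tuple[str, bool]:
    """What the onboarding dACL does with one flow from the endpoint."""
    return evaluate(DACL, proto, src, dst, sport, dport)


if __name__ == "__main__":
    # LDAP to a real DC vs. LDAP to a host on the pentest range (10.250.250.x).
    print("LDAP to DC      ", decide("tcp", "10.112.118.141", 389))
    print("LDAP to rogue   ", decide("tcp", "10.250.250.100", 389))
    print("HTTPS Internet  ", decide("tcp", "203.0.113.10", 443))
    print("HTTP to internal", decide("tcp", "10.50.1.1", 80))
```

The second result is the logged deny that made the rogue responder visible; note that a flow falling through to the implicit deny (for example SSH to an Internet host) is dropped without a log entry, which is why the explicit logged RFC1918 deny matters for forensics.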

3.3.2. Linux Workstation Deployment Acceleration

Strategic Decision: Fast-track Dr. Shahab Asgharzadeh workstation deployment to demonstrate:

  1. Certificate-based authentication (EAP-TLS)

  2. Posture assessment integration

  3. Zero-trust network segmentation

  4. Compliance monitoring (Defender, Umbrella)

Goal: Showcase security improvements to Sarah in real-time.

Deployment Timeline (Accelerated)

Phase   | Activity                      | Owner                 | Status
--------+-------------------------------+-----------------------+------------
Phase 1 | ISE policy objects creation   | Evan Rosado           | DONE
Phase 2 | Workstation prep (chlxsbg)    | Ben (Desktop Support) | DONE
Phase 3 | Certificate enrollment (ADCS) | Evan Rosado           | IN PROGRESS
Phase 4 | NetworkManager EAP-TLS config | Ben + Evan Rosado     | PENDING
Phase 5 | Posture client installation   | Evan Rosado           | PENDING
Phase 6 | Validation & handoff          | Evan Rosado           | PENDING

Blocker Identified (Jan 23): Microsoft Defender for Endpoint not connected on chlxsbg.

Impact: Posture policy will fail compliance check.

Action Required: Troubleshoot Defender connectivity before EAP-TLS migration.

3.4. Thursday, January 22 - Pentest Day 4

3.4.1. Runbook Development Sprint

Objective: Document the Dr. Shahab Linux Workstation Deployment process for knowledge transfer.

Deliverable: CHLA Linux 802.1X Deployment Runbook

Scope: Complete deployment guide from ISE policy creation through post-deployment validation.

Runbook Structure
= Dr. Shahab Linux Workstation Deployment - CHLA
:description: CHLA InfoSec monthly operations summary - January 2026

== Phase 0: Prerequisites & Validation
   - ISE resource verification
   - Certificate authority health check
   - AD group membership validation

== Phase 1: ISE Pre-Configuration
   1.5 Cisco Secure Posture Client validation
   1.6 Cisco Secure Umbrella Client validation

== Phase 2: Workstation Configuration
   - OS installation & hardening
   - Domain join procedures
   - Certificate enrollment

== Phase 3: 802.1X Configuration
   - NetworkManager EAP-TLS setup
   - Switch port configuration
   - Initial authentication test

== Phase 4: Post-Deployment Validation
   - ISE Live Logs verification
   - Network connectivity testing
   - Compliance monitoring

== Appendix A: Troubleshooting
== Appendix B: Switch Configuration
== Appendix C: Certificate Management
== Appendix D: ISE Configuration Guide (GUI-based)

Documentation as Code: Runbook uses 54 attributes for infrastructure references. Changes to IP addresses, hostnames, or policy names require updating attribute definitions only.

3.5. Friday, January 23 - Pentest Day 5 (FINAL)

3.5.1. Pentest Wrap-Up Session

Final Briefing with Sarah:

Preliminary Feedback:

  • Network segmentation: STRONG

  • Wireless security: IMPROVING (EAP-TLS migration recommended)

  • Endpoint protection: MODERATE (Defender coverage gaps identified)

  • Privileged access: REVIEW PENDING

Formal Report: Expected delivery February 7, 2026

3.5.2. Azure DevOps LFS Issue

Git LFS Endpoint Misconfiguration:

Repository push failing with:

batch response: Post "https://chla.visualstudio.com/_git/...":
net/http: TLS handshake timeout

Root Cause: .lfsconfig pointing to deprecated Azure DevOps LFS endpoint.

Fix Required:

# Update .lfsconfig
[lfs]
url = https://dev.azure.com/chla/_git/infrastructure

# Re-push
git lfs push --all origin main

4. Week 4: January 26-30 - Runbook Refinement & Incident Response

4.1. Monday, January 26

4.1.1. Azure Legacy Infrastructure Kick-Off

Project: Legacy infrastructure migration to Azure Government Cloud

Stakeholders:

  • Infrastructure team

  • Security architecture

  • Compliance (HIPAA, HITRUST)

Scope: Migrate on-premises workloads to Azure Gov Cloud with zero-trust network architecture.

Security Requirements:

  • Private endpoints (no public IPs)

  • Azure Bastion for administrative access

  • NSG rules with zero-trust principles

  • Azure Policy enforcement (HIPAA compliance)

  • Microsoft Defender for Cloud integration

4.2. Tuesday-Thursday, January 27-29

4.2.1. Runbook Attribute Maximization

Refactoring Initiative: Convert all hardcoded values in CHLA Linux 802.1X Deployment Runbook to AsciiDoc attributes.

Before:

Log into ISE at 10.101.2.131
Contact sasgharzadeh@chla.usc.edu

After:

// Attributes defined once
:ise-ppan: 10.101.2.131
:user-shahab-email: sasgharzadeh@chla.usc.edu

// Referenced everywhere
Log into ISE at {ise-ppan}
Contact {user-shahab-email}

Result: 54 total attributes covering infrastructure, users, ISE policies, VLANs, and file paths.
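The refactor above was done by hand. As an added example (not CHLA's build tooling), the following linter mechanizes the check: it reports hardcoded IPv4 and e-mail values left in body text, says when an attribute already exists for the value, flags {references} with no definition, and rewrites the occurrences that already have an attribute. SAMPLE_ADOC is a constructed fragment, not the runbook.

```python
"""Lint an AsciiDoc source for the attribute-maximization refactor.

Added example, not CHLA's build tooling. SAMPLE_ADOC is constructed.
"""
import re

ATTR_DEF = re.compile(r"^:([\w-]+):\s*(.*?)\s*$")   # :name: value
ATTR_REF = re.compile(r"\{([\w-]+)\}")               # {name}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

SAMPLE_ADOC = """\
= Linux 802.1X Runbook (constructed sample)
:ise-ppan: 10.101.2.131
:nas-research: 10.134.144.109

== Phase 1
Log into ISE at {ise-ppan} and verify the PSN at 10.101.2.132.
Mount the research NAS at 10.134.144.109.
Contact {user-shahab-email} for scheduling.
// 10.0.0.1 in a comment line is ignored
"""


def lint(adoc: str) -> dict:
    """Single pass: an attribute counts as defined from the line that sets it,
    which mirrors how AsciiDoc resolves references."""
    attrs: dict[str, str] = {}
    hardcoded = []  # (line_no, value, existing attribute name or None)
    undefined = []  # (line_no, referenced attribute name)
    for n, line in enumerate(adoc.splitlines(), 1):
        m = ATTR_DEF.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
            continue
        if line.startswith("//"):
            continue
        for ref in ATTR_REF.findall(line):
            if ref not in attrs:
                undefined.append((n, ref))
        for value in IPV4.findall(line) + EMAIL.findall(line):
            existing = next((k for k, v in attrs.items() if v == value), None)
            hardcoded.append((n, value, existing))
    return {"attributes": attrs, "hardcoded": hardcoded, "undefined": undefined}


def apply_existing_attributes(adoc: str) -> str:
    """Rewrite body occurrences of values that already have an attribute as
    {name}; values without one are left for a human to name."""
    attrs: dict[str, str] = {}
    out = []
    for line in adoc.splitlines():
        m = ATTR_DEF.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
        elif not line.startswith("//"):
            # longest value first, so an e-mail is not split by a shorter host attribute
            for name, value in sorted(attrs.items(), key=lambda kv: -len(kv[1])):
                # boundaries keep 10.101.2.131 from matching inside 10.101.2.1312
                line = re.sub(rf"(?<![\w.]){re.escape(value)}(?!\w)(?!\.\d)",
                              "{" + name + "}", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = lint(SAMPLE_ADOC)
    for n, value, existing in report["hardcoded"]:
        hint = f"use {{{existing}}}" if existing else "no attribute yet, name one"
        print(f"line {n}: hardcoded {value} ({hint})")
    for n, ref in report["undefined"]:
        print(f"line {n}: {{{ref}}} is referenced but never defined")
```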

Attribute Categories

Category        | Count | Examples
----------------+-------+-----------------------------------------------------------
Infrastructure  | 18    | DNS servers, AD DCs, ISE cluster, NAS
Device-Specific | 10    | Hostname, MAC, IP, switch port, certificates
ISE Policy      | 18    | Policy sets, authz profiles, dACLs, endpoint groups, VLANs
Users           | 4     | Dr. Shahab, Xiangming Ding (email, short names)
Filesystem      | 4     | Certificate directories, SSSD config, crypttab

4.2.2. Netapi Reference Removal

Compliance Issue: CHLA Linux 802.1X Deployment Runbook contained 70 references to netapi (proprietary automation CLI).

Problem: The runbook is intended for sharing with the CHLA InfoSec team. Netapi is personal tooling, not approved for enterprise use.

Solution: Replace all netapi commands with ISE GUI navigation instructions.

Before/After Examples

Before (Netapi):

  netapi ise mnt coa "b4:e9:b8:f6:c8:17"

After (ISE GUI):

  Navigate to: Operations → RADIUS → Live Sessions

  1. Filter by MAC: b4:e9:b8:f6:c8:17

  2. Click Disconnect icon (⊗)

  3. Confirm disconnect

Before (Netapi):

  netapi ise get-endpoint-groups

After (ISE GUI):

  Navigate to: Context Visibility → Endpoints

  View all registered endpoints and their assigned identity groups.

Personal Tooling Strategy:

  • CHLA Runbook: ISE GUI instructions (shareable with team)

  • HOME Runbook: Netapi automation commands (personal infrastructure)

Separation ensures work documentation is portable while retaining automation capabilities for personal use.

4.3. Friday, January 30

4.3.1. Incident Response: Dr. Pat Levitt Authentication Failure

Alert Received: 15:15 PST via Microsoft Teams

User: Dr. Pat Levitt

Title: USC Faculty/Non Physician CWR Neurology CWR

Issue: Authentication failure (method unknown)

Status: ACTIVE INVESTIGATION

Initial Response Plan (phases and actions)

1. Information Gathering

  • Confirm exact failure symptoms (login error? network access?)

  • Determine authentication type (802.1X? VPN? Windows login?)

  • Establish timeline (new issue vs. recurring)

2. ISE Diagnostics

Load credentials: dsource d001 dev/network
Search sessions: netapi ise dc failed --limit 20 | grep -i "levitt"
Get session: netapi ise mnt session <MAC>
Auth history: netapi ise dc auth-history <MAC> --limit 10

3. Common Failure Checks

  • AD account status (locked? disabled? password expired?)

  • Certificate validity (if EAP-TLS)

  • Endpoint group assignment

  • Authorization rule matching

  • ISE Live Logs detailed failure reason

4. Resolution

TBD based on findings

Investigation Log:

Will be updated as findings are discovered.
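The ISE diagnostics step above (failed sessions filtered by user, then auth history per MAC) can be done in one pass over ISE syslog. The following is an added example, not CHLA tooling and not netapi output: the lines are constructed in the shape of ISE CISE_Failed_Attempts messages (comma-separated key=value attributes such as UserName, Calling-Station-ID, FailureReason), the user "jdoe" is constructed, and the failure codes and texts are illustrative. It groups failures by (user, MAC) and marks a pair as persistent when `threshold` failures fall inside `window`, which separates a one-off mistyped password from the kind of repeated failure reported here.

```python
"""Triage ISE failed-authentication syslog by user and endpoint.

Added example; not CHLA tooling or netapi output. SAMPLE_SYSLOG is constructed
in the shape of ISE CISE_Failed_Attempts messages; codes/texts are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SYSLOG = [
    "Jan 30 14:55:03 ise-psn-02 CISE_Passed_Authentications 0000000099 1 0 2026-01-30 14:55:03.410 -08:00 "
    "5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=plevit, Calling-Station-ID=00-11-22-33-44-55",
    "Jan 30 15:02:11 ise-psn-01 CISE_Failed_Attempts 0000000101 1 0 2026-01-30 15:02:11.101 -08:00 "
    "5400 NOTICE Failed-Attempt: Authentication failed, UserName=plevit, Calling-Station-ID=00-11-22-33-44-55, "
    "NAS-IP-Address=10.120.4.2, AuthenticationMethod=PEAP (EAP-MSCHAPv2), FailureReason=24408 User authentication "
    "against Active Directory failed since user has entered the wrong password",
    "Jan 30 15:05:40 ise-psn-01 CISE_Failed_Attempts 0000000102 1 0 2026-01-30 15:05:40.230 -08:00 "
    "5400 NOTICE Failed-Attempt: Authentication failed, UserName=plevit, Calling-Station-ID=00-11-22-33-44-55, "
    "NAS-IP-Address=10.120.4.2, AuthenticationMethod=PEAP (EAP-MSCHAPv2), FailureReason=24408 User authentication "
    "against Active Directory failed since user has entered the wrong password",
    "Jan 30 15:06:15 ise-psn-03 CISE_Failed_Attempts 0000000103 1 0 2026-01-30 15:06:15.007 -08:00 "
    "5400 NOTICE Failed-Attempt: Authentication failed, UserName=jdoe, Calling-Station-ID=AA-BB-CC-DD-EE-01, "
    "NAS-IP-Address=10.134.4.9, AuthenticationMethod=EAP-TLS, FailureReason=12514 EAP-TLS failed SSL/TLS handshake "
    "because of an unknown CA in the client certificates chain",
    "Jan 30 15:09:02 ise-psn-01 CISE_Failed_Attempts 0000000104 1 0 2026-01-30 15:09:02.550 -08:00 "
    "5400 NOTICE Failed-Attempt: Authentication failed, UserName=plevit, Calling-Station-ID=00-11-22-33-44-55, "
    "NAS-IP-Address=10.120.4.2, AuthenticationMethod=PEAP (EAP-MSCHAPv2), FailureReason=24408 User authentication "
    "against Active Directory failed since user has entered the wrong password",
]

TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")  # ISE's own timestamp field
KV = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")               # key=value, comma separated


def parse_failed_attempt(line: str) -> dict:
    """Pull the fields a triage needs out of one CISE_Failed_Attempts line."""
    fields = dict(KV.findall(line))
    reason = fields.get("FailureReason", "unknown")
    return {
        "time": datetime.strptime(TS.search(line).group(1), "%Y-%m-%d %H:%M:%S"),
        "user": fields.get("UserName", "?"),
        "mac": fields.get("Calling-Station-ID", "?"),
        "method": fields.get("AuthenticationMethod", "?"),
        "code": reason.split(" ", 1)[0],   # numeric failure code, e.g. 24408
        "reason": reason,
    }


def triage(lines, user_filter=None, window=timedelta(minutes=10), threshold=3):
    """Group failures by (user, MAC); 'persistent' means >= threshold failures
    inside 'window'. Returns rows sorted by failure count, highest first."""
    by_key = defaultdict(list)
    for line in lines:
        if "CISE_Failed_Attempts" not in line:
            continue  # passed authentications and other categories are not failures
        ev = parse_failed_attempt(line)
        if user_filter and user_filter.lower() not in ev["user"].lower():
            continue
        by_key[(ev["user"], ev["mac"])].append(ev)
    report = []
    for (user, mac), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        persistent = any(evs[i + threshold - 1]["time"] - evs[i]["time"] <= window
                         for i in range(len(evs) - threshold + 1))
        report.append({
            "user": user, "mac": mac, "count": len(evs),
            "methods": sorted({e["method"] for e in evs}),
            "codes": sorted({e["code"] for e in evs}),
            "persistent": persistent,
            "last_reason": evs[-1]["reason"],
        })
    return sorted(report, key=lambda r: -r["count"])


if __name__ == "__main__":
    for row in triage(SAMPLE_SYSLOG, user_filter="levit"):
        flag = "PERSISTENT" if row["persistent"] else "one-off"
        print(f"{row['user']} {row['mac']} x{row['count']} {row['methods']} {flag}: {row['last_reason']}")
```

The method field answers the "authentication type" question in the plan directly (PEAP vs EAP-TLS), and the code list tells you whether the failures share one cause before anyone checks the AD account or the certificate.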

4.3.2. Daily Capture System Implementation

New Workflow: AsciiDoc-based daily captures with multi-format output.

Created:

  • WRKX-2026-01-30-chla-infosec-ops.adoc (attribute-driven)

  • WRKX-2026-01-30-chla-infosec-ops.md (quick reference)

  • build.sh (converts .adoc → HTML, PDF, DOCX)

Benefits:

  • Professional reports for leadership

  • Searchable PDF archives

  • DOCX for collaboration/editing

  • Same attribute pattern as CHLA Linux 802.1X Deployment Runbook

Build Script Usage
# Build all formats
./build.sh 2026/01/WRKX-2026-01-30-chla-infosec-ops.adoc

# Build specific format
./build.sh 2026/01/WRKX-2026-01-30-chla-infosec-ops.adoc pdf

# Output location
2026/01/output/
  ├── WRKX-2026-01-30-chla-infosec-ops.html (48K)
  ├── WRKX-2026-01-30-chla-infosec-ops.pdf (148K)
  └── WRKX-2026-01-30-chla-infosec-ops.docx (16K)

.gitignore configured to exclude output/ directories. Build artifacts not tracked in version control.

5. Outstanding Action Items

5.1. Critical Priority

  1. Dr. Pat Levitt Authentication Issue ACTIVE

    • Assigned: Evan Rosado

    • Deadline: February 3, 2026

    • Status: Investigation in progress

  2. Microsoft Defender for Endpoint Connectivity - chlxsbg BLOCKED

    • Assigned: Evan Rosado

    • Blocker: Prevents posture compliance

    • Action: Validate Defender agent installation and cloud connectivity

  3. Pentest Findings Remediation PENDING

    • Assigned: InfoSec Team

    • Deadline: 30 days post-report (March 9, 2026)

    • Status: Awaiting formal report (Feb 7)

5.2. High Priority

  1. MSCHAPv2 to EAP-TLS Migration PLANNING

    • Scope: 5,000+ corporate wireless users

    • Deadline: Q2 2026

    • Dependencies: Intune MDM enrollment, certificate auto-enrollment

  2. ISE Posture Policies - Linux IN PROGRESS

    • Requirements: UFW firewall, ClamAV antivirus, Defender, Umbrella

    • Status: Policies defined, testing pending

  3. Camera IP Documentation (InfoBlox) PENDING

    • Assigned: Network Operations

    • Context: 200+ security cameras missing IPAM records

  4. JOY Workstation Follow-Up PENDING

    • User: [USER REDACTED]

    • Issue: Intermittent 802.1X failures

    • Assigned: Evan Rosado

5.3. Normal Priority

  1. SNE-21 Investigation PENDING

    • Context: Network equipment anomaly

    • Assigned: Network Engineering

  2. CVE-2026-20029 iTrack Submission PENDING

    • System: iTrack (patient tracking)

    • Severity: TBD

    • Action: Coordinate with vendor for patch

  3. GetWell Network YouTube Integration Review PENDING

    • Context: Patient entertainment system internet access

    • Security concern: Unrestricted internet from clinical VLAN

    • Assigned: Evan Rosado + Clinical Engineering

  4. Claroty XDome Technical Deep-Dive PENDING

    • Vendor: Claroty (Mauricio)

    • Topic: VNC detection in OT networks

    • Scheduled: TBD

  5. Victor Negri Follow-Up PENDING

    • Context: [REDACTED]

    • Assigned: Evan Rosado

6. Deliverables & Documentation

6.1. Completed Deliverables

Deliverable                          | Format                   | Lines/Pages   | Status
-------------------------------------+--------------------------+---------------+------------
CHLA Linux 802.1X Deployment Runbook | AsciiDoc                 | 3,681 lines   | Rev 3.0
ISE Policy Objects (Linux Research)  | ISE Configuration        | 18 objects    | DEPLOYED
dACL Design Documentation            | AsciiDoc                 | 450 lines     | DONE
Daily Capture System                 | Shell script + templates | 150 lines     | OPERATIONAL
Attribute-Driven Runbook             | AsciiDoc attributes      | 54 attributes | IMPLEMENTED

6.2. In-Progress Documentation

Document                              | Owner                        | Target Date
--------------------------------------+------------------------------+-------------
ISE Integration Architecture Diagrams | Evan Rosado                  | Feb 15, 2026
Posture Policy Implementation Guide   | Evan Rosado                  | Feb 28, 2026
EAP-TLS Migration Playbook            | Evan Rosado + Wireless Team  | Mar 15, 2026
Azure Government Cloud Architecture   | Infrastructure + Evan Rosado | Apr 1, 2026

7. Lessons Learned

7.1. Technical Insights

Attribute-Driven Documentation is Critical for CI/CD

Centralizing configuration values as attributes enables:

  • Infrastructure changes without documentation rewrites

  • Environment-specific builds (dev/staging/prod)

  • Consistent naming across all documentation

  • Reduced human error in copy-paste operations

Example: Changing ISE PAN IP address requires updating 1 attribute definition instead of hunting through 3,681 lines.

Separate Work vs. Personal Tools

netapi is a powerful automation CLI, but it is proprietary. Work documentation must use standard, shareable methods (ISE GUI) to enable knowledge transfer.

Strategy:

  • CHLA runbooks: GUI-based (shareable with team)

  • HOME runbooks: CLI automation (personal infrastructure)

Operational Incidents Always Take Priority

The Dr. Shahab Linux Workstation Deployment was paused immediately when the Dr. Pat Levitt authentication issue was reported.

Rule: Production user impact > project work > documentation > research

7.2. Process Improvements

Build Scripts for Professional Reports

build.sh enables one-command generation of:

  • HTML for web/email sharing

  • PDF for formal reports/archiving

  • DOCX for collaborative editing

Impact: Monthly operations reports can be generated in seconds, not hours of manual formatting.

Static Assignment Checkbox is Non-Negotiable

ISE Profiling service will override endpoint group assignments unless Static Assignment is explicitly enabled.

Failure Mode: Manually assign endpoint to group → Profiler moves it back to "Unknown" → Authorization fails → User loses network access

Solution: Document checkbox requirement prominently in all deployment procedures.

8. Security Posture Assessment

8.1. Strengths

Control                          | Evidence
---------------------------------+------------------------------------------------------------------------------------------------------
Zero-Trust Network Access        | dACLs restrict traffic to authorized services only. Lateral movement blocked even with network access.
Certificate-Based Authentication | EAP-TLS immune to credential phishing, offline dictionary attacks, and evil twin attacks.
Posture Assessment Integration   | Continuous compliance monitoring (firewall, antivirus, Defender, Umbrella).
Segmented Research Network       | VLAN 40 isolated from clinical systems. Quarantine VLAN 999 for non-compliant devices.
Comprehensive Logging            | ISE Live Logs, NetFlow to QRadar, dACL deny rules logged for forensics.

8.2. Weaknesses & Remediation

Weakness                       | Risk                                          | Remediation                        | Priority
-------------------------------+-----------------------------------------------+------------------------------------+---------
MSCHAPv2 (CHLA-Corporate SSID) | Credential harvesting via RADIUS capture      | Migrate to EAP-TLS                 | CRITICAL
Defender Coverage Gaps         | Unmonitored endpoints (Linux workstations)    | Validate Defender agent deployment | HIGH
VNC in OT Networks             | Unauthorized remote access to medical devices | Deploy Claroty XDome monitoring    | HIGH
GetWell YouTube Access         | Unrestricted internet from clinical VLAN      | Implement DNS filtering (Umbrella) | MEDIUM

9. Recommendations

9.1. Immediate Actions (Next 30 Days)

  1. Complete Dr. Pat Levitt Investigation

    • Root cause analysis

    • Preventive controls if systemic issue

  2. Resolve Microsoft Defender for Endpoint Connectivity

    • Validate agent installation on chlxsbg

    • Test posture policy enforcement

    • Document troubleshooting procedures

  3. Review Pentest Findings

    • Formal report expected Feb 7

    • Prioritize remediation roadmap

    • Allocate resources for fixes

  4. Finalize Dr. Shahab Linux Workstation Deployment

    • MAB → EAP-TLS migration

    • User acceptance testing

    • Knowledge transfer to Desktop Support

9.2. Strategic Initiatives (Next 90 Days)

  1. EAP-TLS Migration Planning

    • Pilot group selection (100 users)

    • Intune MDM enrollment verification

    • Certificate auto-enrollment testing

    • Rollback procedures

  2. Linux Posture Policy Deployment

    • Define compliance requirements

    • ISE posture agent deployment

    • Remediation workflows

    • User communication

  3. Claroty XDome Integration

    • Technical architecture review

    • SIEM integration (Sentinel/QRadar)

    • Alert tuning

    • Runbook development

  4. Azure Government Cloud Migration

    • Zero-trust network architecture

    • Private endpoint design

    • NSG rule standardization

    • Compliance validation (HIPAA, HITRUST)

10. Security Tools & Platforms - Learning Roadmap

10.1. Overview

This section tracks security tools and platforms that require hands-on learning, implementation, or deeper integration into CHLA InfoSec operations. All items are marked as NOT STARTED - these represent skill development and platform maturation goals for upcoming quarters.

Purpose: Document tools requiring dedicated learning time and operational integration beyond basic awareness. This roadmap ensures systematic skill development and prevents ad-hoc tool adoption.

10.2. Threat Intelligence & Analysis Platforms

Cisco Talos Intelligence

  Learning Objectives:

    • Threat feed integration with ISE/Firepower

    • IP/domain reputation lookups

    • Malware analysis workflow

    • Vulnerability intelligence correlation

    • Integration with SIEM (QRadar/Sentinel)

  Business Value: Real-time threat intelligence for network access control, IoT device profiling, DNS filtering

  Status: NOT STARTED

VirusTotal

  Learning Objectives:

    • File/URL/hash analysis workflows

    • API integration for automated scanning

    • YARA rule creation and hunting

    • Community intelligence gathering

    • Private scanning capabilities (Enterprise tier evaluation)

  Business Value: Incident response acceleration, malware triage, hash reputation checks

  Status: NOT STARTED

URLScan.io

  Learning Objectives:

    • URL behavior analysis

    • Phishing investigation workflows

    • Screenshot-based threat hunting

    • DOM analysis for obfuscated threats

    • API integration for bulk scanning

  Business Value: Phishing response, suspicious link analysis, user-reported URL validation

  Status: NOT STARTED

AbuseIPDB

  Learning Objectives:

    • IP reputation lookups

    • Reporting malicious IPs

    • Threat feed integration

    • Geolocation correlation

    • API integration with firewall/IPS

  Business Value: Network traffic analysis, firewall rule optimization, incident attribution

  Status: NOT STARTED

10.3. Extended Detection & Response (XDR)

XDR Platform (Microsoft Defender XDR / Palo Alto Cortex)

  Learning Objectives:

    • Unified security console architecture

    • Cross-domain threat correlation (endpoint, network, cloud, email)

    • Automated threat hunting workflows

    • Playbook development for common incidents

    • Integration with existing security stack (ISE, Defender, Firewall)

    • SOAR capabilities evaluation

  Business Value: Reduced mean time to detect (MTTD), automated incident response, unified security operations

  Status: NOT STARTED

Platform Selection Pending: CHLA currently uses Microsoft Defender for Endpoint. Evaluate if expanding to full Microsoft Defender XDR (includes Office 365, Identity, Cloud Apps) meets requirements before considering third-party XDR platforms.

10.4. Security Information & Event Management (SIEM)

IBM QRadar SIEM

  Learning Objectives:

    • Log source configuration (ISE, Firepower, AD, Azure)

    • Custom rule development (AQL - Ariel Query Language)

    • Correlation rule tuning

    • Offense investigation workflows

    • Custom dashboard creation

    • Integration with Claroty XDome (OT security)

    • Reference set management (whitelists, threat feeds)

    • Report automation

    • API-based automation (Python/REST)

  Business Value: Centralized security monitoring, compliance reporting (HIPAA, HITRUST), threat detection across hybrid infrastructure

  Status: NOT STARTED

CRITICAL DEPENDENCY: QRadar is CHLA’s enterprise SIEM. Operational proficiency is essential for:

  • Pentest finding correlation

  • Compliance audit response

  • Incident investigation

  • NetFlow analysis (research network traffic patterns)

  • ISE RADIUS log correlation

10.5. Learning & Implementation Priorities

10.5.1. Phase 1: Immediate (Next 30 Days)

Tool        | Focus Area                                    | Priority
------------+-----------------------------------------------+---------
AbuseIPDB   | IP reputation checks during incident response | HIGH
VirusTotal  | Hash/URL lookups for malware triage           | HIGH
Cisco Talos | Threat feed integration research              | MEDIUM

10.5.2. Phase 2: Short-Term (Next 90 Days)

Platform        | Focus Area                                                                                            | Priority
----------------+-------------------------------------------------------------------------------------------------------+---------
IBM QRadar SIEM | ISE log source configuration; custom rules for 802.1X failures; Linux workstation activity dashboards | CRITICAL
URLScan.io      | Phishing investigation workflows                                                                      | MEDIUM

10.5.3. Phase 3: Long-Term (Next 180 Days)

Platform              | Focus Area                                                                         | Priority
----------------------+------------------------------------------------------------------------------------+---------
XDR Platform          | Architecture evaluation; proof-of-concept deployment; integration with existing stack | MEDIUM
VirusTotal Enterprise | Private scanning evaluation for sensitive files                                    | LOW

10.6. Success Metrics

Metric                           | Target
---------------------------------+---------------------------------------------------------------------------------------
Threat Intelligence Lookups/Week | >50 (AbuseIPDB + VirusTotal + Talos)
QRadar Proficiency               | Ability to investigate incidents independently without vendor support
SIEM Custom Rules Created        | ≥5 rules for CHLA-specific use cases (Linux 802.1X, posture failures, dACL violations)
Incident Response Time Reduction | 30% faster triage with integrated threat intelligence

10.7. Training Resources

Platform Resources

Cisco Talos

  • Talos Intelligence Blog (daily reading)

  • Talos Incident Response resources

  • Integration guides (ISE, Firepower, Umbrella)

QRadar

  • IBM QRadar Community Edition (lab environment)

  • QRadar Admin/Analyst certifications

  • Internal CHLA QRadar admin contacts

XDR

  • Microsoft Defender XDR documentation

  • Ninja training (Microsoft security track)

  • Vendor webinars and demos

Threat Intelligence

  • SANS threat intelligence courses

  • Recorded Future training

  • Open-source intelligence (OSINT) workshops

11. Appendix A: Infrastructure Reference

11.1. ISE Cluster Configuration

Node            | Hostname            | IP Address    | Role
----------------+---------------------+---------------+----------------------------
PAN (Primary)   | ppan.ise.chla.org   | 10.101.2.121  | Policy administration
PAN (Secondary) | span.ise.chla.org   | 10.101.2.122  | Policy administration (HA)
PSN-1           | ise-psn-01.chla.org | 10.101.2.131  | Policy enforcement
PSN-2           | ise-psn-02.chla.org | 10.101.2.132  | Policy enforcement
PSN-3           | ise-psn-03.chla.org | 10.248.11.134 | Policy enforcement
PSN-4           | ise-psn-04.chla.org | 10.248.11.135 | Policy enforcement

High Availability:

  • PAN active/standby failover (primary: 10.101.2.121, secondary: 10.101.2.122)

  • PSN load balancing via DNS round-robin

  • Database replication every 60 seconds

11.2. Active Directory Infrastructure

Domain Controller         | IP Address     | Role
--------------------------+----------------+--------------
chla-dc-01.la.ad.chla.org | 10.112.118.141 | Primary DC
chla-dc-02.la.ad.chla.org | 10.112.118.143 | Secondary DC
chla-pdc.la.ad.chla.org   | 10.100.11.28   | PDC Emulator
chla-dc-03.la.ad.chla.org | 10.100.11.27   | Read-Only DC

11.3. Network Segmentation

VLAN | Name                   | Purpose
-----+------------------------+---------------------------------
40   | CHLA-IoT               | Research workstations and NAS
999  | Critical Auth Fallback | Non-compliant device quarantine

12. Appendix B: Glossary

ADCS

Active Directory Certificate Services - Microsoft PKI infrastructure

dACL

Downloadable Access Control List - Dynamic firewall rules pushed from ISE to network switches

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security - Certificate-based 802.1X authentication

ISE

Cisco Identity Services Engine - Network access control platform

LUKS

Linux Unified Key Setup - Full disk encryption for Linux

MAB

MAC Authentication Bypass - Network access based on MAC address (pre-certificate enrollment)

MSCHAPv2

Microsoft Challenge-Handshake Authentication Protocol version 2 - Password-based authentication (DEPRECATED)

PSN

Policy Service Node - ISE component that enforces network access policies

Zero-Trust

Security model requiring strict identity verification for every user/device regardless of network location

13. Appendix C: Contact Information

Name                   | Role                                                   | Contact
-----------------------+--------------------------------------------------------+--------------------------
Evan Rosado            | Senior Network Security Engineer                       | erosado@chla.usc.edu
Dr. Shahab Asgharzadeh | Research Scientist - Spatial Biology and Genomics Core | sasgharzadeh@chla.usc.edu
Xiangming Ding         | Senior Bioinformatics Scientist                        | xding@chla.usc.edu
Dr. Pat Levitt         | USC Faculty/Non Physician CWR Neurology CWR            | plevit@chla.usc.edu
Sarah                  | Penetration Tester - Mandiant (Google Cloud Security)  | (via engagement portal)

14. Document Revision History

Version | Date       | Changes
--------+------------+---------------------------------------------------
1.0     | 2026-01-31 | Initial monthly operations report for January 2026

Document Information

Document ID: MONTHLY-2026-01

Classification: INTERNAL USE ONLY

Distribution: CHLA InfoSec Leadership

Reporting Period: January 2026

Generated: 2026-01-31

Author: Evan Rosado (Senior Network Security Engineer)

Department: Information Security

Organization: Children’s Hospital Los Angeles


This document contains confidential information. Unauthorized distribution prohibited.