Good-cyber-hygiene-at-scale-and-speed
0 likes342 views
This document summarizes James McKinlay's presentation on "Cyber Hygiene at speed and scale - How to Clean a Datacenter". The presentation discusses the benefits of implementing vulnerability assessment and management (VMaaS) in managed datacenters to improve security. It recommends starting with quick wins like installing VMaaS agents, building a knowledgebase of patches, and linking VMaaS to configuration management databases. Long-term, security automation could be expanded to correlate software assets, maintain baselines, query systems, and collect security details. The takeaway is that datacenter operators should prioritize basic security hygiene and work with managed service providers to integrate more proactive security measures.
Good-cyber-hygiene-at-scale-and-speed
- 1. Cyber Hygiene at speed and scale – How to Clean a Datacenter James Mckinlay – CSO Praetorian Consulting International
- 2. #whoami Electoral Role Landline Broadband Mobile Phone Gas Electric TV licence Passport Inland Revenue High Street Bank Online Retailers Online webmail Companies House Online accountant Births & Marriages Register Hospital records / GP records Husband, Father, Son Cyber Consulting <-IT Security <- IT Solutions https://uk.linkedin.com/in/jmck4cybersecurity Shares / Child ISA Pension Car Insurance House Insurance Flight Records (ARINC) Mortgage Postcode Address File University Records Water / Utilities Council Tax Driving Licence Car registration / car tax Equifax Experian Callcredit
- 4. @CisoAdvisor Actual Agenda * Very quick look at datacentre issues * My take on “Good Cyber Hygiene” * Once more unto the breach * Takeaways “Everything should be as simple as it can be, but not simpler”
- 5. (1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for. (2) I am not currently in a UK Datacenter (but …...) Disclaimer
- 6. * Section 1: Data centres Revolution Quote 1: “You will not be able to stay home, brother. You will not be able to plug in, turn on and cop out. You will not be able to lose yourself on skag and Skip out for beer during commercials, Because the revolution will not be televised.” - Gil Scott-Heron (1949 –2011)
- 7. Co-location (power & comms) Co-location (DRP site) Managed Service (physical) Corporate Servers (in house) Managed Service (virtual) Cloud (Public / Private) 19th Hole == DC3
- 8. Co-location (power & comms) Co-location (DRP site) Managed Service (physical) Corporate Servers (in house) Managed Service (virtual) Cloud (Public / Private) 19th Hole == DC3 Managed Service (physical) Corporate Servers (in house) Managed Service (virtual)
- 9. Co-location (power & comms) Co-location (DRP site) Managed Service (physical) Corporate Servers (in house) Managed Service (virtual) Cloud (Public / Private) 19th Hole == DC3 Cloud (Public / Private)
- 11. Tier what ? Tier 1: Guaranteeing 99.671% availability. Tier 2: Guaranteeing 99.741% availability. Tier 3: Guaranteeing 99.982% availability. Tier 4: Guaranteeing 99.995% availability. Availability over Security The more secure you are, physical, environmental, configuration management, change management, release management, infosec signoff .... The better the availability !
- 12. DC Problems External (public) DDoS on one customer affects all customers on a shared subnet External (partners) Third Party supplier access allows route into Managed Services and customer data Internal (bau) Managed Services network not secured adequately Managed Services network not split from corporate network Internal (strategic) Mergers & Acquisitions Business Transformation
- 13. Hold the front page
- 14. * Section 2: Cyber Hygiene Revolution quote 2: “The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.” - Gil Scott-heron (1949 –2011)
- 15. Not talking about 27001 here ISO 27002 can be traced back to the British Standard 7799, which was published in 1995. Originally written by the DTI, after several revisions ISO took it on as ISO/IEC 17799. There was a second part to BS 7799 which formed the implementation of an ISMS. This element was what ISO 27001 became in November 2005 (therefore named ISO 27001:2005)
- 16. So many to choose from ACPO (DFIR) AusDSD (ISPF) (ROSI) CBEST CIS (BM) (SM) (CSC) COBIT4 & 5 CSA CCM CPNI / CESG / CERT-UK Carnegie Mellon CERT EN16945 (NATS) First.org FCA Gov.hk HMG ISO Standards, Frameworks and Good Practice guides ISC2 ISF-SOGP ISM3 Maturity Model ISSAF Microsoft NARUC (Utilities) NESA-IAS NIST OWASP PAS-49 PCIDSS SANS Secure Pay Europe (ECB) SOC I & SOC II reporting
- 17. So many questions What if someone had reviewed them all and made a list of the Top 100 Cyber Security Questions to ask ? Cyber Security Perspectives http://usahuawei.com/wp-content/uploads/2014/12/Top100-cyber-security-requirements.pdf
- 18. So to my favourites AusDSD T35 NSA T10 NSA Managed Network T20 CCv6
- 19. bestest bestest favourite NSA Adversary Obstruction https://www.youtube.com/watch?v=bDJb8WOJYdA https://www.iad.gov/iad/library/reports/nsa-methodology-for-adversary-obstruction.cfm
- 20. Inside favourite NSA Adversary Obstruction https://www.iad.gov/iad/library/reports/nsa-methodology-for-adversary-obstruction.cfm 1. Protect Credentials 2. Segregate Networks and Functions 3. Implement Host Intrusion Prevention System (HIPS) Rules 4. Centralize logging of all events 5. Take Advantage of Software Improvement 6. Implement Application Whitelisting 7. Install and correctly use EMET 8. Public Services Utilization 9. Use a Standard Baseline 10.Data-at-Rest and Data-in-Transit Encryption 11.Use Anti-Virus File Reputation Services
- 21. Chart and project plan AusDSD T35
- 23. * Section 3: Once more unto the ... Revolution quote 3: “There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.” - Jim Morrison (1943 - 1971)
- 24. New agenda Why it sits well with DC-MS Speed and scale Security Operations First Steps & Roadmap
- 25. Service Delivery Why it sits well with DC-MS Work packages CAB CMDB tickets Service description Software library RCA Problem Management SLA
- 26. VisualOps Why it sits well with DC-MS
- 27. Secure Configuration Management Why it sits well with DC-MS
- 28. DevSecOps speed and scaleSpeed and scale
- 29. Concepts Easy to deploy, easy to operate MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents. Fast and asynchronous MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes. Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds. Strong security primitives Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.
- 31. Gareth Rushgrove @ Puppet Labs
- 32. Is it fast ? Does it scale ? Does it use python?
- 33. Secure continuous delivery? Security Automation? Pipeline, CI, API, Monitoring?
- 34. New thinking speed and scaleSpeed and scale Data Centre Cloud
- 35. Build your own ? speed and scaleSpeed and scale
- 37. Secret Sauce
- 38. First Steps – quick wins First Steps Managed data centre is perfect situation to install an run VMaaS Managed data centre is perfect situation to build a knowledgebase of awkward patches SOC members are perfect researchers for remediation work following VMaaS Managed data centre is perfect situation to link VMaaS to CMDB and CAB SCM operations are perfect for testing remediation work
- 39. First Steps – quick wins Future Steps SCM can correlate software asset records SCM can maintain baseline security SCM can query system for files, hashes, registry entries SCM can collect local admin details SCM can collect local USB usage
- 40. Summary It is in a Data Centre’s best interest to be more secure because that helps availability !! IT Ops, Security Ops and Security Management (compliance) need to work closer together SOC / SecOps doesn’t have to be about incident response in can also be incident prevention If you have outsourced hosting and infrastructure management – why not add VMaaS and Remediation activities !
- 41. Takeaways Take “Fix the basics” seriously we’ve had years to get this Get started if you haven’t already Use what has been learnt from years of vulnerability assessment and patch management and device hardening Tailor it to your organisation (size and maturity) Learn from other disciplines (collaborate or die) Challenge Managed Service providers to do more security Network with likeminded peers
- 42. Time is precious thank you for yours James