This document summarizes James McKinlay's presentation on "Cyber Hygiene at speed and scale - How to Clean a Datacenter". The presentation discusses the benefits of implementing vulnerability assessment and management (VMaaS) in managed datacenters to improve security. It recommends starting with quick wins like installing VMaaS agents, building a knowledgebase of patches, and linking VMaaS to configuration management databases. Long-term, security automation could be expanded to correlate software assets, maintain baselines, query systems, and collect security details. The takeaway is that datacenter operators should prioritize basic security hygiene and work with managed service providers to integrate more proactive security measures.
1. Cyber Hygiene at speed and scale
– How to Clean a Datacenter
James Mckinlay – CSO Praetorian Consulting International
2. #whoami
Electoral Role
Landline
Broadband
Mobile Phone
Gas Electric
TV licence
Passport
Inland Revenue
High Street Bank
Online Retailers
Online webmail
Companies House
Online accountant
Births & Marriages Register
Hospital records / GP records
Husband, Father, Son
Cyber Consulting <-IT Security <- IT Solutions
https://uk.linkedin.com/in/jmck4cybersecurity
Shares / Child ISA
Pension
Car Insurance
House Insurance
Flight Records (ARINC)
Mortgage
Postcode Address File
University Records
Water / Utilities
Council Tax
Driving Licence
Car registration / car tax
Equifax Experian Callcredit
4. @CisoAdvisor
Actual Agenda
* Very quick look at datacentre issues
* My take on “Good Cyber Hygiene”
* Once more unto the breach
* Takeaways
“Everything should be
as simple as it can be,
but not simpler”
5. Disclaimer
(1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.
(2) I am not currently in a UK Datacenter (but …...)
6. * Section 1:
Data centres
Revolution Quote 1:
“You will not be able to stay
home, brother.
You will not be able to plug in,
turn on and cop out.
You will not be able to lose
yourself on skag and
Skip out for beer during
commercials,
Because the revolution will not
be televised.”
- Gil Scott-Heron (1949 –2011)
8. Datacentre delivery models (diagram): Corporate Servers (in house); Co-location (power & comms); Co-location (DRP site); Managed Service (physical); Managed Service (virtual); Cloud (Public / Private). 19th Hole == DC3
9. (Same diagram, repeated.)
11. Tier what?
Tier 1: Guaranteeing 99.671% availability.
Tier 2: Guaranteeing 99.741% availability.
Tier 3: Guaranteeing 99.982% availability.
Tier 4: Guaranteeing 99.995% availability.
Availability over Security
The more secure you are (physical, environmental, configuration management, change management, release management, infosec signoff ....), the better the availability!
12. DC Problems
External (public): DDoS on one customer affects all customers on a shared subnet
External (partners): Third Party supplier access allows a route into Managed Services and customer data
Internal (bau): Managed Services network not secured adequately; Managed Services network not split from the corporate network
Internal (strategic): Mergers & Acquisitions; Business Transformation
14. * Section 2:
Cyber Hygiene
Revolution quote 2:
“The first revolution is when you
change your mind about how
you look at things, and see there
might be another way to look at
it that you have not been
shown. What you see later on is
the results of that, but that
revolution, that change that
takes place will not be
televised.”
- Gil Scott-Heron (1949 –2011)
15. Not talking about 27001 here
ISO 27002 can be traced back to the British Standard 7799, which was published in 1995. Originally written by the DTI, after several revisions ISO took it on as ISO/IEC 17799. There was a second part to BS 7799 which formed the implementation of an ISMS. This element was what ISO 27001 became in November 2005 (therefore named ISO 27001:2005).
16. So many to choose from – Standards, Frameworks and Good Practice guides
ACPO (DFIR)
AusDSD (ISPF) (ROSI)
CBEST
CIS (BM) (SM) (CSC)
COBIT4 & 5
CSA CCM
CPNI / CESG / CERT-UK
Carnegie Mellon CERT
EN16945 (NATS)
First.org
FCA
Gov.hk
HMG
ISO
ISC2
ISF-SOGP
ISM3 Maturity Model
ISSAF
Microsoft
NARUC (Utilities)
NESA-IAS
NIST
OWASP
PAS-49
PCIDSS
SANS
Secure Pay Europe (ECB)
SOC I & SOC II reporting
17. So many questions
What if someone had reviewed them all and made a list of the Top 100 Cyber Security Questions to ask?
Cyber Security Perspectives
http://usahuawei.com/wp-content/uploads/2014/12/Top100-cyber-security-requirements.pdf
18. So to my favourites
AusDSD T35
NSA T10
NSA Managed Network
T20 CCv6
20. Inside favourite: NSA Adversary Obstruction
https://www.iad.gov/iad/library/reports/nsa-methodology-for-adversary-obstruction.cfm
1. Protect Credentials
2. Segregate Networks and Functions
3. Implement Host Intrusion Prevention System (HIPS) Rules
4. Centralize logging of all events
5. Take Advantage of Software Improvement
6. Implement Application Whitelisting
7. Install and correctly use EMET
8. Public Services Utilization
9. Use a Standard Baseline
10. Data-at-Rest and Data-in-Transit Encryption
11. Use Anti-Virus File Reputation Services
23. * Section 3:
Once more unto the ...
Revolution quote 3:
“There can't be any large-scale
revolution until there's a personal
revolution, on an individual
level. It's got to happen inside
first.”
- Jim Morrison (1943 - 1971)
24. New agenda
Why it sits well with DC-MS
Speed and scale
Security Operations
First Steps & Roadmap
25. Service Delivery
Why it sits well with DC-MS
Work
packages
CAB
CMDB
tickets
Service
description
Software library
RCA
Problem
Management
SLA
29. Concepts
Easy to deploy, easy to operate
MIG agents are designed to be lightweight, secure, and easy to deploy, so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.
Fast and asynchronous
MIG is designed to be fast and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a PostgreSQL database and an on-disk cache, so that the reliability of the platform doesn't depend on long-running processes.
Speed is a strong requirement. Most actions will take only a few hundred milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.
Strong security primitives
Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.
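The MIG design just described (actions signed with an investigator's key that the platform never holds, investigator keys and ACLs fixed at build time, agents that answer a question rather than return raw data), as an added Go example that is not MIG's own code or API: Ed25519 stands in for PGP/GPG signing, and the Action format, the "file" module name, the in-memory filesystem and the fixed key seed are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Action is the signed question an investigator asks; Hash is a hex SHA-256. "file" is a constructed module name.
type Action struct{ Investigator, Module, Hash string }

// Agent config is fixed at build time: investigator keys, module ACL, plus a constructed in-memory filesystem.
type Agent struct {
	Keys  map[string]ed25519.PublicKey
	ACL   map[string]map[string]bool
	Files map[string][]byte
}

// Sign runs on the investigator's laptop; the platform never holds the private key.
func Sign(priv ed25519.PrivateKey, a Action) []byte {
	msg, _ := json.Marshal(a)
	return ed25519.Sign(priv, msg)
}

// Run checks signature, then ACL, before executing; it answers with matching paths, never file contents.
func (ag *Agent) Run(a Action, sig []byte) ([]string, error) {
	msg, _ := json.Marshal(a)
	if pub, ok := ag.Keys[a.Investigator]; !ok || !ed25519.Verify(pub, msg, sig) {
		return nil, fmt.Errorf("rejected: unknown investigator or bad signature")
	}
	if !ag.ACL[a.Investigator][a.Module] {
		return nil, fmt.Errorf("rejected: module %q not in ACL for %s", a.Module, a.Investigator)
	}
	var hits []string
	for path, data := range ag.Files {
		if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) == a.Hash {
			hits = append(hits, path)
		}
	}
	return hits, nil
}

// NewDemoAgent builds a constructed agent trusting investigator "alice" for the "file" module only (fixed seed: demo only).
func NewDemoAgent() (*Agent, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-seed-for-example-32b"))
	return &Agent{
		Keys:  map[string]ed25519.PublicKey{"alice": priv.Public().(ed25519.PublicKey)},
		ACL:   map[string]map[string]bool{"alice": {"file": true}},
		Files: map[string][]byte{"/opt/app/a.bin": []byte("bad"), "/opt/app/b.bin": []byte("ok")},
	}, priv
}
```

A relay that tampers with an action, an investigator asking for a module outside their ACL, or an unknown investigator all get a refusal, while a valid hash query returns only the matching path.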
38. First Steps – quick wins
First Steps
A managed data centre is the perfect situation to install and run VMaaS
A managed data centre is the perfect situation to build a knowledgebase of awkward patches
SOC members are perfect researchers for remediation work following VMaaS
A managed data centre is the perfect situation to link VMaaS to the CMDB and CAB
SCM operations are perfect for testing remediation work
39. Future Steps
SCM can correlate software asset records
SCM can maintain baseline security
SCM can query system for files, hashes, registry entries
SCM can collect local admin details
SCM can collect local USB usage
40. Summary
It is in a Data Centre’s best interest to be more secure, because that helps availability!!
IT Ops, Security Ops and Security Management (compliance) need to work more closely together
SOC / SecOps doesn’t have to be only about incident response; it can also be incident prevention
If you have outsourced hosting and infrastructure management – why not add VMaaS and remediation activities!
41. Takeaways
Take “Fix the basics” seriously; we’ve had years to get this
Get started if you haven’t already
Use what has been learnt from years of vulnerability assessment, patch management and device hardening
Tailor it to your organisation (size and maturity)
Learn from other disciplines (collaborate or die)
Challenge Managed Service providers to do more security
Network with like-minded peers