
Summit 2017 cyber delivery v4 long version


IT technology trends: infrastructure, organization, middleware, development, cyber security (long version)

Published in: Technology


  1. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph. Modern delivery & cyber for enterprise IT (long version presentation)
  2. What is happening in delivery & cyber?
  3. But after the tsunami we expect stable weather
  4. Mainstream platform for enterprise IT • How most new applications are built and operate (from A to B)
  5. From A to B (TL;DR: Too Long; Didn’t Read) • A: monolithic web applications based on REST, developed in waterfall, built on a relational DBMS, distributed and configured with automation tools (Puppet, Chef, Ansible), run on a virtualized environment (compute) with traditional storage and network, secured with 30 (or so) tools • B: microservices, stateless, agile-built, DevOps REST/GraphQL web applications built on NoSQL or SQL DBMS and containers, operated with container orchestrators based APaaS on top of private/public cloud or directly on commodity servers with virtualization, enabled by SDN and SDS, secured with a software defined perimeter architecture and HW-based security
  6. Now let’s go step by step
  7. Enterprise IT: different fronts • Traditional IT • New internal customers • Clients (chart axes: Today / Tomorrow / Next phase; Tactic / Strategic)
  8. Let’s start
  9. Basic theme • Cost reduction and efficiency • Fast delivery of solutions • Like a software vendor (Instagram, Facebook) (chart axes: Today / Tomorrow / Next phase; Tactic / Strategic)
  10. Basic challenges • Aging workforce • Legacy (niche) vendors raise prices • Keeping availability and reliability • Most of the budget is operations = maintenance • Shadow IT • Integrating cloud and on-premise data and processes • Top and agile functionality in a changing technology world (chart axes: Today / Tomorrow / Next phase; Tactic / Strategic)
  11. Before we conclude: what about our legacy?
  12. STKI on legacy platforms • Last longer than anyone expected • The slope to oblivion: – New technology arrives; it looks immature but gains momentum – Legacy vendors raise prices – Shortage in new/young personnel – Less support from 3rd parties (example: security 3rd parties) – Important functionality/standards missing – Availability and performance: unresolved issues
  13. STKI on legacy platforms: when do I stop?
  14. Agenda: organization, processes and skills; DC and infrastructure; middleware; development and architecture; cyber security
  15. Staffing, organization, skills, operations • Development organization is a copy of the LOB • Traditional infrastructure org. (server, storage, network, PC, …) • Part of traditional IT • Mashup development and infrastructure organization • Development and DevOps team are responsible for production • Everybody is a developer • Different CAB (change advisory board) (chart axes: Today / Tomorrow / Next phase; Tactic / Strategic)
  16. Traditional infra. organization: System, Network, DC, Storage
  17. What do we need for the new organization at operations/infrastructure? Public/hybrid cloud; private cloud; converged infrastructure; hyper-converged infrastructure; DevOps; containers (Docker)
  18. The best way: one team!!
  19. Recommended mashup (product) organization: System, Network, DC, Storage; Production faults, Sizing and architecture, DR, Cloud
  20. Also possible (short term) • One team (for converged, cloud, etc.), with differentiated skills, in the same department • Also have security people integrated (diagram: System, Network, DC, Storage; Private Cloud: Network, Storage, System)
  21. Development organization: break the functional silos. Use agile/lean. Sequential project phases with different skill groups vs. multi-skilled, result-oriented teams (diagrams: IT infrastructure, BI, LoB1, LoB2, LoB3, OCIO; CEO, Innovation, CDO, IT, LoB1, LoB2, LoB3, Silo1, Silo2, Silo3). Source: Deloitte
  22. Delivery skills and staffing • Everybody (infrastructure, delivery) is a software developer (scripts) • Implementing SDLC (source control, versioning, testing, agile, etc.) • Delivery staffing might decline by 25% • Storage will decline more • System/server will decline less • Fragmented IT will experience less decline in staffing
  23. DevOps vs. CAB (change advisory board) • Head of operations/infrastructure responsibility: availability of IT; change management (CAB) • What about DevOps? “Let them DevOps”, but approve the process (not the specific change): – Which tests are needed before prod? – Which types of change don’t need CAB? (most changes…)
  24. Agenda: organization, processes and skills; DC and infrastructure; middleware; development and architecture; cyber security
  25. DC-Infrastructure layers • Trend towards hosting • Traditional virtualization, storage, networking • Third party maintenance (new option) • Traditional PC • Hybrid cloud • Converged infrastructure • Software defined datacenter (SDS, SDN) • DevOps • VDI/TC • Intel RSA • Cloud only • Containers (Docker) based operations and DevOps • Hyper-converged infrastructure • Browser PC • Software defined perimeter networking • OCP, ODDC open source HW + GPU (chart axes: Today / Tomorrow / Next phase; Tactic / Strategic)
  26. Converged infrastructure: proven benefits • Time to market from (many) months to weeks, especially in integration and acceptance testing • Easier maintenance and updates: traditionally a firmware update is done only when an error happens, and an upgrade of one component leads to other upgrades (diagram: big servers + big storage + network)
  27. Hyper-converged infrastructure • Currently best fit for branches, SMEs, specific projects • Performance and flexibility lag traditional infrastructure • 40G DC networks will push hyper-converged to mainstream usage • Network is part of the hyper-converged vendor offering or part of the client’s DC (diagram: server + storage nodes)
  28. Storage as a separate entity is evolving • Flash is standard • Active-active has matured • Organizations should explore object storage as part of their software defined storage journey
  29. NVMe based storage: no more SCSI
  30. 3D XPoint storage • 3D XPoint is a non-volatile memory (NVM) technology • Next phase of fast storage • Intel and Micron technology • Not in production yet • Compared to NAND: 10x lower latency, 4x writes, 3x reads improvement
  31. Cost vs. speed chart (low/high). Source: Kaminario
  32. Intel® Rack Scale Architecture (RSA) • Logical architecture for efficiently building and managing cloud-scale infrastructure • Provides the simplest path to a Software Defined Datacenter • Increase performance per TCO$ & accelerate cloud adoption • Simplified platform management • Disaggregate, pool & compose compute, network & storage
  33. Bare-Metal as a Service • Next phase of cloud computing • Leverage RSA and hardware orchestration to fully customize servers • Move both legacy & performance critical workloads to the cloud • Cloud economics for bare-metal infrastructure • Consolidate internal IT (diagram: Customer A, Customer B, Customer C)
  34. Software defined perimeter • Connectivity based on a need-to-know model: identity is verified before access to the application is granted • Black Cloud: deny all • SDN application • Replace the “NAC” concept (“tighten the belt”) (diagram: Initiating Host, SDP Controller, Accepting Host, Data)
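The slide’s three-party exchange (Initiating Host, SDP Controller, Accepting Host) as a runnable toy model. This is an added example, not code from the presentation or from any SDP product: the user, password, shared key, policy and the HMAC-signed grant format are all constructed, and real deployments use mutual TLS and single-packet authorization rather than this simplified grant. The point it demonstrates is the default-deny behaviour: the accepting host gives no response at all to traffic that lacks a valid, unexpired grant for its own service.

```python
"""Toy model of the software defined perimeter (SDP) exchange:
Initiating Host -> SDP Controller -> Accepting Host.

Added example, not part of the original presentation. User names, the
shared key, the policy and the grant format are constructed; production
SDP uses mutual TLS and single-packet authorization instead.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

Grant = Tuple[bytes, bytes]  # (JSON claims, HMAC tag)


class SDPController:
    """Verifies identity first, then issues a short-lived grant for one service."""

    def __init__(self, signing_key: bytes, policy: Dict[str, Set[str]]):
        self._key = signing_key
        self._policy = policy      # user -> services the user needs to know about
        self._users = {}           # user -> (salt, password hash); constructed store

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def authenticate(self, user: str, password: str, service: str,
                     now: float, ttl: float = 60.0) -> Optional[Grant]:
        """Return a grant, or None when identity or need-to-know policy fails."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        if service not in self._policy.get(user, set()):
            return None                      # authenticated, but not on the allow list
        payload = json.dumps({"user": user, "service": service, "exp": now + ttl},
                             sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return payload, tag


class AcceptingHost:
    """Default-deny service ("black cloud"): unauthorised traffic gets no reply."""

    def __init__(self, service: str, verify_key: bytes):
        self.service = service
        self._key = verify_key
        self.dropped = 0

    def handle(self, packet: dict, now: float) -> Optional[str]:
        grant = packet.get("grant")
        if grant is None:                    # no grant at all: silently dropped
            self.dropped += 1
            return None
        payload, tag = grant
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.dropped += 1                # forged or tampered grant
            return None
        claims = json.loads(payload)
        if claims["service"] != self.service or claims["exp"] < now:
            self.dropped += 1                # grant for another service, or expired
            return None
        return f"{self.service} -> {claims['user']}: {packet['request']}"


def build_demo() -> Tuple[SDPController, AcceptingHost]:
    """One controller, one accepting host, one registered user (constructed data)."""
    key = b"constructed-controller-key-not-for-real-use"
    controller = SDPController(key, {"alice": {"payroll"}})
    controller.register_user("alice", "correct horse battery staple")
    return controller, AcceptingHost("payroll", key)


if __name__ == "__main__":
    ctrl, payroll = build_demo()
    grant = ctrl.authenticate("alice", "correct horse battery staple", "payroll", now=1000.0)
    print(payroll.handle({"grant": grant, "request": "GET /payslips"}, now=1010.0))
    print(payroll.handle({"request": "GET /payslips"}, now=1010.0), payroll.dropped)
```

The controller is the only place identity is checked; the accepting host only verifies a signed grant, so it never needs the password store and can be deployed behind a deny-all network rule. Expiry is carried inside the signed claims so a captured grant stops working on its own.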
  35. Agenda: organization, processes and skills; DC and infrastructure; middleware; development and architecture; cyber security
  36. Facebook’s GraphQL • The client says to the server: (query and response shown on the following slides)
  37. (screenshot only)
  38. (screenshot only)
  39. Cloud integration alternatives • Write code that accesses the API • Reach the API via ESB + adaptor
  40. API documentation standards (what / why / how / now) • What: Swagger, RAML: standards for API documentation; a common specification language for describing APIs; provides all the information necessary to describe RESTful or other APIs. Swagger definition: a specification for defining the interface of a REST web service • Why: the API economy is emerging as an innovative force in growing companies; API mashup enablers • How / now: upgrade to tools that support standard API documentation such as RAML or Swagger
  41. Using APIs in IDEs
  42. Swagger basic example • For a basic function http://host/greetings/hello/world that returns 'Hello world', the basic Swagger (1.2 resource listing) will be:
      {
        "swaggerVersion": "1.2",
        "apis": [
          {
            "path": "http://localhost:8000/listings/greetings",
            "description": "Generating greetings in our application."
          }
        ]
      }
      More at: https://github.com/OAI/OpenAPI-Specification/wiki/Hello-World-Sample
  43. Agenda: organization, processes and skills; DC and infrastructure; middleware; development and architecture; cyber security
  44. Development and architecture • Legacy code, Microsoft/Java and web • Traditional ALM • Little test automation • Long term projects • Only web (HTML5) and mobile (mainly native) • Agile • Microservices • Test automation • Focus on MVP (minimum viable product) • Mobile native apps • Agile • Microservices • Container based development • Test automation is a must • Serverless (chart axes: Today / Tomorrow / Next phase; Tactic / Strategic)
  45. Microservices architecture. Source: http://martinfowler.com/
  46. Microservices • Business agility • Combine several technologies in the same project • Better scale, more robust • Runs in containers • Might cause latency
  47. Stateless development • When the app falls, you simply start it again • Intermediate state (data) should be stored in a persistent area (DB, disk) • The application should run “as is” in dev, test, prod and cloud
  48. Development languages • Client (web) in JavaScript with Angular, React, Meteor, Ember or Redux (and more…) frameworks • Server in .NET, Java, Node.js, Python, PHP, Ruby, Go or Scala (and more…) • Client to server (to infra) in REST/GraphQL communication
  49. What are Linux Containers? • Linux Containers (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a single control host (LXC host).
  50. Virtual Machine vs. Containers (diagram: OS and HW layers)
  51. What is Docker? • Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux. (Wikipedia)
  52. Why it works: separation of concerns… Source: files.meetup.com/11185112/Docker-Meetup-jan-2015-Final.ppt
  53. Containers basics • Image: ready to use, read-only container file • Container: a specific image that is running (started with the “docker run” command). Several containers can run from the same image
  54. docker run <which image to run> <other parameters: which program to run on the image, etc.>
  55. Which containers are running? • docker ps
  56. Docker Hub
  57. Pulling down the image
  58. Defining a new image • Defining a new image with a “dockerfile”:
      FROM docker/whalesay:latest
      RUN apt-get -y update && apt-get install -y fortunes
      CMD /usr/games/fortune -a | cowsay
      apt-get is the Linux (Debian/Ubuntu) package installation utility; CMD: which program to run when the container starts
  59. Creating a new image based on the dockerfile • C:\Users\pini\docker2>docker build -t docker-demo-stki-2 .
  60. List of docker images (docker images output shows docker-demo-stki-2)
  61. Container schedulers and orchestration
  62. About containers • Containers bundle your app code, dependencies and configuration in a unit, abstracting your app from the infrastructure • Operations: easier to deploy across dev, test and prod environments; fewer errors • Developers: faster, independent development • Better scale up/down (time to provision: tenths of a second) • Perfect fit for microservices and DevOps • Standard way for ISVs to distribute their SW • Broad adoption by ISVs, cloud and infrastructure • New procurement model: server / CPU / core / container
  63. The floor is shaking
  64. VMware and containers • VIC: each container runs in its own micro VM (dedicated kernel), using a memory clone technology named VMfork that spins up the micro VM fast and efficiently (diagram: typical containers vs. VIC)
  65. Microsoft and containers (Scott Guthrie) • Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables … natively on Windows 10 … WSL provides a Linux-compatible kernel interface developed by Microsoft (containing no Linux kernel code)
  66. Duck test
  67. Do you know this Linux machine?
  68. Mainstream platform for enterprise IT • Web: REST/GraphQL • Microservices • Stateless • Agile & lean • DevOps and infrastructure as code • SQL or NoSQL • Containers (Docker) • Operated by container schedulers (Kubernetes, etc.)
  69. B$ questions about the mainstream: • Will it run on bare metal or on a cloud computing platform (OpenStack, VMware vRA, etc.)?
  70. Kubernetes (containers) enables cloud interoperability
  71. The OpenStack train: telcos, service providers, huge enterprise IT, Israeli enterprise IT
  72. B$ questions about the mainstream: • Will it run and be configured natively, or be delivered via APaaS/XPaaS (OpenShift, Cloud Foundry, Bluemix, etc.)?
  73. Containers security
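A worked example for the “Defining new image with dockerfile” slides and this “Containers security” slide together: a small Dockerfile security linter, run over the whalesay Dockerfile from the slides and over a hardened variant. This is an added example, not code from the presentation or from Docker; the rule names (DL-*), the hardened Dockerfile and its all-zero placeholder digest are constructed. It shows the checks a defender wants before an image is built: a base image pinned by digest or explicit tag rather than `latest`, a non-root `USER`, no `curl | sh` installs, no remote `ADD`, and no secrets baked into `ENV`.

```python
"""Security lint for Dockerfiles (added example, not from the presentation).

Rule names and the hardened sample are constructed; the first sample is the
whalesay Dockerfile shown on the slides. The digest in the hardened sample is
an all-zero placeholder, not a real image digest.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SLIDE_DOCKERFILE = """\
FROM docker/whalesay:latest
RUN apt-get -y update && apt-get install -y fortunes
CMD /usr/games/fortune -a | cowsay
"""

# Hardened variant (constructed): digest-pinned base (placeholder digest),
# apt cache removed, non-root user, exec-form CMD.
HARDENED_DOCKERFILE = """\
FROM docker/whalesay@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get -y update && apt-get install -y fortunes \\
    && rm -rf /var/lib/apt/lists/*
USER nobody
CMD ["/bin/sh", "-c", "/usr/games/fortune -a | cowsay"]
"""

PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b")
SECRET_IN_ENV = re.compile(r"\b\w*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)\w*(=|\s)", re.I)
REMOTE_URL = re.compile(r"(https?|ftp)://")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 0 when the finding is about the file as a whole
    detail: str


def parse_dockerfile(src: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, INSTRUCTION, arguments); joins backslash continuations, skips comments."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(src.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        text = " ".join(part.strip() for part in buf)
        buf = []
        instr, _, args = text.partition(" ")
        yield start, instr.upper(), args.strip()


def image_is_pinned(image: str) -> bool:
    """Pinned = digest reference, or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]          # drop registry[:port]/namespace first
    return ":" in name and not name.endswith(":latest")


def lint(src: str) -> List[Finding]:
    findings: List[Finding] = []
    non_root_user = False
    for no, instr, args in parse_dockerfile(src):
        if instr == "FROM":
            image = args.split()[0]          # ignore 'AS stage' in multi-stage builds
            if image != "scratch" and not image_is_pinned(image):
                findings.append(Finding("DL-UNPINNED-BASE", no, image))
        elif instr == "USER":
            non_root_user = args.split(":")[0] not in ("root", "0")
        elif instr in ("RUN", "CMD", "ENTRYPOINT") and PIPE_TO_SHELL.search(args):
            findings.append(Finding("DL-PIPE-TO-SHELL", no, args))
        elif instr == "ADD" and REMOTE_URL.match(args):
            findings.append(Finding("DL-ADD-REMOTE", no, args))
        elif instr == "ENV" and SECRET_IN_ENV.search(args):
            findings.append(Finding("DL-SECRET-IN-ENV", no, args))
    if not non_root_user:                    # the last USER decides who runs CMD
        findings.append(Finding("DL-RUNS-AS-ROOT", 0, "no non-root USER instruction"))
    return findings


if __name__ == "__main__":
    for name, src in (("slide", SLIDE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, [(f.rule, f.line) for f in lint(src)])
```

The slide Dockerfile yields two findings (unpinned `latest` base and no non-root user); the hardened one yields none. The `USER` check tracks the last `USER` instruction because that is the identity the container process actually starts with.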
  74. Agenda: organization, processes and skills; DC and infrastructure; middleware; development and architecture; cyber security
  75. Cyber security vs. information security (diagram: Information Security / Cyber security)
  76. Cyber security vs. information security: and the winner is: cyber security
  77. Cyber, internal politics, organization and roles
  78. (image only)
  79. STKI on cyber organization:
  80. Cyber organization principles • Dedicated cyber operations team • Dedicated cyber guidance team • Dedicated cyber control team
  81. Cyber organization and roles • Dedicated cyber operations team: – Security analysts that take action • Deepest cyber knowledge but also multidisciplinary (T-people) • Responsible for the SIEM/SOC rules • Practical guidance for the rest of IT (development, infra, PC, network, etc.) • Tight link to operations (part of operations = part of CAB) • Outsourcing the security analysts is not trivial – Cyber operations team (FW, EPP, patches, DBMS, development) – Permissions team
  82. Cyber organization and roles • Dedicated cyber guidance team: – “Head above water” – Regulations – Risk management methodology – Business priorities
  83. Cyber organization and roles • Dedicated cyber control team: – Independent of operations and guidance
  84. Conflicts in cyber • No objectives + no measurement = conflicts!!
  85. Add cyber metrics to operations
  86. (image only)
  87. Israel National Cyber Authority standardization act (in process)
  88. (Hebrew control-maturity worksheet from the Israel National Cyber Authority act; table garbled in extraction, recoverable content follows.) Columns: security level; controls / protection technologies; criticality (1–3, low); implementation level; example products; maturity level; implementation percentage; organization status (average); relative maturity percentage. Implementation stages 1–5 (0%, 30%, 60%, 70%, 90%, 100%): not implemented; technological deployment (product installed); logical deployment per vendor definitions; deployment across the organization (percentage of the whole organization); penetration tests and organization-specific settings and optimization; ongoing maintenance. IT protection plan rows: 1.1 management, control and monitoring tools (1.11 SIEM: HP ArcSight; 1.12 log definition in systems; 1.13 system change management: Tufin, AlgoSec; 1.14 DLP (data leakage): Websense, Secure Island; 1.15 anomaly detection systems: LightCyber; 1.16 backup management of security systems: BackBox; 1.17 cyber forensics: Wirex); 1.2 external protection (1.21 firewall: Check Point, Palo Alto; 1.22 anti-spam / email protection: Fortinet; 1.23 web filtering: Websense; 1.24 SSL VPN: Juniper; 1.25 WAF: F5, Imperva; 1.26 sandbox: FireEye); 1.3 network (1.31 IPS/IDS: Palo Alto; 1.32 NAC). Bar chart: implementation stages (deployment priorities in the organization), 0–80%.
  89. Too many cyber tools … EDR (endpoint detection & response), code scanning tools, authentication, bio authentication, CASB (cloud access), data classification, data masking, database security, DDoS, deception / honeypot, DLP, email security (email gateway), encryption, endpoint security, firewall, fraud prevention, incident response, IPS, MDM / MAM (mobile device management), PAM (privileged access management), network access (NAC), secure email gateway, web security (secure web gateway), SIEM, web application firewall
  90. Cyber security personnel • “Shelf software” = software that stays on the shelf (Hebrew pun on תוכנת מדף, off-the-shelf software)
  91. Conclusion: something needs to change • Market consolidation • Game changer technology
  92. The nightmare: zero day attack • An attack exploiting an undisclosed computer software vulnerability
  93. Categorization of cyber (zero day?) defense approaches • Anomaly detection (prod and sandbox; network / endpoint; application / business level) • Honeypots • Deception • HW security (Intel’s SGX, ARM’s TrustZone CPU) • Format changing (content sanitization, “whitening” in Hebrew; secured browsing) • Technology “tricks” (Morphisec, IBM’s ROP solution) • Pattern of malicious activity (basic example: user entry, but much too fast)
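The slide’s basic example of a malicious-activity pattern, “user entry but much too fast”, as detection logic run over constructed log lines. This is an added example, not from the presentation: the log format, the three sessions and the two thresholds (one second minimum fill time, 25 characters per second maximum) are constructed, and in practice the thresholds come from a baseline of real human form-fill times. It also handles two edge cases a detector meets in practice: a submit with no preceding form render (a replayed request) and log lines that do not parse.

```python
"""Detecting "user entry, but much too fast" over constructed log lines.

Added example, not from the presentation. Log format, sessions and
thresholds are constructed; calibrate thresholds on your own baseline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOG_RE = re.compile(
    r"ts=(?P<ts>\d+(?:\.\d+)?) session=(?P<sid>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>form_rendered|form_submitted)(?: chars=(?P<chars>\d+))?$"
)

# Constructed log: s1 is a person typing 142 characters in about 18 s,
# s2 submits the same amount of text 90 ms after the form was served,
# s3 submits with no preceding render event (e.g. a replayed request).
SAMPLE_LOG = """\
ts=1000.00 session=s1 user=alice event=form_rendered
ts=1018.40 session=s1 user=alice event=form_submitted chars=142
ts=1200.00 session=s2 user=bob event=form_rendered
ts=1200.09 session=s2 user=bob event=form_submitted chars=142
ts=1300.00 session=s3 user=carol event=form_submitted chars=80
this line does not parse and is skipped
"""


@dataclass(frozen=True)
class Submission:
    session: str
    user: str
    seconds: Optional[float]   # None when no render event preceded the submit
    chars: int

    @property
    def chars_per_second(self) -> Optional[float]:
        if self.seconds is None or self.seconds <= 0:
            return None
        return self.chars / self.seconds


def parse_submissions(log: str) -> List[Submission]:
    """Pair each form_submitted event with the last form_rendered of its session."""
    rendered_at = {}
    submissions = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                         # unparseable lines are skipped, never trusted
        if m["event"] == "form_rendered":
            rendered_at[m["sid"]] = float(m["ts"])
            continue
        start = rendered_at.pop(m["sid"], None)
        seconds = None if start is None else float(m["ts"]) - start
        submissions.append(Submission(m["sid"], m["user"], seconds, int(m["chars"] or 0)))
    return submissions


def flag_too_fast(log: str, max_chars_per_second: float = 25.0,
                  min_seconds: float = 1.0) -> List[Tuple[str, str]]:
    """Return (session, reason) for submissions a person could not have produced."""
    flagged = []
    for s in parse_submissions(log):
        if s.seconds is None:
            flagged.append((s.session, "submit without a preceding form render"))
        elif s.seconds < min_seconds:
            flagged.append((s.session, f"submitted {s.seconds:.2f}s after render"))
        elif s.chars_per_second is not None and s.chars_per_second > max_chars_per_second:
            flagged.append((s.session, f"{s.chars_per_second:.0f} chars/s"))
    return flagged


if __name__ == "__main__":
    for session, reason in flag_too_fast(SAMPLE_LOG):
        print(f"ALERT {session}: {reason}")
```

Timing is measured server-side from when the form was served to when it came back, so the client cannot fake it the way it could a browser-side timer; the per-character rate catches long pasted or scripted inputs that still exceed the minimum fill time.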
  94. Moving Target Defense • Moving-target (MT) techniques seek to randomize system components (IEEE) • Tricks + deception
  95. Moving Target Defense • What is moving (changing)? – Memory addresses, heap structure – User names, credentials – Physical location – Code obfuscation: change the exec file • How fast? – Every time the program runs – While the program is running • Detection level
  96. Intel Software Guard Extensions (SGX) • Current architecture: user process (App.exe code, App.exe data) on top of the OS. Source: F. Schuster et al., “VC3: trustworthy data analytics in the cloud using SGX,” 36th IEEE Symposium on Security & Privacy
  97. Intel Software Guard Extensions (SGX) • Enclave? • Hardware-based protection • User level execution • EINIT (compares measurements of the enclave) (diagram: user process with App.exe code and data, plus an enclave with enclave code and enclave data, on top of the OS). Source: F. Schuster et al., “VC3: trustworthy data analytics in the cloud using SGX,” 36th IEEE Symposium on Security & Privacy
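What “EINIT compares measurements of the enclave” means, as a runnable model. This is an added example, not code from the presentation, from Intel or from the cited VC3 paper, and it is a simplified model rather than the real algorithm: real SGX computes MRENCLAVE as a SHA-256 over the log of ECREATE, EADD and EEXTEND operations (EEXTEND covering 256-byte chunks) and EINIT compares it with the value carried in the enclave’s signed SIGSTRUCT. The record layout and the two sample pages here are constructed. The property it demonstrates is that the measurement binds the page contents, their offsets, their permissions and the order they were added, so any change to the loaded enclave fails the check.

```python
"""Simplified model of the EINIT measurement check (added example, not
from the presentation or Intel). Record layout and sample pages are
constructed; real MRENCLAVE is a SHA-256 over the ECREATE/EADD/EEXTEND log
compared at EINIT against the signed SIGSTRUCT.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

PAGE_SIZE = 4096
EXTEND_CHUNK = 256      # real EEXTEND measures 256 bytes per step as well


@dataclass(frozen=True)
class EnclavePage:
    offset: int          # page offset inside the enclave
    perms: str           # "r-x" for code, "rw-" for data
    content: bytes       # exactly PAGE_SIZE bytes

    def __post_init__(self):
        if len(self.content) != PAGE_SIZE:
            raise ValueError("enclave pages are measured whole")
        if self.offset % PAGE_SIZE:
            raise ValueError("page offset must be page aligned")


def measure(pages: List[EnclavePage], enclave_size: int) -> bytes:
    """Chained hash over the build log: size, then per page its offset,
    permissions and every 256-byte chunk of content, in load order."""
    h = hashlib.sha256()
    h.update(b"ECREATE" + enclave_size.to_bytes(8, "little"))
    for page in pages:
        h.update(b"EADD" + page.offset.to_bytes(8, "little") + page.perms.encode("ascii"))
        for i in range(0, PAGE_SIZE, EXTEND_CHUNK):
            h.update(b"EEXTEND" + (page.offset + i).to_bytes(8, "little")
                     + page.content[i:i + EXTEND_CHUNK])
    return h.digest()


def einit(pages: List[EnclavePage], enclave_size: int, expected: bytes) -> bool:
    """Let the enclave run only if the rebuilt measurement equals the expected one."""
    return hmac.compare_digest(measure(pages, enclave_size), expected)


def sample_enclave() -> List[EnclavePage]:
    """Two constructed pages standing in for 'Enclave code' and 'Enclave data'."""
    code = (b"\x90" * 16 + b"constructed enclave code page").ljust(PAGE_SIZE, b"\x00")
    data = bytes(PAGE_SIZE)
    return [EnclavePage(0, "r-x", code), EnclavePage(PAGE_SIZE, "rw-", data)]


def tampered(pages: List[EnclavePage], index: int, byte_offset: int) -> List[EnclavePage]:
    """Copy of pages with one byte of one page flipped."""
    p = pages[index]
    c = bytearray(p.content)
    c[byte_offset] ^= 0xFF
    return pages[:index] + [EnclavePage(p.offset, p.perms, bytes(c))] + pages[index + 1:]


if __name__ == "__main__":
    pages = sample_enclave()
    expected = measure(pages, 2 * PAGE_SIZE)       # value the enclave author would sign
    print("intact:", einit(pages, 2 * PAGE_SIZE, expected))
    print("one byte changed:", einit(tampered(pages, 0, 20), 2 * PAGE_SIZE, expected))
```

The expected value in a real system comes from the enclave author’s signed SIGSTRUCT, not from the loader; that is what lets a remote party later attest that exactly this code is running.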
  98. FTE ratios are not trivial: cyber roles map (diagram: cyber guidance, cyber analysts, infrastructure, development, service desk, HR, NOC, outsourcing, cyber department)
  99. Cyber roles map (diagram) • Regulations; top management: cyber risk management, high level policy, awareness • Cyber guidance: practical policy (development, suppliers, identity); controllers • Cyber analysts: response team, define SIEM rules • Permissions (operations, not policy) • Cyber tools: FW, DLP, encryption, DBMS FW, EPP (AV), deception • Cyber related tools: patch management, networking, hardening, privileged account management, email security, data masking, authentication • Infrastructure, development, service desk, HR, NOC, outsourcing
  100. Cyber personnel • Number of employees divided by the total number of cyber related IT personnel for non-regulated orgs (regulation is less than 50% of the cyber budget) • First level SOC personnel not included (mainly a SOC service in non-regulated orgs.) • # employees / # cyber personnel (per FTE): 25th percentile 656; median 1125; 75th percentile 1792. Source: STKI
  101. Cyber personnel: operational/guidance • Number of operational cyber personnel divided by cyber guidance personnel for non-regulated orgs (regulation is less than 50% of the cyber budget) • # operational / # guidance (per FTE): 25th percentile 1.58; median 2.00; 75th percentile 2.75. Source: STKI
  102. Cyber personnel • Number of employees (that use computers) divided by the total number of cyber related IT personnel for regulated orgs (regulation over 50% of the cyber budget) • Cyber personnel include: guidance, cyber analysts, cyber operations, permissions team • First level SOC personnel not included; insurance agents (not employees) are not included • # employees / # cyber personnel (per FTE): 25th percentile 106; median 133; 75th percentile 158. Source: STKI
  103. Cyber personnel: guidance • Number of employees (that use computers) divided by the total number of cyber guidance personnel for regulated orgs (regulation over 50% of the cyber budget) • # employees / # cyber guidance (per FTE): 25th percentile 338; median 410; 75th percentile 1095 • Insurance agents (not employees) are not counted but still get service. Source: STKI
  104. Cyber personnel: first level SOC • Options for the first level SOC operations mode: – Insourcing: 1–2 FTE during work hours, 1 FTE at night; total is about 6–9 FTE – Insourcing: 1–2 FTE during work hours, at night part of the NOC; total is about 3–4 FTE – Outsourcing mode: 0 FTE. Source: STKI
  105. Cyber personnel: cyber analysts • Number of employees (that use computers) divided by the total number of cyber analysts for regulated orgs (regulation over 50% of the cyber budget) • Regulated organizations will have a minimum of 2 cyber analysts (part of SOC or guidance). An external response team might be used when needed • # employees / # cyber analysts (per FTE): 25th percentile 600; median 667; 75th percentile 1000 • Insurance agents (not employees) are not counted but still get service. Source: STKI
  106. Cyber personnel: operations • Number of employees (that use computers) divided by the total number of cyber operations personnel for regulated orgs (regulation over 50% of the cyber budget) • Examples of cyber operations activities: FW, network security, email security, DBMS firewall, encryption, authentication, security patches, hardening, etc. • In many cases part of the infrastructure technology teams (networking, system, PC, etc.) • # employees / # cyber operations (per FTE): 25th percentile 217; median 285; 75th percentile 500. Source: STKI
  107. Cyber personnel: permissions team • Number of employees (that use computers) divided by the total number of permissions team personnel for regulated orgs (regulation over 50% of the cyber budget) • The permissions team might be part of the service desk, security guidance or security operations • # employees / # permissions team (per FTE): 25th percentile 465; median 600; 75th percentile 667 • Insurance agents (not employees) are not counted but still get service. Source: STKI
  108. Before we conclude: some questions • How do you measure my progress? • What do you measure (example: DevOps metrics)? • What are your KPIs? • Do you give enough priority to “the new mainstream”?
  109. Summary: let’s ride the tsunami wave! But focus on where you want to go!!
  110. That’s it. Thank you!
