Cyber Hygiene at speed and scale – How to Clean a Datacenter
James Mckinlay – CSO Praetorian Consulting International
#whoami
Husband, Father, Son
Cyber Consulting <- IT Security <- IT Solutions
https://uk.linkedin.com/in/jmck4cybersecurity
* Electoral Roll
* Landline
* Broadband
* Mobile Phone
* Gas / Electric
* TV licence
* Passport
* Inland Revenue
* High Street Bank
* Online Retailers
* Online webmail
* Companies House
* Online accountant
* Births & Marriages Register
* Hospital records / GP records
* Shares / Child ISA
* Pension
* Car Insurance
* House Insurance
* Flight Records (ARINC)
* Mortgage
* Postcode Address File
* University Records
* Water / Utilities
* Council Tax
* Driving Licence
* Car registration / car tax
* Equifax / Experian / Callcredit
#riskAssessment
http://www.lkcyber.com/
http://www.slideshare.net/lkcyber/self-check
@CisoAdvisor
Actual Agenda
* Very quick look at datacentre issues
* My take on “Good Cyber Hygiene”
* Once more unto the breach
* Takeaways
“Everything should be as simple as it can be, but not simpler”
Disclaimer
(1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.
(2) I am not currently in a UK Datacenter (but …...)
* Section 1: Data centres
Revolution Quote 1:
“You will not be able to stay home, brother. You will not be able to plug in, turn on and cop out. You will not be able to lose yourself on skag and skip out for beer during commercials, because the revolution will not be televised.”
- Gil Scott-Heron (1949 – 2011)
* Co-location (power & comms)
* Co-location (DRP site)
* Managed Service (physical)
* Corporate Servers (in house)
* Managed Service (virtual)
* Cloud (Public / Private)
* 19th Hole == DC3
Tier what?
* Tier 1: Guaranteeing 99.671% availability.
* Tier 2: Guaranteeing 99.741% availability.
* Tier 3: Guaranteeing 99.982% availability.
* Tier 4: Guaranteeing 99.995% availability.
Availability over Security
The more secure you are (physical, environmental, configuration management, change management, release management, infosec signoff ....), the better the availability!
DC Problems
External (public)
* DDoS on one customer affects all customers on a shared subnet
External (partners)
* Third Party supplier access allows a route into Managed Services and customer data
Internal (bau)
* Managed Services network not secured adequately
* Managed Services network not split from corporate network
Internal (strategic)
* Mergers & Acquisitions
* Business Transformation
Hold the front page
* Section 2: Cyber Hygiene
Revolution quote 2:
“The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.”
- Gil Scott-Heron (1949 – 2011)
Not talking about 27001 here
ISO 27002 can be traced back to the British Standard 7799, which was published in 1995. Originally written by the DTI, after several revisions ISO took it on as ISO/IEC 17799. There was a second part to BS 7799 which formed the implementation of an ISMS. This element was what ISO 27001 became in November 2005 (therefore named ISO 27001:2005).
So many to choose from
Standards, Frameworks and Good Practice guides
* ACPO (DFIR)
* AusDSD (ISPF) (ROSI)
* CBEST
* CIS (BM) (SM) (CSC)
* COBIT 4 & 5
* CSA CCM
* CPNI / CESG / CERT-UK
* Carnegie Mellon CERT
* EN16945 (NATS)
* First.org
* FCA
* Gov.hk
* HMG
* ISO
* ISC2
* ISF-SOGP
* ISM3 Maturity Model
* ISSAF
* Microsoft
* NARUC (Utilities)
* NESA-IAS
* NIST
* OWASP
* PAS-49
* PCIDSS
* SANS
* Secure Pay Europe (ECB)
* SOC I & SOC II reporting
So many questions
What if someone had reviewed them all and made a list of the Top 100 Cyber Security Questions to ask?
Cyber Security Perspectives
http://usahuawei.com/wp-content/uploads/2014/12/Top100-cyber-security-requirements.pdf
So to my favourites
* AusDSD T35
* NSA T10
* NSA Managed Network
* T20 CCv6
bestest bestest favourite
NSA
Adversary Obstruction
https://www.youtube.com/watch?v=bDJb8WOJYdA
https://www.iad.gov/iad/library/reports/nsa-methodology-for-adversary-obstruction.cfm
Inside favourite
NSA
Adversary Obstruction
https://www.iad.gov/iad/library/reports/nsa-methodology-for-adversary-obstruction.cfm
1. Protect Credentials
2. Segregate Networks and Functions
3. Implement Host Intrusion Prevention System (HIPS) Rules
4. Centralize logging of all events
5. Take Advantage of Software Improvement
6. Implement Application Whitelisting
7. Install and correctly use EMET
8. Public Services Utilization
9. Use a Standard Baseline
10. Data-at-Rest and Data-in-Transit Encryption
11. Use Anti-Virus File Reputation Services
Chart and project plan
AusDSD T35
Also C-Y-A
DPA98
GDPR
* Section 3: Once more unto the ...
Revolution quote 3:
“There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.”
- Jim Morrison (1943 – 1971)
New agenda
* Why it sits well with DC-MS
* Speed and scale
* Security Operations
* First Steps & Roadmap
Why it sits well with DC-MS: Service Delivery
* Work packages
* CAB
* CMDB
* Tickets
* Service description
* Software library
* RCA
* Problem Management
* SLA
Why it sits well with DC-MS: VisualOps
Why it sits well with DC-MS: Secure Configuration Management
Why it sits well with DC-MS: DevSecOps
Speed and scale
Concepts
Easy to deploy, easy to operate
MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.
Fast and asynchronous
MIG is designed to be fast and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a PostgreSQL database and an on-disk cache, such that the reliability of the platform doesn't depend on long-running processes.
Speed is a strong requirement. Most actions will only take a few hundred milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.
Strong security primitives
Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.
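The three MIG properties above (investigator ACL baked in at build time, every action signed with a key that never lives on the platform, agents answering questions rather than shipping raw data) in a small Go model. This is an added example, not code from the Mozilla InvestiGator project: Ed25519 stands in for PGP, the investigator name, file paths and file contents are constructed, and only a "file" module that counts SHA-256 matches is implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Action is the question put to the fleet: who asks, which module, for which hash, and until when.
type Action struct {
	Investigator string    `json:"investigator"`
	Module       string    `json:"module"`
	Hash         string    `json:"hash"`
	ExpireAfter  time.Time `json:"expireafter"`
}
// ACLEntry is what the agent carries from build time: a public key plus permitted modules.
type ACLEntry struct {
	PubKey  ed25519.PublicKey
	Modules map[string]bool
}

// Constructed demo fixtures: one investigator key pair (the private half stays
// on the laptop), the compile-time ACL, and a stand-in filesystem with a planted file.
var InvestigatorPub, InvestigatorPriv, _ = ed25519.GenerateKey(rand.Reader)
var ACL = map[string]ACLEntry{"alice": {InvestigatorPub, map[string]bool{"file": true}}}
var Planted = []byte("constructed sample: contents of the file we want to locate")
var Files = map[string][]byte{"/opt/app/bin/x": Planted, "/etc/hosts": []byte("127.0.0.1 localhost\n")}

func canonical(a Action) []byte { b, _ := json.Marshal(a); return b }
// Sign runs on the investigator's laptop, the only place the private key exists.
func Sign(priv ed25519.PrivateKey, a Action) []byte { return ed25519.Sign(priv, canonical(a)) }
// SHA256Hex is how the file module names content; agents compare, never upload.
func SHA256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Run verifies authorisation, freshness and signature before doing any work,
// then answers with a match count; raw file content never leaves the host.
func Run(a Action, sig []byte, now time.Time) (int, error) {
	entry, ok := ACL[a.Investigator]
	switch {
	case !ok || a.Module != "file" || !entry.Modules[a.Module]:
		return 0, errors.New("investigator not authorised for this module")
	case now.After(a.ExpireAfter):
		return 0, errors.New("action expired")
	case !ed25519.Verify(entry.PubKey, canonical(a), sig):
		return 0, errors.New("bad signature")
	}
	matches := 0
	for _, content := range Files {
		if SHA256Hex(content) == a.Hash {
			matches++
		}
	}
	return matches, nil
}
```

A compromised scheduler in this model can only replay actions an investigator already signed, and those expire; it cannot mint new questions or read file contents from the agents.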
Gareth Rushgrove @ Puppet Labs
Is it fast?
Does it scale?
Does it use python?
Secure continuous delivery?
Security Automation?
Pipeline, CI, API, Monitoring?
New thinking
Speed and scale
Data Centre / Cloud
Build your own?
Speed and scale
SOC thinking
Security operations
Secret Sauce
First Steps – quick wins
First Steps
* A managed data centre is the perfect situation to install and run VMaaS
* A managed data centre is the perfect situation to build a knowledgebase of awkward patches
* SOC members are perfect researchers for remediation work following VMaaS
* A managed data centre is the perfect situation to link VMaaS to CMDB and CAB
* SCM operations are perfect for testing remediation work
First Steps – quick wins
Future Steps
* SCM can correlate software asset records
* SCM can maintain baseline security
* SCM can query systems for files, hashes, registry entries
* SCM can collect local admin details
* SCM can collect local USB usage
Summary
* It is in a Data Centre’s best interest to be more secure, because that helps availability!!
* IT Ops, Security Ops and Security Management (compliance) need to work closer together
* SOC / SecOps doesn’t have to be about incident response; it can also be incident prevention
* If you have outsourced hosting and infrastructure management – why not add VMaaS and Remediation activities!
Takeaways
* Take “Fix the basics” seriously; we’ve had years to get this
* Get started if you haven’t already
* Use what has been learnt from years of vulnerability assessment, patch management and device hardening
* Tailor it to your organisation (size and maturity)
* Learn from other disciplines (collaborate or die)
* Challenge Managed Service providers to do more security
* Network with like-minded peers
Time is precious, thank you for yours
James