Martin Huddleston: No Service Management, No Security
•Download as PPTX, PDF•
2 likes•346 views
Cyber security is no different from any other management activity, the theory is straight forward and well known, but the execution is very difficult. Interestingly, recent research carried out by a UK/ NATO industry team identified that one key element of high quality cyber security is world class service management as the majority of controls used to secure a system lie within the service management realm. So how do you effectively encompass cyber security into service management? In this presentation Martin outlines the background to the research and shares the results that identify how service management controls fit within a cyber security life cycle. Then, building on this work, Martin showcases how we need to think more about effectiveness and continuous improvement rather than compliance to give us the best chance of staying ahead of the attackers.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Martin Huddleston: No Service Management, No Security
Similar to Martin Huddleston: No Service Management, No Security (20)
More from itSMF UK
More from itSMF UK (20)
Recently uploaded
Recently uploaded (20)
Martin Huddleston: No Service Management, No Security
- 1. 1 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved apmg-international.com CYBER SECURITY No Service Management, No Cyber Security 20th November 2018 Martin Huddleston, Head of Cyber CDCAT® is the registered trade mark of The Secretary of State for Defence, Dstl
- 2. 2 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved What we will cover • The Service Management Risk Balance • The Threat • What Good Cyber Security Looks Like • Analytics – Cyber Security through the Service Management Lens • Real world Case Studies of High Frequency Use Process in Threat Prevention • A Tangled Web • What it means to be ‘Effective’, meeting appetite to take risk • Digital Services Growth – Service Management Futures • Takeaways
- 3. 3 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Service Management Reminder – Risk Balance This Photo by Unknown Author is licensed under CC BY-ND •Resources •Quality / Performance (including cyber security) •Stakeholder interests
- 4. 4 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Threat Actor Motivations, Means and Agility Financial Fraud / Extortion Resource Acquisition Competitive IPTheft Reputational Damage Blackmail State SponsoredAttacks Social engineered attacks on the person / groups Speed and agility in opportunities of the moment Supply chain, 3rd party code and API security Resource acquisition and parasitic processes
- 5. 5 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Modern Day Dog-Fight – Attacker Lifecycle Elements • Privilege Escalation • Opportunity Identification • Attacker DevSecOps • Reconnaissance • Initial Access • Execution • Persistence • Defence Evasion • Credential Access • Discovery • Lateral Movement • Collection • Exfiltration • Command and Control • Attack Assurance This Photo by Unknown Author is licensed under CC BY-NC-ND
- 6. 6 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved • Service Management Integrated Standard(s) & Frameworks • Proportionate Performance to Impacts, Agile to Context and Appetite to Take Risk • Per Asset and per Threat Performance • Cyber Value and Effectiveness Measurable So What Does Good Cyber Security Look Like?
- 7. 7 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Good Cyber Security – 2009 ‘Confiker’ Impact • UK MoD needed means to assess systems cyber defence preparedness • MoDChief ScientificAdvisor asked Dstl to establish “What good looks like” • Dstl could not find a suitable commercial product • MOD / Dstl developed know - how to enable it to:- Systematically collect evidence Make evidence based investment decisions Do this at pace and scale CDCAT® is the registered trademark of The Secretary of State for Defence. © Crown copyright, 2015; Crown Database Rights, 2015
- 8. 8 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved • Operational Resilience • 2 Lifecycles in Risk Balance Cyber Defence Service Management • Multi-standard Support 159 Capabilities, NATO*/MOD Derived Protect / Defend / Operate satisfaction of ALL included standards Integrated Control System for Cyber Security
- 9. 9 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Modern Day Dog-Fight – Defender Lifecycles / Phases * Compared to US NIST Cyber Security Framework – Identify, Protect, Detect, Respond Recover “Security is not merely a ‘state’ but a process that consists of 3 fundamental components: Protection, Detection and Reaction” -Bob Ayes, US DoD, 1998 • Strategy • Design • Transition Incl. DevSecOps • Operation • Continual Improvement • Assess* • Deter • Protect • Detect • Respond • Recover This Photo by Unknown Author is licensed under CC BY-NC-ND
- 10. 10 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved So What of Service Management? Analytics – Cyber Security through the Service Management Lens A Capability Based Assessment
- 11. 11 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved 10 Steps to Cyber Security – Capability Count 0 5 10 15 20 25 30 35 1 11 21 31 41 51 61 71 81 91 101 CapabilityRe-useCount Capability Order (by a rank) 10 Steps to Cyber Security 0 5 10 15 20 25 30 35 1 11 21 31 41 51 61 71 81 91 101 CapabilityRe-useCount Capability Order (by frequency rank) 10 Steps – Excl. ITIL®V3 Top Four Gaps: 1) Incident Management 2) Risk Management 3) Supplier Management 4) Service Asset & Configuration Management Top Four: 1) Define Security Configuration Baselines 2) Establish Policies to Secure Target System 3) Establish Policies to Secure Information 4) Identify Minimum System Security Requirements
- 12. 12 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved US NIST Cyber Security Framework – Capability Count 0 10 20 30 40 50 60 70 1 11 21 31 41 51 61 71 81 91 101 111 121 131 CapabilityRe-useCount Capability Order (by frequency rank) NIST CSF V1.1 0 10 20 30 40 50 60 70 1 11 21 31 41 51 61 71 81 91 101 111 121 131 CapabilityRe-useCount Capability Order (by frequency rank) NIST CSF V1.1 excl. ITIL V3 Top Four: 1) Information Security 2) Health Checks / Audits 3) Secure Data and Network Management 4) Accounting and Audit Controls Top Four Gaps: 1) Information Security 2) Incident Management 3) Supplier Management 4) Risk Management
- 13. 13 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Poll of Top Service Management Capabilities - Impact MageCart Indidents Ticketmaster, British Airways et al. Supplier Management Top ITIL® Capabilities Service Asset & Configuration Management Incident Management Risk Management
- 14. 14 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Facebook Incident “This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017…hackers were using the site's API to automate the process of grabbing users' profile information” Supplier Management Top ITIL® Capabilities Service Asset & Configuration Management Incident Management Risk Management Poll of Top Service Management Capabilities - Impact
- 15. 15 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Supplier Management Top ITIL® Capabilities Service Asset & Configuration Management Incident Management Risk Management SamSam Incidents – Healthcare Sector “Modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand” Poll of Top Service Management Capabilities - Impact
- 16. 16 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Service Management in Complex System Risk – “A Tangled Web” • Change language to Cyber Defence, not passive cyber security, but proactive defence. • Increasing dependencies is a growing risk With every new cyber security standards, we are seeing greater complexity • A future is with us now AI’s essential impact on service management, the complexity & scale issue • But not all good. A new class of problems and a new Service Management: Prevent: keeping down the AI weeds from choking the internet and digital services Detect: for cyber ‘bad’ actors from weaponizing the AI weeds Recover/Respond: cleaning up the AI weeds.
- 17. 17 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Continual Improvement - Operational Risk Measurement e.g. Supply / Service Chain Security Effectiveness These assets are individual systems / services that have had cyber defence assessment and effectiveness measurement calibrated to real- world performance data These allow you to decide a risk appetite and actions to accept, treat, transfer or avoid the risk as a portfolio Overall Effectiveness with Maturity Levels
- 18. 18 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Control System Trends in Digital Services Growth Leading to a changing face for Operational Resilience and Management of Harm Process Quality Only Compliance Driven Passive BC & DR Response & Recovery Driven Reactive Intelligence, Analytics & Agility Driven Proactive Self Healing, re- Provisioning, After-care AutonomicAdhoc
- 19. 19 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Takeaways 1. Service Managers can “step up” to secure networks, effective security is a ‘team’ sport - consider your high frequency processes first 2. The need for more operational testing, SIAM*, DevSecOps and of complex systems is inevitable - consider your ‘Release and Deployment’ processes 3. Baseline your current maturity effectiveness to empower your business conversations in valuing cyber risk - quantify it with the business exposure *SIAM – Service Integration and Management
- 20. 20 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved Questions
- 21. 21 apmg-international.com © Copyright APMG Group 2018, All Rights Reserved +44 (0) 1494 452450 servicedesk@apmgroupltd.com linkedin.com/company/apm-group apmg-international.com @Cyber_APMG @APMG_Inter facebook.com/APMGinternationalLTD Keeping in touch © APMG International Ltd. 2018. All rights reserved.
Editor's Notes
- No service management No cyber security Cyber Security is no different from any other management activity, the theory is straight forward and well known, execution is very difficult. Research carried out by a joint UK/US team identified that one key element of high quality Cyber security is world class service management as the majority of controls used to secure a system lie within the Service management realm. Martin will outline the background to the research and share the results that identify how service management controls fit within a Cyber security life cycle. Building on this work Martin will show how we need to think more about effectiveness and continuous improvement rather than compliance to give us the best chance of staying ahead of the attackers. Plan Assume people know what service management is (3 legged stool), what is cyber security re operational resilience maturity to agile defence agile operations resource prioritisation agility, raising process and performance maturity to be able to be agile to be able to perform. What makes cyber security execution difficult? [Threat agility, attack right once, defence right every time] [ Failure of protection, resort to Resilience/recovery][Evolution of systems / defences] NATO / MOD background, maturity models for agility. What is high quality Cyber Security and what role is Service Management playing – heat map/statistics/re-use. Demonstrate how service management controls fit in the CyberSecurity Lifecycle. [iData CPNI/NCSC kill chain, ATT&CK steps/lifecycle, A/D/P/D/R/R] Effectiveness & continual improvement (noting ISO20000-1:2018 has dropped CSI), agility to stay ahead of attackers, DevSecOps [re recent UK/US/Canada Airforce investments in agile process] [ coding securely at pace] [issue for GitHub and ReadHat’s new owners re opensource]
- Service Management Reminder Threats, Threat Agility What does good look like in Cyber Security
- Financial Fraud/Extortion, Resource Acquisition, Competitive IP Theft, Reputational Damage, Black-mail, State Sponsored Attacks… NCSC: Sept Threat brief on Supply Chain . NCSC is developing its approach to this issue and stated in October 2018 that the risk in the supply chain is:- • An increase in pace and number of cyber security incidents • No increase in severity • Vulnerabilities are old and can be patched • Attacks do not require use of high-end skills • Supply chain at risk, with suppliers being the first source of the compromise. NCSC’s approach also recommends:- • Promoting cloud-based hosting technology for the vast majority of users • To change the focus from sites to systems • Exploring models for examining and recording cyber security of common suppliers • Promoting NIS across all CNI sectors (not just ones regulated by NIS) and major businesses to improve security in the supply chain • Piloting a new Active Cyber Defence “Supplier Check” inspection of external web site as proxy for internal cyber posture. Current ‘Live’ Means Used by Attackers Social engineered attacks on the person e.g. Phishing, Vishing, Whaling, etc Speed and agility e.g. opportunistic ransomware, machine to machine network exploitation – SAMSAM, WannaCry, etc Supply chain and sources of code and API security e.g. Ccleaner, MageCart (TicketMaster, BA et al), FaceBook, etc Resource acquisition in parasitic processes e.g. DDOS bots, crypto mining, scam hosting https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites Much of Magecart’s previous attacks focused on compromising third-party providers. The group would inject its malicious code into libraries and scripts provided by third-party providers, thus ensuring that any website using that provider’s code would be executing the attack code. For example, Magecart has targeted websites running outdated and unpatched versions of Magento, an open-source ecommerce platform written in PHP. Recent figures suggest that over 7,300 stores have been affected by the MagentoCore card skimming code.
- Unseen, performing, cost effective – sounds like service management …Compliance is not Enough, How High the Bar, What Performance and what Effectiveness, What Agility, changing the Bar Anticipating the Threats / Vulnerabilities, Continual Optimisation, ATT&CK / Intel, Automation Commoditisation Cloud Utility Security Just a characteristic of Digital Service, a feature of service & service management. Like any athlete the organisation needs to perform, every time, which is hard, sustaining performance is all about service management, including delivering agile services, where the service is cyber security. What it is not is conformance to ISO/IEC 27001 or ISO/IEC 20000-1 or any ‘compliance’ standard It is much more than process in sense of process quality improvement Sustaining outcomes, Sustaining and Adapting, Optimising to the dynamic, more than People, Process, Technology – sustaining is about TEPIMOIL / Leadership … don’t conflate ‘Governance’ with ‘Performance’ – operational agility is hard, but service management has always sought to deliver 3 legged stool of balancing stakeholders, resources and performance/quality/output – we know there are never enough resources, not just for security, resources and prioritisation are the order of the day Performance vs compliance, visualise the High Jump, but how high the bar?
- Back ground ‘Time Based Security’ book by Wynn Schwartau on, Bob Ayers Director at DoD Information Systems Security Programme and team at US DOD DISA, Circa 1997: Protection > Detection + Reaction. ‘Risk Avoidance’ cultures are doomed to failure. Security risk cannot be designed out.
- 5 basic cyber controls that everyone should adhere to Boundary firewalls and internet gateways Secure configuration Access control Malware protection Patch management Top 5 Capabilities by Frequency: Define Security Configuration Baselines Establish Policies to Secure Target System Establish Policies to Secure Information Identify Minimum System Security Requirements Secure Data and Network Management Top 6 Capabilities used for ITIL V3 Delivery Incident Management Risk Management Supplier Management Service Asset & Configuration Management Cyber Policy Event Management
- Top 5 Capabilities by frequency: Information Security Health Checks / Audits Secure Data and Network Management Accounting and Audit Controls Incident Management Top 6 ITIL V3 Capabilities excluded: Information Security Incident Management Supplier Management Risk Management Service Continuity Plan Metrics / Improvement Opportunity Identification
- https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites https://www.zdnet.com/article/british-airways-cyberattack-data-theft-bigger-than-we-first-thought/ 10 Steps: Incident Management Risk Management Supplier Management Service Asset & Configuration Management Cyber Policy Event Management ASD: Service Asset & Configuration Management 2 Change Management Event Management Incident Management 2 Release and Deployment Management Risk Management 2 NIST: Information Security Incident Management 3 Supplier Management 2 Risk Management 3 Service Continuity Plan Metrics / Improvement Opportunity Identification Aggregate: Cyber Policy 2 Information Security 2 Cyber Strategy Metrics / Improvement Opportunity Identification Risk Management 4 Access Management
- Change language to Cyber Defence, not passive cyber security, but proactive defence. Increasing in dependencies is a growing risk With every new cyber security standards, we are seeing greater complexity/dependencies Statistics on complexity, re grown in number of mappings per capability, would be a string indicator of the fundamental need for automation in capability interactions. Could conclude from this why SM and SIAT in particular, remains and will grow in importance. A future with us now in a tangled Web AI’s growing and essential impact on service management, the complexity & scale issue But Not all good, new class of problems Prevent: keeping down the AI weeds from choking the internet and digital services Detect: preventing cyber ‘bad’ actors from weaponizing the AI weeds Recover/Respond: cleaning up the AI weeds. https://www.weforum.org/reports/the-global-risks-report-2018 A Tangled Web Artificial intelligence “weeds” proliferate, choking off the performance of the internet What if the adverse impact of artificial intelligence (AI) involves not a super-intelligence that takes control from humans but “AI weeds”—low-level algorithms that slowly choke off the internet? Algorithms are already proliferating. As they increase in sophistication—as we become more reliant on code that writes code, for example—explosive growth becomes more likely. A divergence could open between the code we have created and our capacity to track and control it. The tragedy of the commons means we often let chronic problems with dispersed responsibilities fester. Think of plastic in the ocean. A trend towards reduced internet efficiency would undermine service delivery in countless businesses. It could hobble the Internet of Things. It would frustrate users. If the problem became significant enough, it could prompt some governments to wall off parts of the internet. If malicious actors found ways to proliferate or weaponize the AI weeds, they could do extensive damage. As the global demands placed on the internet increase in scale and sophistication, digital hygiene is likely to become a more pressing concern for end-users. The development of overarching norms, regulations and governance structures for AI will be crucial: without a robust and enforceable regulatory framework, there is a risk that humans will in effect be crowded out from the internet by the proliferation of AI. Service Management or Cyber Security, or does it matter, just Secure Digital SM?
- Aggregate analysis to assess whether appetite to take risk is being applied uniformly and if systems are connected whether risk is being appropriately managed, e.g. is system M connected to system N, in which case system effectiveness might be that of M not N. This diagram currently not routinely produced by CDCAT but by subsequent consultancy. Discuss continual maturity improvement, road to effectiveness is about sustaining high performance to agile attackers to make it hard for them so they try elsewhere. Capability improvement is about knowing where to invest to get the most bang for buck, take for example the 4 ITIL processes identified. In a world of cloud services, extended API’s down an opaque supply or service chain, where attackers can live off the land of the slightest configuration mismatch exploiting emergent behaviour, then to know the capability maturity and quantify the effectiveness calibrated to an absolute scale is to instil trust and or decide what risk measures are needed from the business perspective. E.g. to take out appropriate cyber insurance but understand insurers rightly place obligations on you to be mature in your resilience operation, a partnership in financial mitigations.
- Reasons to be proactive: Money Reputation Livelihood Safety Survival Explain resilience and stress induced by Cyber, conflict of maturity levels, agile tends to Level 2 ‘Developing’ whilst Cyber Security tends to Level 4 ‘Manage outcomes by metrics’. Future business architectures ‘build this in’ by design but at a cost compensated for by future benefits, i.e. the opportunity. Security and proactive resilience isn’t free. Business evolutions and resilience is evolving to change what is ‘normal’ in business design. Aim is now to provide a framework and risk analysis system that supports the agility needed Discuss the status of regulators approach to harm and expectations on managing risk in financial service. Discuss state of the art in autonomics, e.g. telecoms 5G and zero-touch provisioning, role of service management in carrier grade services delivery including security effectiveness to better than 5x9’s availability. Right almost every time – the means to digitally secure systems in the face of human fallibility and inevitable mis-configurations of complex services. Influence of 5G autonomic technologies, e.g. zero touch provisioning. Forensics: premera-blue breach data destruction https://www.zdnet.com/article/premera-blue-cross-accused-of-destroying-evidence-in-data-breach-lawsuit/ see also SANS NewsBites Vol. 20 Num. 070 : California Establishes Election Cybersecurity Office; Five Eyes Want to Access Encrypted Communications; California Approves Net Neutrality Bill for the commentary. [CDCAT Q2: CDCAT Application: Capabilities folder]. Need in recovery operations to forensically archive data/equipment to ensure legal duties of care. Automation, cenx/ericsson closed loop control and 5G cdcat lvl 3,4,5 automated control identification, predicting where it will be needed next re mapping is a process of process design to achieve cyber defence but using IA, CNO and SM. https://www.fiercetelecom.com/telecom/ericsson-boosts-closed-loop-automation-capabilities-deal-to-buy-cenx cdcat lvl 3,4,5 automated control identification. this is an example where that automation is bubbling up
- Service Managers can and need to “step up” to secure networks, Good cyber security is dependent on good service management, Effective security is a “team sport”, automate for repeatable outcomes, get to grips with configuration risk. Most breaches are due to insider issues [in fact historical human error and misconfiguration, ref VDBIR] – need for more testing, DevSecOps. Compliance alone means accepting successful attacks Baseline your current maturity effectiveness and empower you business conversations in the value of cyber risk – quantify it using real world calibration. Maturity of implementation is the only way to effective security.