Summit 2017 cyber delivery v4 long version

Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 1
Modern delivery &
cyber for enterprise IT
Long version
presentation

What is happening in delivery & cyber?

But after the tsunami we expect stable weather

Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
4
Mainstream platform for enterprise IT
• How most new applications are built and operate
A B

5
From A to B
• Monolithic web applications based on
Rest developed in water fall based on
relational dbms distributed and configured
with automation tools (puppet, chef,
ansible) run on virtualized environment
(compute) and traditional storage and
network secured with 30 (or so) tools
• Microservices, stateless, agile built, devops Rest
/GrapQL web applications built on nosql or sql
dbms and containers operated with container
orchestrators based APaaS on top of private/public
cloud or directly on commodity servers with
virtualization enabled by SDN, SDS secured with
software defined perimeter architecture and HW
based security
TL;DRToo Long; Didn’t Read

6
Now let’s go step by step

7
Enterprise IT different fronts
Traditional IT
New internal
customers
Clients
Today
Tomorrow
Next phaseTactic
Strategic

8
Let’s start

9
Basic theme
Cost reduction
and efficiency
Fast delivery of
solutions
Like software
vendor –
Instagram-
facebook I
Today
Tomorrow
Next phaseTactic
Strategic

10
Basic challenges
Aging workforce
Legacy (niche) vendors
raise price
Keeping availability-
reliability
Most of budget is
operations=maintenance
Shadow IT
Integrating cloud
and on premise
data and
processes
Top and agile
functionality in
changing
technology world
Today
Tomorrow
Next phase
Tactic
Strategic

11
Before we conclude: what about our legacy?

12
STKI on Legacy platforms
• Last longer than anyone expected
• The slope to oblivion:
– New technology arrives. It looks immature but gain momentum.
– Legacy vendors raise prices
– Shortage in newyoung personnel
– Less support to 3rd parties (example – security 3rd parties)
– Important functionalitystandards missing
– Availability performance -unresolved issues

13
STKI on Legacy platforms: when do I stop?

14
Agenda
organization, processes and skills
DC and infrastructure
middleware
development and architecturecyber security

15
Staffing, organization, skills, operations
Development
organization is copy
of LOB
Traditional
infrastructure org.
(server, storage,
network, PC, …)
Part of traditional IT
Mashup development
and infrastructure
organization
Development and
Devops team are
responsible for
production
Everybody is
developer
Different CAB
(change advisory
board)
Today
Tomorrow
Next phase
Tactic
Strategic

16
Traditional infra. organization
System Network DC Storage

17
What we need for new organization at
operationsinfrastructure?
Publichybrid cloud
Private cloud
Converged infrastructure
Hyper-converged
infrastructure
Devops
Containers-docker

18
The best way – one team!!

19
Recommended mashup (product) organization
System Network DC Storage
Production
faults
Sizing-
architecture
DR
Cloud

20
Also possible (short term)
• One team (for converged, cloud, etc.) , with skills differentiated, into
the same department
• Also have security people integrated
System Network
DC
Storage Private
Cloud
Network
Storage
System

21
IT
Infra
structure
BI LoB1 LoB2 LoB3
OCIO
Development organization: break the
functional silos. Use agilelean
CEO
Innovation CDO IT LoB1 LoB2 LoB3
Silo1 Silo2 Silo3
Source: Deloitte
Sequential project phases with
different skill groups
Multi skilled,
result oriented teams

22
Delivery skills and staffing
• Everybody (infrastructure, delivery) is a software
developer (scripts)
• implementing SDLC (source control, versioning, testing, agile, etc.)
• Delivery staffing might decline by 25%
• Storage will decline more
• Systemserver will decline less
• Fragmented IT will experience less decline in staffing

23
Devops vs. CAB (change advisory board)
Availability of IT Change management (CAB)
“Let them Devops” but approve the process (not specific change):
• Which tests are needed before prod?
• Which types of change don’t need CAB? (most of changes…)
What about Devops?
Head of operationsinfrastructure responsibility:

24
Agenda
middleware

25
DC-Infrastructure layers
Trend towards hosting-
Traditional Virtualization-
storage – networking
Third party maintenance
– new option
Traditional PC
Hybrid cloud
Converged
Infrastructure
Software defined
datacenter – SDS, SDN
Devops
VDI-TC
Intel RSA
Cloud only
Containers (docker)
based operations
and Devops
Hyper-converged
infrastructure
Browser PC
Software defined
perimeter
networking
OCP, ODDC open
source HW + GPU
Today
Tomorrow
Next phase
Tactic
Strategic

26
Converged infrastructure proven benefits
• Time to market from (many) months to weeks
• Especially in integration and acceptance testing
• Easier maintenance and updates
• Traditionally firmware update is done when error happens
• Traditionally upgrade of one component leads to other upgrades
Big servers + big storage + network

27
Hyper-converged Infrastructure
• Currently best fit for branches, SME, specific projects
• Performance and flexibility lags traditional infrastructure
• 40G DC networks will push Hyper-converged to main stream usage
• Network is part of hyper-converged vendor offering or part of client’s DC
Server + storage
Server + storage
Server + storage

28
Storage as separate entity is evolving
• Flash is standard
• Active-Active is matured
• Organizations should explore object storage as part of their software
defined storage journey

29
NVME based storage: no more SCSI

3D Xpoint storage
3D XPoint is a non-
volatile memory
(NVM) technology
Next phase of
fast storage
Intel and
Micron
technology
Not in
production
yet
Compared to
NAND 10x lower
latency
4x writes 3x
reads
improvement

31
cost
Speed
LowHigh
High
Low
Source: Kaminario

• Logical architecture for
efficiently building and
managing Cloud-Scale
Infrastructure
• Provides the simplest path to a
Software Defined Datacenter
Intel® Rack Scale Architecture (RSA)
32
Increase performance per TCO$ & accelerate cloud adoption
Simplified Platform
Management
Disaggregate
Pool & Compose
Compute, Network & Storage

Bare-Metal as a Service
Customer A
Customer C
Customer B
• Next phase of Cloud Computing
• Leverage RSA and hardware
orchestration to fully customize
servers
• Move both legacy &
performance critical workloads
to the Cloud
• Cloud economics for Bare-Metal
infrastructure
• Consolidate internal IT

Software defined perimeter
Connectivity based
on a need-to-know
model
identity is verified
before access to
application is
granted
Black Cloud:
deny all SDN
application
Replace the
“NAC”
concept
“tighten the
belt” Initiating
Host
SDP
Controller
Accepting
Host
Data

35
Agenda
middleware

36
Facebook’s graphQL
• The client says to the server:

37

38

39
Cloud integration alternatives:
• Write code that access the API
• Reach the API via ESB + adaptor

40
what
Swagger, Raml
Standards for API documentations
Common documentation specification
language for describing API’s . Provides all the
information necessary to describe RESTful or other
APIs.
API economy
API economy is emerging as innovative force in growing
companies
Swagger definition
a specification for defining the
interface of a REST web
service
API mashup enablers
how
why
now
Upgrade to tools that support standard API
documentations such as Raml or Swagger

41
Using API’s in IDE’s

42
Swagger basic example
• For basic function http://host/greetings/hello/world that returns 'Hello
world‘, basic swagger will be:
{ "swaggerVersion": "1.2", "apis": [ {
"path": "http://localhost:8000/listings/greetings",
"description": "Generating greetings in our application."
} ] }
More at:
https://github.com/OAI/OpenAPI-
Specification/wiki/Hello-World-
Sample

43
Agenda
middleware

44
Development and architecture
Legacy code,
MicrosoftJAVA and
Web
Traditional ALM
Little test
automation
Long term projects
Only web HTML5 and
mobile (mainly native)
Agile
Microservices
Test automation
Focus on MVP –
minimum viable
product
Mobile native
apps
Agile
Microservices
Container based
development
Test automation is
must
Serverless
Today
Tomorrow
Next phaseTactic
Strategic

45
Microservices architecture
Source: http://martinfowler.com/

Microservices
Business agility Combine several
technologies in
the same project
Better scale,
more robust
Runs in
containers
Might cause
latency

47
Stateless development
• When app falls – you simply start it
• Intermediate state (data) should be stored in persistent
area (DB, disk)
• Application should run “as is” in dev-test-prod-cloud

48
Development languages
• Client (web) in javascript with angular, react, meteor, amber or redux
(and more…) frameworks
• Server in .net, java, nodejs, python, php, ruby, go, or scala (and
more…) languages
• Client to server (to infra) in Rest/GraphQL communication

49
What are Linux Containers ?
• Linux Containers (LXC) is an operating-system-level virtualization method for
running multiple isolated Linux systems (containers) on a single control host (LXC
host).

50
Virtual Machine Vs. Containers
OS
HW

51
What is Docker ?
• Docker is an open-source project that automates the deployment of applications
inside software containers, by providing an additional layer of abstraction and
automation of operating-system-level virtualization on Linux. (Wikipedia)

52
Why it Works: Separation of Concerns……
Source: files.meetup.com/11185112/Docker-Meetup-
jan-2015-Final.ppt

53
Containers basics
• Image: ready to use, read only container file
• Container: specific image that is running (with
“docker run” command). Able to run several
containers based on the same image

54
docker run
which image to run
other parameters (which program to run on
the image, etc.)

55
Which containers are running?
• docker ps

56
Docker Hub

57
Pulling down the image

58
Defining new image
• Defining new image with “dockerfile
• FROM docker/whalesay:latest
• RUN apt-get -y update && apt-get install -y
fortunes
• CMD /usr/games/fortune -a | cowsay
APT-GET is linux installation utility
CMD – which program to run

59
Creating new image based on dockerfile
• C:Userspinidocker2>docker build -t docker-demo-stki-2 .

60
List of docker images
docker-demo-stki-2

61
Container schedulers and orchestration

62
About containers
Containers bundle your app code,
dependencies, configuration in a unit,
abstracting your app from infrastructure
Operations: easier to deploy across dev,
test, and prod environments. Less errors
Developers: faster, independent
development.
Better scale updown (time to
provision 10th of second)
Perfect fit for microservices and
Devops
Standard way for ISV to distribute their
SW
Broad adoption by ISV, cloud, and
infrastructure
New procurement model
serverCPUCorecontainer

63
The floor is shaking

64
VMWARE and containers
VIC : each container runs in its own micro vm (dedicated kernel) using memory clone technology
named vmfork that spin the micro vm fast and efficiently
Typical containers:

65
Microsoft and containers
Scott Guthrie
Windows Subsystem for Linux (WSL) is a
compatibility layer for running Linux
binary executables ….natively on
Windows 10 …. WSL provides a Linux-
compatible kernel interface developed
by Microsoft (containing no Linux kernel
code)

66
Duck Test

67
Do you know this Linux machine?

68
Mainstream platform for enterprise IT
Web - Rest/GrapQL
Microservices
Stateless
Agile & lean
Devops and infrastructure as
code
SQL or noSQL
Container (Docker)
Operated by container schedulers
(kubernetes, etc.)

69
B$ questions about mainstream:
• Will run on bare metal or on cloud
computing platform (Openstack, VMWARE-VRA,
etc.)?

70
Kubernetes (containers) enables cloud interoperability

71
The Openstack train
Telecos
Service providers
Huge enterprise IT
Israeli enterprise IT

72
B$ questions about mainstream:
• Will run and be configured natively or
delivered via APaaS/XPaaS (Openshift, Cloud-
Foundry, Bluemix, etc.)?

73
Containers security

74
Agenda
middleware

75
Cyber security vs. Information Security
Information Security Cyber security

76
Cyber security vs. Information Security
And the winner is: Cyber security

77
Cyber, internal politics, organization and roles

78

79
STKI on cyber organization:

80
Cyber organization principals
• Dedicated cyber operations team
• Dedicated cyber guidance team
• Dedicated cyber control team

81
Cyber organization and roles
• Dedicated cyber operations team
– Security analysts that take action
• Deepest cyber knowledge but also multidisciplinary (T-people)
• Responsible for the SIEM-SOC rules
• Practical guidance for the rest of IT (development, infra, PC, network, etc.)
• Tight link to operations (part of operations = part of CAB)
• Outsourcing the security analysts is not trivial
– Cyber operations team (FW, EPP, patches, DBMS, development)
– Permission team

82
• Dedicated cyber guidance team
– “Head above water”
– Regulations
– Risk management methodology
– Business priorities

83
• Dedicated cyber control team
– Independent of operations and guidance

84
Conflicts in cyber
• No Objectives + No Measurement =
conflicts !!

85
Add cyber metrics to operations

86

87
Israel National Cyber Authority
standardization act (in process)

‫אבטחה‬ ‫רמת‬‫בקרות‬ / ‫הגנה‬‫טכנולוגיות‬
‫קריטיות‬
‫מימוש‬
‫רמת‬
‫אבטחה‬
1 - )1-3(
‫נמוך‬
‫קריטיות‬
‫בקרות‬
- )1-3(
‫נמוך‬ 1
‫שכלול‬
‫מוצרים‬
‫לדוגמא‬
‫רמת‬
‫בשלות‬
‫אחוז‬
‫מימוש‬
‫מצב‬
‫הארגון‬
)‫(ממוצע‬
‫אחוז‬
‫בשלות‬
‫יחסי‬
‫אחוז‬
‫מימוש‬
‫מצב‬
‫הארגון‬
‫(קריטיות‬
)‫בקרה‬
‫קיים‬ ‫לא‬
‫הטמעה‬
‫טכנולוגית‬
‫(התקנת‬
)‫המוצר‬
‫הטמעה‬
‫לוגית‬
‫הגדרות‬
‫עפ"י‬
‫הגדרות‬
)‫יצרן‬
‫פריסה‬
‫בארגון‬
‫(אחוז‬
‫הפריסה‬
‫בכלל‬
)‫הארגון‬
‫מבדקי‬
‫חדירה‬
‫והגדרות‬
‫פרטניות‬
‫מותאמות‬
- ‫לארגון‬
‫אופטומיזציה‬
‫תחזוקה‬
‫שוטפת‬
‫שלב‬‫שלב‬‫שלב‬‫שלב‬‫שלב‬
IT-‫תוכנית-הגנה‬0%30%60%70%90%100%12345
‫וניטור‬‫שליטה‬‫ניהול‬‫כלי‬1.1115100%73%75%
1.11SIEM320%HPArcsight11100%20.0%
1.12‫במערכות‬ Log‫הגדרת‬320%1170%14.0%
1.13SystemChangeManagement320%Tufin,algosec1190%18.0%
1.14DLP-‫מידע‬ ‫דלף‬213%Websense,SecureIsland110%0.0%
1.15‫אנומליות‬‫לזיהוי‬‫מערכות‬17%lightcyber1190%6.0%
1.16‫מידע‬ ‫אבטחת‬‫מערכות‬ ‫גיבויי‬‫ניהול‬213%BACKBOX1190%12.0%
1.17‫סייבר‬‫תחקור‬17%Wirex1170%4.7%
‫חיצונית‬‫הגנה‬1.2314100%173%76%
1.21Firewall321%CheckPoint,Paloalto1160%12.9%
1.22AntiSpam/EmailProtection214%Fortinet1160%8.6%
1.23Webfiltering321%Websense1190%19.3%
1.24SSLVPN214%Juniper1160%8.6%
1.25WAF321%F5,Imperva11100%21.4%
1.26SandBox17%FireEye1170%5.0%
‫רשת‬1.3213100%148%47%
1.31IPS/IDS215%PaloAlto110%0.0%
1.32NAC18%1170%5.4%
‫להטמעה‬ ‫עדיפות‬ ‫(סדרי‬ ‫הטמעה‬‫שלבי‬
)‫בארגון‬
0%
20%
40%
60%
80%
‫יטה‬‫ל‬ ‫ול‬‫ה‬‫י‬‫נ‬ ‫י‬‫ל‬‫כ‬
‫ור‬‫ט‬‫י‬‫נ‬‫ו‬
‫ית‬‫נ‬‫ו‬ ‫י‬‫ח‬‫הגנה‬
‫ת‬ ‫ר‬
‫י‬‫ת‬‫ר‬
‫ה‬ ‫ק‬‫ות‬‫נ‬‫תח‬ ‫י‬‫ד‬‫י‬‫י‬‫נ‬ ‫י‬‫ר‬‫י‬ ‫מכ‬
‫יה‬‫י‬ ‫יק‬‫ל‬ ‫א‬‫הגנת‬
‫י‬‫נ‬‫ו‬‫ת‬‫הנ‬ ‫הגנת‬
‫ידע‬‫מ‬
‫ות‬‫ה‬‫הזד‬
‫ות‬‫א‬ ‫והר‬
‫ידרה‬‫ס‬

89
Too many cyber tools …
EDR endpoint
detection &
response
Code scanning
tools
Authentication Bio
Authentication
CASB (cloud
access)
Data
Classification
Data Masking Database
Security
DDOS Deception
Honeypot
DLP Email Security
(email gateway)
Encryption Endpoint
Security
Firewall
Fraud
Prevention
Incident
Response
IPS MDM MAM -
mobile device
management
PAM –
Privileged
access
management
Network Access
- NAC
Secure Email
Gateway
Web security -
Secure Web
Gateway
SIEM Web
Application
Firewall

90
Cyber security personnel
‫מדף‬ ‫תוכנת‬=
‫תוכנה‬
‫על‬ ‫ארת‬ ‫נ‬
‫המדף‬

Conclusion – something needs to change
Market consolidation Game changer technology

92
The nightmare: zero day attack
• Attack exploiting undisclosed computer-software
vulnerability

93
Categorization of cyber (zero day?) defense
approaches
Anomaly detection (prod and
sandbox, network-endpoint,
application-business level)
Honeypots Deception
HW security (Intel’s SGX,
ARM’s trusted zone CPU)
Format changing
(‫,הלבנה‬ secured browsing)
Technology “tricks”
(morphisec, IBM’s ROP solution)
Pattern of malicious activity
(basic example – user entry but much
too fast)

94
Moving Target Defense
• Moving-target (MT) techniques seek to randomize system
components (IEEE)
• Tricks + Deception

95
Moving Target Defense
• What is moving (changing)?
– Memory addresses, Heap structure
– User names credentials
– Physical location
– Code Obfuscation - change the exec file
• How fast?
– Every time the program runs
– While the program is running
• Detection level

Intel Software Guard Extension (SGX)
Current architecture:
App.exe code
App.exe data
OS
User process
F.Schuster et al. “VC3: trustworthy data analytics in the cloud using SGX,” 36th IEEE Symposium on
Security & Privacy,
App.exe data

Intel Software Guard Extension (SGX)
• ENCLAVE?
• Hardware-based
protection
• User level execution
• E-init (compare
measurements of
enclave) App.exe code
App.exe data
OS
Enclave
Enclave code
Enclave data
User process
User process
App.exe
F.Schuster et al. “VC3: trustworthy data analytics in the cloud using SGX,” 36th IEEE Symposium on
Security & Privacy

FTE ratios are not trivial – cyber roles map
Cyber
guidance
Cyber
analysts
Infrastructure
development
Service desk
HR
NOC
outsourcing
cyber department

Cyber roles map
Regulations
Top management
cyber risk management
high level policy
awareness
Cyber
guidance
Cyber
analysts
Infrastructure
development
Service desk
HR
analyst - response team,
define siem rules
‫בקרי‬
practical policy
(development, suppliers,
identity)
permission (operations - not policy)
cyber tools: FW, dlp, encryption,
DBMS FW, EPP (AV), deception
cyber related tools: patch
management, networking, hardening,
privileged account management, email
security, data masking, authentication
NOC
outsourcing

100
Cyber personnel
• Number of employees divided to total number of cyber related IT
personnel for non-regulated orgs (regulations is less than 50% of cyber
budget):
• First level soc personnel not included (mainly soc service in non-
regulated orgs.)
Source: STKI
# employees / #
cyber personnel
Per FTE
65625 percentile
1125Median
179275 percentile

101
Cyber personnel: operational/guidance
• Number of operational cyber personnel divided to cyber guidance
personnel for non regulated orgs (regulations is less 50% of cyber
budget):
Source: STKI
# operational / #
guidance
Per FTE
1.5825 percentile
2.00Median
2.7575 percentile

102
Cyber personnel
• Number of employees (that use computers) divided to total number of cyber related
IT personnel for regulated orgs (regulations over 50% of cyber budget):
• Cyber personnel include: guidance, cyber analysts, cyber operations, permissions
team
• First level soc personnel not included, insurance agents (not employees) are not
included
Source: STKI
# employees / #
cyber personnel
Per FTE
10625 percentile
133Median
15875 percentile

103
Cyber personnel - guidance
• Number of employees (that use computers) divided to total number
of cyber guidance personnel for regulated orgs (regulations over
50% of cyber budget):
Source: STKI
# employees /
# cyber
guidance
Per FTE
33825 percentile
410Median
109575 percentile
Insurance agents (not employees) are not counted but still get service

104
Cyber personnel – first level SOC
• Options for first level SOC operations mode:
– In sourcing : 1-2 FTE at work hours, 1 FTE at night. Total is about 6-9 FTE
– In sourcing: 1-2 FTE at work hours, at night - part of NOC. Total is about
3-4 FTE
– Outsourcing mode - 0 FTE.
Source: STKI

105
Cyber personnel – cyber analysts
• Number of employees (that use computers) divided to total number of
cyber analysts personnel for regulated orgs (regulations over 50% of
cyber budget):
• Regulated organizations will have minimum 2 cyber analysts (part of
SOC or guidance). External response team might be used when needed.
Source: STKI
# employees / #
cyber analysts
Per FTE
60025 percentile
667Median
100075 percentile

106
Cyber personnel - operations
• Number of employees (that use computers) divided to total number of cyber
operations personnel for regulated orgs (regulations over 50% of cyber budget):
• Example for cyber operations activities: FW, network security, email security, DBMS
firewall, encryption, authentication, security patches, hardening, etc.
• In many cases part of infrastructure technology teams (networking, sytem, PC, etc).
Source: STKI
# employees / #
cyber operations
Per FTE
21725 percentile
285Median
50075 percentile

107
Cyber personnel – permissions team
• Number of employees (that use computers) divided to total number of
permissions team personnel for regulated orgs (regulations over 50%
of cyber budget):
• Permissions team might be part of service desk, security guidance or
security operations
Source: STKI
# employees / #
permissions team
Per FTE
46525 percentile
600Median
66775 percentile

108
Before we conclude - some questions
How do you measure my progress?
What do you measure (example:
Devop metrics)? What are your KPI’s?
Do you give enough priority to “the new
mainstream” ?

109
Summary- Let’s ride the tsunami wave!
But focus on where you want to go!!

That’s it.
Thank you!
110

Summit 2017 cyber delivery v4 long version

More Related Content

What's hot

Viewers also liked

Similar to Summit 2017 cyber delivery v4 long version

More from Pini Cohen

Recently uploaded

Summit 2017 cyber delivery v4 long version