This document contains slides from a presentation on modern delivery and cybersecurity for enterprise IT. The presentation covers many topics including organizational changes needed to adopt new technologies like microservices, containers, and cloud computing. It discusses moving from traditional monolithic applications to microservices architectures and container-based development. The slides also address infrastructure changes like converged, hyper-converged, and software-defined infrastructure. Middleware, development practices, and security topics are also covered at a high-level.
Artificial intelligence in the post-deep learning era
Modern Delivery & Cyber for Enterprise IT
1. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 1
Modern delivery &
cyber for enterprise IT
Long version
presentation
2. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 2
What is happening in delivery & cyber?
3. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 3
But after the tsunami we expect stable weather
4. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
4
Mainstream platform for enterprise IT
• How most new applications are built and operate
A B
5. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
5
From A to B
• Monolithic web applications based on
Rest developed in water fall based on
relational dbms distributed and configured
with automation tools (puppet, chef,
ansible) run on virtualized environment
(compute) and traditional storage and
network secured with 30 (or so) tools
• Microservices, stateless, agile built, devops Rest
/GrapQL web applications built on nosql or sql
dbms and containers operated with container
orchestrators based APaaS on top of private/public
cloud or directly on commodity servers with
virtualization enabled by SDN, SDS secured with
software defined perimeter architecture and HW
based security
TL;DRToo Long; Didn’t Read
6. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
6
Now let’s go step by step
7. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
7
Enterprise IT different fronts
Traditional IT
New internal
customers
Clients
Today
Tomorrow
Next phaseTactic
Strategic
8. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
8
Let’s start
9. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
9
Basic theme
Cost reduction
and efficiency
Fast delivery of
solutions
Like software
vendor –
Instagram-
facebook I
Today
Tomorrow
Next phaseTactic
Strategic
10. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
10
Basic challenges
Aging workforce
Legacy (niche) vendors
raise price
Keeping availability-
reliability
Most of budget is
operations=maintenance
Shadow IT
Integrating cloud
and on premise
data and
processes
Top and agile
functionality in
changing
technology world
Today
Tomorrow
Next phase
Tactic
Strategic
11. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
11
Before we conclude: what about our legacy?
12. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
12
STKI on Legacy platforms
• Last longer than anyone expected
• The slope to oblivion:
– New technology arrives. It looks immature but gain momentum.
– Legacy vendors raise prices
– Shortage in newyoung personnel
– Less support to 3rd parties (example – security 3rd parties)
– Important functionalitystandards missing
– Availability performance -unresolved issues
13. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
13
STKI on Legacy platforms: when do I stop?
14. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
14
Agenda
organization, processes and skills
DC and infrastructure
middleware
development and architecturecyber security
15. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
15
Staffing, organization, skills, operations
Development
organization is copy
of LOB
Traditional
infrastructure org.
(server, storage,
network, PC, …)
Part of traditional IT
Mashup development
and infrastructure
organization
Development and
Devops team are
responsible for
production
Everybody is
developer
Different CAB
(change advisory
board)
Today
Tomorrow
Next phase
Tactic
Strategic
16. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
16
Traditional infra. organization
System Network DC Storage
17. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
17
What we need for new organization at
operationsinfrastructure?
Publichybrid cloud
Private cloud
Converged infrastructure
Hyper-converged
infrastructure
Devops
Containers-docker
18. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
18
The best way – one team!!
19. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
19
Recommended mashup (product) organization
System Network DC Storage
Production
faults
Sizing-
architecture
DR
Cloud
20. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
20
Also possible (short term)
• One team (for converged, cloud, etc.) , with skills differentiated, into
the same department
• Also have security people integrated
System Network
DC
Storage Private
Cloud
Network
Storage
System
21. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
21
IT
Infra
structure
BI LoB1 LoB2 LoB3
OCIO
Development organization: break the
functional silos. Use agilelean
CEO
Innovation CDO IT LoB1 LoB2 LoB3
Silo1 Silo2 Silo3
Source: Deloitte
Sequential project phases with
different skill groups
Multi skilled,
result oriented teams
22. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
22
Delivery skills and staffing
• Everybody (infrastructure, delivery) is a software
developer (scripts)
• implementing SDLC (source control, versioning, testing, agile, etc.)
• Delivery staffing might decline by 25%
• Storage will decline more
• Systemserver will decline less
• Fragmented IT will experience less decline in staffing
23. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
23
Devops vs. CAB (change advisory board)
Availability of IT Change management (CAB)
“Let them Devops” but approve the process (not specific change):
• Which tests are needed before prod?
• Which types of change don’t need CAB? (most of changes…)
What about Devops?
Head of operationsinfrastructure responsibility:
24. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
24
Agenda
organization, processes and skills
DC and infrastructure
middleware
development and architecturecyber security
25. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
25
DC-Infrastructure layers
Trend towards hosting-
Traditional Virtualization-
storage – networking
Third party maintenance
– new option
Traditional PC
Hybrid cloud
Converged
Infrastructure
Software defined
datacenter – SDS, SDN
Devops
VDI-TC
Intel RSA
Cloud only
Containers (docker)
based operations
and Devops
Hyper-converged
infrastructure
Browser PC
Software defined
perimeter
networking
OCP, ODDC open
source HW + GPU
Today
Tomorrow
Next phase
Tactic
Strategic
26. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
26
Converged infrastructure proven benefits
• Time to market from (many) months to weeks
• Especially in integration and acceptance testing
• Easier maintenance and updates
• Traditionally firmware update is done when error happens
• Traditionally upgrade of one component leads to other upgrades
Big servers + big storage + network
27. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
27
Hyper-converged Infrastructure
• Currently best fit for branches, SME, specific projects
• Performance and flexibility lags traditional infrastructure
• 40G DC networks will push Hyper-converged to main stream usage
• Network is part of hyper-converged vendor offering or part of client’s DC
Server + storage
Server + storage
Server + storage
28. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
28
Storage as separate entity is evolving
• Flash is standard
• Active-Active is matured
• Organizations should explore object storage as part of their software
defined storage journey
29. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
29
NVME based storage: no more SCSI
30. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 30
3D Xpoint storage
3D XPoint is a non-
volatile memory
(NVM) technology
Next phase of
fast storage
Intel and
Micron
technology
Not in
production
yet
Compared to
NAND 10x lower
latency
4x writes 3x
reads
improvement
31. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
31
cost
Speed
LowHigh
High
Low
Source: Kaminario
32. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
• Logical architecture for
efficiently building and
managing Cloud-Scale
Infrastructure
• Provides the simplest path to a
Software Defined Datacenter
Intel® Rack Scale Architecture (RSA)
32
Increase performance per TCO$ & accelerate cloud adoption
Simplified Platform
Management
Disaggregate
Pool & Compose
Compute, Network & Storage
33. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
Bare-Metal as a Service
Customer A
Customer C
Customer B
• Next phase of Cloud Computing
• Leverage RSA and hardware
orchestration to fully customize
servers
• Move both legacy &
performance critical workloads
to the Cloud
• Cloud economics for Bare-Metal
infrastructure
• Consolidate internal IT
34. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 34
Software defined perimeter
Connectivity based
on a need-to-know
model
identity is verified
before access to
application is
granted
Black Cloud:
deny all SDN
application
Replace the
“NAC”
concept
“tighten the
belt” Initiating
Host
SDP
Controller
Accepting
Host
Data
35. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
35
Agenda
organization, processes and skills
DC and infrastructure
middleware
development and architecturecyber security
36. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
36
Facebook’s graphQL
• The client says to the server:
37. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
37
38. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
38
39. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
39
Cloud integration alternatives:
• Write code that access the API
• Reach the API via ESB + adaptor
40. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
40
what
Swagger, Raml
Standards for API documentations
Common documentation specification
language for describing API’s . Provides all the
information necessary to describe RESTful or other
APIs.
API economy
API economy is emerging as innovative force in growing
companies
Swagger definition
a specification for defining the
interface of a REST web
service
API mashup enablers
how
why
now
Upgrade to tools that support standard API
documentations such as Raml or Swagger
41. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
41
Using API’s in IDE’s
42. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
42
Swagger basic example
• For basic function http://host/greetings/hello/world that returns 'Hello
world‘, basic swagger will be:
{ "swaggerVersion": "1.2", "apis": [ {
"path": "http://localhost:8000/listings/greetings",
"description": "Generating greetings in our application."
} ] }
More at:
https://github.com/OAI/OpenAPI-
Specification/wiki/Hello-World-
Sample
43. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
43
Agenda
organization, processes and skills
DC and infrastructure
middleware
development and architecturecyber security
44. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
44
Development and architecture
Legacy code,
MicrosoftJAVA and
Web
Traditional ALM
Little test
automation
Long term projects
Only web HTML5 and
mobile (mainly native)
Agile
Microservices
Test automation
Focus on MVP –
minimum viable
product
Mobile native
apps
Agile
Microservices
Container based
development
Test automation is
must
Serverless
Today
Tomorrow
Next phaseTactic
Strategic
45. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
45
Microservices architecture
Source: http://martinfowler.com/
46. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 46
Microservices
Business agility Combine several
technologies in
the same project
Better scale,
more robust
Runs in
containers
Might cause
latency
47. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
47
Stateless development
• When app falls – you simply start it
• Intermediate state (data) should be stored in persistent
area (DB, disk)
• Application should run “as is” in dev-test-prod-cloud
48. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
48
Development languages
• Client (web) in javascript with angular, react, meteor, amber or redux
(and more…) frameworks
• Server in .net, java, nodejs, python, php, ruby, go, or scala (and
more…) languages
• Client to server (to infra) in Rest/GraphQL communication
49. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
49
What are Linux Containers ?
• Linux Containers (LXC) is an operating-system-level virtualization method for
running multiple isolated Linux systems (containers) on a single control host (LXC
host).
50. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
50
Virtual Machine Vs. Containers
OS
HW
51. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
51
What is Docker ?
• Docker is an open-source project that automates the deployment of applications
inside software containers, by providing an additional layer of abstraction and
automation of operating-system-level virtualization on Linux. (Wikipedia)
52. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
52
Why it Works: Separation of Concerns……
Source: files.meetup.com/11185112/Docker-Meetup-
jan-2015-Final.ppt
53. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
53
Containers basics
• Image: ready to use, read only container file
• Container: specific image that is running (with
“docker run” command). Able to run several
containers based on the same image
54. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
54
docker run
which image to run
other parameters (which program to run on
the image, etc.)
55. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
55
Which containers are running?
• docker ps
56. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
56
Docker Hub
57. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
57
Pulling down the image
58. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
58
Defining new image
• Defining new image with “dockerfile
• FROM docker/whalesay:latest
• RUN apt-get -y update && apt-get install -y
fortunes
• CMD /usr/games/fortune -a | cowsay
APT-GET is linux installation utility
CMD – which program to run
59. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
59
Creating new image based on dockerfile
• C:Userspinidocker2>docker build -t docker-demo-stki-2 .
60. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
60
List of docker images
docker-demo-stki-2
61. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
61
Container schedulers and orchestration
62. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
62
About containers
Containers bundle your app code,
dependencies, configuration in a unit,
abstracting your app from infrastructure
Operations: easier to deploy across dev,
test, and prod environments. Less errors
Developers: faster, independent
development.
Better scale updown (time to
provision 10th of second)
Perfect fit for microservices and
Devops
Standard way for ISV to distribute their
SW
Broad adoption by ISV, cloud, and
infrastructure
New procurement model
serverCPUCorecontainer
63. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
63
The floor is shaking
64. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
64
VMWARE and containers
VIC : each container runs in its own micro vm (dedicated kernel) using memory clone technology
named vmfork that spin the micro vm fast and efficiently
Typical containers:
65. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
65
Microsoft and containers
Scott Guthrie
Windows Subsystem for Linux (WSL) is a
compatibility layer for running Linux
binary executables ….natively on
Windows 10 …. WSL provides a Linux-
compatible kernel interface developed
by Microsoft (containing no Linux kernel
code)
66. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
66
Duck Test
67. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
67
Do you know this Linux machine?
68. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
68
Mainstream platform for enterprise IT
Web - Rest/GrapQL
Microservices
Stateless
Agile & lean
Devops and infrastructure as
code
SQL or noSQL
Container (Docker)
Operated by container schedulers
(kubernetes, etc.)
69. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
69
B$ questions about mainstream:
• Will run on bare metal or on cloud
computing platform (Openstack, VMWARE-VRA,
etc.)?
70. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
70
Kubernetes (containers) enables cloud interoperability
71. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
71
The Openstack train
Telecos
Service providers
Huge enterprise IT
Israeli enterprise IT
72. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
72
B$ questions about mainstream:
• Will run and be configured natively or
delivered via APaaS/XPaaS (Openshift, Cloud-
Foundry, Bluemix, etc.)?
73. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
73
Containers security
74. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
74
Agenda
organization, processes and skills
DC and infrastructure
middleware
development and architecturecyber security
75. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
75
Cyber security vs. Information Security
Information Security Cyber security
76. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
76
Cyber security vs. Information Security
And the winner is: Cyber security
77. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
77
Cyber, internal politics, organization and roles
78. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
78
79. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
79
STKI on cyber organization:
80. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
80
Cyber organization principals
• Dedicated cyber operations team
• Dedicated cyber guidance team
• Dedicated cyber control team
81. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
81
Cyber organization and roles
• Dedicated cyber operations team
– Security analysts that take action
• Deepest cyber knowledge but also multidisciplinary (T-people)
• Responsible for the SIEM-SOC rules
• Practical guidance for the rest of IT (development, infra, PC, network, etc.)
• Tight link to operations (part of operations = part of CAB)
• Outsourcing the security analysts is not trivial
– Cyber operations team (FW, EPP, patches, DBMS, development)
– Permission team
82. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
82
Cyber organization and roles
• Dedicated cyber guidance team
– “Head above water”
– Regulations
– Risk management methodology
– Business priorities
83. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
83
Cyber organization and roles
• Dedicated cyber control team
– Independent of operations and guidance
84. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
84
Conflicts in cyber
• No Objectives + No Measurement =
conflicts !!
85. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
85
Add cyber metrics to operations
86. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
86
87. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
87
Israel National Cyber Authority
standardization act (in process)
89. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
89
Too many cyber tools …
EDR endpoint
detection &
response
Code scanning
tools
Authentication Bio
Authentication
CASB (cloud
access)
Data
Classification
Data Masking Database
Security
DDOS Deception
Honeypot
DLP Email Security
(email gateway)
Encryption Endpoint
Security
Firewall
Fraud
Prevention
Incident
Response
IPS MDM MAM -
mobile device
management
PAM –
Privileged
access
management
Network Access
- NAC
Secure Email
Gateway
Web security -
Secure Web
Gateway
SIEM Web
Application
Firewall
90. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
90
Cyber security personnel
מדף תוכנת=
תוכנה
על ארת נ
המדף
91. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 91
Conclusion – something needs to change
Market consolidation Game changer technology
92. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
92
The nightmare: zero day attack
• Attack exploiting undisclosed computer-software
vulnerability
93. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
93
Categorization of cyber (zero day?) defense
approaches
Anomaly detection (prod and
sandbox, network-endpoint,
application-business level)
Honeypots Deception
HW security (Intel’s SGX,
ARM’s trusted zone CPU)
Format changing
(,הלבנה secured browsing)
Technology “tricks”
(morphisec, IBM’s ROP solution)
Pattern of malicious activity
(basic example – user entry but much
too fast)
94. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
94
Moving Target Defense
• Moving-target (MT) techniques seek to randomize system
components (IEEE)
• Tricks + Deception
95. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
95
Moving Target Defense
• What is moving (changing)?
– Memory addresses, Heap structure
– User names credentials
– Physical location
– Code Obfuscation - change the exec file
• How fast?
– Every time the program runs
– While the program is running
• Detection level
96. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 96
Intel Software Guard Extension (SGX)
Current architecture:
App.exe code
App.exe data
OS
User process
F.Schuster et al. “VC3: trustworthy data analytics in the cloud using SGX,” 36th IEEE Symposium on
Security & Privacy,
App.exe data
97. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 97
Intel Software Guard Extension (SGX)
• ENCLAVE?
• Hardware-based
protection
• User level execution
• E-init (compare
measurements of
enclave) App.exe code
App.exe data
OS
Enclave
Enclave code
Enclave data
User process
User process
App.exe
F.Schuster et al. “VC3: trustworthy data analytics in the cloud using SGX,” 36th IEEE Symposium on
Security & Privacy
98. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 98
FTE ratios are not trivial – cyber roles map
Cyber
guidance
Cyber
analysts
Infrastructure
development
Service desk
HR
NOC
outsourcing
cyber department
99. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph 99
Cyber roles map
Regulations
Top management
cyber risk management
high level policy
awareness
Cyber
guidance
Cyber
analysts
Infrastructure
development
Service desk
HR
analyst - response team,
define siem rules
בקרי
practical policy
(development, suppliers,
identity)
permission (operations - not policy)
cyber tools: FW, dlp, encryption,
DBMS FW, EPP (AV), deception
cyber related tools: patch
management, networking, hardening,
privileged account management, email
security, data masking, authentication
NOC
outsourcing
100. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
100
Cyber personnel
• Number of employees divided to total number of cyber related IT
personnel for non-regulated orgs (regulations is less than 50% of cyber
budget):
• First level soc personnel not included (mainly soc service in non-
regulated orgs.)
Source: STKI
# employees / #
cyber personnel
Per FTE
65625 percentile
1125Median
179275 percentile
101. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
101
Cyber personnel: operational/guidance
• Number of operational cyber personnel divided to cyber guidance
personnel for non regulated orgs (regulations is less 50% of cyber
budget):
Source: STKI
# operational / #
guidance
Per FTE
1.5825 percentile
2.00Median
2.7575 percentile
102. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
102
Cyber personnel
• Number of employees (that use computers) divided to total number of cyber related
IT personnel for regulated orgs (regulations over 50% of cyber budget):
• Cyber personnel include: guidance, cyber analysts, cyber operations, permissions
team
• First level soc personnel not included, insurance agents (not employees) are not
included
Source: STKI
# employees / #
cyber personnel
Per FTE
10625 percentile
133Median
15875 percentile
103. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
103
Cyber personnel - guidance
• Number of employees (that use computers) divided to total number
of cyber guidance personnel for regulated orgs (regulations over
50% of cyber budget):
Source: STKI
# employees /
# cyber
guidance
Per FTE
33825 percentile
410Median
109575 percentile
Insurance agents (not employees) are not counted but still get service
104. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
104
Cyber personnel – first level SOC
• Options for first level SOC operations mode:
– In sourcing : 1-2 FTE at work hours, 1 FTE at night. Total is about 6-9 FTE
– In sourcing: 1-2 FTE at work hours, at night - part of NOC. Total is about
3-4 FTE
– Outsourcing mode - 0 FTE.
Source: STKI
105. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
105
Cyber personnel – cyber analysts
• Number of employees (that use computers) divided to total number of
cyber analysts personnel for regulated orgs (regulations over 50% of
cyber budget):
• Regulated organizations will have minimum 2 cyber analysts (part of
SOC or guidance). External response team might be used when needed.
Source: STKI
# employees / #
cyber analysts
Per FTE
60025 percentile
667Median
100075 percentile
Insurance agents (not employees) are not counted but still get service
106. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
106
Cyber personnel - operations
• Number of employees (that use computers) divided to total number of cyber
operations personnel for regulated orgs (regulations over 50% of cyber budget):
• Example for cyber operations activities: FW, network security, email security, DBMS
firewall, encryption, authentication, security patches, hardening, etc.
• In many cases part of infrastructure technology teams (networking, sytem, PC, etc).
Source: STKI
# employees / #
cyber operations
Per FTE
21725 percentile
285Median
50075 percentile
107. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
107
Cyber personnel – permissions team
• Number of employees (that use computers) divided to total number of
permissions team personnel for regulated orgs (regulations over 50%
of cyber budget):
• Permissions team might be part of service desk, security guidance or
security operations
Source: STKI
# employees / #
permissions team
Per FTE
46525 percentile
600Median
66775 percentile
Insurance agents (not employees) are not counted but still get service
108. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
108
Before we conclude - some questions
How do you measure my progress?
What do you measure (example:
Devop metrics)? What are your KPI’s?
Do you give enough priority to “the new
mainstream” ?
109. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
109
Summary- Let’s ride the tsunami wave!
But focus on where you want to go!!
110. Pini Cohen’s work Copyright@2017. Do not remove source or attribution from any slide or graph
That’s it.
Thank you!
110