apmg-international.com
© Copyright APMG Group 2018, All Rights Reserved
CYBER SECURITY
No Service Management,
No Cyber Security
20th November 2018
Martin Huddleston, Head of Cyber
CDCAT® is the registered trade mark of The Secretary of State for Defence, Dstl
What we will cover
• The Service Management Risk Balance
• The Threat
• What Good Cyber Security Looks Like
• Analytics – Cyber Security through the Service Management Lens
• Real world Case Studies of High Frequency Use Process in Threat Prevention
• A Tangled Web
• What it means to be ‘Effective’, meeting appetite to take risk
• Digital Services Growth – Service Management Futures
• Takeaways
Service Management Reminder – Risk Balance
• Resources
• Quality / Performance (including cyber security)
• Stakeholder interests
Threat Actor Motivations, Means and Agility
Financial Fraud / Extortion
Resource Acquisition
Competitive IP Theft
Reputational Damage
Blackmail
State Sponsored Attacks
Social engineered attacks on the person / groups
Speed and agility in opportunities of the moment
Supply chain, 3rd party code and API security
Resource acquisition and parasitic processes
Modern Day Dog-Fight – Attacker Lifecycle Elements
• Privilege Escalation
• Opportunity Identification
• Attacker DevSecOps
• Reconnaissance
• Initial Access
• Execution
• Persistence
• Defence Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Command and Control
• Attack Assurance
So What Does Good Cyber Security Look Like?
• Service Management Integrated Standard(s) & Frameworks
• Proportionate Performance to Impacts, Agile to Context and Appetite to Take Risk
• Per Asset and per Threat Performance
• Cyber Value and Effectiveness Measurable
Good Cyber Security – 2009 ‘Conficker’ Impact
• UK MoD needed a means to assess systems' cyber defence preparedness
• MoD Chief Scientific Advisor asked Dstl to establish “What good looks like”
• Dstl could not find a suitable commercial product
• MOD / Dstl developed know-how to enable it to:
  ◦ Systematically collect evidence
  ◦ Make evidence based investment decisions
  ◦ Do this at pace and scale
CDCAT® is the registered trademark of The Secretary of State for Defence.
© Crown copyright, 2015; Crown Database Rights, 2015
Integrated Control System for Cyber Security
• Operational Resilience
• 2 Lifecycles in Risk Balance
  ◦ Cyber Defence
  ◦ Service Management
• Multi-standard Support
  ◦ 159 Capabilities, NATO*/MOD Derived
  ◦ Protect / Defend / Operate satisfaction of ALL included standards
Modern Day Dog-Fight – Defender Lifecycles / Phases
“Security is not merely a ‘state’ but a process that consists of 3 fundamental components: Protection, Detection and Reaction”
- Bob Ayers, US DoD, 1998
• Strategy
• Design
• Transition
  ◦ Incl. DevSecOps
• Operation
• Continual Improvement
• Assess*
• Deter
• Protect
• Detect
• Respond
• Recover
* Compared to US NIST Cyber Security Framework – Identify, Protect, Detect, Respond, Recover
So What of Service Management?
Analytics – Cyber Security through the Service Management Lens
A Capability Based Assessment
10 Steps to Cyber Security – Capability Count
[Figure: two charts, “10 Steps to Cyber Security” and “10 Steps – Excl. ITIL® V3”, each plotting Capability Re-use Count against Capability Order (by frequency rank)]
Top Four Gaps:
1) Incident Management
2) Risk Management
3) Supplier Management
4) Service Asset & Configuration Management
Top Four:
1) Define Security Configuration Baselines
2) Establish Policies to Secure Target System
3) Establish Policies to Secure Information
4) Identify Minimum System Security Requirements
US NIST Cyber Security Framework – Capability Count
[Figure: two charts, “NIST CSF V1.1” and “NIST CSF V1.1 excl. ITIL V3”, each plotting Capability Re-use Count against Capability Order (by frequency rank)]
Top Four:
1) Information Security
2) Health Checks / Audits
3) Secure Data and Network Management
4) Accounting and Audit Controls
Top Four Gaps:
1) Information Security
2) Incident Management
3) Supplier Management
4) Risk Management
Poll of Top Service Management Capabilities - Impact
MageCart Incidents: Ticketmaster, British Airways et al.
Top ITIL® Capabilities:
• Supplier Management
• Service Asset & Configuration Management
• Incident Management
• Risk Management
Poll of Top Service Management Capabilities - Impact
Facebook Incident
“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017…hackers were using the site's API to automate the process of grabbing users' profile information”
Top ITIL® Capabilities:
• Supplier Management
• Service Asset & Configuration Management
• Incident Management
• Risk Management
Poll of Top Service Management Capabilities - Impact
SamSam Incidents – Healthcare Sector
“Modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand”
Top ITIL® Capabilities:
• Supplier Management
• Service Asset & Configuration Management
• Incident Management
• Risk Management
Service Management in Complex System Risk – “A Tangled Web”
• Change language to Cyber Defence, not passive cyber security, but proactive defence.
• Increasing dependencies are a growing risk
  ◦ With every new cyber security standard, we are seeing greater complexity
• A future is with us now
  ◦ AI’s essential impact on service management, the complexity & scale issue
• But not all good. A new class of problems and a new Service Management:
  ◦ Prevent: keeping down the AI weeds from choking the internet and digital services
  ◦ Detect: preventing cyber ‘bad’ actors from weaponizing the AI weeds
  ◦ Recover/Respond: cleaning up the AI weeds.
Continual Improvement - Operational Risk Measurement e.g. Supply / Service Chain Security Effectiveness
• These assets are individual systems / services that have had cyber defence assessment and effectiveness measurement calibrated to real-world performance data
• These allow you to decide a risk appetite and actions to accept, treat, transfer or avoid the risk as a portfolio
[Figure: Overall Effectiveness with Maturity Levels]
Control System Trends in Digital Services Growth
Leading to a changing face for Operational Resilience and Management of Harm
• Adhoc
• Passive: Process Quality Only Compliance Driven
• Reactive: BC & DR Response & Recovery Driven
• Proactive: Intelligence, Analytics & Agility Driven
• Autonomic: Self Healing, re-Provisioning, After-care
Takeaways
1. Service Managers can “step up” to secure networks; effective security is a ‘team’ sport - consider your high frequency processes first
2. The need for more operational testing, SIAM*, DevSecOps and of complex systems is inevitable - consider your ‘Release and Deployment’ processes
3. Baseline your current maturity effectiveness to empower your business conversations in valuing cyber risk - quantify it with the business exposure
*SIAM – Service Integration and Management
Questions
Keeping in touch
+44 (0) 1494 452450
servicedesk@apmgroupltd.com
linkedin.com/company/apm-group
apmg-international.com
@Cyber_APMG @APMG_Inter
facebook.com/APMGinternationalLTD
© APMG International Ltd. 2018. All rights reserved.

Martin Huddleston: No Service Management, No Security

Editor's Notes

  1. No service management, No cyber security
     Cyber Security is no different from any other management activity: the theory is straightforward and well known, execution is very difficult. Research carried out by a joint UK/US team identified that one key element of high quality Cyber security is world class service management, as the majority of controls used to secure a system lie within the Service management realm. Martin will outline the background to the research and share the results that identify how service management controls fit within a Cyber security life cycle. Building on this work Martin will show how we need to think more about effectiveness and continuous improvement rather than compliance to give us the best chance of staying ahead of the attackers.
     Plan
     • Assume people know what service management is (3 legged stool), what is cyber security re operational resilience maturity to agile defence agile operations resource prioritisation agility, raising process and performance maturity to be able to be agile to be able to perform.
     • What makes cyber security execution difficult? [Threat agility, attack right once, defence right every time] [Failure of protection, resort to Resilience/recovery] [Evolution of systems / defences]
     • NATO / MOD background, maturity models for agility.
     • What is high quality Cyber Security and what role is Service Management playing – heat map/statistics/re-use.
     • Demonstrate how service management controls fit in the Cyber Security Lifecycle. [iData CPNI/NCSC kill chain, ATT&CK steps/lifecycle, A/D/P/D/R/R]
     • Effectiveness & continual improvement (noting ISO20000-1:2018 has dropped CSI), agility to stay ahead of attackers, DevSecOps [re recent UK/US/Canada Airforce investments in agile process] [coding securely at pace] [issue for GitHub and Red Hat’s new owners re opensource]
  2. Service Management Reminder; Threats, Threat Agility; What does good look like in Cyber Security
  3. Financial Fraud/Extortion, Resource Acquisition, Competitive IP Theft, Reputational Damage, Blackmail, State Sponsored Attacks…
     NCSC: Sept Threat brief on Supply Chain. NCSC is developing its approach to this issue and stated in October 2018 that the risk in the supply chain is:-
     • An increase in pace and number of cyber security incidents
     • No increase in severity
     • Vulnerabilities are old and can be patched
     • Attacks do not require use of high-end skills
     • Supply chain at risk, with suppliers being the first source of the compromise.
     NCSC’s approach also recommends:-
     • Promoting cloud-based hosting technology for the vast majority of users
     • To change the focus from sites to systems
     • Exploring models for examining and recording cyber security of common suppliers
     • Promoting NIS across all CNI sectors (not just ones regulated by NIS) and major businesses to improve security in the supply chain
     • Piloting a new Active Cyber Defence “Supplier Check” inspection of external web site as proxy for internal cyber posture.
     Current ‘Live’ Means Used by Attackers
     • Social engineered attacks on the person e.g. Phishing, Vishing, Whaling, etc
     • Speed and agility e.g. opportunistic ransomware, machine to machine network exploitation – SAMSAM, WannaCry, etc
     • Supply chain and sources of code and API security e.g. CCleaner, MageCart (TicketMaster, BA et al), Facebook, etc
     • Resource acquisition in parasitic processes e.g. DDOS bots, crypto mining, scam hosting
     https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites
     Much of Magecart’s previous attacks focused on compromising third-party providers. The group would inject its malicious code into libraries and scripts provided by third-party providers, thus ensuring that any website using that provider’s code would be executing the attack code. For example, Magecart has targeted websites running outdated and unpatched versions of Magento, an open-source ecommerce platform written in PHP.
     Recent figures suggest that over 7,300 stores have been affected by the MagentoCore card skimming code.
  4. Unseen, performing, cost effective – sounds like service management … Compliance is not Enough, How High the Bar, What Performance and what Effectiveness, What Agility, changing the Bar.
     Anticipating the Threats / Vulnerabilities, Continual Optimisation, ATT&CK / Intel, Automation Commoditisation Cloud Utility Security Just a characteristic of Digital Service, a feature of service & service management.
     Like any athlete the organisation needs to perform, every time, which is hard; sustaining performance is all about service management, including delivering agile services, where the service is cyber security.
     What it is not is conformance to ISO/IEC 27001 or ISO/IEC 20000-1 or any ‘compliance’ standard. It is much more than process in the sense of process quality improvement.
     Sustaining outcomes, Sustaining and Adapting, Optimising to the dynamic, more than People, Process, Technology – sustaining is about TEPIMOIL / Leadership … don’t conflate ‘Governance’ with ‘Performance’ – operational agility is hard, but service management has always sought to deliver the 3 legged stool of balancing stakeholders, resources and performance/quality/output – we know there are never enough resources, not just for security; resources and prioritisation are the order of the day.
     Performance vs compliance, visualise the High Jump, but how high the bar?
  5. Background: ‘Time Based Security’ book by Winn Schwartau on, Bob Ayers Director at DoD Information Systems Security Programme and team at US DOD DISA, Circa 1997: Protection > Detection + Reaction. ‘Risk Avoidance’ cultures are doomed to failure. Security risk cannot be designed out.
  6. 5 basic cyber controls that everyone should adhere to:
     • Boundary firewalls and internet gateways
     • Secure configuration
     • Access control
     • Malware protection
     • Patch management
     Top 5 Capabilities by Frequency:
     • Define Security Configuration Baselines
     • Establish Policies to Secure Target System
     • Establish Policies to Secure Information
     • Identify Minimum System Security Requirements
     • Secure Data and Network Management
     Top 6 Capabilities used for ITIL V3 Delivery:
     • Incident Management
     • Risk Management
     • Supplier Management
     • Service Asset & Configuration Management
     • Cyber Policy
     • Event Management
  7. Top 5 Capabilities by frequency:
     • Information Security
     • Health Checks / Audits
     • Secure Data and Network Management
     • Accounting and Audit Controls
     • Incident Management
     Top 6 ITIL V3 Capabilities excluded:
     • Information Security
     • Incident Management
     • Supplier Management
     • Risk Management
     • Service Continuity Plan
     • Metrics / Improvement Opportunity Identification
  8. https://duo.com/decipher/magecart-group-refines-attacks-nabs-more-sites
     https://www.zdnet.com/article/british-airways-cyberattack-data-theft-bigger-than-we-first-thought/
     10 Steps: Incident Management; Risk Management; Supplier Management; Service Asset & Configuration Management; Cyber Policy; Event Management
     ASD: Service Asset & Configuration Management 2; Change Management; Event Management; Incident Management 2; Release and Deployment Management; Risk Management 2
     NIST: Information Security; Incident Management 3; Supplier Management 2; Risk Management 3; Service Continuity Plan; Metrics / Improvement Opportunity Identification
     Aggregate: Cyber Policy 2; Information Security 2; Cyber Strategy; Metrics / Improvement Opportunity Identification; Risk Management 4; Access Management
  9. Change language to Cyber Defence, not passive cyber security, but proactive defence.
     Increasing dependencies are a growing risk. With every new cyber security standard, we are seeing greater complexity/dependencies. Statistics on complexity, re growth in number of mappings per capability, would be a strong indicator of the fundamental need for automation in capability interactions. Could conclude from this why SM and SIAT in particular, remains and will grow in importance.
     A future with us now in a tangled Web: AI’s growing and essential impact on service management, the complexity & scale issue. But not all good, a new class of problems:
     • Prevent: keeping down the AI weeds from choking the internet and digital services
     • Detect: preventing cyber ‘bad’ actors from weaponizing the AI weeds
     • Recover/Respond: cleaning up the AI weeds.
     https://www.weforum.org/reports/the-global-risks-report-2018
     A Tangled Web: Artificial intelligence “weeds” proliferate, choking off the performance of the internet
     What if the adverse impact of artificial intelligence (AI) involves not a super-intelligence that takes control from humans but “AI weeds”—low-level algorithms that slowly choke off the internet? Algorithms are already proliferating. As they increase in sophistication—as we become more reliant on code that writes code, for example—explosive growth becomes more likely. A divergence could open between the code we have created and our capacity to track and control it. The tragedy of the commons means we often let chronic problems with dispersed responsibilities fester. Think of plastic in the ocean. A trend towards reduced internet efficiency would undermine service delivery in countless businesses. It could hobble the Internet of Things. It would frustrate users. If the problem became significant enough, it could prompt some governments to wall off parts of the internet. If malicious actors found ways to proliferate or weaponize the AI weeds, they could do extensive damage.
     As the global demands placed on the internet increase in scale and sophistication, digital hygiene is likely to become a more pressing concern for end-users. The development of overarching norms, regulations and governance structures for AI will be crucial: without a robust and enforceable regulatory framework, there is a risk that humans will in effect be crowded out from the internet by the proliferation of AI.
     Service Management or Cyber Security, or does it matter, just Secure Digital SM?
  10. Aggregate analysis to assess whether appetite to take risk is being applied uniformly and, if systems are connected, whether risk is being appropriately managed, e.g. is system M connected to system N, in which case system effectiveness might be that of M not N. This diagram is currently not routinely produced by CDCAT but by subsequent consultancy.
      Discuss continual maturity improvement: the road to effectiveness is about sustaining high performance to agile attackers to make it hard for them so they try elsewhere. Capability improvement is about knowing where to invest to get the most bang for buck, take for example the 4 ITIL processes identified.
      In a world of cloud services, extended APIs down an opaque supply or service chain, where attackers can live off the land of the slightest configuration mismatch exploiting emergent behaviour, then to know the capability maturity and quantify the effectiveness calibrated to an absolute scale is to instil trust and/or decide what risk measures are needed from the business perspective. E.g. to take out appropriate cyber insurance but understand insurers rightly place obligations on you to be mature in your resilience operation, a partnership in financial mitigations.
  11. Reasons to be proactive: Money, Reputation, Livelihood, Safety, Survival.
      Explain resilience and stress induced by Cyber, conflict of maturity levels: agile tends to Level 2 ‘Developing’ whilst Cyber Security tends to Level 4 ‘Manage outcomes by metrics’. Future business architectures ‘build this in’ by design but at a cost compensated for by future benefits, i.e. the opportunity. Security and proactive resilience isn’t free. Business evolutions and resilience is evolving to change what is ‘normal’ in business design. Aim is now to provide a framework and risk analysis system that supports the agility needed.
      Discuss the status of regulators' approach to harm and expectations on managing risk in financial service.
      Discuss state of the art in autonomics, e.g. telecoms 5G and zero-touch provisioning, role of service management in carrier grade services delivery including security effectiveness to better than 5x9’s availability. Right almost every time – the means to digitally secure systems in the face of human fallibility and inevitable mis-configurations of complex services. Influence of 5G autonomic technologies, e.g. zero touch provisioning.
      Forensics: Premera Blue breach data destruction https://www.zdnet.com/article/premera-blue-cross-accused-of-destroying-evidence-in-data-breach-lawsuit/ see also SANS NewsBites Vol. 20 Num. 070 : California Establishes Election Cybersecurity Office; Five Eyes Want to Access Encrypted Communications; California Approves Net Neutrality Bill for the commentary. [CDCAT Q2: CDCAT Application: Capabilities folder]. Need in recovery operations to forensically archive data/equipment to ensure legal duties of care.
      Automation: CENX/Ericsson closed loop control and 5G. CDCAT lvl 3,4,5 automated control identification, predicting where it will be needed next re mapping is a process of process design to achieve cyber defence but using IA, CNO and SM.
      https://www.fiercetelecom.com/telecom/ericsson-boosts-closed-loop-automation-capabilities-deal-to-buy-cenx CDCAT lvl 3,4,5 automated control identification. This is an example where that automation is bubbling up.
  12. Service Managers can and need to “step up” to secure networks. Good cyber security is dependent on good service management. Effective security is a “team sport”: automate for repeatable outcomes, get to grips with configuration risk.
      Most breaches are due to insider issues [in fact historical human error and misconfiguration, ref VDBIR] – need for more testing, DevSecOps.
      Compliance alone means accepting successful attacks.
      Baseline your current maturity effectiveness and empower your business conversations in the value of cyber risk – quantify it using real world calibration. Maturity of implementation is the only way to effective security.