Source: cmgcanada.altervista.org/presentations/2017 Oct pres/The Associati…
The Association between Capacity Management, Cybersecurity, and Insider Threat
Chris Greco, PMP, PMI-ACP, CISSP, ITIL
Assumptions
• Every computer has at least one user
• Every user accesses the computer through a series of access controls
• Every access control has at least one method of authentication (two preferred)
• Every one of these authentication methods has an effect on capacity
• Every capacity change incorporates a set of risks
Background of Speaker
• Over 35 years of project management experience combined with 15 years of IT experience
• Speaker at CMG on a variety of topics
• In 2006, presented the topic of capacity and security
• In that presentation, showed that capacity will grow exponentially in the next 10 years due to security concerns
Stunning Statistics
• 2010: 60% of respondents to survey stated they would take anything from their prior employer, including information
• 2012: Former NSA contractor takes information from computers (insider threat)
• 2013: Hacking continues, and in some cases, originates within companies (insider threats)
• 2016: Insider Threats present a very real and present danger to companies and governments
How Does This Relate to Capacity?
• Let’s do the logic
• There are approximately 7 billion people in the world
• If half own and use a computer (3.5 billion), then they have at least one password
• The password may contain upwards of 15 characters
• If each character of that password is a byte, then you have 53 Gigabytes of information
That’s Not Bad At All
• Nope, not bad, then you start to add it all up
• You have a “forgotten password” feature where you store 3 questions and answers for each user
• The questions are standard (but still need to be stored) and the answers vary
• If the answers have an average of 10 characters (which in my opinion is underestimated) then you have about 105 Gigabytes of information
But It is Not Over Yet!
• If the entity employs multi-factor authentication, then it becomes even more complicated
• You have to store phone numbers of the users, and issue random numbers for verifications
• Storing phone numbers increases your data storage by at least 10 bytes per user, which would be an additional 35 Gigabytes
The Sum And The Consequences
• 53 + 105 + 35 = 173 Gigabytes
• And that is for only one password for one application (or one application access)
• The reason for this introduction is to say that there is a rise in the authentication requirement
• As a user, your responsibility is to ensure your passwords are strong
• The infrastructure manager has to do the rest
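The following is an added example, not part of the original presentation, that puts the storage arithmetic of the last four slides into a small model so the per-term figures can be recomputed for other user counts. It reproduces the slides' per-term figures (52.5, 105 and 35 Gigabytes for the password, recovery-answer and phone-number terms; note that these add to 192.5 rather than the 173 printed on the slide). As an extension the slides do not make, it also recomputes the secret-bearing terms on the assumption that passwords and recovery answers are stored as fixed-length salted hashes instead of their raw characters; the 60-byte hash length is the size of a bcrypt encoded string and is an assumption for illustration, as is everything else not on the slides.

```python
"""Storage estimate for authentication data, following the slides' model.

Added example, not from the original presentation. Slide figures: 3.5
billion users, 15-byte passwords, three 10-character recovery answers and
a 10-byte phone number for MFA. The hashed variant and its 60-byte hash
length are assumptions for illustration.
"""

GIGABYTE = 1_000_000_000  # decimal gigabyte, matching the slides' arithmetic

USERS = 3_500_000_000      # slide assumption: half of roughly 7 billion people
PASSWORD_BYTES = 15        # slide assumption: up to 15 one-byte characters
RECOVERY_ANSWERS = 3       # slide assumption: 3 questions and answers per user
ANSWER_BYTES = 10          # slide assumption: 10-character average answer
PHONE_BYTES = 10           # slide assumption: at least 10 bytes per phone number
HASH_BYTES = 60            # assumption: length of a bcrypt encoded hash string


def term_gb(users, bytes_per_user):
    """Gigabytes needed to hold one field for every user."""
    return users * bytes_per_user / GIGABYTE


def plaintext_model(users=USERS):
    """The slides' model: each user's raw characters are what gets stored."""
    password = term_gb(users, PASSWORD_BYTES)
    answers = term_gb(users, RECOVERY_ANSWERS * ANSWER_BYTES)
    phone = term_gb(users, PHONE_BYTES)
    return {
        "password_gb": password,
        "answers_gb": answers,
        "phone_gb": phone,
        "total_gb": password + answers + phone,
    }


def hashed_model(users=USERS, hash_bytes=HASH_BYTES):
    """Same inventory, but passwords and recovery answers are stored as
    salted hashes. The per-user cost is then fixed by the hash length, not
    by how long the user's password is, so a longer-password policy no
    longer moves the capacity number. Phone numbers must be kept in clear
    to send verification codes, so that term is unchanged."""
    password = term_gb(users, hash_bytes)
    answers = term_gb(users, RECOVERY_ANSWERS * hash_bytes)
    phone = term_gb(users, PHONE_BYTES)
    return {
        "password_gb": password,
        "answers_gb": answers,
        "phone_gb": phone,
        "total_gb": password + answers + phone,
    }


if __name__ == "__main__":
    for name, model in (("plaintext", plaintext_model()), ("hashed", hashed_model())):
        print(f"{name:10s}", {k: round(v, 1) for k, v in model.items()})
```

The hashed variant costs more bytes per user than the raw-character model, which is the point worth taking from it: the capacity planner should size for the hash output, not for the password length policy, and a breach of that table then exposes hashes rather than reusable secrets.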
The Growth of Authentication
• In the beginning, the password was the only authentication needed for access
• Then multi-factor authentication required more
  – Something you know – password
  – Something you have – cellphone (or a “fob”)
  – Something you are – biometrics
• This has required more capacity to store all this data
Authentication And The Numbers
• Assumptions
  – Your company has 1000 employees
  – Each of these employees has a strong password (i.e. 10 characters, different character sets)
  – Your company has also incorporated biometrics (“something you are”) in the form of one fingerprint
• The password will be approximately 21 kilobytes, and the fingerprint will be approximately 1 megabyte
What Is the Problem?
• So far, given the previous slide, everything is not bad at all
• However, there are some other issues you need to consider
  – The storage of past passwords (you don’t want users using the same password for everything)
  – The storage of USERIDs (at least 7 characters)
  – The storage of more than one fingerprint (an increase of approximately 1 MB each time)
Access By Application
• Of course most of us have access to applications or single sign on (SSO), so the storage is not a problem (right?)
• The baseline storage still has to occur, as well as the possibility of placing certain folders under access
• Every folder or document that has access must also have an access control
Simulated Access Control
• The following diagram shows a simulated access to one document by a set of users
• This is just a simulation, but one can imagine the amount of storage that would be required to keep the passwords or other access current
• You may have an Access Control List (ACL) but that means you have to store at least the following:
  – Name (or employee number or other ID)
  – USERID
  – PASSWORD
  – Other access controls including versions of the documents
Access Chart for Single Document
[Chart of simulated user access to a single document; the image is not reproduced in the transcript]
A Quick Review
• Your storage has to accommodate the following security protections
  – Something you know (passwords, passcodes, userid)
  – Something you have (fobs, cellphone numbers, random number generator)
  – Something you are (biometrics including fingerprints, iris scans, facial recognition)
• All of this just to ensure authorized access
• This does nothing to prevent insider threat if not done in combination with other measures
Insider Threat
• Insider Threat is nothing new
• Disgruntled employees have existed as long as there have been companies
• In the past, they sometimes took office supplies, or other things of value
• Now, they could take something of great value – information!
• How do you stop this insidious practice?
• You will NEVER stop Insider Threat (in my opinion) but you can try to prevent and detect it
Capacity Management and Insider Threat
• Storage of user identifying information
  – Every user takes up space in the storage formula
  – The amount of information will vary
• What we need to discuss is how to detect and/or prevent insider threat
• What are the various forms of data you store in order to implement an insider threat detection/prevention?
Logic Behind Detecting Insider Threat
• Let’s assume again that you have 1000 employees
• Each of these employees has access to 1000 documents in various folders on the servers
• You, as the computer security manager, have a “feeling” that there is information being pilfered from the system
• In order to confirm that feeling with data you have to monitor activity on those servers
What Should We Consider?
• If we wanted to employ an “insider threat” detection (or outside threat for that matter) we would want to consider the following:
  – Number of machines (one machine per person)
  – Number of servers
  – Number of firewalls (inside and outside DMZ)
• You would also have to consider how many months (or years) you would want to keep the data
Just One Example
• http://www.buzzcircuit.com/tag/siem-storage-calculator/ is just one site for measuring the amount of storage necessary
• Using this site and inserting the number 10 for all the hardware choices, along with 6 months for storage requirements
• The amount of storage you would need would be approximately 3 Terabytes of raw data and 5 Terabytes of application storage
Changing the Attributes
• If you increase the number of servers from 10 to 50, you increase the storage requirement by 2 Terabytes
• If you use the average medium sized company of 200 employees, you increase the number of computers to 200 with 10 servers (1 per 20 computers)
• This would mean that you would have to START with several Terabytes of storage just to retain it for 6 months!
Sample of Storage Requirements (For Different # of Servers)
[Chart: storage requirement in Terabytes (y-axis, 1 to 25) against number of servers (x-axis, 0 to 300), with one series for each of: 6 Months Retention (1 of Everything); 1 Year Retention (1 of Everything); 6 Months Retention (1+ FW, R, SW, DB, Etc); 1 Year Retention (1+ FW, R, SW, DB, Etc); 6 Months Retention (10 of Everything); 1 Year Retention (10 of Everything)]
What About Processing?
• According to the source below, it takes 4 instructions to add two numbers
• It takes an average of 400 characters in a log entry
• 400 X 4 = 1600
• 50 EPS per Firewall or Windows Server
• 3 Windows Servers = 150 EPS
• 150 X 1600 = 240,000 Instructions/second
• Intel Core i7 (5960X) = 238,000 MIPS
• Looks doable, but analysis will take millions of instructions
Source: https://en.wikipedia.org/wiki/Instructions_per_second
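The following is an added example, not the presentation's own calculator, that turns the sizing logic of the last few slides (the SIEM storage calculator and the instructions-per-second estimate) into one small estimator. The slides' web calculator does not publish its per-device rates, so its 3 Terabyte / 5 Terabyte figures are not reproduced; what is reproduced is the slide's processing arithmetic (400 characters per entry, 4 instructions per character, 50 EPS per firewall or Windows server, 238,000 MIPS for the Core i7-5960X). The EPS for device types the slides do not rate, the index-overhead factor, and the device inventory are constructed assumptions.

```python
"""SIEM capacity sizing: storage from event rate, processing from
instructions per event.

Added example, not from the original presentation. Slide figures are
marked as such; every other number is a constructed assumption.
"""

EPS_PER_DEVICE = {
    "firewall": 50,        # slide figure: 50 events per second
    "windows_server": 50,  # slide figure: 50 events per second
    "router": 20,          # constructed assumption
    "switch": 10,          # constructed assumption
    "database": 30,        # constructed assumption
}
BYTES_PER_EVENT = 400          # slide: ~400 characters per log entry
INSTR_PER_CHAR = 4             # slide's rough rule: 4 instructions per character
SECONDS_PER_DAY = 86_400
TERABYTE = 1_000_000_000_000   # decimal TB


def total_eps(inventory):
    """Sum events per second over an inventory such as {'windows_server': 3}."""
    return sum(EPS_PER_DEVICE[kind] * count for kind, count in inventory.items())


def raw_storage_tb(inventory, retention_days):
    """Raw log bytes retained for `retention_days`, in decimal terabytes."""
    eps = total_eps(inventory)
    return eps * BYTES_PER_EVENT * SECONDS_PER_DAY * retention_days / TERABYTE


def application_storage_tb(inventory, retention_days, index_overhead=1.7):
    """Raw storage plus the index and metadata the SIEM keeps alongside it.
    The 1.7x factor is an assumption; real products publish their own."""
    return raw_storage_tb(inventory, retention_days) * index_overhead


def instructions_per_second(inventory):
    """Slide model: characters per entry x instructions per character x EPS."""
    return total_eps(inventory) * BYTES_PER_EVENT * INSTR_PER_CHAR


def cpu_headroom(inventory, mips=238_000):
    """How many times over the ingest load fits in a CPU rated at `mips`
    (238,000 MIPS is the slide's figure for the Intel Core i7-5960X)."""
    return mips * 1_000_000 / instructions_per_second(inventory)


if __name__ == "__main__":
    site = {"windows_server": 3}                    # the slide's 3 Windows servers
    print("EPS:", total_eps(site))
    print("instructions/s:", instructions_per_second(site))
    print("raw TB for 180 days:", round(raw_storage_tb(site, 180), 3))
    print("app TB for 180 days:", round(application_storage_tb(site, 180), 3))
    print("CPU headroom factor:", round(cpu_headroom(site)))
    bigger = {"firewall": 2, "windows_server": 10, "router": 4, "switch": 20, "database": 3}
    print("bigger site raw TB, 1 year:", round(raw_storage_tb(bigger, 365), 2))
```

For the slide's three servers the ingest work is 240,000 instructions per second against a 238,000 MIPS budget, a headroom factor of roughly a million; the per-event cost of the analysis the slide warns about has to be added to `INSTR_PER_CHAR * BYTES_PER_EVENT` before that factor means anything. Storage, by contrast, grows linearly with EPS and retention, which is why the retention period is the first knob a capacity planner should question.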
Knowing the Terms
• A term with which you may be familiar is Security Information and Event Management (SIEM) storage.
• This is an application that gathers information and detects outliers for further analysis
• Although it has been in use for years, many companies are spending 1000s if not 100000s of dollars on obtaining and maintaining these applications
A Real-Life Example
• In 2012-2013 there was an individual that was in a sensitive position
• The individual was part of the Federal Government and had access to very critical information
• The individual is now living in a foreign country after stealing sensitive national security information
Questions to Consider
• What if the individual was slowly gaining access to information that was “derivative” to his duties?
• What if the individual had flash drives and DVDs on his desk?
• What if the individual was asking questions of users on gaining access to other types of information?
• Finally, what if there were people who saw these signs and did nothing?
Could He Have Been Detected By SIEM?
• Could a SIEM have detected this intruder?
  – Access to information might have been an outlier only if he did not access it daily
  – The SIEM will not “observe” the person’s behavior beyond their computer access and log entries
• People did question the insider threat, but if they are able to “tell a good story” they get a pass
• It takes people to report questionable behavior in order to place confirmation on the monitoring
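The first sub-bullet above is the detection-engineering point of the slide: a volume-based outlier rule only fires when access departs from the user's own routine, so an insider who reads a little every day stays under it. The following added example (not part of the presentation) runs two checks over a constructed file-access log: a per-user daily-volume outlier check of the kind a SIEM rule would implement, and a second check on the number of distinct documents touched in a rolling window, which is what catches the slow accumulation. The log format, user names, document paths and thresholds are all constructed for the example.

```python
"""Two detection checks over a constructed file-access log.

Added example, not from the original presentation. Three users, 30 days:
alice reads the same 5 documents daily, mallory reads 5 new documents
daily, bob reads 5 daily with one 45-document burst. All constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
import re
import statistics

# Constructed log line format: "<date> <time> user=<id> doc=<path> action=read"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} user=(\S+) doc=(\S+) action=read$"
)


def make_sample_log(days=30):
    """Constructed sample log, one line per document read."""
    lines = []
    start = date(2017, 10, 1)
    for d in range(days):
        day = start + timedelta(days=d)
        for i in range(5):  # alice: steady working set of 5 documents
            lines.append(f"{day} 09:{i:02d}:00 user=alice doc=/ops/runbook-{i}.docx action=read")
        for i in range(5):  # mallory: same daily volume, but 5 NEW documents every day
            lines.append(f"{day} 10:{i:02d}:00 user=mallory doc=/finance/report-{d * 5 + i:03d}.xlsx action=read")
        burst = 45 if d == 20 else 5  # bob: one-day burst on day 20
        for i in range(burst):
            lines.append(f"{day} 11:{i:02d}:00 user=bob doc=/hr/file-{i:03d}.pdf action=read")
    return lines


def parse(lines):
    """Return (date, user, doc) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def daily_counts(events):
    """Reads per (user, day)."""
    counts = defaultdict(int)
    for day, user, _doc in events:
        counts[(user, day)] += 1
    return counts


def daily_volume_outliers(events, factor=3.0):
    """SIEM-style rule: flag (user, day) where the read count exceeds
    `factor` times that user's own median daily count. A user whose daily
    volume never changes is never flagged, however many documents pile up."""
    counts = daily_counts(events)
    per_user = defaultdict(list)
    for (user, _day), n in counts.items():
        per_user[user].append(n)
    flagged = []
    for (user, day), n in counts.items():
        if n > factor * statistics.median(per_user[user]):
            flagged.append((user, day.isoformat()))
    return sorted(flagged)


def distinct_docs_in_window(events, window_days=30):
    """Distinct documents each user touched in the trailing window."""
    last_day = max(day for day, _, _ in events)
    cutoff = last_day - timedelta(days=window_days - 1)
    docs = defaultdict(set)
    for day, user, doc in events:
        if day >= cutoff:
            docs[user].add(doc)
    return {user: len(s) for user, s in docs.items()}


def slow_accumulators(events, window_days=30, max_distinct=60):
    """Complementary rule: users whose distinct-document footprint in the
    window exceeds `max_distinct`, regardless of how evenly it was spread."""
    footprint = distinct_docs_in_window(events, window_days)
    return sorted(u for u, n in footprint.items() if n > max_distinct)


if __name__ == "__main__":
    events = parse(make_sample_log())
    print("daily-volume outliers:", daily_volume_outliers(events))
    print("distinct docs / 30 days:", distinct_docs_in_window(events))
    print("slow accumulators:", slow_accumulators(events))
```

The volume rule flags only bob's burst day; mallory, who read exactly as many documents per day as everyone else, is invisible to it and only surfaces on the footprint rule. Both rules still see only what the slide says a SIEM sees, computer access and log entries, which is why the next bullet about people reporting behavior stands.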
Another Real-Life Example
• Let’s say data showed that an individual was using different Social Security Numbers to open businesses (same name, different numbers)
• The person in question was tracked and questioned
• Individual was able to tell a good story
• Finally, let’s say it took a relative to come forward in order for the case to proceed to investigation
Why Are We Using Machines to Monitor Humans?
• SIEMs have the capability to gather information and then present this information in a manner that is usable to humans
• It seems that there may be other alternatives available to detect and prevent insider threat
• By using alternative approaches you might be able to reduce costs and share buy-in with your other employees
Employees As Risks (Pessimistic)
• At the beginning of this presentation, we stated that there are 60% of employees willing to take something from their employer
• If you have 1000 employees, that would mean (nominally) that you have 600 of those employees that would be willing to steal something from the company
• However, there is an upside to this argument
Using Employees as Security Monitors (Optimistic)
• If you have 20 employees you have 40 eyes and 40 ears that can help keep your company secure.
• There is nothing more powerful than peer pressure
• As a college instructor, placing the class on alert helped to eliminate cheating, because they knew the expectations, so they would keep everyone on their best behavior
Some Ways to Deploy the Employees
• Limit Access (As long as the employees are in charge of their own functional area, they will take ownership)
• Educate employees about security
  – Password hygiene
  – Encourage understanding of technology
• Create a culture of security (probably the best recommendation; studies show that it does have an impact, see https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon)
Value Added Security
• There is nothing like having the employee take an active role in security
• Rather than trying to avoid or shortcut security, they will use “their” rules more seriously
• Employee-generated access rosters will establish the employee as the one in charge of that aspect of security
• It also makes them accountable, which will provide them with a stake in that part of the mission
Are Employees Reliable?
• Making someone accountable gives them a sense of purpose
• According to studies, purpose is something we all desire and are motivated to achieve (Elie Wiesel Nobel Prize winning book - Night)
• If people see a person with excessive access, DVDs and other insider threat factors, they should say something
• If they see and do nothing, they are not being accountable, and fail to do their purpose
A Hybrid Approach
• Use a SIEM and make that part of the security infrastructure, but do not rely on it as the sole detection method
• Use employee education to keep employees aware of the various security concerns
• Have an employee security network that helps their peers maintain security
• Create a culture of security through constant visibility and example
Does Constant Exposure Help?
• A security officer at the Twin Towers conducted evacuation exercises and pointed out exits
• Then September 11, 2001 occurred
• The security officer was credited with helping more than 2600 people evacuate the building
• The security officer died after he went back inside to help others evacuate (https://en.wikipedia.org/wiki/Rick_Rescorla)
What Does This Do To Capacity?
• Employee involvement can save Terabytes of storage
• In the current economy, storage has to be protected, so the more storage you have, the more protection it needs
• By keeping the security internal and observable, the capacity can be used for other things besides storing monitoring data
• The savings can be passed on to the employee as an incentive
Summary
• Security is something that will never go away
• Employers will constantly try to ensure that employees are security conscious
  – Through access control
  – Through education methods
• Applications can monitor the employee and their access or
• The employees can “police” themselves and take charge of their environment
References
• Common Sense Guide to Prevention and Detection of Insider Threats (CERT), 2005
• Buzzkill web site (calculate storage requirements for SIEM), referenced in the presentation
Any Questions?
https://www.linkedin.com/in/grectech
www.grectech.com
www.twitter.com/grectech
Business Phone: (443) 690 - 5037