Information Security Management at the Olympics: Finding the Needle in the Haystack

Transcription

1 Information Security Management at the Olympics: Finding the Needle in the Haystack Markus J. Krauss VP Cloud Computing and Service Provider Chris Van Den Abbeele Solution Manager ISRM

2 Agenda Who is Atos, Who is Novell/NetIQ The Olympic Environment The IT project Information Security Methodology Trends in information security at the Olympics What s in it for me? 2

3 Atos and Novell/NetIQ 3

4 Who is Atos? Atos is an international information technology services company. Its business is turning client vision into results through the application of consulting, systems integration and managed operations. Atos is the Worldwide Information Technology Partner for the Olympic Games and has a client base of international blue-chip companies across all sectors. Atos is quoted on the Paris Eurolist Market and trades as Atos, Atos Worldline and Atos Consulting. 4

5 Atos and Siemens IT Solutions and Services 5

6 Atos and The Olympics Started supplying software for Barcelona 92 Contract with IOC awarded in 98 as Integrator The largest ever Sports IT related contract Reduce risks and reduce costs Two extensions, the current contract up to Games Salt Lake City, USA 02 Athens, Greece 04 Turin, Italy 06 Beijing, China 08 Vancouver, Canada 10 London, Great Britain 12 Sochi, Russia 14 Rio de Janeiro 16 6

7 The Olympics Environment accreditations (Beijing) 40 Venues/70+ Competition venues (Beijing) 7

8 The Scale of IT 8

9 The IT Project Highly visible and critical, no second chances This is an IT project with a deadline that does not move that does not move Complex mix of technology, processes and people with no room for error A risk-management driven project Massive testing program Knowledge capture industrialization integrate in Atos High Performance Security (AHPS) service, now available to all customers 9

10 Methodology: End-to-end Information Security UNDERSTAND Understand Business Requirements Identify normal Behavior ANALYZE Evaluate the Risk (based on scenario) BUILD Implement Architecture Define Security Metrics MEASURE Measure Security Posture Define criticality of Systems and Data Define controls (based on scenario) Assess Vulnerability Audit Enforce Security Controls Using Technology Enforce Monitoring Controls Using Technology RUN Respond to the Incident Monitor for abnormal Behavior Use adopted Real Time Risk Management Technology 10

11 Risk Modeling Scenarios: What How What for What: describes the threat How: defines which vulnerability is exploited to break into the target What for: describes the purpose of the attack Example of scenario: A worm is released in the CIS VLAN through OS vulnerability to disturb the commentators Validation of the scenarios: Penetration Testing (TR1 & TR2) Security Reviews (Internal AO project team) NetIQ Corporation. All rights reserved.

12 Impact Risk Mitigation Strategy Qualitative risk measurement Top down (scenarios) and bottom up approach (from IT) Consider the following controls for each scenario: preventive Preventive Sc 8 Detective Corrective detective Sc 17 Sc 2 Corrective These controls become the building blocks for: security policies procedures architecture monitoring Sc 19 Sc 4 Sc 20 Sc 1 Sc 22 Sc 11 Sc 12 Sc 3 Sc 21 Sc 16 Sc 6 Sc 18 Sc 5 Sc 14 Sc 7 Sc 9 Sc 10 Sc 15 Sc 13 Likelihood of Occurrence 12

13 Integrated Security Service Desk Configuration Management Incident Management Problem Management Release Management Change Management Service Level Management Financial Management Capacity Management IT Services Continuity Management Availability Management Information Security Training Input for Security Risk Management Incident Response Handling Process Security Monitoring Vulnerability and Patch Management Member of the CCB Level of Security Alarms Match Severity of the Incident Security Risk Management Input to Security Risk Management Input to Security Risk Management Input to Security Risk Management Information Security is not an extra domain Information Security is a transversal activity Information Security is integrated (embedded) with the rest of IT Operations 13

14 Testing and Training Applications go through exhaustive integration testing programs. Systems undergo technical tests where performance, load and fault performance are tested to their limit. Teams are trained following comprehensive programs to be ready to operate the systems and react to different scenarios according to the defined policies and procedures. 14

15 Operations The challenge: How to recognize real threats in 12,000,000 security events / day? How to understand over 20,000 security event types? 15

16 Operations The solution: Real Time Security Risk Management Implement a Security Information and Event Management (SIEM) solution Perform Intelligent Event Processing Active Filtering Aggregation & Correlation Prioritization Real Time Auditing Predefined Incident Management Process 12,000,000 10,000,000 8,000,000 6,000,000 4,000,000 2,000,000-16

17 Results Security Information Reduction (Daily) 17

18 Results Security Information Reduction (Daily) No Business Impact 18

19 The Trend in Information Security at the Olympics 19

20 Security Monitoring Security monitoring per environment SIM v 2 - Correlation with business rules - Improved reporting - Improved performance Security Information Management providing: Collection, Filtering, Aggregation, Correlation, Prioritization across the different environments SIM v3 - Auto Audit integration - Auto learning rules - Multilayer processing Speed: As close as possible to real-time: from minutes to seconds Relevance: from 3 million events logged to 3 attempts prevented 20

21 Identity Management - Active Directory for Windows environment - LDAP for UNIX environment - Radius for Network environment - Oracle and SQL authent. for Apps and DB - IdM system implemented - Access control based on job description - Approval based on organizational structure - Directory synchronization: Active Directory to LDAP - Application authenticating against AD and LDAP IdM workflow fully integrated with Operational procedures Increase consistency: from environment based to job description based Decrease account creation time: from days to hours 21

22 Future Plans: Intelligent SIEM Identity Management Security Monitoring Security Event information in real time enriched with intelligence from Identity Management When we send a Security Guard to investigate, they are no longer looking for an IP address, they are looking for a face 22

23 Innovation 23

24 Innovation is about turning new ideas into real business value Our know-how and experience from the Olympics is integrated in our Atos High Performance Security (AHPS) service, which is now available to all customers As it is offered as a cloud service, it can provide value from day one 24

25 If you re facing any of these regulations Then see us on Atos High Performance Security UK: GPG-13 (Government) and PCI-DSS France: RGS (Référentiel Général de Sécurité') and PCI-DSS Germany: BSI, ISO2700x and PCI-DSS Netherlands: 'Code voor Informatiebeveiliging' (based on the standard ISO and the code of practice ISO 27002) Spain: LOPD (Organic Law for Data Protection), and ISO 2700x 25

26 If We Can Do it for The Olympic Games, Imagine What We Can Do For You! Thank you Markus J. Krauss VP Cloud Computing and Service Provider Chris Van Den Abbeele Solution Manager ISRM 26

27 Thank you Chris Van Den Abbeele Solution Manager ISRM Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud and Atos WorldGrid are registered trademarks of Atos SA. June Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.