Participation in the 19th Telekomunikacije Conference · 2018-11-19 · 2018-10-25 | Automation: Towards...
2018-10-25 | Automation: Towards addressing telco challenges | Page 1
Sanjay Nagaraj & Kenneth Manner | Ericsson AB / BA-TEB | 2018-11-14
Participation in the 19th Telekomunikacije Conference
Security Advances in Automation: Towards Addressing Telco Challenges
Who are we?
Sanjay Nagaraj — PhD in business management from Royal Tech (Sweden) / Stanford University (USA); MBA in Strategic Management, Univ. of San Diego (USA)
— Experience: FMCG / Telecoms. Ericsson (Sales, Services; Security; Media consultancy; Network Strategy; Financial & Business Modelling)
— Analysis Group/McGill/ McKinsey (Management Consultancy)
— Space: Marketing, Strategic Management, Value Management
— Industry Segment: FMCG; Telecoms
— Over 26 years' experience in business management, integrated marketing and case modelling. Ran the multi-million € advisory programs for telco and vertical industries (encompassing Category Management, Commercial Strategy, Value Creation for access networks, and VAS).
— Professional Memberships: AMA; Nordic Brand Association, ACR, JCR
Kenneth Manner — BEng in Information Technique from Arcada Helsinki, eMBA in Finance from Swedish Business School of Helsinki
— Experience: Ericsson (Sales; Services; Security; Innovation and Business development; Financial Modelling; Product management; Program and Project management; Product Development; & Line Management)
— Space: Finance, Product and Commercial Management
— Industry Segment: Telecoms, Vertical Sectors
— Over 26 years' experience in product development, product management, business innovation and development, and sales for telco and vertical industries. Part of the telco transformation in 2G, 3G, 4G towards IoT and 5G. Implemented lean/agile development in a multi-country environment, driving lean startup and DevOps thinking and mindset.
Presentation contents
00. A wake-up
01. Landscape
02. End-2-end security management
03. Features and some use cases
04. VC-i: Propositions and case analysis
Wake-up call
… Globally, CSPs are waking up to the risks created by vulnerabilities …
… Automating operations in the security domain, in order to deploy it to infrastructure rapidly and economically as well as to save operational costs, is becoming an imperative …
“By 2020 Security and Technology risks reporting becomes mandatory”
Source: Gartner
Ericsson Internal | 2018-02-21
“We need e-2-e Security Management in order to meet our security goals”
CURRENT MOST IMPORTANT OBJECTIVE
01. Landscape
- Security environment
- Accountability
- Network segment & attack scenarios
Security Environment
Global & Environment
▪ Businesses and investments in security
▪ Global alliance and partnership
▪ Operational synergies and economies of scale
▪ Enhancements of cyber security portfolio
Telecom Industry
▪ Linking security strategy to business initiatives
▪ Data is both an asset and a liability
▪ Legal and regulatory compliance - GDPR
▪ Focus on next generation networks and security
▪ ML is a new way to address security practice
Value Chains & Business Models
▪ Operators broaden portfolios
▪ E2E security solutions dominate value
▪ Automation becoming a dominant factor in security management
▪ Security operations in SaaS
Technology & Competition
▪ Automated configuration, monitoring, and analytics
▪ Remediation to update security controls
▪ Products and Solutions
▪ Buying decisions are based on trust in the integrity of the supplier
01. Primer and Overview
Accountability
Leaders and Accountability
• Loss of market share and reputation
• Legal exposure
• Audit failure
• Fines & criminal charges
• Financial loss
• Loss of data confidentiality, integrity and/or availability
• Violation of employee privacy
• Violation of privacy
• Loss of customer trust
• Loss of brand reputation
CEO CFO/COO CIO/CISO CHRO CMO
SECURITY STRATEGY
Network Segments
How does it relate to operators
Dynamic environment and DevSecOps accelerating cycles
02. End-2-end security management
— Baselines
— Closing the gaps
— Security Lifecycle
— Manager & orchestration
— Our Approach
Towards Addressing Telco Challenges
Competitive Advantage
▪ Operational transformation
▪ DevSecOps and cross-functional synergies
▪ Prime Integrator
▪ Universal standardized frameworks
Challenges
▪ Networks and assets are more vulnerable to attacks
▪ Brand and image
▪ Churn
▪ Revenue
▪ Customer Experience
Value creation
▪ Addressable security use case
▪ Tailored and quantifiable propositions
▪ Comparative analysis (As is – To be scenarios)
▪ Specific KPI objectives
Solutions & Services
Security baselines
1. hardening of assets and configuration of security functions
2. continuous monitoring of compliance of both assets and configuration of security function.
3. privacy compliance monitoring
4. security analytics
5. assessment of system vulnerabilities
6. fraud analytics to identify fraudulent subscriber behavior in telco net
Closing the Security Gap
Shortest Distance
Management & Orchestration
Actionable format & contextual
Safeguard revenues
Minimize risks
Codify manual process
Path to automation
Threat Intelligence
Exposure to threats
Timely, accurate, and relevant
Autonomics
Embed to enable self healing & compliance
Obtain
Store
Security Analytics
Find
Apply
Automation benefit is an avenue to improve efficiency
Managing security lifecycle
According to ETSI NFV specifications (NFV SEC013) and NIST Cyber Security Framework
ETSI NFV specifications (NFV SEC013)
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
NIST CYBER SECURITY framework
Security management & orchestration
Sec. Policies
— CIS Benchmark
— ISO 27001
— ISO 27017
— NIST
— Vendor hardening guidelines
— Corporate security instructions
— Other
Ericsson Security Manager
Configuration
— Disable inactive users
— Password change frequency
— Set security zones
— Disable telnet
— Enable logs
— Others
Compliance
— Is default access enabled?
— Are tenants isolated?
— Vulnerabilities patched?
— Others
Analytics
— Events
— Logs
— Notifications
— Subscriber info
— Others
Assets
Configuration
FW, IAM, IDS, Other
Secured Context
— E2E view & control
— Automatic configuration
— Automatic compliance verification
— Real-time policy breach & unknown threat detection
— Vulnerability mgmt
— Integrity mgmt
GRC
Our approach
SECURE DEVOPS (DEVSECOPS)
• DevOps operations driven configurations, deployments and developments
• Continuous delivery & deployment with feedback loop
• DevOps security tools as security enablers for DevOps operations, deployments and developments
SECURE OPERATIONS
• Security and privacy awareness and adaptiveness
• Maintaining the compliance to the applications’ security policies
• Actionable insights to the changing threat landscape
SECURE DEVELOPMENT
• Developing the right security functions
• Assuring that security works as expected
• Documentation for secure operations
• Services for secure use
Cycle times shortening
High RPM
Security Manager
SRM
DevSecOps way of working needed for secure development, deployment and operations
03. Use cases
UC1: Baseline Automation
Enforcing and monitoring policies
Ericsson policy catalog with pre-tested policy families, policies and controls
67% COMPLIANCE
• Node X
• Node Y
• Node Z
Policy sets based on the policy catalog
Assets, asset groups, security domains
Automated policy set enforcement
Continuous compliance monitoring
Analytics and Reporting
Events
Policy Set for Security Domain 1
Family-01 Access Control
Restrict invalid logon attempts
Create and enable warning banners
Set automatic termination of user session
Family-02 Identification and Authentication
Password ageing
Enforce minimum password complexity
Family-03 Configuration management
Disable unused services
Time synchronization with UTC clock
Family-04 Audit and Accountability (AU)
Enable auditing events
Family-04C My own additional policy family
04C-001 Logging of user activities on interface X
Policy Catalog
Family-02 Identification and Authentication
IA-01 Password ageing
Family-02 Identification and Authentication
Policy: Password ageing
Description: Policy to enforce password lifetime
Reference:
NIST SP800-53r4 IA-5 (d)
ISO 27001:2013, ISO27002:2013 (A.9.2)
CIS benchmark
EU GDPR Articles 32, 33, 35
Ericsson Baseline Security Requirements
Controls | Default Value
Password Min Age | 7 (days)
Password Max Age | 90 (days)
Days-Psswd Expiry | 7
100% COMPLIANCE
• Node X
• Node Y
• Node Z
Policy Catalog – Policy Family
Family-01 Access Control (AC)
Family-02 Identification & Authentication (IA)
Family-03 Configuration Management (CM)
Family-04 Audit and Accountability (AU)
Family-05 System & Comms Protection (SC)
Family-06 Systems & info Integrity (SI)
Family-07 Privacy Policy (PP)
Family-08 IoT Security (IoT)
Family-09 Contingency (CP)
Family-10 Incident Response Policy
Family-11 Risk Assessment Policy
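As an added illustration of the UC1 flow above (not code from the deck or from Ericsson Security Manager), this sketch checks the IA-01 "Password ageing" controls on three nodes and derives the compliance percentage. The mapping of the controls to the `/etc/login.defs` keys `PASS_MIN_DAYS`, `PASS_MAX_DAYS` and `PASS_WARN_AGE`, the comparison directions, the per-node way of counting compliance and the node configurations are all assumptions constructed for the example.

```python
import re

# Controls of policy IA-01 "Password ageing" with the default values from the slide.
# The login.defs key mapping and the comparison direction are assumptions.
POLICY_IA01 = {
    "PASS_MIN_DAYS": ("min", 7),   # Password Min Age: at least 7 days
    "PASS_MAX_DAYS": ("max", 90),  # Password Max Age: at most 90 days
    "PASS_WARN_AGE": ("min", 7),   # Days-Psswd Expiry: warn at least 7 days ahead
}

# Constructed sample configurations for the three nodes named on the slide.
NODES = {
    "Node X": "PASS_MIN_DAYS 7\nPASS_MAX_DAYS 90\nPASS_WARN_AGE 7\n",
    "Node Y": "# constructed sample\nPASS_MIN_DAYS\t7\nPASS_MAX_DAYS\t60\nPASS_WARN_AGE\t14\n",
    "Node Z": "PASS_MIN_DAYS 0\nPASS_MAX_DAYS 99999\n#PASS_WARN_AGE 7\n",
}

def parse_login_defs(text):
    """Return {key: int} for active (uncommented) numeric settings."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s+(-?\d+)\s*(?:#.*)?$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings

def violations(settings, policy=POLICY_IA01):
    """List (key, actual, required) for every control the node fails."""
    found = []
    for key, (kind, limit) in policy.items():
        actual = settings.get(key)  # a missing control counts as a violation
        ok = actual is not None and (
            actual >= limit if kind == "min" else 0 <= actual <= limit)
        if not ok:
            found.append((key, actual, limit))
    return found

def compliance_report(nodes=NODES):
    """Per-node violations plus the share of fully compliant nodes, in percent."""
    per_node = {name: violations(parse_login_defs(cfg)) for name, cfg in nodes.items()}
    compliant = sum(1 for failed in per_node.values() if not failed)
    return per_node, round(100 * compliant / len(per_node))

if __name__ == "__main__":
    report, percent = compliance_report()
    print(f"{percent}% COMPLIANCE")
    for node, failed in report.items():
        for key, actual, limit in failed:
            print(f"{node}: {key}={actual} violates limit {limit}")
```

A commented-out control, as on the constructed Node Z, is reported as missing rather than silently passing, which is the case continuous monitoring has to catch after a manual edit.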
UC2: Vulnerability management
Dashboard
Prioritized vulnerability status based on vulnerability information and asset criticality
Trigger vulnerability scans towards selected assets
Vulnerability feeds
External vulnerability feeds
Ericsson PSIRT
Vulnerability scan reports
Vulnerability Scanner
Mapping of vulnerabilities to the assets
Enhanced CVSS scoring
Processing scanner outputs
Rule-based Analytics
Ericsson Security Manager
Automation dashboard
100% COMPLIANCE
Node 1
Node 2
Node 3
100% COMPLIANCE
Node 1
Node 2
Node 3
98% COMPLIANCE
Node 1
Node 2
Node 3
Automatic or manual re-enforcement of the policy
Violation of “SSH timeout configuration” policy in MTAS (malicious or mistake)
Continuous compliance monitoring
04. VC-i
- Proposition sample
- Case analysis
VC-i < Business logic
BUSINESS JUSTIFICATION
Holistic Workflow
1. A business justification is built by modeling the “proposition chunks” that make up the Implementation Map
2. The implementation map provides the cost, and the imperatives enable the quantification of the benefits
3. In total providing the Operating Free Cash Flow impact – in a waterfall chart
IMPERATIVES
TARGET OPERATING MODEL
IMPROVEMENT MAP
[Figure: Collective OpFCF Improvement (over 5 yr period, 2018-2023). Y-axis: OpFCF, USD millions. Bars: OpFCF Cumulative (original); Auto Config of Security Policies; Real time compliance policy check; Continuous Monitoring; Cost reduction from security breaches; Churn Reduction (Fraud); Churn Reduction (Svs Disruption); OpFCF Cumulative (improved). Data labels as extracted: 46.645, 2.52, 1.93, 1.44, 9.82, 14.89, 5.95, 46,669.]
Takeaway
Trusted business: Service providers to be trusted by customers and that enterprises can build trusted business together with them.
Trusted operations: Trusted operations of the network and all enterprise processes running on top of it
Trusted deployment: A trusted network architecture and configuration against the network and the devices that connect to it
Trusted HW & SW: Ensuring trust from the bottom with security & privacy functions, characteristics & HW/SW root of trust in every part of the network
Thank You Ericsson.com/security