The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso.
I’ve spent the last year building and hardening policies using the ITIL (Information Technology Infrastructure Library) framework as my team and I worked on a SOC 2 audit and certification. Our ITSM (Information Technology Service Management) platform is ServiceNow (SNOW). The ServiceNow platform is responsible for managing and automating all aspects of service management for us and our customers; this includes incidents, requests, changes, problems, knowledge, etc… We use a ton of tools in our development and operations (DevOps) toolchain to drive agile development models, automated testing, automated deployments, measurement, self-healing, etc…
During our system design, we made a deliberate decision to separate our ITOM (Information Technology Infrastructure Operations) platform from our ITSM platform. Our element management tools, our instrumentation, our ITOM tooling which manages event correlation, alert management and escalation, and our ITSM platforms are all decoupled. We had a good reason for doing this which focused on flexibility, the best tool for the job with the ability to integrate. Fast forward a few years and we may look to leverage ServiceNow ITOM because it is quickly elevating to a best-in-class ITOM tool.
I found it interesting that Ronda R. Henning defined an “incident” as anything that is abnormal on a system. When I think about an incident using the ITIL framework definition I think about it as something which has the potential to cause a service disruption. While abnormal activity may trigger an event or an alert, this does not mean an incident will be created. The example Henning provides of Joe being on the system at midnight might trigger an event or an alert, but this event or alert would be trapped by our ITOM system, identified as benign and would not be elevated to an incident.
[Figure: a simple graphical representation of the ITIL service management framework. Source: Rich Bocchinfuso]
In this week’s lecture, Ronda R. Henning also mentions syslog and event logging. This is often referred to as security information and event management (SIEM). The idea is to aggregate and analyze events across the enterprise to gain better clarity on what is occurring, the root cause, etc. As an Open Source proponent, I have built this capability on the ELK stack (Elasticsearch, Logstash, and Kibana), but Splunk is also a popular SIEM. SIEM has become an integral IT operations tool.
For continuous monitoring, specific to security we use a number of tools ranging from SIEM, to Lynis system audits, to OpenVAS and Qualys vulnerability scans. We use Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) classifications to make decisions on criticality and reaction time.
We have witnessed an evolution from traditional infrastructure –> converged infrastructure –> hyper-converged infrastructure –> composable infrastructure; this evolution has dramatically improved our ability to instrument, monitor, automate and self-heal infrastructure. (Thome, 2017)
Traditional Infrastructure: Decoupled discrete infrastructure consisting of servers, storage, and networking components.
Converged Infrastructure: An integrated solution which bundles compute, storage and networking into a system which addresses a particular workload or solution such as virtualized desktops or a database application.
Hyper-converged Infrastructure: Compute, storage, and networking integrated into a single solution. Hyper-converged infrastructure is often driven by integrated hardware and software-defined technologies.
Composable Infrastructure: Builds on converged and hyper-converged technologies through enhanced software-defined intelligence and unified APIs (Application Programmable Interfaces) to “compose” and automate the infrastructure.
One of my favorite visualizations of self-healing infrastructure is the Netflix vizceral network visualization of the network automagically detecting a failure and rerouting traffic.
I mention this because, in contrast to what Ronda R. Henning states in this week’s lecture, I believe the advent of composable infrastructure and the increased use of machine learning (ML), deep learning (DL) and artificial intelligence (AI) has moved us closer to being able to automagically do more.
Composable infrastructure has given way to A/B testing, blue-green deployments, rapid iteration and continuous delivery over rigid release cycles. These advances IMO are largely attributable to composable infrastructure; some call this software-defined. Composable infrastructure is fundamentally driven by software; the agility of software-defined everything, exposed APIs, a focus on usability and orchestration has dramatically changed how we consume, instrument, monitor and self-heal information technology infrastructure.
Lastly, PagerDuty released their Incident Response framework and process to the Open Source community and it provides a great starting point for building an Incident Response framework.
Continuous Delivery. (n.d.). Retrieved September 27, 2018, from https://continuousdelivery.com/
Fowler, M. (2010, March 1). Bliki: BlueGreenDeployment. Retrieved September 26, 2018, from https://martinfowler.com/bliki/BlueGreenDeployment.html
Greene, J. (n.d.). The Essential Guide to ITIL Framework and Processes. Retrieved September 26, 2018, from https://www.cherwell.com/library/essential-guides/essential-guide-to-itil-framework-and-processes/
Henning, R. R. (n.d.). Security Operations, Part 2. Retrieved September 27, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU04VjEvRGF0YS9tb2R1bGUueG1s
Netflix. (2016, October 28). Vizceral. Retrieved September 26, 2018, from https://youtu.be/JctsPpgEsVs
Netflix. (2018, September 05). Netflix/vizceral. Retrieved September 26, 2018, from https://github.com/Netflix/vizceral
PagerDuty, P. (n.d.). PagerDuty/incident-response-docs. Retrieved September 26, 2018, from https://github.com/PagerDuty/incident-response-docs/blob/master/docs/index.md
Rawat, S. (2018, June 08). A/B Testing – The Complete Guide | VWO. Retrieved September 26, 2018, from https://vwo.com/ab-testing/
Rouse, M. (n.d.). What is security information and event management (SIEM)? – Definition from WhatIs.com. Retrieved September 26, 2018, from https://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM
SDxCentral. (n.d.). What is Software Defined Everything (SDx) – Defined. Retrieved September 26, 2018, from https://www.sdxcentral.com/cloud/definitions/software-defined-everything-sdx-part-1-definition/
Thome, G. (2017, June 29). Just What the Heck Is Composable Infrastructure, Anyway? Retrieved September 26, 2018, from https://www.itprotoday.com/business-resources/just-what-heck-composable-infrastructure-anyway
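Added illustration, not code from the post, from ServiceNow or from the author’s ITOM tooling: a small Python triage function that applies the ITIL event/alert/incident distinction discussed above, with the “Joe on the system at midnight” case raised as abnormal and then suppressed as benign before it ever reaches the ITSM queue. Host names, users, the admin list and the change windows are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Event:
    host: str
    user: str
    kind: str        # "login" or "service_down" in this example
    ts: datetime

@dataclass
class Outcome:
    level: str       # "event", "alert" or "incident"
    reason: str

# Hypothetical ITOM context (constructed): admins expected on a host out of
# hours, and approved change windows during which an outage is planned.
KNOWN_ADMINS = {"db01": {"joe"}}
CHANGE_WINDOWS = {"web02": (datetime(2018, 9, 27, 23), datetime(2018, 9, 28, 2))}

def is_off_hours(ts):
    return ts.hour >= 22 or ts.hour < 6

def in_change_window(host, ts):
    win = CHANGE_WINDOWS.get(host)
    return win is not None and win[0] <= ts < win[1]

def triage(ev):
    """Apply the event -> alert -> incident ladder with benign-context suppression."""
    if ev.kind == "service_down":
        # Potential service disruption: an incident unless the outage was planned.
        if in_change_window(ev.host, ev.ts):
            return Outcome("alert", "outage inside an approved change window; tracked, not escalated")
        return Outcome("incident", "service disruption outside any change window")
    if ev.kind == "login" and is_off_hours(ev.ts):
        # Abnormal activity raises an alert, but known context can mark it benign.
        if ev.user in KNOWN_ADMINS.get(ev.host, set()):
            return Outcome("event", f"{ev.user} is a known admin on {ev.host}; alert suppressed")
        return Outcome("alert", "off-hours login by an unrecognised user; needs review")
    return Outcome("event", "normal activity, logged only")

def triage_at(host, user, kind, iso_ts):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return triage(Event(host, user, kind, datetime.fromisoformat(iso_ts)))

if __name__ == "__main__":
    # Joe on db01 at midnight: abnormal, but benign once correlated with context.
    print(triage_at("db01", "joe", "login", "2018-09-27T00:05"))
```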
This past week was an interesting week in tech, with the Facebook security breach and Jim Cramer in San Francisco at Dreamforce interviewing some of the Silicon Valley goliaths. One interesting interview I thought I would share was Cramer’s interview with Kevin Mandia, CEO of FireEye.
Andrew, we live in interesting times where it seems just about every enterprise has the need to adopt an Agile approach and a DevOps culture. The move/fail fast paradigm seems to be powering the innovators in the tech industry, but let’s face it, there are a few FAANG companies. There is a ton of pressure to move and innovate faster, and many believe the path to success is to mimic the Netflix culture, easier said than done. Most organizations have a legacy to tend to which impedes the pivot. The “Subscription Economy” and the age of cloud and cloud-first strategies is upon us, but we are starting to see some equilibrium and a shift to a “cloud-smart strategy”. (Staff, 2018)
Heath, N. (2015, August 24). Should you follow Netflix and run your business from the public cloud? Retrieved September 30, 2018, from https://www.techrepublic.com/article/should-you-follow-netflix-and-run-your-business-from-the-public-cloud/
Staff, R. (2018, September 27). Moving Beyond a ‘Cloud First’ Strategy | VMware Radius. Retrieved September 30, 2018, from https://www.vmware.com/radius/moving-beyond-a-cloud-first-strategy/?src=so_5a314d05ddb83&cid=70134000001SkJd
Scott, careful with all that talk about security only being there to keep the bad guys out and the fact that it’s not if you get attacked, but rather when because you’re sounding like Richard Stallman (Goffman, 2018), not a bad thing. 🙂
Philosophically I agree with many of Stallman’s views, but security is not just about the bad guys. When I think about IAM (Identity and Access Management) (Stroud, n.d.). I think about least privilege, protecting the system from human error, logging, auditing, etc… as much if not more than I think about authentication as a padlock.
I think we will continue to see machine learning play a role in advancing automated incident response, where the plan, process, and procedures are codified, where we take an algorithmic approach to response. Moving to an open model where the system governs the response aids us in governing transparency because IMO the term “disclosure” is open to far too much interpretation for my liking and this is not helping the situation.
Goffman, K. (2018, January 11). Richard Stallman : Last of The True Hackers? (MONDO 2000 flashback 1989). Retrieved September 30, 2018, from http://www.mondo2000.com/2018/01/11/richard-stallman-last-true-hackers-mondo-2000-flashback-1989/
Stroud, F. (n.d.). IAM – Identity and Access Management. Retrieved September 30, 2018, from https://www.webopedia.com/TERM/I/iam-identity-and-access-management.html
Carmen, do you think the two individuals at Uber acted unilaterally?
- Fact: Many organizations pay hacker ransom demands.
- Fact: Many organizations who pay hacker ransom demands and get their data back don’t disclose the hack. Those who hack for financial gain (e.g., ransomware) are an honorable bunch because if they didn’t deliver, organizations would stop paying the ransoms and the business of ransomware would collapse.
- Fact: Disclosure of a hack impacts the hacked organization’s reputation, so debates within organizations around the globe are happening. These debates include to disclose or not disclose, what constitutes disclosure, how nebulous can the disclosure be, when to disclose, etc… The answers to all these questions more often than not are to disclose as little as possible, to be as nebulous as possible and to disclose at a time when the disclosure is least damaging.
Uber is not alone in how they disclosed. Equifax (Isidore, 2017) delayed their breach disclosure while insiders participated in a stock sell-off. What happened? Absolutely nothing, but somehow Elon Musk is demonized because he tweets that he has secured funding to take Tesla private. Right and wrong isn’t a game of inches, but influence often is. In Elon Musk’s case, the short-sellers controlled the influence.
Isidore, C. (2017, September 8). Equifax’s delayed hack disclosure: Did it break the law? Retrieved September 30, 2018, from https://money.cnn.com/2017/09/08/technology/equifax-hack-disclosure/index.html