
2018-10-25 | Automation: Towards addressing telco challenges | Page 1

Sanjay Nagaraj & Kenneth Manner | Ericsson AB / BA-TEB | 2018-11-14

Participation in the 19th Telekomunikacije conference

Security Advances in Automation: Towards Addressing Telco Challenges


Who are we?

Sanjay Nagaraj — PhD in business management from Royal Tech (Sweden) / Stanford University (USA); MBA in Strategic Management, Univ. of San Diego (USA)

— Experience: FMCG / Telecoms. Ericsson (Sales, Services; Security; Media consultancy; Network Strategy; Financial & Business Modelling)

— Analysis Group/McGill/ McKinsey (Management Consultancy)

— Space: Marketing, Strategic Management, Value Management

— Industry Segment: FMCG; Telecoms

— Over 26 years experience in business management, integrated marketing and case modelling. Ran the multi-million € advisory programs for telco and vertical industries (encompassing Category Management, Commercial Strategy, Value Creation for access networks, and VAS).

— Professional Memberships: AMA; Nordic Brand Association, ACR, JCR

Kenneth Manner — BEng in Information Technique from Arcada Helsinki, eMBA in Finance from Swedish Business School of Helsinki

— Experience: Ericsson (Sales; Services; Security; Innovation and Business development; Financial Modelling; Product management; Program and Project management; Product Development; & Line Management)

— Space: Finance, Product and Commercial Management

— Industry Segment: Telecoms, Vertical Sectors

— Over 26 years experience in Product development, Product management, Business Innovation and Development, Sales for telco and vertical industries. Being part of the telco transformation in 2G, 3G, 4G towards IoT and 5G. Implemented lean/agile development in a multi country environment, driving lean startup and DevOps thinking and mindset.


Presentation contents

00. A wake-up

01. Landscape

02. End-2-end security management

03. Features and some use cases

04. VC-i: Propositions and case analysis


Wake-up call

…. Globally, CSPs are waking up to the risks created by vulnerabilities ….

…. Automating operations in the security domain, in order to be able to deploy it to infrastructure rapidly and economically, as well as to save operational costs, is becoming an imperative ….


“By 2020 Security and Technology risks reporting becomes mandatory”

Source: Gartner


“We need e-2-e Security Management in order to meet our security goals”

CURRENT MOST IMPORTANT OBJECTIVE


01 Landscape

- Security environment
- Accountability
- Network segment & attack scenarios


Security Environment

Global & Environment

▪ Businesses and investments in security
▪ Global alliance and partnership
▪ Operational synergies and economies of scale
▪ Enhancements of cyber security portfolio

Telecom Industry

▪ Linking security strategy to business initiatives
▪ Data is both an asset and a liability
▪ Legal and regulatory compliance - GDPR
▪ Focus on next generation networks and security
▪ ML is a new way to address security practice

Value Chains & Business Models

▪ Operators broaden portfolios
▪ E2E security solutions dominate value
▪ Automation becoming a dominant factor in security management
▪ Security operations in SaaS

Technology & Competition

▪ Automated configuration, monitoring, and analytics
▪ Remediation to update security controls
▪ Products and Solutions
▪ Buying decisions are based on trust in the integrity of the supplier


01 Primer and Overview

Accountability

Leaders and Accountability

• Loss of market share and reputation

• Legal exposure

• Audit failure

• Fines & criminal charges

• Financial loss

• Loss of data confidentiality, integrity and/or availability

• Violation of employee privacy

• Violation of privacy

• Loss of customer trust

• Loss of brand reputation

CEO CFO/COO CIO/CISO CHRO CMO

SECURITY STRATEGY


Network Segments

How does it relate to operators

Dynamic environment and DevSecOps accelerating cycles


02 End-2-end security management

— Baselines

— Closing the gaps

— Security Lifecycle

— Manager & orchestration

— Our Approach


Towards Addressing Telco Challenges

Competitive Advantage

▪ Operational transformation
▪ DevSecOps and cross-functional synergies
▪ Prime Integrator
▪ Universal standardized frameworks

Challenges

▪ Networks and assets are more vulnerable to attacks
▪ Brand and image
▪ Churn
▪ Revenue
▪ Customer Experience

Value creation

▪ Addressable security use case
▪ Tailored and quantifiable propositions
▪ Comparative analysis (As is – To be scenarios)
▪ Specific KPI objectives

Solutions & Services


Security baselines

1. hardening of assets and configuration of security functions

2. continuous monitoring of compliance of both assets and configuration of security functions

3. privacy compliance monitoring

4. security analytics

5. assessment of system vulnerabilities

6. fraud analytics to identify fraudulent subscriber behavior in telco net


Shortest Distance Management & Orchestration Actionable format & contextual Safeguard revenues Minimize risks

Closing the Security Gap

Codify manual process Path to automation

Threat Intelligence

Exposure to threats: Timely, accurate, and relevant

Autonomics Embed to enable

Self healing & compliance

Obtain Store

Security Analytics

Find

Apply

Automation benefit is an avenue to improve efficiency


Managing security lifecycle

According to ETSI NFV specifications (NFV SEC013) and NIST Cyber Security Framework

ETSI NFV specifications (NFV SEC013)

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

NIST Cyber Security Framework


Security management & orchestration

Sec. Policies

— CIS Benchmark
— ISO 27001
— ISO 27017
— NIST
— Vendor hardening guidelines
— Corporate security instructions
— Other

Ericsson Security Manager

Configuration

— Disable inactive users
— Password change frequency
— Set security zones
— Disable telnet
— Enable logs
— Others

Compliance

— Is default access enabled?
— Are tenants isolated?
— Vulnerabilities patched?
— Others

Analytics

— Events
— Logs
— Notifications
— Subscriber info
— Others

Assets

Configuration

FW IAM

IDS Other

Secured Context

— E2E view & control

— Automatic configuration

— Automatic compliance verification

— Real-time policy breach & unknown threat detection

— Vulnerability mgmt

— Integrity mgmt

GRC


SECURE DEVOPS (DEVSECOPS)

• DevOps operations driven configurations, deployments and developments
• Continuous delivery & deployment with feedback loop
• DevOps security tools as security enablers for DevOps operations, deployments and developments

SECURE OPERATIONS

• Security and privacy awareness and adaptiveness
• Maintaining the compliance to the applications’ security policies
• Actionable insights to the changing threat landscape

SECURE DEVELOPMENT

• Developing the right security functions
• Assuring that security works as expected
• Documentation for secure operations
• Services for secure use

Our approach

Cycle times shortening High RPM Security Manager

SRM

DevSecOps way of working needed for secure development, deployment and operations


03 Use cases


UC1: Baseline Automation

Enforcing and monitoring policies

Ericsson policy catalog with pre-tested policy families, policies and controls

67% COMPLIANCE

• Node X

• Node Y

• Node Z

Policy sets based on the policy catalog

Assets, asset groups, security domains

Automated policy set enforcement

Continuous compliance monitoring

Analytics and Reporting

Events

Policy Set for Security Domain 1

Family-01 Access Control
• Restrict invalid logon attempts
• Create and enable warning banners
• Set automatic termination of user session

Family-02 Identification and Authentication
• Password ageing
• Enforce minimum password complexity

Family-03 Configuration management
• Disable unused services
• Time synchronization with UTC clock

Family-04 Audit and Accountability (AU)
• Enable auditing events

Family-04C My own additional policy family
• 04C-001 Logging of user activities on interface X

Policy Catalog

Family-02 Identification and Authentication
• IA-01 Password ageing

Family-02 Identification and Authentication

Policy: Password ageing

Description: Policy to enforce password lifetime

Reference:
• NIST SP800-53r4 IA-5 (d)
• ISO 27001:2013, ISO27002:2013 (A.9.2)
• CIS benchmark
• EU GDPR Articles 32, 33, 35
• Ericsson Baseline Security Requirements

Controls (default value):
• Password Min Age: 7 (days)
• Password Max Age: 90 (days)
• Days-Psswd Expiry: 7

100% COMPLIANCE

• Node X

• Node Y

• Node Z

Policy Catalog – Policy Family

Family-01 Access Control (AC)

Family-02 Identification & Authentication (IA)

Family-03 Configuration Management (CM)

Family-04 Audit and Accountability (AU)

Family-05 System & Comms Protection (SC)

Family-06 Systems & info Integrity (SI)

Family-07 Privacy Policy (PP)

Family-08 IoT Security (IoT)

Family-09 Contingency (CP)

Family-10 Incident Response Policy

Family-11 Risk Assessment Policy
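
As an added example (not code from the presentation or from Ericsson Security Manager), the sketch below checks the Password ageing controls from the policy catalog above against three constructed node configurations and reports a compliance percentage. The mapping of the controls to `/etc/login.defs` keys, the comparison directions, and counting compliance per node are assumptions.

```python
import re

# Default control values from the "Password ageing" policy on the slide.
# Assumptions: the login.defs key mapping and the direction of each comparison.
POLICY = {
    "PASS_MIN_DAYS": (7, lambda a, w: a >= w),       # Password Min Age
    "PASS_MAX_DAYS": (90, lambda a, w: 0 < a <= w),  # Password Max Age (-1 disables ageing)
    "PASS_WARN_AGE": (7, lambda a, w: a >= w),       # Days-Psswd Expiry (assumed: warning days)
}

# Constructed sample configurations for three hypothetical nodes.
NODES = {
    "Node X": "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\nPASS_WARN_AGE 7\n",
    "Node Y": "# hardened\nPASS_MAX_DAYS\t60\nPASS_MIN_DAYS 7\nPASS_WARN_AGE 14\n",
    "Node Z": "PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\n#PASS_WARN_AGE 7\n",
}

LINE = re.compile(r"^\s*([A-Z_]+)\s+(-?\d+)\s*$")


def parse_login_defs(text):
    """Return {key: int} for uncommented numeric settings; the last value wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def violations(text):
    """List (key, actual, required) for every control the node fails.
    A missing or commented-out key counts as a violation (fail closed)."""
    settings = parse_login_defs(text)
    failed = []
    for key, (want, ok) in POLICY.items():
        actual = settings.get(key)
        if actual is None or not ok(actual, want):
            failed.append((key, actual, want))
    return failed


def compliance_report(nodes):
    """Return (percent of fully compliant nodes, {node: violations})."""
    findings = {name: violations(cfg) for name, cfg in nodes.items()}
    compliant = sum(1 for v in findings.values() if not v)
    return round(100 * compliant / len(nodes)), findings


if __name__ == "__main__":
    percent, findings = compliance_report(NODES)
    print(f"{percent}% COMPLIANCE")
    for name, failed in findings.items():
        for key, actual, want in failed:
            print(f"  {name}: {key}={actual} violates policy value {want}")
```
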


UC2: Vulnerability management

Dashboard

Prioritized vulnerability status based on vulnerability information and asset criticality

Trigger vulnerability scans towards selected assets

Vulnerability feeds

External vulnerability feeds

Ericsson PSIRT

Vulnerability scan reports

Vulnerability Scanner

Mapping of vulnerabilities to the assets

Enhanced CVSS scoring

Processing scanner outputs

Rule-based Analytics

Ericsson Security Manager


Automation dashboard

[Figure: three compliance panels for Node 1, Node 2 and Node 3, labelled 100% COMPLIANCE, 100% COMPLIANCE and 98% COMPLIANCE, each under continuous compliance monitoring]

Violation of “SSH timeout configuration” policy in MTAS (malicious or mistake)

Automatic or manual re-enforcement of the policy


04 VC-i

- Proposition sample

- Case analysis


VC-i < Business logic

BUSINESS JUSTIFICATION

Holistic Workflow

1. A business justification is built by modeling the “proposition chunks” that make up the Implementation Map

2. The implementation map provides the cost, and the imperatives enable the quantification of the benefits

3. In total, this provides the Operating Free Cash Flow impact, shown in a waterfall chart

IMPERATIVES

TARGET OPERATING MODEL

IMPROVEMENT MAP


Collective OpFCF Improvement (over 5 yr period, 2018-2023)

[Waterfall chart; vertical axis: OpFCF, USD millions]

Chart values, as printed: 46.645 2.52 1.93 1.44 9.82 14.89 5.95 46,669

Chart categories:
▪ OpFCF Cumulative (original)
▪ Auto Config of Security Policies
▪ Real time compliance policy check
▪ Continuous Monitoring
▪ Cost reduction from security breaches
▪ Churn Reduction (Fraud)
▪ Churn Reduction (Svs Disruption)
▪ OpFCF Cumulative (improved)


Takeaway

Trusted business: Service providers to be trusted by customers and that enterprises can build trusted business together with them.

Trusted operations: Trusted operations of the network and all enterprise processes running on top of it

Trusted deployment: A trusted network architecture and configuration against the network and the devices that connect to it

Trusted HW & SW: Ensuring trust from the bottom with security & privacy functions, characteristics & HW/SW root of trust in every part of the network


Thank You

Ericsson.com/security