What's My Security Policy Doing to My Help Desk, w/ Chris Swan
TRANSCRIPT
November 15, 2016
What’s My Security Policy Doing to My Help Desk?
Chris Swan (@cpswan), CTO Global Infrastructure Services, CSC
2 November 15, 2016© 2016 Computer Sciences Corporation
Chris Swan – why me?
Combat Systems Engineer - Royal Navy
Security R&D – Credit Suisse
CTO Security - UBS
CTO – Cohesive Networks
CTO, Global Infrastructure Services - CSC
@cpswan
Agenda
• Operational Data Mining and the 3rd DevOps Way
• The #1 issue
• A parable about 802.1X
• Finding a better way
Setting the scene: The 3 DevOps Ways and Operational Data Mining
The 3 ways
1. Flow
2. Feedback
3. Continual Learning & Experimentation
Operational Data Mining (ODM) takes ‘data exhaust’ from service management and ancillary systems
‘Exhausting’ by Ben Salter https://flic.kr/p/8VTaMe
Operational Data Mining focusses on the 3rd Way
1. Flow
2. Feedback
3. Continual Learning & Experimentation
Data helps us find the constraints, then tells us what to do with them
‘Narrow’ by gwire https://flic.kr/p/4d3N4
Constraint unblocking helps provide better flow and feedback
1. Flow
2. Feedback
3. Continual Learning & Experimentation
Data provides a means of empowerment to front line staff
“I knew that,
I knew that we needed to do that”
So let’s start with the #1 issue
#1 - Password reset related issues
Service Desk Incident Tickets, August 2014 – August 2015 (n = 67k tickets)
• Account Login Tickets: 31%
• Escalated to Other Queues
• No Resolving Action Required (1)
• Other, Completed by Service Desk
Account Reset Tickets, August 2014 – August 2015 (n = 21k tickets)
• AD Accounts: 34%
• Rater Portal Accounts
• Mainframe Accounts
• Other Accounts
(1) These are primarily calls chasing other previously opened tickets
For incidents where the Service Desk is the resolver of the incident, account issues represent the vast majority of these tickets
The Service Desk typically spends 5-10 min of effort on each of these reset tickets, although occasionally tickets are re-opened again later if the user calls back a 2nd or 3rd time.
AD account lockout issues: Multiple incidents in the past year by user
AD account lockout issues: 3+ incidents in the past year
Service desk volume for AD account locking tickets: Users with the same problem 3+ times in last year
A deeper analysis reveals that users often experience these repeat issues in quick succession
• Among users who have the same issue multiple times, the occurrences often come in quick succession
• This, along with additional observations in the ticket notes, indicates that the help desk is often not resolving the underlying issue behind the incident, which then generates more incidents
• Users are often connected to different support personnel on each call, so the Service Desk often does not notice that it keeps unlocking accounts for the same users without fixing the root cause of the issue
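An added example, not from the original slides: one way to run the analysis described above over a ticket export, finding users with 3+ AD lockout tickets, their largest burst of tickets inside a time window, and how many different agents handled that burst. The ticket fields, sample rows, category string and 7-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: (ticket id, user, agent, opened, category).
TICKETS = [
    ("T1", "alice", "agent1", "2015-03-02 09:05", "AD account lockout"),
    ("T2", "alice", "agent2", "2015-03-02 13:40", "AD account lockout"),
    ("T3", "alice", "agent3", "2015-03-03 08:55", "AD account lockout"),
    ("T4", "bob",   "agent1", "2015-01-12 10:00", "AD account lockout"),
    ("T5", "bob",   "agent1", "2015-06-20 15:30", "AD account lockout"),
    ("T6", "bob",   "agent2", "2015-07-30 11:10", "AD account lockout"),
    ("T7", "carol", "agent2", "2015-04-01 09:00", "AD account lockout"),
    ("T8", "alice", "agent1", "2015-03-02 10:00", "Printer fault"),
]

def repeat_lockouts(tickets, category="AD account lockout",
                    min_count=3, window=timedelta(days=7)):
    """Users with min_count+ tickets of `category`, plus their largest burst in `window`."""
    by_user = defaultdict(list)
    for tid, user, agent, opened, cat in tickets:
        if cat == category:
            when = datetime.strptime(opened, "%Y-%m-%d %H:%M")
            by_user[user].append((when, agent, tid))
    report = {}
    for user, events in by_user.items():
        if len(events) < min_count:
            continue  # not a repeat caller by the 3+ threshold
        events.sort()
        best, start = [], 0
        # Sliding window: largest run of tickets opened within `window` of each other.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        report[user] = {
            "total": len(events),
            "burst": [tid for _, _, tid in best],
            # Several agents in one burst suggests nobody saw the pattern.
            "agents_in_burst": len({agent for _, agent, _ in best}),
        }
    return report

if __name__ == "__main__":
    for user, row in repeat_lockouts(TICKETS).items():
        print(user, row)
```

A user whose burst spans several tickets and several agents is a candidate for root-cause work (for example a device still holding an old password) rather than another unlock.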
A parable about WiFi authentication: Why 802.1X for BYOD can be a really bad idea
It all seems so simple
When ‘one password’ lets you down
I have the old password
Password reset
Finding a better way
First it was CESG in the UK
Source: http://www.theregister.co.uk/2016/05/05/stop_resetting_your_password_says_uk_spy_network/
Then NIST in the US
Source: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
This isn’t a withdrawal from password security
My colleagues produced a white paper on this topic
Source: http://assets1.csc.com/cybersecurity/downloads/THE_PROBLEM_WITH_P4__W0RDS_.pdf
Let’s not pretend that this is an easy fix
When systems and culture collide
Wrapping up
Summary
• Operational Data Mining and the 3rd DevOps Way
• The #1 issue
• A parable about 802.1X
• Finding a better way
Thanks to the sponsors and supporters
Time for questions?