you don’t need a better car, you need to learn - first · you don’t need a better car, you need...

45
Siemens AG 2017 siemens.com You don’t need a better car, you need to learn how to drive On the Importance of Cyber-Defense Line Automation Enrico Lovat, Florian Hartmann, Philipp Lowack

Upload: buidien

Post on 12-Sep-2018

216 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

siemens.com

You don’t need a better car, you need to learn

how to drive

On the Importance of Cyber-Defense Line Automation

Enrico Lovat, Florian Hartmann, Philipp Lowack

Page 2: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 3

Who are we?

<picture for Siemens CERT>

Page 3: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 4

You don’t need a better car, you need to learn how to drive

What this talk is about

• What we did

• What we learn in the process

What this talk is NOT about

• Cars

• Step-by-step tutorial on how to fix things

• Code

• Vendor bashing

A tool can make you faster. But you need many tools

The “glue” in-between tools is as important as the tools themselves.

Page 4: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017 siemens.com

Example

Page 5: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 6

Example use case: Malware via email

• How can the user report a suspicious email?

• How do you analyze it?

• Is it a targeted attack or mass malware?

• Did the user click on the attachment?

• Who is the Infosec responsible for the user?

• How do you prevent the attached malware from

exfiltrating data from infected machines?

• How can you make sure similar infections are

detected?

• How can you prevent other clients from being

infected by the same malware?

• …

Page 6: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 7

The old way

Inbox

Reports

mails

Sandbox

Analyze

attachments

SIEM (ProxyLogs)

Search for

Indicators/URLs

Ticket

Tracker

Issue Tickets

Proxy

Solution 1

Active

Directory Corporate

Employee

Directory

Virus

Total

Analyze

Results

Investigation

Vetting Extract potential

C&C URLs

Page 7: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017 siemens.com

Evolution 1 - Scripts

Page 8: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 9

Evolution 1 - Scripts

Reputation

Services

Virus

Total

Sinkhole

(C)ISO

List

Proxy

Solution 1

Proxy

Solution 2

Active

Directory Corporate

Employee

Directory

Manual step

Automated step

Mail DB

Reports

mails

Sandbox

Analyze

attachments

Vetting Extract potential

C&C URLs SIEM

(ProxyLogs)

Search for

Indicators/URLs

Investigation

Analyze

Results

Ticket

Tracker

Issue Tickets

TI

Platform

Store and cross-ref.

Indicators/URLs

Page 9: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 10

Scripts: pros and cons

• Scripts allow analysts to perform their tasks faster

• Script written by an analyst can be reused by the

other analysts

• Scripting requires good understanding of the

tools/service used only few can edit the scripts

• Each analyst has a different favorite scripting

language hard to script against others’ scripts

Page 10: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017 siemens.com

Evolution 2 - API

Page 11: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 12

Evolution 2 - API

Mail DB

Sandbox Vetting

Tool SIEM

(ProxyLogs)

Ticket

Tracker

Remediation

Ticket Tool

TI

Platform

Virus

Total

Reputation

Services

Active

Directory Corporate

Employee

Directory

(C)ISO

List

Proxy

Solution 2

Proxy

Solution 1

Central

blacklist Sinkhole

Anti

Virus

Manual step

Automated step

Reports mails

Analyze attachments

Extract potential

C&C URLs

Search for

Indicators/URLs

Analyze

Results

Issue Tickets

Store and cross-ref.

Indicators/URLs

Page 12: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 13

API: documentation

Page 13: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 14

API: pros

• Simplicity: while not everybody can script against

an LDAP server, any developer knows how to

query a REST API.

• Flexibility: once one REST API for a tool has been

developed by an analyst, everybody can script

against it using his/her language of preference

• Abstraction: Coding against a REST API allows to

easily exchange the “backend”, e.g. replacing a

commercial tool with an open source one, as long

as it implements the same interface

• Authentication: wrapping the original interface

into a custom API allows for better identity

management (e.g. handle different authentications)

Page 14: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 15

API: Extra pros

Global Search

Page 15: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 16

API: Extra pros - Maltego integration

Page 16: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 17

API: Extra pros - Vetting interface

Page 17: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017 siemens.com

Example - revisited

Page 18: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 19

Example: How do we handle it today

Analysis of the email

Analysis of email attachment

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Report as SPAM/Malware

In-house developed Outlook plugin.

Selected email is sent (as attachment) to a particular mailbox.

Mail reported as spam

Page 19: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 20

Example: How do we handle it today

MALST (MALware mailingliST)

In-house developed tool to monitor inbox and analyze received emails

Set of scripts + WebGUI

Mail reported as spam

Analysis of email attachment

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Analysis of the email

Page 20: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 21

Example: How do we handle it today

MALST (MALware mailingliST)

In-house developed tool to monitor inbox and analyze received emails

Set of scripts + WebGUI

Mail reported as spam

Analysis of email attachment

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Analysis of the email

Page 21: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 22

Example: How do we handle it today

CMAP Mail reported as spam

Analysis of the email

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Analysis of email attachment

Page 22: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 23

Example: How do we handle it today

CMAP

Cuckoo sandbox + In-house developed GUI and additional analyses

Mail reported as spam

Analysis of the email

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Analysis of email attachment

Page 23: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 24

Example: How do we handle it today

Threat Intelligence Vetting Interface

Custom WebGUI for vetting.

It retrieves indicators from sandbox analysis, filters and enriches them,

applies tags and push back the changes to TI database.

Mail reported as spam

Analysis of the email

Analysis of email attachment

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Manual vetting of analysis results

Page 24: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 25

Example: How do we handle it today

Threat Intelligence Vetting Interface

Custom WebGUI for vetting.

It retrieves indicators from sandbox analysis, filters and enriches them,

applies tags and push back the changes to TI database.

Mail reported as spam

Analysis of the email

Analysis of email attachment

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Manual vetting of analysis results

Page 25: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 26

Example: How do we handle it today

MANTIS MISP

In-house developed tool, supporting STIX/TAXII

New MISP-centric architecture

Sandbox

(CMAP)

Vetting

(TI VI)

TI DB

(MISP)

Mail reported as spam

Analysis of the email

Analysis of email attachment

Manual vetting of analysis results

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Threat intelligence processing

Page 26: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 27

Example: How do we handle it today

MANTIS MISP

In-house developed tool, supporting STIX/TAXII

New MISP-centric architecture

Sandbox

(CMAP)

Vetting

(TI VI)

TI DB

(MISP)

Mail reported as spam

Analysis of the email

Analysis of email attachment

Manual vetting of analysis results

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Threat intelligence processing

Page 27: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 28

Example: How do we handle it today

Historic log search Mail reported as spam

Analysis of the email

Analysis of email attachment

Manual vetting of analysis results

Threat intelligence processing

Issuing of remediation tickets

Tracking of remediation status

Historic search in proxy logs

Page 28: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 29

Example: How do we handle it today

Remediation tickets In-house developed tool to easily handle creation of remediation tickets

Mail reported as spam

Analysis of the email

Analysis of email attachment

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Tracking of remediation status

Issuing of remediation tickets

Page 29: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 30

Example: How do we handle it today

Request Tracker Opens source ticketing system + many customizations

Mail reported as spam

Analysis of the email

Analysis of email attachment

Manual vetting of analysis results

Threat intelligence processing

Historic search in proxy logs

Issuing of remediation tickets

Tracking of remediation status

Page 30: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017 siemens.com

Evolution 3 – What’s next?

Page 31: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 33

What’s next?

Manual step

Automated step

Mail DB

Sandbox Vetting

Tool SIEM

(ProxyLogs)

Ticket

Tracker

Remediation

Ticket Tool

TI

Platform

Virus

Total

Reputation

Services

Active

Directory Corporate

Employee

Directory

(C)ISO

List

Proxy

Solution 2

Proxy

Solution 1

Central

blacklist Sinkhole

Anti

Virus

Reports mails

Analyze attachments

Extract potential

C&C URLs

Search for

Indicators/URLs

Analyze

Results

Issue Tickets

Store and cross-ref.

Indicators/URLs

Page 32: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 34

What’s next?

Manual step

Automated step

Ma

il

D

B

San

dbo

x

Vetting

Tool SIEM (ProxyLogs)

Tick

et

Tra

cker

Remediation

Ticket Tool

TI

Plat

for

m

V

i

r

u

s

T

o

t

a

l

R

e

p

u

t

a

t

i

o

n

S

e

r

v

i

c

e

s

A

c

t

i

v

e

D

i

r

e

c

t

o

r

y

C

o

r

p

o

r

a

t

e

E

m

p

l

o

y

e

e

D

i

r

e

c

t

o

r

y

(

C

)

I

S

O

L

i

s

t

P

r

o

x

y

S

o

l

u

t

i

o

n

2

P

r

o

x

y

S

o

l

u

t

i

o

n

1

C

e

n

t

r

a

l

b

l

a

c

k

l

i

s

t

S

i

n

k

h

o

l

e

A

n

t

i

V

i

r

u

s

Reports mails

Analyze attachments

Extract potential

C&C URLs

Search for

Indicators/URLs

Analyze Results

Issue Tickets

Store and cross-ref.

Indicators/URLs

Ma

il

D

B

San

dbo

x

Vetting

Tool

SIEM (ProxyLogs)

Tick

et

Tra

cker

Remediation

Ticket Tool

TI

Plat

for

m

V

i

r

u

s

T

o

t

a

l

R

e

p

u

t

a

t

i

o

n

S

e

r

v

i

c

e

s

A

c

t

i

v

e

D

i

r

e

c

t

o

r

y

C

o

r

p

o

r

a

t

e

E

m

p

l

o

y

e

e

D

i

r

e

c

t

o

r

y

(

C

)

I

S

O

L

i

s

t

P

r

o

x

y

S

o

l

u

t

i

o

n

2

P

r

o

x

y

S

o

l

u

t

i

o

n

1

C

e

n

t

r

a

l

b

l

a

c

k

l

i

s

t

S

i

n

k

h

o

l

e

A

n

t

i

V

i

r

u

s

Reports mails

Analyze attachments

Extract potential

C&C URLs

Search for

Indicators/URLs

Analyze Results

Issue Tickets

Remediation

Ticket Tool

Ma

il

D

B

San

dbo

x

Vetting

Tool SIEM (ProxyLogs)

Tick

et

Tra

cker

Remediation

Ticket Tool

TI

Plat

for

m

V

i

r

u

s

T

o

t

a

l

R

e

p

u

t

a

t

i

o

n

S

e

r

v

i

c

e

s

A

c

t

i

v

e

D

i

r

e

c

t

o

r

y

C

o

r

p

o

r

a

t

e

E

m

p

l

o

y

e

e

D

i

r

e

c

t

o

r

y

(

C

)

I

S

O

L

i

s

t

P

r

o

x

y

S

o

l

u

t

i

o

n

2

P

r

o

x

y

S

o

l

u

t

i

o

n

1

C

e

n

t

r

a

l

b

l

a

c

k

l

i

s

t

S

i

n

k

h

o

l

e

A

n

t

i

V

i

r

u

s

Reports mails

Analyze attachments

Extract potential

C&C URLs

Search for

Indicators/URLs

Analyze Results

Issue Tickets

Store and cross-ref.

Indicators/URLs

Ma

il

D

B

San

dbo

x

Vetting

Tool SIEM (ProxyLogs)

Tick

et

Tra

cker

Remediation

Ticket Tool

TI

Plat

for

m

V

i

r

u

s

T

o

t

a

l

R

e

p

u

t

a

t

i

o

n

S

e

r

v

i

c

e

s

A

c

t

i

v

e

D

i

r

e

c

t

o

r

y

C

o

r

p

o

r

a

t

e

E

m

p

l

o

y

e

e

D

i

r

e

c

t

o

r

y

(

C

)

I

S

O

L

i

s

t

P

r

o

x

y

S

o

l

u

t

i

o

n

2

P

r

o

x

y

S

o

l

u

t

i

o

n

1

C

e

n

t

r

a

l

b

l

a

c

k

l

i

s

t

S

i

n

k

h

o

l

e

A

n

t

i

V

i

r

u

s

Reports mails

Analyze attachments

Extract potential

C&C URLs

Search for

Indicators/URLs

Analyze Results

Issue Tickets

Store and cross-ref.

Indicators/URLs

Vetting

Tool

TI

Plat

for

m

V

i

r

u

s

T

o

t

a

l

R

e

p

u

t

a

t

i

o

n

S

e

r

v

i

c

e

s

P

r

o

x

y

S

o

l

u

t

i

o

n

2

P

r

o

x

y

S

o

l

u

t

i

o

n

1

C

e

n

t

r

a

l

b

l

a

c

k

l

i

s

t

S

i

n

k

h

o

l

e

Reports mails

San

dbo

x

Vetting

Tool SIEM (ProxyLogs)

Tick

et

Tra

cker

Remediation

t Tool

TI

Plat

for

m

C

e

n

t

r

a

l

b

l

a

c

k

l

i

s

t

Extract potential

C&C URLs

Search for

Indicators/URLs

Store and cross-ref.

Indicators/URLs

SIEM (ProxyLogs)

Tick

et

Tra

cker

Remediation

t Tool

Page 33: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 35

What’s next?

Mail DB

Sandbox

Vetting

Tool

SIEM (ProxyLogs)

Ticket

Tracker Remediation

Ticket Tool

TI

Platform

Virus

Total

Reputation

Services

Active

Directory Corporate

Employee

Directory (C)ISO

List

Proxy

Solution 1

Central

blacklist

Sinkhole

Anti

Virus

Central

Workflow Engine

Employees

Analysts

Proxy

Solution 2

InfoSec

Officers

Page 34: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 36

What’s next?

INCIDENT HANDLING PLAYBOOK

In case of “Suspicious email reported”

Step 1: Analyze email and extract URLs

Step 2: Analyze sample in Sandbox

Step 3: If Threat Index > 10 then …

Central

Workflow Engine

Page 35: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017 siemens.com

Lessons Learned

Page 36: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 38

Lessons learned

Make it easy! Use the same interface to access your internal and external services/data sources.

Page 37: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 39

Lessons learned

Works for us ≠ Works for you Every company/institution is different

Page 38: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 40

Lessons learned

More than twice? Script it! Optimization accumulates over time!

Page 39: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 41

Lessons learned

Containerize your tools! Lowers setup overhead in the long run and provides

well-documented setup instructions for free.

Page 40: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 42

Lessons learned

Standardize your infrastructure! Try to stick to the same tool stack (programming language, frameworks, libraries).

Page 41: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 43

Lessons learned

Manage your user centrally! Easily offer other stakeholders in your company access to (some of) your tools.

Page 42: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 44

Lessons learned

Compromise (sometimes)! Find a tradeoff between adapting your tools to your processes and vice versa.

Page 43: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 45

Lessons learned

DIY but don’t DIY! Don't (always) implement your own tools, but rather use fitting open-source tools.

Page 44: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 46

Lessons learned

Make it easy! Use the same interface to access your internal and external services/data sources.

Works for us ≠ Works for you! Every company/institution is different.

If you have to do it more than twice, script it! Optimization accumulates over time!

Containerize your tools! Lowers setup overhead in the long run and provides well-documented setup instructions for free.

Standardize your infrastructure! Try to stick to the same tool stack (programming language, frameworks, libraries).

Manage your user centrally! Easily offer other stakeholders in your company access to (some of) your tools.

Compromise (sometimes)! Find a tradeoff between adapting your tools to your processes and vice versa.

Do it yourself but don’t do it yourself!: Don't (always) implement your own tools, but rather use open-source tools.

Page 45: You don’t need a better car, you need to learn - FIRST · You don’t need a better car, you need to learn ... Siemens AG 2017 Page 7 The old way ... Siemens AG 2017 Page 12 Evolution

Siemens AG 2017

Page 47

Enrico Lovat

Florian Hartmann

Philipp Lowack

Siemens CERT

CT RDA ITS CER-DE

Otto-Hahn-Ring 6

81739 München

[email protected]

[email protected]

[email protected]

[email protected]

https://www.cert.siemens.com

Questions?