
Cyber Security in the modern distributed enterprise: protecting Airbus

BSides Athens · 2020 · 29:48 · 1.1K views · Published 2020-06
Style: Keynote
About this talk
Abstract: In a world of rapid digital transformation of the enterprise, and evolving cyber threats, how do you protect a modern, distributed and large-scale organisation such as Airbus from cyber attacks? This talk presents the emerging trends in the cyber security industry, and how companies such as Airbus are implementing digital security programmes, at scale, to address the modern security risks. Looking ahead into the future, Kevin will also challenge the cyber security industry to improve further and address some of the key issues facing the profession today, and tomorrow.

Bio: Dr Kevin Jones is the Chief Digital / Information Security Officer (CISO) at Airbus, responsible for the digital security programme, including risk management, design architecture, red team, detection and response, plus cyber security research & innovation, across the IT, ICS, people and product security domains. He provides strategic, organisational and technical programmes within the digital security function. Kevin works closely with government agencies on cyber security topics, in addition to European and academic programmes. He is industry Chair of the UK National Cyber Security Centre (NCSC) Industrial Control Systems Community of Interest and a member of the associated expert group. In addition, Kevin is an advisor to numerous cyber security research programmes and events. He is an advocate and champion for cyber security in academia, for the development of cyber skills and for multi-disciplinary research. He is a founding member of CyberWales, representing the cyber security ecosystem across Wales and on the international stage.

Security BSides Athens 2020: CyberSecurity | InfoSec | Ethical Hacking | Computer Security | Evolving Threats | Threat Landscape | Privacy | Cyber Resilience. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world. We are responsible for organising an independent Security BSides-approved event for Athens, Greece. More: https://www.bsidesath.gr. Follow on Twitter: @BSidesAth
Transcript (en)

Hello. It is a pleasure to be part of this year's virtual BSides Athens event. Obviously, due to the COVID-19 situation it is not possible to be together in person this year, but it is great to see the event still going ahead in virtual format, and I hope that you can all still enjoy it online. Firstly, I would like to wish you, your family and your colleagues all the very best, and that you stay safe during this global crisis.

What I would like to reflect on in this talk is the changing cybersecurity landscape that we've seen over the last few years and, specifically, from the lens of the defensive perspective, how you would go about defending a large, modern, distributed enterprise.

Hi, I'm Kevin Jones. I am the group Chief Information Security Officer at Airbus, and I am responsible for the cyber protection of Airbus globally and across divisions, so we have a huge task to do. What do I mean, though, by cyber security in the modern distributed enterprise? Well, let me take Airbus as the example. You've all heard of Airbus as one of the world's largest commercial aircraft manufacturers, but what you may not know is that Airbus is also Europe's largest helicopter manufacturer, and we also have the Defence and Space division that makes military aircraft, is Europe's largest satellite designer, launcher, builder and operator, and we have a plethora of security products, including a cyber security business that provides high-grade cyber security to a lot of Europe's military.

We are truly a global enterprise. We have about a hundred and thirty-four thousand workforce globally, which translates, by the way, into roughly 300,000 endpoints that we have to protect. We operate in 35 countries and a hundred and eighty sites worldwide. In addition to that, we have approximately 12,000 suppliers that form part of our critical supply chain, that we have to make sure keep their parts, or their components, or whatever they are manufacturing and supplying to us, flowing. Like most organisations of our size, Airbus is also undergoing a significant digital transformation at the moment. So as well as protecting all of our different sites, different locations, all of our user groups, we're also making a significant transformation towards the adoption of cloud technologies, much more as well in terms of our manufacturing plants and how we make them integrated with the factory of the future and bring IoT devices into that particular environment. In addition, we're also looking at how we better use things like machine learning and artificial intelligence on our data and make it much more effective for the business. So not only do we have a huge and significant landscape, we're also going through an evolving and agile digital transformation, all of which we have to protect from cyber threats.

So how do we do that? How is cyber security organised at Airbus? Well, firstly, cyber security at Airbus is not just about IT. We operate distinctly in four pillars, IT being obviously a very large and significant pillar, with the IT landscape that we operate globally. But it's also important that we consider the fact that Airbus is one of Europe's largest manufacturing companies: we make aircraft, satellites, helicopters, so protection of our manufacturing plants and our industrial environments also forms a key part of our cyber security programme. Thirdly, we operate around the cyber protection of the products themselves: how do we protect them from cyber threats? And finally, the fourth pillar is people: how do we go about protecting the people that operate in our environment and make sure that they are a key part of our cyber defences?

To do this, we operate a federated cybersecurity organisation, which we think is relatively unique, so it's worth touching on. As the group CISO I have accountability across, and visibility across, all of the divisions, but each division has its own CISO, or Divisional Digital Security Officer as we call them, because of the four-pillar nature that we operate in. Now, each division is legally accountable and runs their operations locally. We will also then have local teams in engineering, for example, for our cyber protection of product; we will have local teams in manufacturing for the cyber protection of the production lines. But we have to have a way of coordinating that, so we centralise the reporting, we centralise the coordination and we centralise the strategy, if you like, for how we're going to implement all across levels, and that's what we term the federated model. Now, not many organisations today operate in that way, but for our particular environment it's so far proving exceptionally effective.

We also have corporate-level key capabilities. So we have things like risk management; we have enterprise security architects that look all across the estate and will do our urbanism, if you like, so they're the city planners of our infrastructure and make sure that we keep the standards everywhere that we would expect. We also have a detection and response capability at corporate level, working with our IM colleagues to form effectively the CERT and the SOC. So once we detect something unusual in the infrastructure, the CERT and the SOC will go about their escalation business and will then try and remediate, mitigate or put controls in place, and I'll come to some of that later on in the talk. We also have at corporate level our own red team, our evaluation testing, so these are our pen testers, our deep-dive specialists that can reverse engineer and do code verification and validation for us, and they will do the red teaming activities. They're the people that attack us, for us, to make sure that we have pre-empted the attack path and can already start working on our mitigations and our detections in architecture and response. And finally we have an innovation and scouting team that is very much forward-looking into the future and is developing capabilities that an organisation like Airbus needs to protect itself. Sometimes that can be unique customisations of technologies that already exist, sometimes it can be completely new technology that is bespoke to Airbus, and other times it can be just making sure we have the right knowledge that is relevant to our business.

We adopt a compliance, regulation and risk-based approach. So some parts of our business are highly regulated; they are safety-critical parts, and therefore we have to follow the highest standards and make sure we're implementing security that is pervasive in everything we do. We are obviously required to be compliant with IT regulations like GDPR and other standards that we adopt, to make sure that we are consistent in our cybersecurity approach and that we're able to consider ourselves adopting the best in class that the cyber security community has to offer. On the risk-based side, obviously everything we want to do has to adopt a risk-based model: what are we doing to reduce that cyber risk for Airbus? Finally, something I think that is important to note is that the cybersecurity ethos we adopt in Airbus is all about people, process and technology, preferably in that order. So we don't just adopt the latest state-of-the-art technologies; we also want to make sure that our processes are right and that we're adopting a people-centric approach to everything that we do. Some of that is fairly unique and is related to the scale at which we operate, and some of it is just adopting best-in-class design for what we do.

I should say at this point that the defender always has to be going through a cybersecurity transformation as well. But I want to switch my mindset slightly for a moment. When we're looking at how I would defend the network, we should first look at how an attacker would come about attacking an organisation like us, and it's always useful to adopt the methodologies that are already out there, and I use the kill chain example for that. So I think it's worth going through that kill chain for those of you who are not aware of it. Obviously, at the beginning of an attack the adversary will do reconnaissance, predominantly external to your infrastructure. So that starts with doing social media mining, building capabilities around your business, learning how you work before they even touch your infrastructure. Then the reconnaissance moves towards, shall I say, external scanning of the networks and of the infrastructures, so that's the point at which the adversary is trying to see what you have, what your digital footprint is on the estate. Once that reconnaissance phase is completed, you will see the weaponisation phase. So this is when the adversary is picking what type of attack tools they want to use, and they could be advanced tools that you can procure or they could be customised tools that the attacker is making for this specific type of mission. Then you go through the delivery phase, and that's obviously where you want to get the dropper or the malware in, or you want to be able to try and move laterally through the network to put your tools in the right place, and you can also live off the land, if you like, so a lot of APT adversaries will use traditional network admin type tools in their modus operandi. Then we want to do the exploitation phase. So the exploitation is whatever type of privilege you can get depending on where you land in the infrastructure: you want to have a look to see what's on the internal estate, you want to try and put your tools in, gain privileges, move laterally and really try and do the installation phase of your attack. Then you're doing either something like command and control, to make sure you can keep that particular connection to the infrastructure, or you're executing whatever type of attack that you think is going to be, or you want it to be, to have the impact: the actions and objectives. Then once they're complete, whether that's data exfiltration, whether that's to cause damage, or whatever that might be, that is notionally the last phase of the kill chain. If I'm being very honest with you, an advanced adversary will have an extra stage to the kill chain which is not traditionally spoken of, and that advanced stage is what I would call the clean-up phase for the attacker: how do you cover your tracks once you've completed? How do you move in such a way around the infrastructure that you want to be undetected?

However, we've done a lot as a community to understand this particular attack path and this particular way that adversaries work, and we also therefore have a significant number of tools in our defender's toolkit. Generally speaking, we divide them into architecture or monitoring types of tools specifically, or the process type of activities that we're going to go ahead and do. So on the architecture side, obviously when an adversary lands on a box, or in a web portal or something like that, we want to make it as difficult as possible for that adversary, (a) to live on that box and (b) to try and move anywhere else in the infrastructure, whether that's an endpoint, whether that's a web server in a DMZ. We want to make sure that we are always protected by architecture, and there's a couple of new things that are coming in when we talk about architecture that are really useful.

Multi-factor authentication has been around for quite some time now and is actually really effective at stopping an adversary, when they've stolen credentials, from trying to be authenticated from a second device. It's not foolproof: you can still spoof a user into giving you the passcode or the key, or clicking on the token that appears on their smartphone, but it really helps with stolen credentials, and if MFA is in place you can detect when you have failures in MFA as well and start reacting and responding to them. There is, however, a much more modern and up-and-coming technique which is generally termed zero trust networking, with zero trust architecture, and that is when you encapsulate around your network, around your applications and around your data a re-authentication check, because you don't trust your network any more. The idea of zero trust is obviously that every time a user accesses a resource on your network you re-authenticate the user. The problem with that is, if you had to enter your username and password, or do an MFA challenge, every time you access something, you would soon give up; it's not very user-friendly. So this is where zero trust uses and leverages machine learning techniques to learn about the user as that login happens. It learns behaviour for a user over a prolonged period of time, and you can set parameters in your infrastructure for things that user can do depending on the given trust level of that access. And I'll give you some concrete examples. If a user logs in from a different country within moments of having logged in on your LAN, on your network, then there's probably something not trustworthy about that second login, and we might want at that point to flag a second challenge, an MFA challenge, to the user, or, if your policy states it, just block that access and alert on it. In addition, you can also do things like: if a user is accessing resources they don't normally access, there might be a valid business reason for that, but you might just want to do a second MFA check just to make sure.

But what about the endpoint itself? What about where the attacker first lands? Well, there are some good techniques here as well. We've seen the adoption of things like micro-virtualisation, so effectively putting a mini VM around each application. There are some challenges to user adoption for that, but actually, if the attacker has to break out of an application VM, even if they use something like a buffer overflow attack that they can install into the application, it's very difficult to break out somewhere else into the box. And similarly, EDR techniques and tools are becoming very widely adopted: they monitor all of the behaviour on that box to see what is going on, and can block certain actions, certain behaviours, and report everything back to your SOC or your security operations to be able to respond accordingly. We've also seen a prevalence of things like data loss prevention, DLP, tools that specifically look at the data that's held on that box, or the data access that comes from that box or that user, and again, similarly, any unusual behaviours can be blocked, or a policy can state that you can't access this resource, this data type or that area; and specifically you can also do things like USB blocking or CD blocking or email blocking around data. DLP is very, very useful for syntactic and semantic matching of data types, and you can really automate the data that is on the box and the data that user can have access to, and that's really good for both insider-type attacks and also, if the user has clicked on a phishing link and downloaded something to their box, it prevents an external adversary from doing malicious things as well.

Cloud security is a big thing. We're seeing the emergence of things like cloud data focus, we're seeing the emergence of cloud encryption techniques, and the cloud operators themselves are really providing this as a service, predominantly, but it's up to any organisation adopting the cloud to make sure, firstly, that their cloud environments are secured properly and configured properly. So there are automated tools to help you with that, that prevent the risk of cyber attack on your cloud, and even then encrypting all your data when it's on the cloud is absolutely key.

But one of the most interesting areas I think that we've seen developing is the notion of deception-ware: so tools that will put fake credentials throughout your network, through your endpoints, through infrastructure, to try and (a) slow down an attacker, because they don't know if this credential is valid or not, and (b) to operate effectively like a honey trap, so that if one of these credentials is tried somewhere else in your network you immediately know that something's not quite right. And then finally, looking ahead on the network side, we're seeing things like software-defined networking that has real potential to allow localised policies, a much more fine-grained control over your network infrastructures.

On the security monitoring side, this is obviously where we have things like security operations, security orchestration and automation. SIEM tools have been used with orchestration and automation to make the first line much more automated, to deal with the deluge of alerts that's coming in, and obviously the more security tools that you put in place, the more data you're getting into your security operations centres to detect the anomalies. We're also seeing the emergence of machine learning being applied to try and filter out the noise and the duplicates, and therefore you can concentrate much more on the collective view of your systems and of what's going on, and you can respond much, much more quickly if you're automating the process in your security operations centres. There are still challenges when it comes to things like, for example, industrial environments and how you integrate the SOC into that environment. Airbus has already gone down that path, deploying certain technologies and improving our forensic readiness even in industrial environments that are not traditional IT environments as well, so very much an important area. I should say, by the way, that all the tools, things like for example Procmon and syslog, are still valuable data types for the SOC, but then you have to manage the large data volumes that come with that.

So even if an attacker does land on an endpoint, the modern enterprise will have tools and techniques to try and prevent that movement, and the relevant monitoring techniques to detect unusual behaviours in the infrastructure, to try and move quickly. However, we still want to think like an attacker, and this is where we have our own red team coming in, and our red team will do, for example, deep-dive evaluations to find vulnerabilities in the products that we buy and the products that we make as well, before launching, to make sure we have the highest standards of security. The pen test team will perform pen tests across our entire estate, preferably as early as possible in the development lifecycle, with pre-deployment testing, as we want to go from that element. And really thinking like an attacker, having a dedicated red team and pen test, makes a company much more secure, because we're finding things before our systems go live and we're able to very quickly verify and work with the blue teams, the defending teams, to be able to work on hypotheses when we see alerts that might come in.

And finally, just to conclude: it's not just a technical view of the world we have to take. We have to adopt a human-centric cybersecurity approach in everything that we do, and Airbus has one of Europe's first dedicated research and innovation teams for human-centric cybersecurity. So we look to make sure we have best-in-class awareness, but also take techniques that are natural and normal to the aviation industry, like black box thinking: if an event occurs and we launch an investigation, for example, are we doing the right things? We need to look back at every reason why we got to that stage of the investigation and take a real human view of it. It's not a blame culture; it's really looking at things through a different lens and making sure we haven't missed anything. So human-centric is really key and really important.

We do, however, still have challenges as an industry as a whole. Now looking outside of Airbus, firstly on the red team or pen test side: I've been very specific that you have to think like an attacker. We do a lot of work pen testing web apps, but what does that mean? How does that deliver value for the business, and how does that translate into, shall I say, the impact it could have further down the line when you chain these things? Everything you do as a red team or pen test has to be done legally and it has to be done ethically. Engage the businesses that want to engage with you, look for things like vulnerability disclosure policies, but don't just go and pen test infrastructure without permissions. So work with people, or be part of an in-house team or a team that is contracted by a company to do that, and really think about the system itself. Think holistically, not just about the software stack in front of you: think about what it's running on, where it's going to be. Most importantly, be part of the community.

The second issue I think you have, as a whole community, is security metrics and risk management. Generally speaking, we're not very good at presenting risk metrics that make sense to a company, and especially escalating that to the board, so we need to really think carefully about how we present our work, whether that is the results of a pen test or an audit, or whether that is the current operational state or risk state of a business. The biggest killer to all of us is complex systems of systems. So how do we work with complexity? How do we manage that complexity as we integrate more and more through our environments? Think of the global scale at which Airbus operates: it's hugely complex, and how do we manage that, how do we control that, and to a certain extent how do we automate our security as much as possible? On the data classification side: you can't protect what you don't know, so really we need a lot of work on data classification to make sure we know where the data is and what type of data it is. Finally, the other area I think is probably most important to look at is playbooks and incident response plans. Make sure that you have a playbook and an incident response plan that is appropriate. Make sure, by the way, that a playbook is not a prescriptive "this is exactly what you do"; it's "these are the right people you call and you bring them in". So generally speaking, as a community we need to share what playbooks look like, what they are, and upskill other organisations in how large players do it.

What I also want to look at is slightly beyond the perimeter. So the key message is: we used to have this model of the security perimeter of an enterprise. Be under no illusions, in the modern distributed enterprise the perimeter is gone, the perimeter is dead. We're now dealing with multiple suppliers, data outsourcing, suppliers' networks, interconnectivity between suppliers and our own portals; we have cloud technologies; we are really running more and more services. So we need to think differently about how we protect our infrastructure and how we provide cyber security. Firstly, application development, as it's been done either by suppliers (the applications we're buying) and also the applications we're doing in-house, that may live either in or outside of our perimeter: we have to adopt best-in-class things like DevSecOps to be able to do that. Think about your cloud infrastructure and your cloud estate. For most organisations, how do we protect that? And we've seen that a lot of the highly advertised data breaches that have occurred over the last four or five years have been because of cloud technologies not being secured. The supply chain is also a hugely important area for what we want to protect. If you have data in your suppliers, or data in suppliers interconnected with you, you still have to protect that as part of your infrastructure, and there are ways and means you could do that. Also physical security and the extended enterprise, so those that connect to you: how do you protect your key assets physically when they're on your site? Without that you don't have good security, and I will remind you that you need to do that across all four pillars that we spoke about earlier. So IT; industrial, and even if you're not a manufacturing company you will inevitably have things like logistics or heating and ventilation systems that are interconnected to your network now, so consider those; for those of you that make something, whether it's a product that is physical or whether it's a software product, you need to think about that as well; and people.

So finally, I want to leave you quickly with some of my key takeaways, things to remember when you're doing defensive security. Firstly, put cyber security risk at the board level if possible. You have to escalate the security of your organisation as high as possible to make sure that the board is discussing it on a regular basis, to get the support that you need. In Airbus I do not sit in IT, actually; I sit under the Chief Security Officer, and I have a counterpart who is the head of IM IT cybersecurity, and we work very closely together, and together we present to the board. Always follow your data: in the modern distributed enterprise your data is everywhere and you must follow the data wherever it goes. Consider IoT and infrastructure in your cybersecurity programme; it's a must for all organisations, especially where you have new smart technology, smart buildings, heating and ventilation systems, or even if you're using IoT sensors for various things around your operations. That is part of your cybersecurity programme, and that includes things that are not necessarily managed by IT in your estate. Monitor your supply chain and extended enterprise; absolutely key if you're going to have an incident, and it can come from your supply chain, or an incident on your supply chain can have a major impact on your business. Find security metrics that make sense, and they're not necessarily IT security metrics, but they might be, depending on the type of organisation you are. Think like an attacker in everything you do as a defender, because that way you will end up being mature, and make sure you're operating with state-of-the-art techniques. And finally, plan for a cyber incident and test that plan. You've got to test it: the first time you're testing that plan is not in a real incident, so you must be prepared and mature for your cyber defence.

So that's the view that I would like to give you from the defender's perspective. I appreciate your time. Thank you very much for listening to me. I would once again like to wish you all the best, and stay safe during this time.
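The two concrete zero-trust examples given in the talk (a login from a different country within moments of a login on the LAN, and a user touching a resource they do not normally use) can be expressed as a small contextual access policy. The code below is an added illustration written for this page; it is not Airbus code and does not come from the talk. It assumes a country is available for each request's source address, approximates "impossible travel" as a country change within a fixed time window rather than with a learned model, and builds each user's resource baseline from previously allowed requests; the user names, resources and timestamps are constructed sample data.

```python
"""Contextual (zero-trust style) access decisions: allow, step-up MFA, or block.

Added example for this page, not Airbus code. Assumptions: every request carries
a source country (assumed to come from geolocation), a per-user baseline of
usual resources is learned from previously allowed requests, and "impossible
travel" is approximated by a country change within a short time window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    ts: datetime
    country: str      # geolocated source country (assumed available)
    on_lan: bool      # True when the request originates on the corporate LAN
    resource: str     # application or data set being accessed


@dataclass
class UserProfile:
    usual_resources: Set[str] = field(default_factory=set)
    last_request: Optional[AccessRequest] = None


class ContextualAccessPolicy:
    """Evaluates each request against the user's recent history and baseline."""

    def __init__(self, travel_window: timedelta = timedelta(minutes=30),
                 block_on_travel: bool = False) -> None:
        self.travel_window = travel_window       # "within moments" threshold
        self.block_on_travel = block_on_travel   # policy choice: block vs. step-up
        self.profiles: Dict[str, UserProfile] = {}

    def evaluate(self, req: AccessRequest) -> Tuple[str, List[str]]:
        profile = self.profiles.setdefault(req.user, UserProfile())
        decision, reasons = ALLOW, []

        # Check 1: country changed shortly after the previous login.
        prev = profile.last_request
        if (prev is not None and prev.country != req.country
                and req.ts - prev.ts <= self.travel_window):
            minutes = int((req.ts - prev.ts).total_seconds() // 60)
            origin = "the LAN" if prev.on_lan else "outside the LAN"
            reasons.append(f"country changed {prev.country}->{req.country} "
                           f"{minutes} min after a login from {origin}")
            decision = BLOCK if self.block_on_travel else STEP_UP

        # Check 2: resource outside the user's learned baseline (never escalates
        # a block down to a step-up; only raises an allow to a step-up).
        if profile.usual_resources and req.resource not in profile.usual_resources:
            reasons.append(f"resource '{req.resource}' not in user's baseline")
            if decision == ALLOW:
                decision = STEP_UP

        # Update history; the baseline only learns from requests allowed outright,
        # so an unusual resource is not added until the step-up would succeed.
        profile.last_request = req
        if decision == ALLOW:
            profile.usual_resources.add(req.resource)
        return decision, reasons


def run_scenario(block_on_travel: bool = False) -> List[str]:
    """Replays a constructed sequence of requests and returns the decisions."""
    policy = ContextualAccessPolicy(block_on_travel=block_on_travel)
    t0 = datetime(2020, 6, 20, 9, 0)
    events = [  # constructed sample data
        AccessRequest("alice", t0, "GR", True, "hr-portal"),
        AccessRequest("alice", t0 + timedelta(minutes=2), "GR", True, "hr-portal"),
        AccessRequest("alice", t0 + timedelta(minutes=5), "US", False, "hr-portal"),
        AccessRequest("alice", t0 + timedelta(hours=3), "GR", True, "finance-share"),
        AccessRequest("alice", t0 + timedelta(hours=3, minutes=1), "GR", True, "hr-portal"),
    ]
    decisions = []
    for event in events:
        decision, reasons = policy.evaluate(event)
        decisions.append(decision)
        print(f"{event.ts:%H:%M} {event.user:6} {event.country} {event.resource:14} "
              f"-> {decision:8} {'; '.join(reasons)}")
    return decisions


if __name__ == "__main__":
    run_scenario()
    print("--- with block_on_travel=True ---")
    run_scenario(block_on_travel=True)
```

The third request is the talk's first example (a login from another country five minutes after one on the LAN) and is raised to a step-up challenge, or to a block when the policy is configured that way; the fourth is the second example (a resource outside the baseline, three hours later so the travel check no longer fires) and gets a step-up on its own. A production implementation would replace the fixed window with the learned behaviour the talk describes and feed every step-up or block to the SOC as an alert.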