Mercator: Mapping the information system
Formal Metadata
License: CC Attribution 2.0 Belgium. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/61966 (DOI)
Transcript: English (auto-generated)
00:10
Hi there. I'm Didier. I'm a technology and information security enthusiast. I started my career as an information security ninja, defending information against cyber threats using my Jedi skills.
00:23
However, I also have another side to me that comes out at night, that of a beloved hacker. I love using my skills to support the value of open source and firmly believe in it. I believe that technology can be used to improve people's lives, but it can only be done if we work together and share our knowledge.
00:43
That's why I'm also a strong advocate of collaboration and openness in the technology industry. So, may the open source be with you. I will present a project we made at the hospital where I work during the COVID crisis. A hospital information system is really complex.
01:03
It's more than 3,000 applications, 4,000 virtual machines, 2,000 people working in a critical infrastructure, 7 days a week, 24 hours a day, to save people's lives. To secure this environment, we need a global view of all the elements that compose the information system, to obtain better readability and thus better control.
01:26
So we started to build a cartography based on the ANSSI guide, Mapping the Information System. But when we looked for a tool, we didn't find one that fit our needs. Then the COVID crisis came, all IT projects were stopped or at least slowed down,
01:44
so we took this time to work on this tool, Mercator. Mercator helps organizations map the information system in order for them to meet the operational requirements of cybersecurity. It helps to build a map in five simple, practical steps. It can be used by any organization, irrespective of its type, size,
02:03
maturity in terms of cybersecurity, or complexity of the information system. It's open source and can be used by any organization in the public or private sector alike. So what is Mercator? Mercator is a web application that allows you to manage the mapping
02:20
of the information system as described in the information system mapping guide from the ANSSI. What is mapping? Mapping is a way to represent the information system of an organization as well as its connections with the outside world. The term mapping refers to a schematic representation of a set of information.
02:41
Mapping is different from inventory. Typically, you manage your assets in different inventories, but you don't know the relations between them and the importance of the relations between all the information. In mapping, we will try to have a complete view from the outside world, from business requirements down to your applications, your servers,
03:02
and your physical inventories and your IT rules. So Mercator, the cartographer, is the author of the Mercator projection, which is a conformal projection. It keeps the angles. It was very useful for sailing in the 70s century.
03:20
Why mapping? Mapping is essential to control the information system. It allows you to have knowledge of all the components of your information system and to obtain a better understanding of it by presenting it in different views. It allows you to fulfill the four challenges of digital security. The first is to control the information system. The cartography allows you to have a common and shared vision
03:43
of the information system within the organization. Then it protects the information system. Mercator mapping makes it possible to identify the most critical and most explicit systems, to anticipate possible attack paths on these systems and to implement adequate measures to ensure their protection.
04:02
Then there is the defense of the information system. Mapping makes for a more effective response in the event of an incident or a digital attack, to qualify the impact and predict the consequences of the defensive actions taken. And then the information system resilience. Mapping makes it possible to identify the organization's key activities
04:20
to define a business continuity plan. And it's an essential tool for crisis management, whether digital or not. The map is composed of three main assets. It's defined in different views.
04:41
First, you have your ecosystem view that represents the entities with which the information system interacts to fulfill its functions. These are your providers, your partners, your customers. Then you have the business view of the information system that presents the information system through the main processes and information.
05:01
Then all your processes, your activities, your actors. Then you have the application view that describes the software components of the information system, the services they provide and the flows of information between them. Then you have the administration view. This is the list of scopes and privileges of users and administrators.
05:22
Then the infrastructure. The logical infrastructure view illustrates network partitioning, including the definitions of IP addresses, VLANs, filtering and routing functions. And then you have the physical infrastructure view that describes the physical equipment that is used by the information system.
05:42
Your mapping can be built in three steps. And at each of these steps, there is a level of granularity for which you fill in some of this information or some of these objects. At the minimal granularity, level one, you have all the initial elements essential for digital operations, for security operations.
06:01
At level two, the second level of granularity, you have the digital security-oriented mapping. A vital information system must have a mapping which is at minimum at this level. And at level three, there is a fine granularity. We have a comprehensive and detailed mapping that incorporates all digital security requirements.
06:24
This is the main screen of the application. We have at the top the different maturity levels, the three maturity levels. You have a breakdown of all your objects by domain. And then you have a global, proportional view of all the assets of your cartography. We have on the left and on the top your panels.
06:42
On the top panel, you have the views, previews, documentation. And on the left panel, you have all the data entry. Mercator computes the maturity level. An item, an asset in the cartography, is complete if we have all the information, all the related information within M, with other assets.
07:04
For example, an asset in the cartography is not conformant if there is no description, no responsibility, no type. Or if there is no link with other assets. For example, an entity without relations, a process without operations, an application that does not support any process, or a server without applications.
07:24
Then it computes the maturity level. That is the conforming assets divided by the total number of assets. And the percentage represents the effort to be compliant. So the more, the better. So we have a lot of lists. In the assets, we have about 20 different types of assets.
07:43
And you control all the types of assets. You can sort, export them, hide columns, copy. We have a lot of forms to fill in. So each form is STF. You can define the links between objects. There is role management implemented within Mercator.
08:01
We find that you can define within your IT team the obligation to fill in the cartography across different teams. For example, you have the network team that will fill in all the information related to the server. You have the operating system team that will fill in the virtual servers. And you have the application managers that will explain the applications
08:21
and where they are installed. And so you can divide these different roles within the application. There is a history of changes. Whenever something is changed, it's automatically traced in the application. So this is the data model. So you have your entities and your relations. An entity supports different processes
08:41
that define business processes and activities, operations; processes use operations. In the middle, you have applications that are divided into groups. Applications are installed on virtual servers. And these virtual servers are on physical servers.
09:00
Mercator draws the dependencies between the objects. You have the objects in a relational view. You can view your macro processes, your processes, your activities, which are also via your network, your VLANs, and your servers within this VLAN. You can also view the physical infrastructure: the building, the rooms, the server, the physical server, and the bay.
09:22
Mercator also draws the physical network schema. You can define the physical links between the different elements. And you can view where they are installed. You can also explore the cartography. You select an object, you double-click on the object, and it pops up all the links between all these objects. And you can explore all your cartography
09:41
and view what the different links between all your assets are. The main interest of the cartography is to generate reports. So the first major report that the cartography can produce is the information system mapping report. It's a complete Word document where you have all the assets
10:00
of your information system. In the hospital, my hospital's is 600 pages, imagine. And in this report, you can explore the cartography by clicking on the links. You have an application. You can view who uses this application, or where the application is, on which virtual server it is installed, on which physical server, in which building. And you can follow the links within the Word document.
10:23
You can generate a list of supported entities in the applications. You have all your applications, your entities, and what applications they are using. Applications by group. You have all your applications by group. You can view: is it a web application, is it an internal application, who supports it, where is it installed,
10:41
on which physical server; you have a list of all your applications. You have a list of all your physical servers: what is the size of the server, where is it installed, how many disks, how much RAM is it using, and you can also make projections year by year and see how it is growing. You can analyze your security needs on different objects.
11:02
It's a list. So this application normalizes the link between macro process, process, application, database, and information. You have this in the list. You can view here if you have correctly placed your security needs in terms of confidentiality, integrity, traceability, and availability by denormalizing it.
11:22
You can view your logical server configurations, a list of logical servers with their configuration: what operating system, what is installed on this logical server, who is responsible for it, and so on. And finally you have the inventory of all your physical infrastructure, a list of all your physical equipment. You can take this list, go to the IT room,
11:43
and check if it's correctly installed in the correct place and correctly labeled, and if you have equipment that is not in the list. So this is an example of the information system mapping report with a table of contents. You have your schema, and you can start browsing through the information system.
12:04
This is an example of the physical inventory with your site, your room, your building, and your examples. This is an analysis of your security needs. So you denormalize the link between macro process, process, application, database, and you can analyze the differences
12:21
in the requirements between each subject. You can trace the changes made to the cartography over the last few months. You can track the updates of the map, and you can demonstrate to an auditor that your mapping is updated. For example, if you have in December some new application that comes, you should have seen some change in the cartography by the different teams.
12:47
Mercator helps you with the ISO 27001 certification: for the inventory of assets, for the ownership of assets, for the labeling of information, location and protection of assets, change management. You can see why a change impacts other assets.
13:03
Which other assets does it impact? Capacity management: you have a view every year. You can take a view every year of what your capacity is. You can do vulnerability management because you know what types of operating systems and applications you are using, and you can search and see what types of vulnerabilities are present in your inventory.
13:24
You can do segregation of networks, security in supplier agreements, assessment of information security events. In case you have a security event, you can quickly search in your cartography. Or, I heard about this, and you can directly search and generate the cartography. You type a word. If this word appears in the name, descriptions or type of equipment,
13:44
automatically you get the information. I will give you information on processing resources. You know how many servers are using what application, and so on, so you can do it really easily. The application is available on GitHub.
14:00
It's open source. It's situated in three hospitals in Luxembourg and 10 hospitals in France. Three have a message from French municipalities. We have, for the moment, 10 contributors. We have a roadmap. We have tons of ideas for the extension of Mercator. Our main idea for the moment is the treatment plan.
14:22
The treatment registry is an obligation under the GDPR. You have all the treatments that must be in a registry. Crisis directory: whenever you have an incident, you would like, if Mercator is not available because there is an incident, to have on paper, even on paper, what the essential assets are.
14:40
What are the phone numbers of your providers? What are their email addresses? And we plan to make a link with MONARC. MONARC is the Luxembourgish risk analysis methodology. So we can start from your assets and extract a model for risk analysis to analyze your risks.
15:03
Okay, so thank you. Okay, do we have some questions in the room?
15:30
Thank you. So I've got a question related to application and operating system specific assets and files. So you've mentioned vulnerability management and I wanted to ask,
15:41
are you consuming software bills of materials in this specific tool? And the second question, in addition to that, would be how do you consume that data, if so? So thank you.

Okay, so for the moment, you have to enter all your assets by hand. There is no automatic tool that can explain
16:02
who your providers are, what your main business processes are, what your inventory or physical inventory is. There is no automatic tool, no artificial intelligence, that can do it for you. So for the moment, you have to enter it by hand. If you already have some Excel sheet
16:20
with this document, there is an API, a REST API, which you can use to enter or extract the information. And the three other second questions. Did I open to both? Any other questions over there? I saw some question on Matrix asking what was the URI for Mercator.
16:45
Ah, it's there. UL. They are using for URI, so I'm universal resource identifier. I don't know what context. So no other questions?
17:01
No, there's one. Okay. Hi. First of all, thank you for the talk. It's not much of a question, but more like a comment. Following what the other guy asked or talked about, basically the issue I see is how to populate the application.
17:21
So basically you need to connect somehow Mercator with your CMDB or to explore your network. I don't know, for instance, if it could be with Blue Hunt or whatever. I don't know. osquery could help also. So how do you see that kind of connection? How could you bind Mercator
17:41
with those tools that already exist? Is there a way, or are you already thinking to create some API, or I don't know what, could be like some magical way to interconnect those things?

Yes. So for the moment, we have a REST API. You can fill any table
18:00
that is in the Mercator database with any inventory you already have in place. So we can make the link and update these tables automatically. For the moment, we use it, for example, for the configuration of our virtual machines. Every few months, we update Mercator with the configuration of the virtual machines,
18:21
so we don't have to do it manually, because this is a boring task that doesn't have a lot of value. But most of the time, you have to do it manually because this information exists nowhere. For example, how many users are there in this application? Is it a critical application? What kind of application is it?
18:41
Who uses it? What is the RTO or RPO of these applications? All these questions have to be filled in manually, and it's really important information you have to enter because you want to know then: okay, what are my critical applications? What are my critical business processes? This is a critical process, but you chose a non-critical application. Is it normal?
19:01
You have to think about it to build this complete view of your information system using a cartography. Okay, so one more question.
19:23
One question which is related to the other one. There are open source inventory tools available that you can use to automatically populate hardware and software inventories by just installing an agent on computers or using
19:41
one agent which does remote inventory, and use these agents to push the information into your tool. Are you considering using this kind of software?

Yes. There are so many tools that do network inventories, and tools that
20:01
we do not plan, for the moment, to build ourselves connectors with these tools. We try, for the moment, to improve the But as I say, there is an API. If you have an inventory and you want to populate this in Mercator, there is a REST API, so only push. We have in the documentation
20:21
a few examples of usage of the API in C, in Python, in Bash, and so on. So it's really simple to build a script from the inventories you have to populate the Mercator database. But as I say, there are so many tools that you don't want to be linked with specific
20:41
automated tools to fill in Mercator. Also, these automatic tools fill in less than 10% of the job you have to do to complete your cartography. Because most of the work you have to do is probably things you do not have already. And you cannot automate this process
21:01
of completing the cartography. There is no artificial intelligence that can explain to you what your critical processes are, what your critical entities are, what relations you have with them, what your critical applications are, what the RTO and RPO of these applications are. This is something you have to do by hand.
21:23
Okay, some more questions. We can enter earlier, so thank you for your talk. Thank you.