News

Olympian view on a Herculean task — security at Athens 2004
Joe O’Halloran
Infosecurity Today January/February 2004

To all companies, the ramifications of a breach are extremely serious. Yet some companies can hide the fact. The providers of IT for this year's Olympic Games in Athens certainly do not fall into this category. Since 1998, Schlumberger Sema has been Worldwide Olympics IT partner and has to integrate and manage the vast IT infrastructure of a Games. This includes accreditation, sports entries and qualification, transportation, accommodation, real time results, information to broadcasters and media, the Games' Internet and the Intranet for media, judges, athletes and sponsors.

The job at hand is vast. The IT infrastructure has to cover 60 venues, for 28 sports with 37 disciplines and 30 events with 200,000 competitors. To do this Schlumberger Sema will be using 32 critical applications, using 900 servers with 10,500 workstations and 400 printers. The company also says that its network will be the most secure according to the budget allocated. It needs to be. The IT team — comprising 3,235 staff plus 12,000 trainees by Games time — expects to deal with over 200,000 alerts per day.

The company has one chance to get things right; breaches to the Olympics network are the stuff of nightmares. The Games can't be rerun and events retimed. An estimated combined global TV audience of 30 million people will cast a harsh judgement on those who failed to
lock down the Olympics.

With so much at stake, Schlumberger's security risk manager Dayle Wheeler is nonetheless relaxed. Responsible for defining and implementing the security procedures as well as running a managed security service, Wheeler has put in place a three-layer information security management apparatus that encompasses the process, people and technological aspects of security management. Security metrics will be obtained from an awareness campaign which also includes a large risk assessment element. Wheeler will be using a security dashboard that delivers solutions for response management, incident analysis and reporting and forensic analysis.

Dayle Wheeler: relaxed

The management system is a direct result of the experience of the Salt Lake Winter Games in 2002. The biggest lessons, says Wheeler, were related to awareness, governance and process: "Today we have a couple of hundred staff and that goes up to 3,500 by Games time. Within this time frame there is no time to create some form of an IT security or culture per se, so a lot of the training and a lot of the policies and procedures and the focus of governance is 'this is what you do, this is what you've got to know, this is how you do it.'"

Wheeler feels that there will be no time to impose security governance structures in accordance with any of the international standards such as ISO 17799. He argues that what is more appropriate is what he calls a quick point and time security strategy. He defines it as follows: "We highlight to everybody this is what we want; this is what we expect and this is how we are going to do it, that's it."

Even though Schlumberger Sema has a nontraditional business working model, governance and procedure are crucial; there are very clearly defined policies and contingencies depending on the type of attack, and Wheeler would argue that workflow is analysed to a far greater degree than in most commercial environments. He explains: "Most [commercial] companies are happy to know 60 to 80% of what is going on in a network. In an Olympic event that is not enough; we need to know 100% of what is going on, for both server and client."

Schlumberger Sema looks at security technology in terms of both control and monitoring. Wheeler admits freely that he has not invested in state of the art control technology — just very good, tried and tested solutions — but has gone cutting edge in terms of control with the intention of cutting down false positives and negatives in terms of alerts. This frees up time and resources and the key is a Security Information Manager (SIM). Wheeler explains how the solution will be used: "If you take any form of SIM and you default deploy it with a default rules set you will go down from a million alerts to 100 alerts. Most companies find that fairly acceptable. In an event, not quite. When you have seconds to provide input to business management to make a decision — do I switch off the Internet? Yes or no? — you need to know exactly what's going on."

In Salt Lake City, circumstances arose where certain things had to be switched off even though the full picture of the scenario was not known. By using an enhanced SIM for Athens, such occurrences should be less likely as the intention is to build in more credible information filters. Says Wheeler: "The default SIM itself is not going to give you any form of heightened security levels. I've studied the network, studied exactly how applications communicate and when and I've taken all that information and built up rules. We've taken the knowledge gathered from Salt Lake City, and taken these to the tools for an intelligent security solution."

Locking down the Olympics

Despite his awesome responsibility, Wheeler emits an air of quiet confidence in his team's ability to do the Herculean job at hand. He believes that he'll do this job by some cool calculation and assessment rather than splurging on all the tools that are available. He says: "You should evaluate requirements from a business perspective and the security plan has to set the security according to the business perspective." The whole world will be watching to see if he called it right.
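Wheeler's description of building SIM rules from "exactly how applications communicate and when" can be illustrated with a small baseline filter. This is an added example, not Schlumberger Sema's rule set: the host group names, ports, time windows and alerts below are all constructed for illustration.

```python
from datetime import datetime, time
from typing import NamedTuple

class Flow(NamedTuple):
    src: str        # source host group (hypothetical name)
    dst: str        # destination host group (hypothetical name)
    port: int
    start: time     # window in which this traffic is expected
    end: time

# Constructed baseline: which systems talk to which, on what port, and when.
BASELINE = [
    Flow("results-app", "results-db", 5432, time(6, 0), time(23, 59)),
    Flow("venue-ws", "accreditation", 443, time(5, 0), time(23, 59)),
    Flow("backup", "results-db", 22, time(1, 0), time(3, 0)),
]

# Constructed alerts, shaped as a SIM might receive them from sensors.
ALERTS = [
    {"ts": "2004-08-14T10:15:00", "src": "results-app", "dst": "results-db", "port": 5432},
    {"ts": "2004-08-14T02:10:00", "src": "backup", "dst": "results-db", "port": 22},
    {"ts": "2004-08-14T14:30:00", "src": "backup", "dst": "results-db", "port": 22},
    {"ts": "2004-08-14T11:02:00", "src": "venue-ws", "dst": "results-db", "port": 5432},
]

def classify(alert, baseline=BASELINE):
    """Return 'expected', 'off-schedule' or 'unknown-flow' for one alert."""
    at = datetime.fromisoformat(alert["ts"]).time()
    known = [f for f in baseline
             if (f.src, f.dst, f.port) == (alert["src"], alert["dst"], alert["port"])]
    if not known:
        return "unknown-flow"       # nobody documented this conversation
    if any(f.start <= at <= f.end for f in known):
        return "expected"           # matches the baseline in path and time
    return "off-schedule"           # right path, wrong time of day

def triage(alerts, baseline=BASELINE):
    """Split alerts into suppressed (expected) and escalated, with a reason."""
    suppressed, escalated = [], []
    for a in alerts:
        verdict = classify(a, baseline)
        if verdict == "expected":
            suppressed.append(a)
        else:
            escalated.append({**a, "reason": verdict})
    return suppressed, escalated

if __name__ == "__main__":
    quiet, loud = triage(ALERTS)
    print(f"suppressed {len(quiet)}, escalated {len(loud)}")
    for a in loud:
        print(a["ts"], a["src"], "->", a["dst"], a["port"], a["reason"])
```

Each escalated alert carries its reason, so the analyst sees at once whether a documented flow ran at the wrong hour or the conversation was never documented at all.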