Given the criticality of information technology to both event organizers and attendees, one area of acute concern was cyber security. Here too, the computer, communications and event data systems operated as planned throughout the fortnight. As we now know, failure to disrupt the digital side of the games wasn't for lack of trying and the reason provides some apt security lessons for enterprise IT.
As the IT partner for the International Olympic Committee (IOC), Atos has been supplying infrastructure, applications and security for the last eight games. Representatives of the company shared its experiences during presentations at the recent McAfee FOCUS security conference. With growing use of mobile devices, apps, social networks, online streaming, data collection and analytics, the cyber security task gets bigger each year. Indeed, Rio marked the first Olympics more people watched online rather than on TV. However, technology also makes the job easier, and Rio was the first time Atos ran some of its security systems on cloud infrastructure.
Unbeknownst to most of us and a testament to a job well done, the games also withstood one of the largest sustained DDoS attacks, at 540 Mbps, and logged over 500 million cyber security events, double the number from London in 2012; all designed to disrupt the event and steal information. For comparison, the IoT DDoS attacks that knocked Brian Krebs' site offline in September peaked at between 555 and 623 Mbps, and while DynDNS did not reveal the exact size of the attack that disrupted its customers, it was probably comparable.
Somehow, the Rio infrastructure withstood multiple attacks of this scale for over two weeks. Furthermore, as Atos security strategist Javier Gonzalez pointed out at FOCUS, the threats they prepared for didn't only come from external attackers, but also from insiders and credentialed contractors. The risk wasn't just service disruption, but Olympic brand reputation, data integrity and compliance with multinational privacy laws. Coping with it was an enormous undertaking spanning 18 months that involved identifying almost a thousand risk scenarios and culminated in more than 200,000 hours of testing.
Strategy: assessment and design
A project of this scale required Atos to be systematic, Gonzalez explained. That started by developing a security plan that required understanding the risks, identifying critical systems and data, defining relevant security metrics and establishing baselines for normal activity. Next came developing security policies, procedures and controls where Atos started with the ISO27001 security framework and then adapted ISO27002 to meet its unique needs.
Turning the strategy and policies into an operational security program required Atos to develop several things: measurements and the associated infrastructure for a continuous view of its security posture; a data collection and analysis platform that could evaluate the millions of security alerts and telemetry to assess risk; a network infrastructure designed and built to provide the appropriate security domains and control points; and an operations center to run the whole thing and respond to incidents.
Risk identification and assessment is essential to developing the appropriate controls and the subsequent process of identifying potential threats and risks, developing mitigation plans, building audit processes, putting it into operation and optimizing operational efficiency. Indeed, the myriad threats and scope of the Olympics are undoubtedly the reason Atos ended up creating so many scenarios requiring thousands of hours of testing.
Defense in depth and security operations
Gonzalez says Atos followed standard security practice of building a defense that covered three primary areas — application code, infrastructure and people. It required developers to follow security best practices such as encrypting data and connections. IT infrastructure was built with several network and server layers for different classes of software, with a central identity and access management system to enforce the policy of least privilege in which users have tightly defined roles that are only allowed to perform certain functions. To augment technologically-enforced policy, Atos also established security and data management training for operations people and used technical rehearsals and surveillance to both test and validate adherence to policies.
Operating and monitoring a security system of the scale deployed at Rio requires a high level of automation which Atos centralized in a security information and event management (SIEM) system. Challenged with making sense of over 20,000 security event types and handling 15 million alerts per day, it used McAfee SIEM software to aggregate, filter, correlate and continuously prioritize telemetry with threats of different severities automatically feeding into predefined incident management processes and a ticketing system.
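The aggregate, filter, correlate and prioritize stages described above can be sketched in a few dozen lines. The following is an added illustration, not Atos' or McAfee's code: it reads constructed key=value telemetry from several systems, drops noise types, correlates per user across sources (repeated login failures followed by a success and a privilege change on a different system), assigns a severity, and routes each incident to an assumed response queue. The event types, severity values, thresholds and queue names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample telemetry (key=value lines from several systems); not real Games logs.
SAMPLE_LOGS = """\
ts=2016-08-10T02:00:01Z src=auth-srv type=AUTH_FAIL user=opsadmin ip=203.0.113.7
ts=2016-08-10T02:00:04Z src=auth-srv type=AUTH_FAIL user=opsadmin ip=203.0.113.7
ts=2016-08-10T02:00:08Z src=auth-srv type=AUTH_FAIL user=opsadmin ip=203.0.113.7
ts=2016-08-10T02:00:09Z src=auth-srv type=AUTH_FAIL user=opsadmin ip=203.0.113.7
ts=2016-08-10T02:00:15Z src=auth-srv type=AUTH_OK user=opsadmin ip=203.0.113.7
ts=2016-08-10T02:01:30Z src=results-db type=PRIV_CHANGE user=opsadmin role=db_owner
ts=2016-08-10T02:02:00Z src=web-fe01 type=HTTP_404 ip=198.51.100.9 path=/favicon.ico
ts=2016-08-10T02:05:00Z src=web-fe02 type=AV_HEARTBEAT host=web-fe02
ts=2016-08-10T03:00:00Z src=auth-srv type=AUTH_FAIL user=volunteer12 ip=192.0.2.40
ts=2016-08-10T03:10:00Z src=auth-srv type=AUTH_OK user=volunteer12 ip=192.0.2.40
ts=2016-08-10T04:00:00Z src=results-db type=PRIV_CHANGE user=dba1 role=db_owner
"""

NOISE_TYPES = {"HTTP_404", "AV_HEARTBEAT"}  # dropped at the filter stage (assumed list)
BASE_SEVERITY = {"AUTH_FAIL": 1, "AUTH_OK": 1, "PRIV_CHANGE": 3}  # 1=info .. 5=critical (assumed)
STANDALONE_MIN = 3  # lone events at or above this severity still become incidents


@dataclass
class Event:
    ts: datetime
    src: str
    type: str
    fields: dict = field(default_factory=dict)


def parse_event(line):
    """Normalize one key=value line into an Event."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    ts = datetime.strptime(kv.pop("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kv.pop("src"), kv.pop("type"), kv)


def aggregate(raw):
    """Aggregate: every line from every source into one normalized, time-ordered stream."""
    return sorted((parse_event(l) for l in raw.splitlines() if l.strip()), key=lambda e: e.ts)


def filter_noise(events):
    """Filter: discard event types that never carry signal on their own."""
    return [e for e in events if e.type not in NOISE_TYPES]


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Correlate per user across sources: at least fail_threshold failed logins, then a
    success, optionally followed by a privilege change on another system, all inside the
    window, form one incident. Returns (incidents, ids of events absorbed into them)."""
    by_user = defaultdict(list)
    for e in events:
        if "user" in e.fields:
            by_user[e.fields["user"]].append(e)
    incidents, consumed = [], set()
    for user, evs in by_user.items():
        for i, ok in enumerate(evs):
            if ok.type != "AUTH_OK":
                continue
            fails = [f for f in evs[:i] if f.type == "AUTH_FAIL" and ok.ts - f.ts <= window]
            privs = [p for p in evs[i + 1:] if p.type == "PRIV_CHANGE" and p.ts - ok.ts <= window]
            if len(fails) < fail_threshold:
                continue
            chain = fails + [ok] + privs
            consumed.update(id(e) for e in chain)
            incidents.append({
                "user": user,
                "rule": "brute-force-then-priv-change" if privs else "brute-force-then-login",
                "severity": 5 if privs else 4,
                "sources": sorted({e.src for e in chain}),
                "events": len(chain),
            })
    return incidents, consumed


def prioritize(events):
    """Prioritize: correlated chains plus lone events whose base severity clears
    STANDALONE_MIN, ordered so the SOC queue sees the most severe first."""
    incidents, consumed = correlate(events)
    for e in events:
        if id(e) not in consumed and BASE_SEVERITY.get(e.type, 1) >= STANDALONE_MIN:
            incidents.append({"user": e.fields.get("user"), "rule": f"single-{e.type}",
                              "severity": BASE_SEVERITY[e.type], "sources": [e.src], "events": 1})
    return sorted(incidents, key=lambda inc: -inc["severity"])


def route(incidents):
    """Map severity onto predefined response queues (assumed tiers), producing ticket dicts."""
    queue = {5: "P1-pager", 4: "P2-analyst"}
    return [dict(inc, queue=queue.get(inc["severity"], "P3-backlog")) for inc in incidents]


def run_pipeline(raw):
    return route(prioritize(filter_noise(aggregate(raw))))


if __name__ == "__main__":
    for t in run_pipeline(SAMPLE_LOGS):
        print(t["queue"], t["severity"], t["user"], t["rule"], t["sources"])
```

On the constructed input, the four failures and the success on `auth-srv` plus the later role change on `results-db` collapse into a single critical ticket for `opsadmin`, even though no individual event is more than informational on its own; the lone `dba1` role change lands in the backlog queue, and `volunteer12`'s single failure never becomes a ticket. That is the point of correlating across systems before ranking: the per-event feed alone would have shown nothing worth paging on.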
Post hoc analysis
Although each Olympics is a one-time event, a security project of that scale provides many lessons in what worked and how to make improvements. Gonzalez set out how Atos performed a post hoc security review that covered four areas:
- The effects of security on visitors, workers, services and business processes.
- Implications of security on business results.
- Gap analysis to find potential security holes using various ISO and NIST standards and processes.
- Risk analysis to identify, evaluate and treat previously unknown risks and threats.
He said that insights from the Olympics will feed Atos' enterprise security services such as hosted SOC (security operations center), security incident response team (SIRT), consulting and end-user security like DLP, client security, identity and access management.
Few organizations will ever face a security challenge as large, complex and conspicuous as the Olympics. However, the strategic approach and operational techniques used to protect such a vast event provide useful lessons for enterprise IT. While the level of process formalism employed by Atos — such as adherence to detailed and cumbersome ISO standards — isn't required in smaller organizations, it does show the value of taking a systematic approach to security design, using situational analysis to drive technical and operational specifics.
Atos' experience also demonstrates the value of security data collection, analysis and automated event prioritization. Critical insights will be lost within vast amounts of security data unless sophisticated data analytics can be used. Seemingly unrelated events on different systems may all be part of a sophisticated attack, and it is impossible to find those correlations without aggregating all security data. Furthermore, applying machine learning and predictive analytics to security data repositories helps in several ways by suggesting improved defenses, prioritizing incident severity, reducing incident response time and ultimately predicting imminent attacks.
After incidents like the DynDNS attack or the endless string of PoS credit card breaches, cyber security can seem like a hopeless task. Atos' successful efforts at the Rio games show that a combination of rigor, planning, technology and training can give the advantage to cyber defenders.