[00:00.000 --> 00:07.000]  Hi there, I'm Guidier. I'm a technology information security enthusiast. I started my career as
[00:16.480 --> 00:21.160]  an information security ninja, defending information against cyber threats using my
[00:21.160 --> 00:27.760]  Jedi skills. However, I also have another side to me that comes out at night, that of
[00:27.760 --> 00:32.680]  a relevant hacker. I love using my skills to support the value of open source and fairly
[00:32.680 --> 00:37.920]  believe in it. I believe that technology can be used to improve people's lives, but it
[00:37.920 --> 00:43.920]  can only be done if we work together and share our knowledge. That's why I'm also a strong
[00:43.920 --> 00:49.960]  advocate of collaboration and openness in the technology industry. So may the open source
[00:49.960 --> 00:56.960]  be with you. I will present a project we've made at the hospital where I work during the
[00:56.960 --> 01:03.960]  COVID crisis. Hospital information system is really complex. It's more than 3,000 applications,
[01:05.280 --> 01:11.360]  4,000 virtual machines, 2,000 people working in a critical infrastructure, seven days a
[01:11.360 --> 01:18.160]  week, 24 hours a day to save people's lives. To secure this environment, we need a global
[01:18.160 --> 01:23.800]  view of all elements that compose the information system to obtain a better readability and
[01:23.800 --> 01:29.960]  do a better control. So we start to build a cartography based on the ANSI guide mapping
[01:29.960 --> 01:35.080]  the information system. But when we look at our tools, we didn't find one that fills
[01:35.080 --> 01:42.080]  our needs. Then the COVID crisis comes, all IT projects were stopped or at least slowed
[01:42.640 --> 01:49.240]  down, so we took this time to work these tools, Mercator. Mercator helps organization mapping
[01:49.240 --> 01:55.120]  the information system in order for them to meet operational requirements of cyber security.
[01:55.120 --> 02:01.480]  It helps to build a map in five simple practical steps. It can be used by any organization
[02:01.480 --> 02:07.200]  irrespective of the type, size, maturity in terms of cyber security or complexity of
[02:07.200 --> 02:12.080]  the information system. It's an open source. It can be used by any organization in public
[02:12.080 --> 02:19.400]  or private sector alike. So what is Mercator? Mercator is a web application that allows
[02:19.400 --> 02:23.280]  you to manage the mapping of the information system as described in the information system
[02:23.280 --> 02:28.920]  mapping guide from the ANSI. What is mapping? Mapping is a way to represent the information
[02:28.920 --> 02:36.080]  system of an organization as well as its connection with the outside world. The term mapping
[02:36.080 --> 02:42.400]  refers to a schematic representation of a set of information. Mapping is different from
[02:42.400 --> 02:48.400]  inventory. Typically, you manage your asset in different inventory, but you don't know
[02:48.400 --> 02:54.000]  the relations between them and the importance of relations between all these information.
[02:54.000 --> 02:59.120]  In mapping, we will try to have a complete view from the outside world, from business
[02:59.120 --> 03:05.080]  requirements, down to your application, your server, and your physical inventories and
[03:05.080 --> 03:11.960]  your IT rooms. So Mercator is a cartographer. He's the author of the Mercator Projection,
[03:11.960 --> 03:16.520]  which is a conformal projection. It keeps the angles. It's very useful in the sailing
[03:16.520 --> 03:24.880]  in the 70s century. Why mapping? Mapping is essential to control the information system.
[03:24.880 --> 03:29.160]  It allows you to have a knowledge of all the components of your information system to obtain
[03:29.160 --> 03:35.400]  a better understanding of it by presenting it under different view. It's allowed to fulfill
[03:35.400 --> 03:40.680]  the fourth challenge of digital security is to control the information system. The cartography
[03:40.680 --> 03:46.560]  allows you to have a common and shared vision of the information system within the organization.
[03:46.560 --> 03:51.960]  It protects the information system. Mercator mapping makes it possible to identify the
[03:51.960 --> 03:57.400]  most critical and most exposed system to anticipate possible attack paths on this system and to
[03:57.400 --> 04:02.960]  implement an adequate measure to ensure their protections. It's a defense of the information
[04:02.960 --> 04:08.680]  systems. Mapping makes it make a more effective response in an event of an incident or a digital
[04:08.680 --> 04:14.760]  attack to qualify the impact and predict the consequence of the defensive actions taken.
[04:14.760 --> 04:19.560]  And then the information system resilience. Mapping makes it possible to identify the organization's
[04:19.560 --> 04:25.800]  key activities to define a business continuity plan and use the same essential tools for
[04:25.800 --> 04:39.320]  crisis management whenever digital or not. The map is composed of three main assets defined
[04:39.320 --> 04:45.880]  in different view. First you have your ecosystem view that represents the entities of our system
[04:45.880 --> 04:50.840]  which with the information interact to fulfill these functions. These are your providers,
[04:50.840 --> 04:57.400]  your partners, your customers. Then you have the business view of the information system
[04:57.400 --> 05:02.600]  that represents the information through the main process and information. Then all your
[05:02.600 --> 05:07.800]  process, your activities, your actors. Then you have the application view that describes
[05:07.800 --> 05:12.360]  the software component of the information system, the service they provide and the flow
[05:12.360 --> 05:17.440]  of information between them. Then you have the administration view. This is the list
[05:17.440 --> 05:24.280]  of scope and privilege of user and administrators. You have the infrastructure, the logical infrastructure
[05:24.280 --> 05:30.480]  view illustrates the network partitioning including the definitions of IP address, V-land, filtering
[05:30.480 --> 05:34.160]  and routing functions. And then you have the physical infrastructure that describes the
[05:34.160 --> 05:44.920]  physical equipment that are used by the information system. Your mapping can be built in three
[05:44.920 --> 05:51.720]  steps and at each of these steps there is a level of granularity which will fulfill some
[05:51.720 --> 05:56.360]  of these information or some of these objects. The minimal grade T level 1 you have also
[05:56.360 --> 06:02.840]  initial element essential for digital operations, for security operations. At level 2, the second
[06:02.840 --> 06:09.640]  level of granularity, you have a digital security oriented for the mapping. The vital information
[06:09.640 --> 06:15.320]  system must have a mapping which is at minimum at this level. And at level 3, you have the
[06:15.320 --> 06:19.480]  findability, you have a comprehensive and detailed mapping that incorporates all digital
[06:19.480 --> 06:26.640]  security requirements. This is the main screen of the applications. We have on the top the
[06:26.640 --> 06:31.520]  different maturity or three maturity levels. You have a breakdown of all your object by
[06:31.520 --> 06:39.640]  domain and then you have all global proportional view of all your assets of your cartography.
[06:39.640 --> 06:44.400]  We have on the left on the top your sun panel. On the top panel you have the views for documentation
[06:44.400 --> 06:53.040]  and on the left panel you have all the data entry. Mercator computes the maturity level.
[06:53.040 --> 07:00.000]  An item, an asset in the cartography is complete if we have all the information, all the related
[07:00.000 --> 07:08.920]  information within M, with other assets. For example, an asset in the cartography is not
[07:08.920 --> 07:14.800]  conformed. There is no research, no responsibility, no type or there is no link between other
[07:14.800 --> 07:20.440]  assets. For example, an entity without relations, a process without operations, an application
[07:20.440 --> 07:25.560]  does not support any process or a server without applications. Then it computes the maturity
[07:25.560 --> 07:30.760]  level. That is the conforming asset divided by the total number of assets and the percentage
[07:30.760 --> 07:37.360]  represents the effort to be compliant. So the more the better.
[07:37.360 --> 07:42.960]  So you have a lot of lists. In the asset you have about 20 different types of assets.
[07:42.960 --> 07:49.600]  You can form all types of assets, you can sort, export them, copy. You have a lot of
[07:49.600 --> 07:57.400]  form to fulfill. Rich form with RTF. You can define the link between objects. There is
[07:57.400 --> 08:02.880]  a role management within that is implemented within Mercator. You can define within your
[08:02.880 --> 08:10.160]  IT team the obligation to fulfill the cartography in different teams. For example, you have the
[08:10.160 --> 08:15.120]  network team that will fulfill all information related to the server. You have the operating
[08:15.120 --> 08:19.920]  system team that will fulfill the virtual server. You have the application manager that
[08:19.920 --> 08:25.440]  will explain the application and where they are installed. So you can divide this different
[08:25.440 --> 08:30.920]  role within the applications. There is a history of change. Whenever something is changed,
[08:30.920 --> 08:36.720]  it's automatically traced in the applications. So this is the data model. So you have your
[08:36.720 --> 08:43.760]  entities and your relations. An entity supports different processes that define business processes
[08:43.760 --> 08:52.600]  and activities operations. Process use operations. At the middle you have the application that
[08:52.600 --> 08:57.000]  are divided in group. Application is set on virtual servers. And these virtual servers
[08:57.000 --> 09:03.560]  are on physical servers. Mercator drives the dependencies between the objects. You have
[09:03.560 --> 09:07.440]  the object in a hierarchical view. You can view your macro process, your process, your
[09:07.440 --> 09:13.240]  activities, which are also why your network, your VLAN and your server is in this VLAN.
[09:13.240 --> 09:18.400]  You can also view the physical infrastructure with the building, the rooms, the servers,
[09:18.400 --> 09:25.200]  the physical server on the bed. Mercator draws also the physical network schema. You can
[09:25.200 --> 09:32.040]  define the physical link between the different elements and you can view where they are installed.
[09:32.040 --> 09:36.360]  You can also explore the cartography. You select an object. You double click on the object
[09:36.360 --> 09:41.240]  and it pops all links between all these objects. And you can explore all your cartography and
[09:41.240 --> 09:48.720]  view what are the different links between all your assets. The main interest in the
[09:48.720 --> 09:53.920]  cartography is to generate reports. So the first major report that the cartography can
[09:53.920 --> 09:59.640]  do is the information system mapping report. It's a complete work document where you have
[09:59.640 --> 10:05.560]  all your assets of your information system. In the hospital, my hospital is 600 pages,
[10:05.560 --> 10:11.800]  imagine. And in this report, you can explore the cartography by clicking on the link. You
[10:11.800 --> 10:15.480]  have an application. You can view who uses this application or where is the application
[10:15.480 --> 10:19.520]  on which virtual server it is installed, on the physical server, on which building and
[10:19.520 --> 10:25.240]  you can follow the link within the world documents. You can generate a list of supported entities
[10:25.240 --> 10:29.760]  and their application. You have all your applications, your entities and what application they are
[10:29.760 --> 10:36.360]  used. They are using. Application by group. You have all your application by group. You
[10:36.360 --> 10:41.200]  can view is it a web application, is it an application, who supports, where is it installed,
[10:41.200 --> 10:45.000]  on which physical server. You have a list of all your applications. You have a list
[10:45.000 --> 10:50.920]  of all your physical servers. What is the size of the server? Where is it installed?
[10:50.920 --> 10:56.320]  How many disks? What is it using? And you can also make projections year by year and
[10:56.320 --> 11:02.040]  see how is it growing. You can analyze your security needs on different objects. It's
[11:02.040 --> 11:08.480]  a list. So the application denormalize the link between macro process, process, application,
[11:08.480 --> 11:13.240]  database and information. You have this on the list. You can view here if you have correctly
[11:13.240 --> 11:19.000]  placed your security need in terms of confidentiality, integrity, traceability and availability
[11:19.000 --> 11:25.720]  by denormalizing it. You can view your logical server configurations. List of logical servers
[11:25.720 --> 11:29.880]  they configuration. What operating system? What is installed on this logical server?
[11:29.880 --> 11:35.720]  Who is responsible of it? And so on. And you can finally have the inventory of all your
[11:35.720 --> 11:41.440]  physical infrastructure. List of all your physical equipments. You can take this list,
[11:41.440 --> 11:45.840]  go in the IT room and check if it's correctly installed in the correct place and correctly
[11:45.840 --> 11:53.040]  labeled. If you have equipment that are not in the list. So this is an example of information
[11:53.040 --> 12:00.080]  system mapping report with a table of contents. You have your schema and you can start browsing
[12:00.080 --> 12:07.440]  through the information system. This is an example of the physical inventory with your
[12:07.440 --> 12:14.240]  site, your room, your building and your examples. This is an analysis of your security needs.
[12:14.240 --> 12:18.480]  So you denormalize the link between macro process, process, application, database and
[12:18.480 --> 12:26.040]  you can analyze the difference in the requirement between each subject. You can track the change
[12:26.040 --> 12:30.960]  made to the cartography from the last three months. You can track the update of the MAC.
[12:30.960 --> 12:36.080]  I can demonstrate to an auditor that comes at your mapping update. For example, if you
[12:36.080 --> 12:41.760]  have in December some new application that comes, you should have seen some change in
[12:41.760 --> 12:51.760]  the cartography by the different teams. Mercator helped you in the ESA 270001 certifications.
[12:51.760 --> 12:56.560]  For the inventory of assets, for the ownership of assets, for the labeling of information,
[12:56.560 --> 13:02.360]  location protection of assets, change management. You can see why a change or impact of the
[13:02.360 --> 13:07.800]  asset. What other assets does it impact? Capacity management. You have a view every year. You
[13:07.800 --> 13:12.680]  can take a view every year of what is your capacity. You can do vulnerability management
[13:12.680 --> 13:18.320]  because you know what type of operating system application you are using and you can search
[13:18.320 --> 13:24.840]  and see what type of vulnerability is present in your inventory. You can do segregation
[13:24.840 --> 13:30.920]  of networks, security and supply agreements, assessment of information in security events.
[13:30.920 --> 13:35.320]  In case you have a security event, you can quickly search in your cartography. I heard
[13:35.320 --> 13:39.800]  about this and you can directly get a certain generic cartography. You type a word. If this
[13:39.800 --> 13:45.720]  word appears in the name, descriptions of type of equipment, automatically you get the
[13:45.720 --> 13:52.920]  information. Availability of information processing resource. You know how many servers are using
[13:52.920 --> 13:59.000]  what application and so on. So you can do it really easily. The application is available
[13:59.000 --> 14:05.160]  in GitHub. It's an open source. It's used in three hospitals in Luxembourg and 10 hospitals
[14:05.160 --> 14:12.480]  in France. Three admissives from French municipalities. We have for the moment 10 contributors. We
[14:12.480 --> 14:18.880]  have a roadmap. We have tons of ID for the extension of Mercator. Our main ID for the
[14:18.880 --> 14:26.200]  moment is a treatment plan. The treatment registry is an obligation by the GDPR. You
[14:26.200 --> 14:31.520]  have all the treatment that must be in your registry. A crisis directory. Whenever you
[14:31.520 --> 14:36.160]  have an incident, you would like if Mercator is not available because there is an incident.
[14:36.160 --> 14:42.080]  If it's on a paper, even on paper, what are the essential assets? What are the code phone
[14:42.080 --> 14:49.760]  number of your provider? What are their email address? And we plan to make a link with Monarch.
[14:49.760 --> 14:56.840]  Monarch is Luxembourgish risk analysis methodology. So we can start by your asset and extract
[14:56.840 --> 15:05.360]  a model of risk analysis to analyze correctly your risk. Okay. So thank you.
[15:05.360 --> 15:30.280]  Okay. Do we have some questions in the room?
[15:30.280 --> 15:35.680]  Thank you. So I've got a question related to application and operating specific assets
[15:35.680 --> 15:41.440]  and files. So you've mentioned vulnerability management. And I wanted to ask, are you consuming
[15:41.440 --> 15:47.200]  software of materials in this specific tool? And second question in addition to that would
[15:47.200 --> 15:52.120]  be how do you consume that data? If so, thank you.
[15:52.120 --> 16:00.440]  Okay. So for the moment, you have to enter all your assets by hand. There is no automatic
[16:00.440 --> 16:06.400]  tools that can explain who are your provider, what are your main business process, what
[16:06.400 --> 16:13.280]  are your inventory or physical inventory. There is no automatic tools or artificial intelligence
[16:13.280 --> 16:18.040]  that can do it for you. So for the moment, you have to enter it by hand. If you have
[16:18.040 --> 16:25.320]  already some Excel sheet with this document, there is an EPI, a REST EPI, which you can
[16:25.320 --> 16:32.640]  use to enter or extract the information. I don't remember the second question. Did I
[16:32.640 --> 16:41.160]  open to both? Any other questions somewhere? I saw some question on metrics asking what
[16:41.160 --> 16:52.840]  was the URI for Mercator? Uh, it's there. UL? They're using for URI, so I'm a universal
[16:52.840 --> 17:01.840]  resource identifier. I don't know what context. Okay. So no other questions? There's one.
[17:01.840 --> 17:10.600]  Okay. Hi. First of all, thank you for the talk. It's not much of a question, but more
[17:10.600 --> 17:17.160]  like a comment. Following what the other guy asked or talk about, because basically the
[17:17.160 --> 17:23.840]  issue I see is how to populate the application. So basically you need to connect some whole
[17:23.840 --> 17:29.120]  Mercator with your CMDB or to explore your network. I don't know, for instance, if it
[17:29.120 --> 17:35.920]  could be with BlueHunt or whatever, I don't know, OSQuery could help also. So how do you
[17:35.920 --> 17:42.760]  see that kind of connection? How could you bind Mercator with those tools that are already
[17:42.760 --> 17:49.760]  existing? Is there a way or are you already thinking to create some API or I don't know
[17:49.760 --> 17:57.160]  what could be like some magical way to interconnect those things? Yes. So for the moment we have
[17:57.160 --> 18:04.680]  a REST EPI. You can fulfill any table that are in the Mercator database with any inventory
[18:04.680 --> 18:10.760]  you already have in place. So you can make the link and update these tables automatically.
[18:10.760 --> 18:16.920]  For the moment we use it, for example, for the configures of virtual machines. Every few
[18:16.920 --> 18:22.200]  months we update Mercator with the configuration of virtual machines. So we don't have to do
[18:22.200 --> 18:30.960]  it manually because this is a boring task that has not a lot of value. But most of the
[18:30.960 --> 18:35.480]  time you have to do it manually because this information exists nowhere. For example, how
[18:35.480 --> 18:40.600]  many users is it in this application? Is it a critical application? What kind of application
[18:40.600 --> 18:46.080]  is it? Who uses it? What is the REST EPI of this application? All these questions have
[18:46.080 --> 18:50.520]  to be fulfilled manually and it's a really important information. You have to enter because
[18:50.520 --> 18:55.320]  you want to know then, okay, what are my critical applications? What are my critical business
[18:55.320 --> 19:01.320]  process? This is a critical process but you choose a non-critical application. Is it normal?
[19:01.320 --> 19:08.640]  You have to think about it to build this complete view of your information system using a cartography.
[19:08.640 --> 19:26.960]  Okay, so one more question. One question which is related to the other one. They are available
[19:26.960 --> 19:34.000]  open source inventory tools that you can use to automatically populate hardware and software
[19:34.000 --> 19:43.720]  inventory by just installing an agent on computers or using one agent which does remote inventory
[19:43.720 --> 19:50.280]  and use these agents and push the information into your tool. Are you considering using
[19:50.280 --> 20:00.640]  this kind of software? Yes, there are so many tools that does network inventories and tools
[20:00.640 --> 20:06.880]  that we do not plan to, for the moment, to build ourselves connectors with these tools.
[20:06.880 --> 20:12.560]  We try to, for the moment, to improve the Mercator tools by itself. But as I said, there
[20:12.560 --> 20:17.920]  is an API. If you have an inventory and you want to populate this in Mercator, well, there
[20:17.920 --> 20:23.360]  is a REST API. So, only push. We have in the documentation a few examples of usage of the
[20:23.360 --> 20:30.480]  API in C, in Python, in Bash, and so on. So, it's really simple to build a script from your
[20:30.480 --> 20:35.240]  inventory you have to populate the Mercator database. But as I said, there are so many
[20:35.240 --> 20:42.040]  tools that you don't want to be linked with the tools with specific automated tools to
[20:42.040 --> 20:47.440]  fulfill the Mercator. And it's also, it's, also these automatic tools fulfill less than
[20:47.440 --> 20:54.160]  10% of the job you have to do to complete your cartography. Because most of the work
[20:54.160 --> 21:01.000]  you have to do is probably things you don't have already. And you cannot automate this
[21:01.000 --> 21:07.120]  process of completing the cartography. You cannot, there is no artificial intelligence
[21:07.120 --> 21:12.000]  that can explain you what are your critical process, what are your critical entity, what
[21:12.000 --> 21:16.080]  is the relation you have with them, what are your critical applications, what are the RTO
[21:16.080 --> 21:23.080]  and FPO of these applications. So, this is something you have to do by hand.
[21:23.080 --> 21:29.720]  Okay, some more questions or we can end earlier. So, thank you for your talk.
[21:29.720 --> 21:47.560]  Thank you.