Experienced technologist and entrepreneur with a strong bias for systems thinking and engineering. Experience includes Security Architecture, Risk Management, Strategic Policy Decision Support and Research and Development (R&D).
Work
Configured Things
Chief Operating Officer & Co-Founder
I am the COO and Co-Founder at Configured Things, a startup specialising in enabling technologies for Smart Cities and the federated Internet of Things. Configured Things was a member of the 2018 GCHQ/NCSC Cyber Accelerator.
Configured Things
Founder and Non-Executive Director
I was the co-founder and non-executive director at Configured Things, a startup specialising in enabling technologies for Smart Cities and the federated Internet of Things. Configured Things was a member of the 2018 GCHQ/NCSC Cyber Accelerator.
DXC Technology
Chief Security Technologist
At DXC I was responsible for the EMEA Security CTO office. In this role I scouted for new security technologies that could assist DXC's clients in addressing their risks. I led customer POCs for SOAR projects, architected DXC's Zero Trust advisory service and built and ran DXC's Discovery Workshops. In addition, I was responsible for the annual cyber security predictions report, a risk management level perspective with suggested mitigations for how to safely navigate one's business through a changing threat landscape. I have also authored many papers and spoken at a number of conferences at DXC to build out our market presence. Following HPE Enterprise Services' 2017 spin-merge with CSC, my employer changed once again; it became DXC Technology. I was initially responsible for mapping the various partnering relationships the legacy organisations maintained and understanding what was necessary for the new organisation. In this capacity I owned the New Technology Overview program, a horizon scanning service that reflected the shifting needs of the market and proposed partnerships that would allow DXC to capitalise on these changes, whilst match-making potential partners with salespeople with particular requirements.
Hewlett Packard Enterprise
Chief Technologist
Due to the HP Inc. and Hewlett-Packard Enterprise split, my employer changed; however, I continued to commercialise the DNS Analytics intellectual property. I ran two customer proofs of concept to test the solution in the real world. I selected a Nordic telecoms equipment manufacturer and a Nordic nuclear power operator to pilot the technology and architect the solution around. This proved to be a great success as a detective control and was publicly unveiled at HP Protect '15. Having introduced a means of detection that could dramatically shift the mean time to detect an incident with the DNS analytics technology, I began to appreciate this was moot, as the response times were still dire: customers did not have the means to orchestrate and reconfigure their estates dynamically in response to a security incident. This is where my work on Software Defined Networking for Security and Network Security Function Virtualization began. I co-developed IP to rapidly respond to incidents with investigative and preventative measures from the network using OpenFlow; this was successfully prototyped on the HP Labs network to react to anomalous activity.
HP
Chief Technologist
I was responsible for presenting the company's strategy and services to customers who visited our London and Bristol Customer Engagement Centres. I began to sponsor the commercialisation of a research project that was monitoring HP's internal network for anomalous Domain Name System (DNS) traffic, identifying misconfigured and compromised devices. I expanded the monitoring from the internal network onto HP's public cloud, allowing it to rapidly detect compromised tenants, personally porting the architecture from the original one-gigabit-per-second design and scaling it to the ten-gigabit-per-second requirement of our public cloud, which required me to rewrite the C++ Field Programmable Gate Array-based software to cope with the dramatic hardware changes necessary to monitor a public cloud.
HP
Security Analytics Lead
Having developed intellectual property during my time in HP Labs, I transferred myself and the technology into the security business unit to understand how it could be applied to the business. Using corporate R&D funding I sponsored a project with our Brazil team to scale and build a management framework around the modelling tooling; this allowed our Managed Security Service to perform proofs of concept of collecting data from the customer estates and providing them with a proactive and benchmarked risk assessment with respect to their Identity and Access Management and Vulnerability and Threat Management processes. This role also allowed me to act as a conduit to identify and transfer technology developed in our corporate research labs into the security business. I also architected and piloted HP's Cloud Risk and Controls Assessment, a set of tools built around the Cloud Security Alliance's Cloud Control Matrix and an internal risk assessment to provide customers with an impact analysis of their planned cloud migrations.
National Grid
Information Security Researcher
I was seconded to National Grid to understand the threats in the Operational Technology environments, exploring the potential mitigations of virtual machines on trusted platforms to improve overall systems security with respect to security and staff productivity; in addition, the impact of password policies was assessed and reported on. I was based at the National Electricity Control site and performed extensive field work with University College London consisting of staff interviews at the National Gas Control site, UK Headquarters and US Headquarters.
Bank of America Merrill Lynch
Technology Risk Management Research Officer
I was seconded to Merrill Lynch to research the applicability and potential impact of Digital Rights Management to the bank's security, costs and productivity. As part of this project I also facilitated and conducted interviews with the bank's staff and University College London to understand the socio-technical issues of the science of security. Beyond the Trust Economics project, I also assisted the bank with governance, risk and compliance exercises such as performing a policy gap analysis during the merger of Merrill Lynch with Bank of America, developing a Secure Development Lifecycle and consulting with the lines of business' technical teams to assist with security concerns.
Hewlett-Packard Laboratories
Researcher
I worked in the Systems Security Lab in HP Labs Bristol as a post-doc researcher. As part of the UK government-funded Trust Economics project, the role saw me seconded to Bank of America Merrill Lynch and National Grid, developing discrete event simulations of stochastic systems' security models to statistically analyse the impact of threats, people, process and technology on an organisation's security to improve strategic decision-making.
Yospace, a Bauer company
Quality Assurance Engineer
A summer internship at a user-generated content startup as a Quality Assurance Engineer that became a part-time role during my post-graduate studies. I was the sole quality assurance resource, responsible for ensuring the quality of the user-generated content platform provided to major operators such as Three, O2 and Vodafone. Yospace adopted agile methods and so I would attend the daily scrum meetings to understand project direction and escalate bugs. To improve efficiency I implemented Bugzilla for issue tracking and CruiseControl for continuous integration. I devised an application of an AI classifier to reduce the cost to the business of moderating users' comments on other users' content.
Collingwood College
IT Support Technician
A part-time role during my undergraduate studies. I supported a small campus network of approximately one thousand endpoints and two and a half thousand users. Due to a new college building being built, a data centre migration was performed alongside transitions of Windows Server and Exchange 2000 to 2003. I was responsible for architecting and building out the desktop OS deployment solution, architecting a proposed 802.11g Wi-Fi deployment using 802.1X authentication of endpoints, and a Windows Active Directory consolidation project to support and manage the local feeder schools' IT.
Volunteer
Camberley Finnish School
Treasurer
Camberley Finnish School
Secretary
Education
Royal Holloway, University of London
Courses
- Security Management
- Introduction to Cryptography and Security Mechanisms
- Network Security
- Computer Security (Operating Systems)
- Advanced Cryptography
- Smart Cards/Tokens Security and Applications
- Software Security
- Trusted Computing
Royal Holloway, University of London
Courses
- Logical Foundation for Computer Science and Artificial Intelligence
- Introduction to Programming and Professional Issues
- Computer Engineering
- Web and Internet Technologies
- Theory of Computer Languages and Infinite Structures
- C++ for Java Programmers
- Graphics and Human Computer Interface
- Algorithms and Complexity
- Bioinformatics
- Operating Systems
- Compilers and Code Generation
- Advanced Data Communications
- Information Security
- Computational Finance
- Software Engineering Group Project
- Database Theory
- Object Orientated Software Engineering
Publications
Secure Digital Transformation - Principles for Enterprise Defense
Published by DXC Technology
This white paper provides a set of succinct and simplified high-level architectural principles designed for executive consumption. Applying these principles will allow executives to build digital resilience into the fabric of their enterprise, ensuring they can gain all of the advantages of the digital age while minimizing associated risks.
Co-authors:
Rethink risk and enterprise security in a digital world
Published by DXC Technology
Digital transformation promises to deliver new business value but also introduces new security risks that demand equally new and innovative responses. Organizations on a digital transformation journey must make a parallel trip, one that integrates security and risk management into DevOps and Continuous Delivery (CD) processes.
Co-authors:
Top 10 security trends for 2019
Published by DXC Technology
A report authored with the help of colleagues at DXC, discussing what security risks and technology changes may feature in the year ahead and how to manage their impact to the enterprise.
Co-author:
How to overcome the security questions facing blockchain technology
Published by DXC Technology
Overcoming security questions about blockchain ecosystems will help ensure that blockchain continues to evolve in the financial services industry and matures into a disruptor in other businesses. This paper identifies security implications and potential threats, and offers 10 recommendations for embedding security into blockchain transactions.
Co-authors:
10 steps to securing the internet of things
Published by DXC Technology
Support IoT and digital change with cyber resilience across the enterprise.
Co-authors:
Take a risk-based approach to DevSecOps
Published by DXC Technology
Companies embracing digital transformation are looking to DevOps and agile development methods to accelerate the release of new applications. Unfortunately, in this need for speed, security is often left behind. This paper introduces process and language bridges to address the gulf between risk management, development and system operations teams.
Co-author:
Cyber Security Predictions for 2018
Published by DXC Technology
A report authored with the help of colleagues at DXC, discussing what security risks and technology changes may feature in the year ahead and how to manage their impact to the enterprise.
SDN4S: Software Defined Networking for Security
Published by Hewlett Packard Labs
Security Operations Centers (SOCs) rely on analysts to perform largely manual processes to carry out the various stages of the incident management lifecycle. These processes are time-intensive and typically require much context switching and hand-off between monitoring and operations analysts, introducing considerable delays into the resolution of incidents. With enterprise networks facing malware threats of increasing complexity and volume, this approach becomes unsustainable. It is crucial, therefore, to develop solutions that dependably automate and accelerate incident management tasks and only involve the limited pool of highly-trained and experienced analysts an organization can have at its disposal when truly necessary, where it matters. In this report we introduce SDN4S: a system and solution to minimize the time between incident detection and resolution by using automated countermeasures based on Software-Defined Networking (SDN). SDN4S creates incident-specific response workflows orchestrating actions and network-based countermeasures automatically upon receiving an alert, leading to faster and more predictable incident response. We describe the architecture and implementation of SDN4S, and report on the test deployment of the system on our research network.
Protecting the Enterprise using Network Function Virtualisation-based Security Analytics and Remediation
Published by Hewlett Packard Labs
The threat landscape is constantly evolving, creating new challenges for organizations and the need for continuous investments in security controls and incident management capabilities. A key problem organisations face is how to reduce the incident remediation time, once security issues have been detected, in order to minimize risks, disruption and losses. Central to this challenge is the heavy reliance on proprietary hardware for advanced detection and remediation, which results in high upfront capital expenditure and long lead times in an area where rapid response is critical. We present our vision and technical approach to address this issue, consisting of a Network Function Virtualisation (NFV)-based Security Analytics and Remediation solution, motivated from real-world experiences gathered while working with a large enterprise customer.
Awareness is only the first step - A framework for progressive engagement of staff in cyber security
Published by Hewlett Packard Enterprise, University College London (RISCS) and CESG
The business white paper “Awareness is only the first step: A framework for progressive engagement of staff in cyber security” is the product of collaboration between RISCS researchers and security awareness experts at Hewlett Packard Enterprise (HPE), with oversight by the UK government’s National Technical Authority for Information Assurance (CESG). Security communication, education, and training (CET) is meant to align employee behavior with the security goals of the organization, but it is not always designed in a way that can achieve this. The purpose of this paper is to set out a framework for security awareness that employees will actually engage with, and empower them to become the strongest link—rather than a vulnerability—in defending the organization. A set of steps, required to deliver effective security CET as a natural part of an organization’s engagement with employees at all levels, is outlined. Depending on different needs, many vehicles are available from security games, quizzes, and brainteasers—and possibly prizes—to encourage employees to test their knowledge and explore in a playful manner. The most important output is that different approaches are needed for routine security tasks, and those tasks require application of existing security skills to new situations. There are many creative ways to improve security behaviors and culture, but it is essential to engage people in the right way. Then they can convert learning into tangible action and new behavior. Security CET needs to be properly resourced and regularly reviewed and updated to achieve lasting behavior change.
Cyber Security Predictions - 2016
Published by Hewlett Packard Enterprise
The role and importance of trust: A study of the conditions that generate and undermine sensitive information sharing
Published by Palgrave Macmillan
Learning from “Shadow Security:” Why Understanding Non-Compliant Behaviors Provides the Basis for Effective Security
Published by Internet Society Usable Security (USEC)
Protecting data and enabling the mobile enterprise
Published by HP
Security Analytics: Risk Analysis for an Organisation's Incident Management Process
Published by HP Labs
Systematic Decision Making in Security Management Modelling Password Usage and Support
Published by HP Labs
Presented at the International Workshop on Quantitative Aspects in Security Assurance (QASA) 2012
A Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions
Published by Newcastle University
The True Cost of Unusable Password Policies: Password Use in the Wild
Published by ACM SIGCHI
Legal
DETERMINING A PERSISTENT NETWORK IDENTITY OF A NETWORKED DEVICE
Patent — US 10,764,393
The present disclosure relates to a network device that determines a persistent network identity for a networked device. Specifically, the network device receives a service request that includes an identifier for a second network device in a sub-network among a plurality of sub-networks. The identifier uniquely corresponds to the second network device during a limited period of time. At least one of the sub-networks is unreachable by the service request. The network device aggregates partial networked device profiles corresponding to the second network device, received from other network devices in at least the unreachable sub-network(s), to generate a networked device profile. Moreover, the network device searches at least one cache to obtain the networked device profile based on the identifier in the service request, and correlates the identifier to a persistent network identity corresponding to the second network device based on the networked device profile.
Co-Inventors:
Assignee: Hewlett Packard Enterprise Development Company
Applied: 2016-04-21
Granted: 2020-09-01
COLLECTING DOMAIN NAME SYSTEM TRAFFIC
Patent — US 10,666,672
Examples relate to collecting domain name system traffic. In one example, a computing device may: receive, from a first intermediary network device, a DNS query packet that was sent by a client computing device operating on a private network, the DNS query packet specifying i) a query domain name, and ii) a source address that specifies the client computing device; store, in a data storage device, a query record specifying the query domain name and the source address specified by the DNS query packet; receive, from a second intermediary network device, a DNS response packet; determine that the DNS response packet specifies a response domain name that matches the query domain name; in response to the determination, extract, from the DNS response packet, a resolved address that corresponds to the response domain name; and store, in the query record, the resolved address specified by the DNS response packet.
Co-Inventors:
Assignee: Hewlett Packard Enterprise Development Company
Applied: 2015-08-31
Granted: 2020-05-26
HANDLING NETWORK THREATS
Patent — US 10,749,895
Examples relate to handling network threats. In one example, a computing device may: receive, from a threat detector, threat data associated with a particular network device included in a plurality of network devices; identify, based on the threat data, a particular analytics operation for assisting with remediation of a threat associated with the threat data; identify, based on the threat data, additional data for performing the particular analytics operation; cause reconfiguration of at least one of the plurality of network devices, the reconfiguration causing each of the reconfigured network devices to i) collect the additional data, and ii) provide the additional data to an analytics device; and receive, from the analytics device, particular analytics results of the particular analytics operation.
Co-Inventors:
Assignee: Hewlett Packard Enterprise Development Company
Applied: 2015-11-17
Granted: 2020-08-18
NETWORK ANOMALY DETECTION
Patent — US 10,686,814
Examples relate to detecting network anomalies. In one example, a computing device may: receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device; provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the DNS query packets; receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the DNS query packets; and in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.
Co-Inventors:
Assignee: Hewlett Packard Enterprise Development Company
Applied: 2015-04-10
Granted: 2020-06-16
DYNAMICALLY ADJUSTING A MODEL FOR A SECURITY OPERATIONS CENTER
Patent — US 10,325,092
Examples relate to dynamically adjusting a model for a security operations center (SOC). As such, the examples disclosed herein enable constructing a customer storage model over a set of time periods for a customer based on a set of resources of the SOC, a storage distribution model received from the customer related to expected usage of the set of resources, and a threat landscape for the customer. The customer storage model may be revised for a second time period based on actual storage use of the customer during a first time period, and a projection of an amount of data to be consumed in the second time period based on the threat landscape. Allocation of the resources in the SOC may be revised for the second time period based on the revision to the customer storage model.
Co-Inventors:
Assignee: Hewlett Packard Enterprise Development Company
Applied: 2015-03-11
Granted: 2019-06-18
REMEDIATING A SECURITY THREAT TO A NETWORK
Patent — US 10,250,627
Remediating a security threat to a network includes obtaining, from a network, security information about the network to determine traffic patterns of the network, identifying, based on the traffic patterns of the network, a security threat to the network, determining, from a playbook library and a workflow library, a workflow template and at least one software-defined networking (SDN) flow rule template to remediate the security threat, and deploying, via a SDN controller, a SDN flow rule based on the at least one SDN flow rule template in the network to remediate the security threat by altering a control path of the network.
Co-Inventor:
Assignee: Hewlett Packard Enterprise Development Company
Applied: 2014-07-31
Granted: 2019-04-02
CREATING A SECURITY REPORT FOR A CUSTOMER NETWORK
Patent — PCT/US2014/049191
Creating a security report for a customer network includes obtaining from a customer network, security information about the customer network, preparing, based on modification rules, the security information to create modified security information, analyzing, based on big data threat analytics, the security threats to create a number of metrics, refining the number of metrics using a refining model, creating, based on the refined number of metrics used as an input for model-based predictive analytics and the security threats, a security report representing security intelligence for the customer network in which the number of metrics are refined by a refining model and used as an input for the model-based predictive analytics.