In this episode, we discuss the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator changes the way organizations map their complex information systems, from hospitals to universities and even the banking sector. Mercator helps manage and protect vast networks by creating dynamic, comprehensive maps that replace outdated Excel sheets. Join us as we explore the challenges and innovations in information security and the impact of Mercator on various industries.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, open source security is talking to Didier, who I’m going to let you introduce yourself because I’m really excited for this project you have, because this is a space I have absolutely no knowledge of. So Didier, take it away and let us know who you are and why you’re here.

Didier (00:13) So hello, I’m Didier Barzin. I’m a CISO at a hospital in Luxembourg and I have made a project for mapping the information system. The idea of this project comes from a guide from the ANSSI,

which is the equivalent organization in France for managing information security. It gave me the guide on mapping the information system. And when I read this book, found this document, I found it fantastic. Then I searched for an implementation. There were no implementations at that time that satisfied me. It was about five years ago.

The problem that I was facing is that our organization, also, becomes bigger and bigger. It’s not uncommon to find an organization, a hospital, with a few hundred applications, a thousand virtual machines, networks, physical rooms, and so on. And when you are a CISO you have to protect all these information systems.

To protect it, you have to get a knowledge of what is important, who uses it, what is connected to what, what speaks to what, how is it connected. And so you start going to your different teams, you go to the network team, you go to the infrastructure team, and they’re all managing Excel sheets.

This is the tool they use, so you collect all these sheets and you start looking at them, and then you find gaps between the sheets. There is a machine and there is an application. The application is not in the list of other applications. You have an application that you don’t know where it is installed. When you go to the doctor or to the nurse or to the department, they talk about applications that are not in the list of applications. You cannot secure that

Josh Bressers (01:34) Yes.

Didier (02:02) kind of environment. That’s why I realized that I really needed to create a map. And then the COVID comes. And they start, they say to people, please don’t come to the hospital if you are not absolutely needed. And so I started having time to build the tools I really needed, the tools I always wanted to have. So I started developing Mercator and

it started working correctly, then I shared it with my other colleagues in other hospitals in Luxembourg, then I put this project on GitHub and it started working and there are more and more users that use these tools.

So the basic idea of Mercator is to create a map of the information system that, instead of putting the objects in separate lists, creates a graph of all objects that compose your information system. Then you know, when you have an application, who is responsible for this application, how many users are in this application, who is responsible for the management of this

application, with the support, where is it installed, on what logical server, whether this logical server is on some physical server, and so on. And we have a complete graph of objects, there are about 20 or 30 different types of objects that are created in this graph, and that allows us in the IT teams, between the different people, to share this information, to update it, to maintain all this knowledge.

And it really started from the top, the ecosystem view, we have our providers and the relationship we have with them, down to the physical objects, the servers, the rooms, and really the equipment in the rooms. And it really helped us to maintain all this information. It is used in a lot of different…

in order to measure ISO 27001 controls, for example inventory of information, proper use of information, classification of information, location and protection of equipment, and so on. It really helped in ISO 27001, it really helped us to put all these processes in place.

Josh Bressers (04:25) Sure. Okay. So I, that’s a lot to unpack. And I’m going to start with my, I guess, initial reaction. You reached out to me and said, Hey, I have this project. I’m a CISO at a hospital. And this is something now I’ve, I’ve never been in a hospital environment. I’ve spoken with various people at hospitals, be it security people or, you know, IT people, or even doctors and nurses.

The amount of equipment that exists in a hospital is mind boggling. And it’s not even just that there’s a lot of equipment to keep track of. There’s also like useful lifespans of the equipment. Like the old adage of like, don’t run NMAP on this network because you’ll crash the CAT scan machine, right? That’s the one everyone, I know someone that’s literally done that before they got yelled at. It’s like bananas, right? Okay, so this is why I wanted to talk to you though, because…

I have absolutely no knowledge about this sort of environment and what it means and how it works. And so I thought this is a perfect example where I can learn from someone who actually knows what they’re doing and hopefully a lot of other people can too. So let’s rewind a little bit. And you talked about just kind of inventories of stuff, right? When, so you said all of the different departments are, were, well, I don’t know if are or were is the correct.

word to use in this instance, but they were using Excel to track inventories. So I’m curious, what does a world look like where you have Excel to track inventories and then you as the security person has to try to create actionable output from a bunch of horrible spreadsheets.

Didier (06:13) First you have to put this spreadsheet in these tools and start verifying that it is up to date and corresponds to reality.

That’s your main objective. First you ask people to enter it or you enter it with… And then you start reviewing it, understanding what it is, how it is connected, who is responsible for all this equipment, how they are connected, what they are doing, what is the criticity of the business process they are serving. There is some equipment that you can… They can fail for a few days, but there is equipment where one or two hours of failure is a catastrophe.

So you have to identify all these types of equipment and then you have to protect them, separate them in different specific networks and verify that they are in this specific network to protect them and separate all this equipment.

Josh Bressers (07:07) Okay, so that just, that is not a concept I’ve ever had to deal with where you have different networks or different equipment. So in your tool, it’s Mercator, is that correct? I wanna make sure I’m not just pronouncing it. Mercator, close enough, right? So do you have the ability to scan the networks for systems or do you trust the data that’s entered, that it’s, someone said it’s on this network, so we’re gonna say it’s on this network.

Didier (07:19) Yeah, I’m not getting too much of it.

It’s really difficult to automate your cartography. It’s a manual process.

There are no solutions, there is no artificial intelligence, no network scanning that can do it for you. It’s really manual and the role of the CISO, the role of the IT teams, is to verify that these inventories are up to date. Most of the time you do it manually, you get a list, you get a report and you compare it. You can compare it to a network scan. It’s a good input, you check that there are no IP addresses that are not on the list or no…

Josh Bressers (07:42) Okay.

Didier (08:12) that

should not be on this VLAN, that’s good, but then you have to physically go to some department to check the equipment that is present, check in IT rooms that we do at least once a year to verify that it corresponds to what is supposed to be present there.

Josh Bressers (08:30) Holy cow, that’s gotta be a job going around. So your security team goes out and verifies the equipment once a year.

Didier (08:32) Thanks.

Cheers.

Yes, we do it. It’s not only physical, but also logical. You extract the list of all your virtual machines, your cloud environments, and you compare it to what is in Mercator. Then you start asking why is it different? This virtual machine that disappeared, why? There is a new virtual machine, what business does it support… What applications are installed there? What are we supporting with this?

Josh Bressers (08:41) Wow.

Didier (09:09) It helps us a lot to have an understanding of the whole information system. And then we also identify flows between applications. We identify network tools and you can also get down to physical cables, if you want. And then Mercator can draw for you your physical network as it’s supposed to be.

Josh Bressers (09:09) my goodness.

my goodness.

Right, right. Yes. I, your pictures are very pretty in the tool. I know I scrolled through your GitHub page, which I’ll put a link to the GitHub and all that stuff in the, in the show notes. The graphs are amazing. And so I, I’m going to ask a question and excuse me for sounding like an idiot, but before you had a graph like this, you didn’t have a graph of your network. Did you?

Didier (09:59) Yes, yes, we had a graph of our networks, of course. Before Mercator, we already had graphs. And they still maintain graphs, network graphs, but Mercator helped us to have another view of it. They still maintain the classical network graph. And I may understand it’s a…

Josh Bressers (10:02) No, I’m saying before Mercator, did you make- you made graphs?

Okay.

Okay.

Didier (10:23) It’s a complete paradox to move from what they have to do to Mercator. I accept they still maintain them, but I see a lot of errors in these graphs. They make them by themselves.

Josh Bressers (10:35) I can imagine. Yeah. yeah. For sure. Well, and you think, I imagine if you’re, have a graph and you have Excel and you have all these other tools, humans were trying to keep them in sync where now you’re using the inventory to build the graph, which is removing a manual step and humans obviously make mistakes constantly.

Holy cow.

Didier (10:56) Yes, and

it’s difficult to update it. And so in Mercator, we have also a little tool for…

drawing objects as they are in the cartography. It’s kind of a little editor. You can place your objects that come from the cartography. When you take an object, you can double click on the object and it opens all the links you have and you can place the object. And you can remove the objects you don’t want to see in the graph. You can add nodes and so on. You can save it. And when you view the graph, you click on the object and directly you jump to the page where the definition of the object is.

Josh Bressers (11:31) that’s cool.

Didier (11:31) This is

really dynamic, and also when you change something in the cartography you go to your map, you edit it and you say update and check all objects, and objects that disappeared from the cartography disappear from this schema. Names are changed, links are updated, and so it’s a bit of automated graph management.

Josh Bressers (11:51) That’s the dream. That’s cool. That’s cool. Okay. So walk me through what, kind of a typical workflow looks like if, someone is looking to add a piece of equipment to your environment, like where do we start? How does Mercator come into play? What are like, what does the approval process look like? Because I’m completely ignorant of what happens in a hospital system. In my world, we just plug stuff in and we’re like, great, good job, everybody. We’re done. Right.

Didier (12:16) you

Yes, I see more and more organizations that use our API, there is a REST API in Mercator. And so they have the classic procurement system for giving a PC to someone or to create virtual machines or so on. And they have a process most of the time for doing it that is partly automated. And then at the end, there is a REST API, and you can push something into Mercator with this REST API. That’s one way. The other classical way is doing it through the UI:

you select the object type you want to enter, you click add and you have to enter this information. It depends a little bit on what is your level of maturity, what is your level of integration with the tool.

Josh Bressers (13:03) Sure, sure. so, has your team approved the equipment before it gets entered into Mercator or is entering it in Mercator step one and then your team reviews or approves or whatever process that encompasses?

Didier (13:17) There is no approval process yet in Mercator. This is something we are working on and these are new ideas we are building. Most of the time it is the people that are responsible for the management of this equipment that enter it in Mercator to share it with other teams.

Josh Bressers (13:24) Okay.

Okay.

I see. So approval has happened elsewhere prior to this point. Okay. Okay. I gotcha. So can I ask what is that? That’s something you’re willing to share. Like what, does approval look like for a security in a hospital?

Didier (13:51) Also the traditional ticketing system we have, with approval from the CIO. Depending on the type of equipment we have to enter, there are different types of workflow.

Josh Bressers (14:10) That’s fair. That’s fair. Okay. So what about, what about compliance? So this is the other piece I suspect that, that is always interesting when we have tooling is you have to generate reports on a regular basis for auditors and well, probably a ton of governing bodies, I’m sure in the healthcare industry. So what about reporting with Mercator? What does that look like?

Didier (14:32) So yes, you can export various types of report out of Mercator. The first report that you can generate is a complete mapping of the information system. It’s one Word document with everything. And you have on this Word document the table of contents. You can click, you can go to the object, and all the objects are linked in the document. And so you can really browse all your cartography in the Word document.

Then you can have different reports, for example, the applications, all your applications with the criticities of the application, where it is installed, what is the provider, who is using it, the criticities, the RPO of the application, all this kind of information. We have physical inventories, we can get a report. We have reports on…

we have reports on our logical servers, the analysis of security equipment, the logical server configurations. We have some reports for the audit, where you can compute with Mercator a maturity model, a maturity level. And so it gives you the maturity level of all your equipment.

Something I have not talked about yet. So Mercator is an idea that comes from the guide from the ANSSI. They’ve introduced a concept of granularity and maturity models. So when an object has no description, has no type, an

object is not linked to another one, for example an application that serves no business process, an application that’s not installed on a server, a logical server without a physical server, it is considered not conformant. And then we compute the number of conformant elements divided by the total number of elements and we have a percentage of maturity.

So we compute it for the whole graph and then we have a dashboard with where are we, are we missing information, so what information are we missing, and we try a kind of gamification of the cartography to get to that 100%, to have all the information present in the map.

Josh Bressers (16:53) That is.

This is hard to do. Like, I don’t have anything close to this level of complexity, but I can relate to the difficulty of what you’re talking about. So your tool also says it tracks CVEs. Tell me about, like, vulnerability is right up my alley. So what does that mean?

Didier (17:12) Yes, we have introduced, you can provide a CPE, common platform enumeration, to some objects like applications, servers, and so on. And then it regularly checks if there is a CVE matching one of your CPEs. And it does it based on that, but also based on the name of the applications. A

classical problem we have in healthcare is that most of our applications used in healthcare do not have a CVE yet. So they don’t have a CPE and so you cannot find them if something is popping up. And so as we have hundreds of applications, we also search for CVEs based on the name of the application.

Josh Bressers (18:02) Sure, sure, sure.

Didier (18:04) It generates every day some false positives, but it’s better to have some false positives than true negatives.

Josh Bressers (18:11) Yeah, yeah, for sure. And

you were using a tool called, I think it was called Vulnerability, no Vulnerability Lookup’s a new one. Yes.

Didier (18:17) CVE Search is also a project from CIRCL.

Josh Bressers (18:24) Right, which actually I talked to that crew a couple episodes ago, Cedric and Alexander, because you’re in Luxembourg, you said as well, as they are, which Luxembourg is turning out to be like a powerhouse of computer security, which I love. But yeah, this is one of the problems they’re trying to solve is yes, there aren’t CPEs for everything. The data sucks. There’s a lot of work to do, which is really cool because yes, you are correct. In your environment, I suspect false positives are better than false negatives.

Didier (18:27) Yes?

Josh Bressers (18:53) Generally speaking, right?

Didier (18:55) This is not too much, okay.

Josh Bressers (18:58) Yeah. Man. I just, I keep thinking about what you’re working on and what you’re doing. And it’s like, when I make a mistake, nothing happens. When you make a mistake, people are literally going to die. And I like, just can’t even imagine.

Didier (19:15) Yes, it’s difficult. I’ve discovered a usage for Mercator, which was not my first objective, is that the help desk in the hospital is using Mercator a lot. Because we have a few hundred applications, and when they are called during the night…

Josh Bressers (19:28) Yeah.

Didier (19:35) a is calling or a doctor is calling saying, application X is not working. And they never heard about it. And they don’t know what to do. So they go in Mercator, they look at what is application X, who is using it, what business processes it is supporting, what is the criticity of this application. And they know then if they have to call level two, or if they simply have to create a ticket for Monday morning.

Josh Bressers (20:00) Holy cow. I never thought of that use case, but that’s brilliant. Cause yes, I mean, in any reasonable sized organization, hospital or not, the help desk doesn’t know everything going on. Cause there’s just too much to know. man, that’s a cool idea. I never thought of that. And okay. So let me, let me repeat back what you just said. So hopefully I’m understanding. So you’re saying help desk gets a report. They use Mercator.

to understand what the environment is we’re talking about. And obviously

If it’s a life and death system, they know they need to wake someone up. But if it’s not at all, something that can wait for the Monday or morning or whatever, wow, that is cool.

Didier (20:44) to take it.

Josh Bressers (20:48) And I suppose your level 2 people love it, because they’re not getting woken up in the middle of the night because the vending machine isn’t working correctly.

Didier (20:54) Yes, and they also find the information faster, they immediately can identify where is the database, on which server, which server may I have to restart. So they win a lot of time with using Mercator.

Josh Bressers (21:10) Man, and that’s true too, cause they know where it is then. Because I know like, you know, the old joke of, there’s a server running somewhere. We can’t find it. And it was, was in the wall. Someone accidentally built a wall where the server, you know, that. Yeah. My goodness. I know, right? I’ve done that before. It’s like my AWS bill has this charge on it, but I’m not quite sure where it’s coming from. Like, let’s try to figure this out. Wow. That’s okay. So let me ask you about that though. So cloud.

Didier (21:24) It’s in the cloud somewhere.

Josh Bressers (21:39) Is does this handle like cloud situations as well then? Cause I mean the infrastructures we deal with now are way bigger than just like, you know, physical buildings and physical machines.

Didier (21:50) So yes, it’s specific to hospital. In hospital, we have already air conditioning, powerful air conditioning. We also already have resilient electricity. So we have our own computer rooms.

and we are on two sites, so we have two computer rooms, one in the middle and the second one, and due to miniaturization of servers now you have 100 virtual machines in one rack. This does not take much space.

Josh Bressers (22:26) Wow, wow, that’s cool. Holy cow. I don’t, I feel like I don’t even know what to do at this point because you’ve given me this fire hose of information of all these ideas I’ve never even thought about in the past. This is just a mind boggling universe you live in, Didier. Like, okay, rather than sit here and look like a deer in headlights in the camera, I’m going to give you the floor like.

Tell us what you think we need to know. Tell us what’s important. Tell us about your project. If people want to get involved, how can they contact you or Mercator or whatever. And let’s bring this one home.

Didier (23:07) So it’s an open source project. I’ve made it open source so most of people can benefit from it. I’ve learned a lot from other use cases people have given to me and they’ve given a lot of ideas on the GitHub and I find it really fantastic. I see more and more use cases.

other environments that I didn’t know, for universities, they start using it because they have also really complex environments with tons of people and tons of also, interestingly, some of the banking sector that is starting to use it because, due to DORA, they have an obligation to create a mapping with all their applications, so they started using more and more this kind of view.

Josh Bressers (23:35) I hadn’t thought of that but I’m gonna interrupt you for a moment is yeah, you’re right because universities are filled with and universities have the additional problem of people show up with who knows what that they plug into networks and connect to Wi-Fi and wow. Man, that’s cool

Didier (24:20) They also have a tool now for organizations that have quite complex information systems.

Josh Bressers (24:27) Okay. Yeah. And you know, that’s, that’s the lesson, right? Is anyone operating a reasonably complicated environment? And you’re right. Historically, they’ve used spreadsheets to track this stuff. I mean, the joke that’s not actually a joke or even funny is that like the governments of the world run on Excel spreadsheets and they do, they totally do. And tooling like this is one of the ways we help with some of that. Cause I mean, heck governments have the same problem, right? Where you’ve got

you know, country-wide networks doing things. My goodness, this is so cool. Part of me is sad I don’t have a use for this particular tool at this time in my career, and part of me is very happy I don’t have a use for this particular tool.

It’s hard work, but it’s cool. This is so cool. I mean, this is the dream, right? This is the thing we should want to do where we take a tool that someone like you can start putting together and you apply open source to it and anyone can get involved. So, okay, so tell us about getting involved. What does that look like? If someone is interested, what’s step one?

Didier (25:32) Step one, so clone the GitHub and there is an installation procedure. We have a Docker version of Mercator and you can also install it in a traditional virtual machine. It does not consume a lot of resources. It works on your Raspberry Pi or something like that, really small machines, and you can build a team and start mapping your information system.

Josh Bressers (25:58) Yeah, cool. And then what about contributing? Like patches welcome. Do you have a process for submitting PRs or whatever?

Didier (26:05) Yes, I

accept pull requests, yes of course. Contact me before to understand what you are planning to do, but you can discuss it. I have tons of open discussions already in the GitHub.

Josh Bressers (26:10) Nice. Okay.

Yeah, it’s a pretty active GitHub. I mean, I was, it looks good. Like you’re doing a good job. Well done Didier.

Didier (26:27) Yes,

I try to fix bugs as fast as possible, yes.

Josh Bressers (26:32) That’s cool. And I mean, that’s always the challenge, right? Is it’s always exciting to build the new features, but people need the bugs fixed. I know, I know how it is. Cool, man. Okay. I mean, I want to thank you. I have so much in my brain right now. I can’t even explain it. This has been such a cool conversation and I have learned so much and like, I’ll have to have you back someday to chat about this stuff because I feel like the more I learn, the less I know. So thank you so much.

Didier (26:40) Yes, ma’am.

Yeah.

Josh Bressers (27:00) for filling my brain with questions. This has been awesome.

Didier (27:05) Thank you, Josh.