North Carolina Federal Advanced Technologies Symposium May 9, 2013 Cyber Security Panel Hosted by: Office of Senator Richard Burr NC Military Business Center NC Military Foundation Institute for Defense & Business University of North Carolina System Reception Sponsor: Bronze Sponsor:


Page 1: Cyber Security

North Carolina Federal Advanced Technologies Symposium May 9, 2013

Cyber Security Panel

Hosted by: Office of Senator Richard Burr NC Military Business Center NC Military Foundation Institute for Defense & Business University of North Carolina System

Reception Sponsor:

Bronze Sponsor:

Page 2: Cyber Security

Science of Security Configuration Analytics– Know your network!

Professor Ehab Al-Shaer, Director of Cyber Defense Network Assurability Center

University of North Carolina Charlotte [email protected]

www.cyberdna.uncc.edu

Cyber Security Panel NC Federal Advanced technologies Symposium

May 9, 2013

Page 3: Cyber Security

About CyberDNA Research

• Vision: Making cybersecurity measurable, provable and usable

• Research Team:

– Multi-disciplinary team of 11 faculty members and 35 PhD students

– Areas: security, networking, data mining, economics, power and control, behavior science/HCI

• Active Funding: > 8.2M from NSF, NSA, ARO, AFRL, DHS, Bank of America, BB&T, DTCC, Duke Energy, Cisco, Intel

• Prof. Al-Shaer was featured as Subject Matter Expert (SME) in Security Configuration Analytics and Automation [DoD Information Assurance Newsletter, 2011].

• NSF Industry/University Collaborative Research Center on (Security) Configuration Analytics and Automation (CCAA), led by UNC Charlotte and George Mason Univ – Members include NSA, NIST, Bank of America, BB&T, DTCC, MITRE, Northrop Grumman

• Tools and technology transfer projects for Cisco, Intel, Duke Energy, ..

• Research: long and solid track record in many areas, particularly

– Security configuration analytics (verification and synthesis) for enterprise, cloud and smart grid

– Security metrics and risk estimation

– Agility and resiliency for Cyber, clouds and Cyber-Physical

Page 4: Cyber Security


Why is Cybersecurity Hard?

• Attack Detection (alone) Cannot Deliver

– Learning-based = knowing the attack OR knowing the deviation threshold; easily evadable

– Insufficient for attack avoidance

• Cybersecurity = Attack Prediction

• Attack Prediction is a Hard Problem

– Learning-driven vs. Prediction-driven

• Feature selection vs. information integration & analytics

– Scalable and accurate models of both system behavior and adversary strategies.

– System complexity and adversary sophistication keep growing.

Page 5: Cyber Security


The Need for Security Configuration Analytics

• December 2008 report from Center for Strategic and International Studies "Securing Cyberspace for the 44th Presidency" states that "inappropriate or incorrect security configurations were responsible for 80% of Air Force vulnerabilities"

• May 2008 report from Juniper Networks "What is Behind Network Downtime?" states that "human factors [are] responsible for 50 to 80 percent of network device outages".

• BT/Gartner[3] has estimated that 65% of cyber-attacks exploit systems with vulnerabilities introduced by configuration errors. The Yankee Group[4] has noted that configuration errors cause 62% of network downtime.

• A 2009 report[5] by BT and Huawei discusses how service outages caused by “the human factor” themselves cause more than 30% of network outages, “a major concern for carriers and causes big revenue-loss.”

Page 6: Cyber Security

Ehab Al-Shaer, Science of Security Configuration

Complexity of Configuration Analytics

• Scale – thousands of devices and millions of rules.

• Distributed, yet inter-dependent devices and rules.

• Policy semantic gap – device roles (e.g., rule-order semantics vs. recursive ACL, single-trigger vs. multi-trigger policies)

• Multi-level and multi-layer network configuration

– Overlay networks, groups/domains in cloud (e.g., EC2/VPC, security groups)

– Network access control, OS, application level, etc.

• Dynamic changes in networks and threats

• Security design trade-offs: risk vs. mission, usability, cost, and performance

[Source: Security Analytics and Automation, DoD IA Newsletter, Oct 2011]


Page 7: Cyber Security

NSF Center on Security Analytics & Automation – The Big Picture

[Diagram: inputs labeled "Logs and Sensor Data", "Security Requirements & Policies" and "Enterprise Policies & Configuration" feed an Analytics / Automation integration loop (System, Analytics, action); "Predominately Manual Management Practices" lead to "Defensive Actions"; the goal is MEASURABLE SECURITY through Analytics & Automation, labeled AUTOMATED DEFENSE, RESILIENCY and COST-EFFECTIVE HARDENING.]

Page 8: Cyber Security

ConfigChecker: Security Analytics Magic Box [ICNP09]

[Diagram: ConfigChecker at the center, with outputs labeled Policy Violation, Threat Prediction, Risk Estimation, Risk Mitigation, Attack Diagnosis, Agility Actions and Resiliency Measure.]

Page 9: Cyber Security

Golden Technology Services

© 2012 Golden Technology Services


GOLDEN TECHNOLOGY SERVICES Delivering Business Impact with Advanced Technology Solutions

Page 10: Cyber Security


Cyber attacks are increasingly impacting both private sector and U.S. government information networks and systems

May 15, 2013

Sources: IBM Corporation, PwC

Page 11: Cyber Security


Proof points: Targeted attacks shake businesses & governments


Source: IBM Corp., 2011 Year-End X-Force Trend and Risk Report.

Page 12: Cyber Security


The Power of Cyber Knowing

• Every day, cyber thieves run their reconnaissance on networks and servers, and afterward know more about an organization’s IT security than it does.

• How Can the Cyber Thieves Know More About a Business’s IT Security Than It Does?

– They are super intelligent and their IT budget is significantly larger than most.

– They know there is limited to no risk of them ever being identified or caught.

– Their goal is simple - either to steal money, intellectual assets or both.

– Due to advertising, they have developed a work-around to bypass all of the readily available and known IT security products and services - yes, all of them.

– Lastly, some of the security solutions used are manufactured or developed by some of the nation states.

• The Market Needs to Add an Additional Security Layer to Their Network

– The market needs a service that is innovative in dealing with these very aggressive cyber actors and threats.

– The market needs a tool that is 100% designed, manufactured and assembled with integrity and trust in the US.

– The market needs a tool and service that are not advertised. This is important for US national security, financial services companies and others.

Page 13: Cyber Security


Yet most U.S. SMBs can improve their online security practices

Source: “2012 National Small Business Study,” National Cyber Security Alliance, Sept. 2012

Page 14: Cyber Security


What Are You Going To Do?

1) “Online Cyber Training” - training, risk assessment and policy management tools that prepare employees for the current threat environment.

• More than 50% of all security incidents originate from successful social engineering efforts.

• Training, testing and tracking the workforce offers a high return on investment.

• Training can be completed from anywhere, anytime, including at home.

• The FTC Safeguards Rule mandates the creation of a Written Information Security Program (WISP).

• Service contains a comprehensive library of Data Security Policies that can be used as templates for the development of an organization’s WISP.

2) Cyber Detection - automatically detects and terminates threats that evade signatures and blacklists.

• Can find previously unknown and hidden threats within hours of deployment.

• Monitors servers, desktops, iOS and Android devices – employees & contractors

• Provides an alert so action can be taken immediately.

3) IP Address Blocking - blocks 3 million vetted and blacklisted IP addresses

• Blocks bi-directionally – Web Portal for each appliance to see what is being blocked

• Newly identified and vetted IP addresses are sent up to 4 times an hour to customer

Page 15: Cyber Security

CYBER SECURITY

• Intrusion detection - focused on protecting against attack vectors based on software or hardware vulnerabilities.

• Firewall configuration, patch management, anti-virus technologies and intrusion detection log monitoring.

• Masquerade Threat - access through the use of stolen, highjacked or forged logon IDs and passwords.

• Security gaps in programs, or through bypassing the authentication mechanism.

• Insider Threat – valid credentials or permissions (bad actor)

© 2013 SECURBORATION, INC. COMPANY PROPRIETARY

Page 16: Cyber Security

INTRUSION DETECTION

• Traditional protection technologies have matured

• National Vulnerability Database (http://nvd.nist.gov) vulnerability disclosures across the industry in 1H2011 were down 37.1% from 2H2008[1]

• Class of tools

• e-Sentinel

• Host Based Security System

[Chart: Vulnerability Disclosures]

Page 17: Cyber Security

THREAT CLASSES

MASQUERADE THREAT

• Recent trends indicate that stealing or forging log-in credentials has become a common methodology for achieving unauthorized access

• User Behavior

• Identify deviations from expected behavior

• Access to applications over system access

• Utilize logs to monitor behavior

• New class of tools

INSIDER THREAT

• Bad Actors

• User Behavior (threshold of bad behavior)

• Identify deviations from expected behavior

• Access to applications over system access

• Access to Multifunction-Printers

• Utilize logs to monitor behavior

• New class of tools

C-SAMS

Page 18: Cyber Security

CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)


• Cyber Defense

• Insider / Masquerade Threat Focus: Identity theft; Exfiltration; Credential amplification

• Whitelist Oriented: When are there observable shifts in agent behavior from “normal” to “abnormal”?

• Model-driven:

• Enterprise Architecture

• Business Process Modeling

• Business Process Execution Language (BPEL)

• Web Ontology Language (OWL)

Page 19: Cyber Security

CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)

[Diagram: GCCC merged log files (Legacy and Future CSV sources) supply the end user's actual behaviors; CSAMS detects anomalous behavior by comparing expected vs. actual and publishes events that indicate behavior outside the norm.]
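The expected-vs-actual comparison the CSAMS slides describe, shown as an added illustration rather than CSAMS or GCCC code: a whitelist profile per account is learned from historical merged log lines, and later lines that fall outside it are reported as events. The log format, field names, user names, hosts and every sample line are constructed for this example.

```python
"""Whitelist-oriented expected-vs-actual behaviour check (added example).
Log format, sample lines, names and thresholds are constructed; not CSAMS output."""
from collections import defaultdict
from datetime import datetime

# Constructed historical ("expected") lines: "<ISO timestamp> <user> <app> <host>"
BASELINE_LOG = """\
2013-04-01T09:02:11 alice payroll hr-app01
2013-04-01T09:40:55 alice payroll hr-app01
2013-04-02T10:15:03 alice timesheet hr-app02
2013-04-01T08:55:30 bob gitlab dev-srv07
2013-04-02T18:20:41 bob gitlab dev-srv07
2013-04-03T09:05:12 bob ci-build dev-srv07
"""

# Constructed recent ("actual") lines to compare against the learned profiles.
RECENT_LOG = """\
2013-05-06T09:10:00 alice payroll hr-app01
2013-05-06T02:47:19 alice payroll hr-app01
2013-05-06T11:30:44 alice gitlab dev-srv07
2013-05-07T09:00:00 bob gitlab dev-srv07
2013-05-07T09:02:00 carol payroll hr-app01
"""

def parse(log):
    """Split merged log text into (timestamp, user, app, host) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, app, host = line.split()
        events.append((datetime.fromisoformat(ts), user, app, host))
    return events

def build_profile(events):
    """Per user: the whitelisted (app, host) pairs and the hours seen active."""
    profile = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for ts, user, app, host in events:
        profile[user]["pairs"].add((app, host))
        profile[user]["hours"].add(ts.hour)
    return profile

def detect(profile, events, hour_slack=1):
    """Return (user, reason, event) for each event outside the user's norm.
    Whitelist orientation: anything not seen in the baseline is reported."""
    alerts = []
    for ts, user, app, host in events:
        event = (ts.isoformat(), app, host)
        if user not in profile:
            alerts.append((user, "unknown account", event))
        elif (app, host) not in profile[user]["pairs"]:
            alerts.append((user, "new app/host pair", event))
        # hour-of-day distance wraps at midnight, so 23:00 is 1 hour from 00:00
        elif all(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) > hour_slack
                 for h in profile[user]["hours"]):
            alerts.append((user, "off-hours access", event))
    return alerts

def run():
    """Build profiles from the baseline and check the recent lines."""
    return detect(build_profile(parse(BASELINE_LOG)), parse(RECENT_LOG))
```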

Page 20: Cyber Security


About Signalscape

Signalscape offers security solutions and vulnerability analysis to the DoD, Law Enforcement, and Cyber Communities.

Our expertise ranges from miniature single board wireless solutions for one-time mission critical applications to fully integrated wireless surveillance, tracking, and data transport platforms.

Specifically, Signalscape specializes in Audio and Video Wireless Data Detection, Collection, and Transport including:

• Wireless Sensors (Audio and Video)

• Mobility Systems (Cellular Data Transport)

• Software Defined Radio (SDR)

Visit us at www.signalscape.com.

Page 21: Cyber Security

Challenges Facing DoD, LE, and Cyber Communities

Two issues facing DoD, Law Enforcement, and Cyber Communities include:

• Detecting and analyzing audio and video streams embedded in massive amounts of wireless network traffic (both encrypted and unencrypted)

• Deploying Smart, Wireless, Audio and Video Sensors

Signalscape provides Wireless Video Collection and Analytics capabilities both from a defensive and offensive point of view.

Specifically, two key wireless video topics of interest to the IC and Cyber Community:

• Video Detection and Vulnerability Analysis

• Video Sensing


Page 22: Cyber Security

Video Detection and Vulnerability Analysis

• Packet payload inspection (if unencrypted)

• Detection of encrypted audio and video streams via traffic pattern classification algorithms based on machine learning

• Network vulnerability analysis

Video Sensing

• Smart Sensing – On-board analytics and storage

• Power Management – Avoid transmission until sensor detects event of interest

• Utilize time-shifted transmission

• Post collection egress (log in and download data at less than real-time speeds)


Page 23: Cyber Security


Wireless Audio/Video Security Platform (WASP)

• Wireless (900 MHz, 2.4 GHz, cellular) retrieval of HD video, HD images and audio

• On-board ARM processor plus DSP to run application software in parallel with video algorithms.

• CDMA/GSM Wireless Link

• 2.4GHz Wireless Link (higher data rates, third-party product integration)

• IP Gateway Infrastructure

• DVR Capability (record, playback on-demand)

• Camera analytics (face detection, wide dynamic range processing, motion detection)

Page 24: Cyber Security

WASP System Architecture

[Diagram: WASP connects to an RF to IP Video Gateway, which reaches the INTERNET over Ethernet, a Satellite Internet Terminal or a LoS IP Radio; a Local User and Remote Users access the video.]

Page 25: Cyber Security

OnWire Capabilities

Area of Expertise

• Identity, Access, & Federation Management

• Federated Trust (SAML/XSLT/Web Services)

• 2-Factor Authentication

• PKI / Smart Cards

Professional Services

• Systems Engineering

• Development

• Integration Services

• Consulting Services

Cloud Services

• Federated SSO

• Identity and Access Management as a Service

• Consulting Services

Page 26: Cyber Security

Gartner’s Nexus of “Forces”

The Gartner Group has coined the phrase Nexus of Forces to refer to four technology areas having a profound effect on IT.

The forces of the Nexus are intertwined to create a user-driven ecosystem of modern computing.

• Information is the context for delivering enhanced social and mobile experiences.

• Mobile devices are a platform for effective social networking and new ways of work.

• Social links people to their work and each other in new and unexpected ways.

• Cloud enables delivery of information and functionality to users and systems.

User adoption of these technologies means that IT organizations must adapt their security posture to account for these forces.


Page 27: Cyber Security

Security Implications

Diagram Source: Gartner (June 2012)

Callouts Source: OnWire (April 2013)

[Diagram: Gartner Nexus of Forces with OnWire security callouts:]

• Data Leakage (corp data migrates to public cloud)

• Data Leakage (data cached on device)

• Unpredictable platform type (user chooses platform)

• Unpredictable app behavior (user owns the app)

• Blurring of work and private data

• Privacy Issues

• Attack Target – honeypot of data

• Access Control Issues

• Phishing target (large number of unsophisticated users)

Page 28: Cyber Security

IAM Vision & OnWire’s Expertise

Key Themes

• Standardized IAM and Compliance – Expand IAM vertically to provide identity & access intelligence to the business; integrate horizontally to enforce user access to data, app, and infrastructure

• Secure Cloud, Mobile, Social Collaboration – Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation & authentication solutions

• IAM Governance and Insider Threat – Continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management

Page 29: Cyber Security

IBM Security Products

Information

• InfoSphere Guardium

- Activity monitor, data encryption, vulnerability assessment

• Key Lifecycle Manager (managing signing and encryption keys)

Mobile

• Endpoint Management (Endpoint Manager for Mobile Devices)

• IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity Manager)

• Network Security (Mobile Connect)

Cloud

• Application Security (Rational Appscan, Policy Manager)

• Infrastructure Security (Host Protection, Virtual Server Protection, Network Intrusion Prevention System)

• IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity Manager)

Social

• QRadar Security Intelligence Platform

• Application Security (Rational Appscan, Policy Manager)

• IAM (Access Manager, Identity Manager, Federated Identity Manager)


Page 30: Cyber Security

Cyber Security: A New Domain for Intelligence Analysis

Mark Vasudevan, President, VSi

Page 31: Cyber Security

About VSi

• VSi, based in Winston-Salem, NC, specializes in web-based intelligence and analytical software applications

• VSi’s MIDaS™, (U.S. Patents Nos. 6,877,006; 7,167,864; 7,720,861; 8,082,268) is a browser-based, ad-hoc, multi-dimensional analytical tool for users and analysts

• VSi’s patents have been licensed to IBM and Oracle

• VSi’s MIDaS™ links distributed disparate data sources to produce user-defined analytical views

• VSi’s MIDaS™ uses a fine-grained security model that implements multi-level security capability

• VSi’s MIDaS™ delivers its capabilities without writing any code

Page 32: Cyber Security

IDENTIFICATION OF PROBLEM – NOT A NEW PROBLEM; A NEW DOMAIN

• Analysis – Multi-INT Fusion: HUMINT, COMINT, IMINT ELINT

• Perimeter Security, Sensors – Access, Authentication and Authorization

• Pattern Analysis – Intrusion patterns

• Inference capability

• Information dissemination – Reporting

• Strategic and Tactical/Imminent threat assessment

• Collaboration – Functional Defeat Models

• Design of intrusion protection and vulnerability minimization

Page 33: Cyber Security

NEW TECHNOLOGY – MULTI-USE

• Re-use existing resources to develop new intelligence

• Analysis tools should be flexible to be used for multiple purposes – Intelligence Analysis; Target Centric Analysis; Threat Assessment

• Data source agnostic - Structured and Unstructured data fusion

• Collaborative “System-of-Systems” model development

• Analysis should focus on the requirements of the Analyst and Field Operator – Flexible; Near Real Time

• Comprehensive visualization – Geospatial; Network-graph; temporal; 3D

• Multi-level security - Information dissemination; Reporting

Page 34: Cyber Security

WHAT DOES VSi’s MIDaS™ LOOK LIKE?