cyber security
TRANSCRIPT
North Carolina Federal Advanced Technologies Symposium May 9, 2013
Cyber Security Panel
Hosted by: Office of Senator Richard Burr NC Military Business Center NC Military Foundation Institute for Defense & Business University of North Carolina System
Science of Security Configuration Analytics: Know your network!
Professor Ehab Al-Shaer, Director of Cyber Defense Network Assurability Center
University of North Carolina Charlotte [email protected]
www.cyberdna.uncc.edu
About CyberDNA Research
• Vision: Making cybersecurity measurable, provable and usable
• Research Team:
– Multi-disciplinary team of 11 faculty members and 35 PhD students
– Areas: security, networking, data mining, economics, power and control, behavior science/HCI
• Active Funding: > 8.2M from NSF, NSA, ARO, AFRL, DHS, Bank of America, BB&T, DTCC, Duke Energy, Cisco, Intel
• Prof. Al-Shaer was featured as Subject Matter Expert (SME) in Security Configuration Analytics and Automation [DoD Information Assurance Newsletter, 2011].
• NSF Industry/University Collaborative Research Center on (Security) Configuration Analytics and Automation (CCAA), led by UNC Charlotte and George Mason Univ.
– Members include NSA, NIST, Bank of America, BB&T, DTCC, MITRE, Northrop Grumman
• Tools and technology transfer projects for Cisco, Intel, Duke Energy, ...
• Research: long and solid track record in many areas, particularly
– Security configuration analytics (verification and synthesis) for enterprise, cloud and smart grid
– Security metrics and risk estimation
– Agility and resiliency for cyber, clouds and cyber-physical systems
Why Is Cybersecurity Hard?
• Attack Detection (alone) Cannot Deliver
– Learning-based = knowing the attack OR knowing the deviation threshold; easily evadable
– Insufficient for attack avoidance
• Cybersecurity = Attack Prediction
• Attack Prediction is a Hard Problem
– Learning-driven vs. Prediction-driven
• Feature selection vs. information integration & analytics
– Scalable and accurate models of both system behavior and adversary strategies.
– System complexity and adversary sophistication are increasingly growing.
The Need for Security Configuration Analytics
• A December 2008 report from the Center for Strategic and International Studies, "Securing Cyberspace for the 44th Presidency", states that "inappropriate or incorrect security configurations were responsible for 80% of Air Force vulnerabilities".
• A May 2008 report from Juniper Networks, "What is Behind Network Downtime?", states that "human factors [are] responsible for 50 to 80 percent of network device outages".
• BT/Gartner[3] has estimated that 65% of cyber-attacks exploit systems with vulnerabilities introduced by configuration errors. The Yankee Group[4] has noted that configuration errors cause 62% of network downtime.
• A 2009 report[5] by BT and Huawei discusses how service outages caused by "the human factor" themselves cause more than 30% of network outages, "a major concern for carriers and causes big revenue-loss."
Complexity of Configuration Analytics
• Scale: thousands of devices and millions of rules.
• Distributed, yet inter-dependent devices and rules.
• Policy semantic gap across device roles (e.g., rule-order semantics vs. recursive ACL, single-trigger vs. multi-trigger policies)
• Multi-level and multi-layer network configuration
– Overlay networks, groups/domains in cloud (e.g., EC2/VPC, security groups)
– Network access control, OS, application level, etc.
• Dynamic changes in networks and threat
• Security design trade-offs: risk vs mission, usability, cost, and performance
[Source: Security Analytics and Automation, DoD IA Newsletter, Oct 2011]
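As an added illustration of the rule-order semantics problem named above (this is not ConfigChecker or any CyberDNA code): a first-match ACL checker that reports rules fully covered by an earlier rule, classifying them as shadowed (different action, so the later rule never fires as intended) or redundant (same action). The rule format and the sample ACL are constructed for this example, and coverage is checked against single earlier rules only, not against a union of rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL entry in a constructed, device-neutral format (hypothetical)."""
    name: str
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source prefix in CIDR notation
    dst: str         # destination prefix in CIDR notation
    dports: tuple    # inclusive (low, high) destination port range


def _subset(inner: Rule, outer: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def analyze(rules):
    """Under first-match semantics, report each rule fully covered by an earlier rule.

    Returns (later_rule, "shadowed" | "redundant", earlier_rule) triples.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _subset(later, earlier):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((later.name, kind, earlier.name))
                break
    return findings


# Constructed sample ACL (not taken from any real device configuration)
SAMPLE_ACL = [
    Rule("r1", "deny",   "tcp", "10.1.0.0/16",   "0.0.0.0/0",     (0, 65535)),
    Rule("r2", "permit", "tcp", "10.1.2.0/24",   "192.0.2.10/32", (443, 443)),
    Rule("r3", "permit", "udp", "10.0.0.0/8",    "192.0.2.53/32", (53, 53)),
    Rule("r4", "permit", "udp", "10.3.0.0/16",   "192.0.2.53/32", (53, 53)),
    Rule("r5", "permit", "tcp", "172.16.0.0/12", "192.0.2.0/24",  (80, 80)),
]

if __name__ == "__main__":
    for later, kind, earlier in analyze(SAMPLE_ACL):
        print(f"{later} is {kind} by {earlier}")
```

On the sample ACL, r2 is shadowed by the broader deny in r1 (the intended HTTPS exception is unreachable) and r4 is redundant with r3.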
NSF Center on Security Analytics & Automation– The Big Picture
[Diagram: today's predominately manual management practices, fed by logs and sensor data, security requirements & policies, and enterprise policies & configuration, are replaced by measurable security analytics & automation (analytics, automation, integration, action, system), aiming at automated defense, resiliency and cost-effective hardening, and producing defensive actions.]
ConfigChecker: Security Analytics Magic Box [ICNP09]
[Diagram: ConfigChecker outputs: policy violation, threat prediction, risk estimation, risk mitigation, attack diagnosis, agility actions, resiliency measure.]
Golden Technology Services
GOLDEN TECHNOLOGY SERVICES: Delivering Business Impact with Advanced Technology Solutions
© 2012 Golden Technology Services
Cyber attacks are increasingly impacting both private sector and U.S. government information networks and systems
May 15, 2013
Sources: IBM Corporation, PwC
Proof points: Targeted attacks shake businesses & governments
Source: IBM Corp., 2011 Year-End X-Force Trend and Risk Report.
The Power of Cyber Knowing
• Every day, cyber thieves run their reconnaissance on networks and servers, and afterward know more about an organization's IT security than it does.
• How Can the Cyber Thieves Know More About a Business's IT Security Than It Does?
– They are super intelligent and their IT budget is significantly larger than most.
– They know there is limited to no risk of them ever being identified or caught.
– Their goal is simple: either to steal money, intellectual assets or both.
– Due to advertising, they have developed a work-around to bypass all of the readily available and known IT security products and services; yes, all of them.
– Lastly, some of the security solutions used are manufactured or developed by some of the nation states.
• The Market Needs to Add an Additional Security Layer to Its Network
– The market needs a service that is innovative in dealing with these very aggressive cyber actors and threats.
– The market needs a tool that is 100% designed, manufactured and assembled with integrity and trust in the US.
– The market needs a tool and service that are not advertised. This is important for US national security, financial services companies and others.
Yet most U.S. SMBs can improve their online security practices
Source: "2012 National Small Business Study," National Cyber Security Alliance, Sept. 2012
What Are You Going To Do?
1) "Online Cyber Training": training, risk assessment and policy management tools that prepare employees for the current threat environment.
• More than 50% of all security incidents originate from successful social engineering efforts.
• Training, testing and tracking the workforce offers a high return on investment.
• Training can be completed from anywhere, anytime, including at home.
• The FTC Safeguards Rule mandates the creation of a Written Information Security Program (WISP).
• Service contains a comprehensive library of Data Security Policies that can be used as templates for the development of an organization's WISP.
2) Cyber Detection: automatically detects and terminates threats that evade signatures and blacklists.
• Can find previously unknown and hidden threats within hours of deployment.
• Monitors servers, desktops, iOS and Android devices (employees & contractors).
• Provides an alert so action can be taken immediately.
3) IP Address Blocking: blocks 3 million vetted and blacklisted IP addresses.
• Blocks bi-directionally; web portal for each appliance to see what is being blocked.
• Newly identified and vetted IP addresses are sent up to 4 times an hour to the customer.
CYBER SECURITY
• Intrusion detection - focused on protecting against attack vectors based on software or hardware vulnerabilities.
• Firewall configuration, patch management, anti-virus technologies and intrusion detection log monitoring.
• Masquerade Threat - access through the use of stolen, highjacked or forged logon IDs and passwords.
• Security gaps in programs, or through bypassing the authentication mechanism.
• Insider Threat – valid credentials or permissions (bad actor)
@2013 SECURBORATION, INC. COMPANY PROPRIETARY
INTRUSION DETECTION
• Traditional protection technologies have matured
• National Vulnerability Database (http://nvd.nist.gov) vulnerability disclosures across the industry in 1H2011 were down 37.1% from 2H2008[1]
• Class of tools
– e-Sentinel
– Host Based Security System
[Chart: Vulnerability Disclosures]
THREAT CLASSES
MASQUERADE THREAT
• Recent trends indicate that stealing or forging log-in credentials has become a common methodology for achieving unauthorized access
• User Behavior
– Identify deviations from expected behavior
– Access to applications over system access
– Utilize logs to monitor behavior
• New class of tools
INSIDER THREAT
• Bad Actors
• User Behavior (threshold of bad behavior)
– Identify deviations from expected behavior
– Access to applications over system access
– Access to Multifunction-Printers
– Utilize logs to monitor behavior
• New class of tools
C-SAMS
CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
• Cyber Defense
• Insider / Masquerade Threat Focus: Identity theft; Exfiltration; Credential amplification
• Whitelist Oriented: When are there observable shifts in agent behavior from “normal” to “abnormal”?
• Model-driven:
• Enterprise Architecture
• Business Process Modeling
• Business Process Execution Language (BPEL)
• Web Ontology Language (OWL)
CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
[Diagram: CSAMS data flow. Labels: Actual Behaviors; GCCC Merged Log Files (Legacy, Future CSV); Detects Anomalous Behavior by Comparing Expected vs. Actual; Publishes Events That Indicate Behavior Outside the Norm; End User.]
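An added example, not Securboration's or CSAMS code, of the whitelist-oriented comparison of expected versus actual behavior that the threat-class and CSAMS slides above describe: per-user profiles are learned from a baseline window of access logs, and later events are flagged when they fall outside the user's known applications, working-hour window or daily volume threshold. The log format and both logs are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access logs, "<user> <ISO timestamp> <application>" (not real data)
BASELINE_LOG = """\
alice 2013-04-01T09:12:00 crm
alice 2013-04-01T10:40:00 email
alice 2013-04-02T09:05:00 crm
bob 2013-04-01T08:30:00 payroll
bob 2013-04-02T08:45:00 payroll
bob 2013-04-03T09:10:00 email
"""
NEW_LOG = """\
alice 2013-05-09T09:30:00 crm
alice 2013-05-09T23:15:00 payroll
bob 2013-05-09T08:40:00 payroll
bob 2013-05-09T03:00:00 mfp-scanner
"""

def parse(log_text):
    """Turn log lines into (user, datetime, application) tuples."""
    events = []
    for line in log_text.splitlines():
        user, ts, app = line.split()
        events.append((user, datetime.fromisoformat(ts), app))
    return events

def build_profiles(events):
    """Per-user whitelist: applications used, working-hour window, max events per day."""
    apps, hours, daily = defaultdict(set), defaultdict(list), Counter()
    for user, ts, app in events:
        apps[user].add(app)
        hours[user].append(ts.hour)
        daily[(user, ts.date())] += 1
    return {user: {"apps": apps[user],
                   "hours": (min(hours[user]), max(hours[user])),
                   "max_daily": max(n for (u, _), n in daily.items() if u == user)}
            for user in apps}

def detect(profiles, events):
    """Flag events outside the user's profile; returns (user, time, app, reasons)."""
    alerts, seen_today = [], Counter()
    for user, ts, app in events:
        seen_today[(user, ts.date())] += 1
        prof, reasons = profiles.get(user), []
        if prof is None:
            reasons.append("unknown user")
        else:
            lo, hi = prof["hours"]
            if app not in prof["apps"]:
                reasons.append(f"new application {app}")
            if not lo <= ts.hour <= hi:
                reasons.append(f"outside hours {lo:02d}-{hi:02d}")
            if seen_today[(user, ts.date())] > prof["max_daily"]:
                reasons.append("daily volume above baseline")
        if reasons:
            alerts.append((user, ts.isoformat(), app, tuple(reasons)))
    return alerts
```

Run as `detect(build_profiles(parse(BASELINE_LOG)), parse(NEW_LOG))`: alice's late-night payroll access and bob's 03:00 use of the multifunction printer are reported, while their in-profile events are not.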
About Signalscape
Signalscape offers security solutions and vulnerability analysis to the DoD, Law Enforcement, and Cyber Communities.
Our expertise ranges from miniature single board wireless solutions for one-time mission critical applications to fully integrated wireless surveillance, tracking, and data transport platforms.
Specifically, Signalscape specializes in Audio and Video Wireless Data Detection, Collection, and Transport including:
• Wireless Sensors (Audio and Video)
• Mobility Systems (Cellular Data Transport)
• Software Defined Radio (SDR)
Visit us at www.signalscape.com.
Challenges Facing DoD, LE, and Cyber Communities
Two issues facing DoD, Law Enforcement, and Cyber Communities include:
• Detecting and analyzing audio and video streams embedded in massive amounts of wireless network traffic (both encrypted and unencrypted)
• Deploying Smart, Wireless, Audio and Video Sensors
Signalscape provides Wireless Video Collection and Analytics capabilities both from a defensive and offensive point of view.
Specifically, two key wireless video topics of interest to the IC and Cyber Community:
• Video Detection and Vulnerability Analysis
• Video Sensing
Video Detection and Vulnerability Analysis
• Packet payload inspection (if unencrypted)
• Detection of encrypted audio and video streams via traffic pattern classification algorithms based on machine learning
• Network vulnerability analysis
Video Sensing
• Smart Sensing: on-board analytics and storage
• Power Management: avoid transmission until sensor detects event of interest
• Utilize time-shifted transmission
• Post collection egress (log in and download data at less than real-time speeds)
Wireless Audio/Video Security Platform (WASP)
• Wireless (900 MHz, 2.4 GHz, cellular) retrieval of HD video, HD images and audio
• On-board ARM processor plus DSP to run application software in parallel with video algorithms
• CDMA/GSM Wireless Link
• 2.4 GHz Wireless Link (higher data rates, third-party product integration)
• IP Gateway Infrastructure
• DVR Capability (record, playback on-demand)
• Camera analytics (face detection, wide dynamic range processing, motion detection)
WASP System Architecture
[Diagram: WASP connects over an RF to IP video gateway, Ethernet, a satellite Internet terminal and a line-of-sight (LoS) IP radio to the Internet, serving a local user and remote users.]
OnWire Capabilities
Area of Expertise
• Identity, Access, & Federation Management
• Federated Trust (SAML/XSLT/Web Services)
• 2-Factor Authentication
• PKI / Smart Cards
Professional Services
• Systems Engineering
• Development
• Integration Services
• Consulting Services
Cloud Services
• Federated SSO
• Identity and Access Management as a Service
• Consulting Services
Gartner’s Nexus of “Forces”
The Gartner Group has coined the phrase Nexus of Forces to refer to four technology areas having a profound effect on IT.
The forces of the Nexus are intertwined to create a user-driven ecosystem of modern computing.
• Information is the context for delivering enhanced social and mobile experiences.
• Mobile devices are a platform for effective social networking and new ways of work.
• Social links people to their work and each other in new and unexpected ways.
• Cloud enables delivery of information and functionality to users and systems.
User adoption of these technologies means that IT organizations must adapt their security posture to account for these forces.
Security Implications
Diagram Source: Gartner (June 2012)
Callouts Source: OnWire (April 2013)
[Diagram callouts on the Nexus of Forces:]
• Data Leakage (corp data migrates to public cloud)
• Data Leakage (data cached on device)
• Unpredictable platform type (user chooses platform)
• Unpredictable app behavior (user owns the app)
• Blurring of work and private data
• Privacy Issues
• Attack Target: honeypot of data (cloud)
• Attack Target: honeypot of data (social)
• Access Control Issues
• Phishing target (large number of unsophisticated users)
IAM Vision & OnWire’s Expertise
Key Themes
• Standardized IAM and Compliance: Expand IAM vertically to provide identity & access intelligence to the business; integrate horizontally to enforce user access to data, app, and infrastructure
• Secure Cloud, Mobile, Social Collaboration: Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation & authentication solutions
• IAM Governance and Insider Threat: Continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management
IBM Security Products
Information
• InfoSphere Guardium
- Activity monitor, data encryption, vulnerability assessment
• Key Lifecycle Manager (managing signing and encryption keys)
Mobile
• Endpoint Management (Endpoint Manager for Mobile Devices)
• IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity Manager)
• Network Security (Mobile Connect)
Cloud
• Application Security (Rational Appscan, Policy Manager)
• Infrastructure Security (Host Protection, Virtual Server Protection, Network Intrusion Prevention System)
• IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity Manager)
Social
• QRadar Security Intelligence Platform
• Application Security (Rational Appscan, Policy Manager)
• IAM (Access Manager, Identity Manager, Federated Identity Manager)
Cyber Security: A New Domain for Intelligence Analysis
Mark Vasudevan, President, VSi
About VSi
• VSi, based in Winston-Salem, NC, specializes in web-based intelligence and analytical software applications
• VSi’s MIDaS™, (U.S. Patents Nos. 6,877,006; 7,167,864; 7,720,861; 8,082,268) is a browser-based, ad-hoc, multi-dimensional analytical tool for users and analysts
• VSi’s patents have been licensed to IBM and Oracle
• VSi’s MIDaS™ links distributed disparate data sources to produce user-defined analytical views
• VSi’s MIDaS™ uses a fine-grained security model that implements multi-level security capability
• VSi’s MIDaS™ delivers its capabilities without writing any code
IDENTIFICATION OF PROBLEM: NOT A NEW PROBLEM; A NEW DOMAIN
• Analysis – Multi-INT Fusion: HUMINT, COMINT, IMINT ELINT
• Perimeter Security, Sensors – Access, Authentication and Authorization
• Pattern Analysis – Intrusion patterns
• Inference capability
• Information dissemination – Reporting
• Strategic and Tactical/Imminent threat assessment
• Collaboration – Functional Defeat Models
• Design of intrusion protection and vulnerability minimization
NEW TECHNOLOGY – MULTI-USE
• Re-use existing resources to develop new intelligence
• Analysis tools should be flexible to be used for multiple purposes – Intelligence Analysis; Target Centric Analysis; Threat Assessment
• Data source agnostic - Structured and Unstructured data fusion
• Collaborative “System-of-Systems” model development
• Analysis should focus on the requirements of the Analyst and Field Operator – Flexible ; Near Real Time
• Comprehensive visualization – Geospatial; Network-graph; temporal; 3D
• Multi-level security - Information dissemination; Reporting
WHAT DOES VSi’s MIDaS™ LOOK LIKE?