Cyber Security in Evolving Enterprise Environments
TechNet International 09
Adrian R Hartman, PhD, Senior Manager & Architect
LGS Innovations, Bell Labs
29 October 2009
All Rights Reserved © LGS Innovations, LLC, 29 October 2009
• LGS is an independent entity of Alcatel-Lucent
• Focused on serving the U.S. Government
• 500+ experienced professionals across varied disciplines
• Government R&D
• Direct access to the world-class innovation of Bell Labs
• LGS & Alcatel-Lucent (ALU) provide a comprehensive portfolio of Government Enterprise Security Products / Services
Agenda
• The Cyber Security Problem
• Cyber Security Vision & Technologies
Evolution in Government Enterprise Networks & Services
FROM → TO
• Separated switched-circuit voice/video & IP data networks → Broadband converged, All-IP, multimedia next generation networks
• Location-centric interconnected enterprise services & perimeter defenses → Regionalized Network Service Centers (using virtual architectures) including military systems
• In-house managed applications, data storage & IT services → Networked / Cloud Computing (SaaS, PaaS, IaaS) & Web 2.0+ services
• Enterprise services with limited extranet collaboration / sharing → Global collaboration with customers / partners including social networking web sites, wikis & blogs
• Separate vertical industry networks and infrastructure control systems → Global networked Information Systems encompassing infrastructure, e-Gov, health care, finance, commercial, etc.
• Wired networks with mobile extensions → Ubiquitous user-centric services with diverse terminals & 3G/4G mobility
Faster Exploitation, Propagation, Botnets, DDoS - SPAM on the Rise
[Charts: time to exploit a vulnerability falling from months to weeks to days (2006-2008); time for threats to propagate falling from hours to minutes to seconds (2004-2008)]
• Exploits now at zero day
• Vulnerabilities exploited faster
• Threats propagating faster
• SPAM: 90% of emails in 12/08
• Botnet-launched DDoS on the rise
Government agencies reported ~13,000 cyber security incidents to DHS in FY08, triple the number from two years earlier.
Sources: CERT/CC, Symantec, NVD, Cisco
Why is the Problem So Hard?
• The Enemy is Everywhere
– Nation-State Actors
– Non-State Actors
• Terrorists & Organized Crime
• Ad-Hoc Networks of “Hacktivists”
– Cyber Threat now “Business” driven
– Barriers to Entry are low globally
• Complicated multinational law enforcement
• There are plenty of added perimeter Security Solutions
– Firewalls, IDS, IPS
– But are the boxes configured properly? Do they work together?
• The Government has Special Requirements & Regulations
– Multiple levels of security / coalition sharing
Government Networks are becoming more complex / vulnerable. Incursions on Military Networks were up 55% Last Year.
The Current Approach Adds Perimeter & Defense-in-Depth Protection
Perimeter Protection add-on security will not be sufficient
• Current Government approaches are limited
– Can we continue to address the increasing threats?
• Growing numbers of vulnerabilities & patches?
• Is signature-based virus / malware detection enough?
– How are outsourced services protected?
– How are insider threats dealt with?
• Some deliberate and some unintentional (memory sticks)
– Where is the perimeter in mobile networking?
– How does this approach address malicious code embedded in software?
• There are known problems with the supply chain
Agenda
• The Cyber Security Problem
• Cyber Security Vision & Technologies
How Do You Get Ahead of the Curve?
Cyber Security Vision
1. Holistic Approach to Security: Security Throughout the Security Life Cycle
2. Threat Tolerant Network Design: Networks that Operate in the Presence of Malicious Software
3. Application Security and Web 2.0+ Approaches: Protect the Privacy and Integrity of Consumer Generated Data
1. Holistic Approach to Security
• Security Throughout Life Cycle
– Lowers Life Cycle Cost
• The cost of security incidents is often enormous
• Risk-Based Assessments (solutions need to be affordable)
– Automated Certification and Accreditation
• Recognizes Inherent Need for Mobility
– Apply wireless security technology
• Behavior-Based Monitoring of Network Operations
– Detection of sophisticated zero-day targeted attacks
– Security Event Management (SEM)
• Identifies Network Anomalies (Dynamic Behavior Analysis)
• Determines if Requirements (Policies) are being met
The Perimeter is in New Places… Threats Come From the Inside. This Requires a System Level View of Vulnerabilities.
Applying value-chain thinking to security
Increasing Lifecycle Value with Built in, Standards Compliant Security
Increased Security Transparency and Reduced Risk to the Buyer & End-User
Comprehensive Security Analysis: Applying the X.805 Security Model
Comprehensive End-to-End View of Network Security; Existing International Industry Standard Framework
Security Perspective (3 Layers, 3 Planes, 8 Dimensions)
[Diagram: X.805 layers × planes × dimensions, with Threats, Vulnerabilities and Attacks acting across the model]
Security Layers: Infrastructure Security, Services Security, Applications Security
Security Planes: End User Security, Control/Signaling Security, Management Security
8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
Vulnerabilities Can Exist In Each Layer, Plane, Dimension (Power, Environment, Hardware, Software, Payload, Human, Networks, Policy)
Security Event Management
[Diagram: event-processing pipeline collecting from Domain A through Domain Z into a central view]
Processing stages: Filter, Pattern Match, Message Map; Local to Global Name Mapping, Grouping; Correlation (Asset); Analyze and Suppress; Thresholder (Rate, Value, Time)
Inputs: Network IDS, Host IDS, Firewalls, AAA, OS logs, Routers, Vulnerability Scanners, Anti-Virus
Context: Topology Data, Viewing Descriptions, Customer / Mission Data (Requirements & Policies)
Outputs: Alarms; Request Additional Data, Take Action
Dynamic Behavior Analysis
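The pipeline sketched on this slide, as an added example that is not part of the original deck or of any LGS product: two constructed log sources are pattern-matched into one schema, local names are mapped to a global asset id, verbatim duplicates are suppressed, and a rate/time thresholder raises one alarm per (asset, event type). The log lines, the `NAME_MAP` inventory and the thresholds are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines from two sources that name the same asset differently (not real logs).
RAW_EVENTS = [
    "fw   2009-10-29T10:00:01 deny src=srv-12 dst=10.10.2.10 port=445",
    "hids 2009-10-29T10:00:02 host=SRV12.corp.example alert=portscan",
    "fw   2009-10-29T10:00:03 deny src=srv-12 dst=10.10.2.11 port=445",
    "fw   2009-10-29T10:00:04 deny src=srv-12 dst=10.10.2.12 port=445",
    "fw   2009-10-29T10:00:04 deny src=srv-12 dst=10.10.2.12 port=445",  # verbatim repeat
    "fw   2009-10-29T10:09:00 deny src=srv-12 dst=10.10.2.13 port=445",
]
# Local-to-global name mapping: each source's local name -> one global asset id (constructed)
NAME_MAP = {"srv-12": "asset:0042", "SRV12.corp.example": "asset:0042"}

FW_RE = re.compile(r"fw\s+(\S+) deny src=(\S+) dst=(\S+) port=(\d+)")
HIDS_RE = re.compile(r"hids\s+(\S+) host=(\S+) alert=(\S+)")

def normalize(line):
    """Filter, pattern match and message map: one common event schema, or None."""
    if m := FW_RE.match(line):
        ts, src, dst, port = m.groups()
        return {"ts": ts, "asset": NAME_MAP.get(src, src), "type": "fw.deny", "detail": f"{dst}:{port}"}
    if m := HIDS_RE.match(line):
        ts, host, alert = m.groups()
        return {"ts": ts, "asset": NAME_MAP.get(host, host), "type": f"hids.{alert}", "detail": ""}
    return None  # filtered out: no known pattern

def correlate(lines, rate_threshold=3, window_s=60):
    """Analyze-and-suppress verbatim duplicates, then a rate/time thresholder per
    (asset, event type): one alarm when rate_threshold events fall within window_s."""
    seen, recent, alarms = set(), defaultdict(deque), []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        key = (ev["ts"], ev["asset"], ev["type"], ev["detail"])
        if key in seen:
            continue
        seen.add(key)
        t = datetime.fromisoformat(ev["ts"]).timestamp()
        window = recent[(ev["asset"], ev["type"])]
        window.append(t)
        while t - window[0] > window_s:      # drop events older than the time window
            window.popleft()
        if len(window) == rate_threshold:
            alarms.append((ev["asset"], ev["type"], ev["ts"]))
    return alarms
```

Without the name mapping the firewall and host IDS events would be correlated as two unrelated assets; with it, the third deny within the window raises a single alarm while the repeated line and the event nine minutes later do not.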
2. Inherent Threat Tolerance
• Design Networks to Tolerate Inevitable Malware / Backdoors / Timebombs
– Software Assurance Technology
• Protect Enterprise Office Applications / Operating Systems
– Ability to Operate Networks in Degraded Mode
• Graceful Degradation of Prioritized Traffic
– Behavior-Based Monitoring of Network Operations
• BotNet Detection and Mitigation
• Tight Access Control to Identify Sources of Malware
• Wireless Network Protection Technology
• Protect 3G/4G Wireless Networks – users share limited RF bandwidth
• Minimize client security software on the mobile terminals
Technologies Resistant to the Effects of Malware / Threats are Needed
Software Diversity
• Protect networks against large-scale attacks
– Construct diverse instances (“shuffles”) of a program that are:
• Not all vulnerable to the same attack
• But are functionally equivalent
– Make it hard to design a successful attack:
• Prevent an attack that is successful against one computer from spreading to other computers
– Extend polymorphic code shuffling research to consider program structure
• Formal mathematical methods used to change code signature by:
– Identifying independent code blocks
– Rearranging the blocks
– While maintaining functionality
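The block-shuffling idea in miniature, as an added example that is not the deck's or Bell Labs' diversity tooling: a constructed straight-line program is given as blocks with read/write sets, data dependencies (read-after-write, write-after-read, write-after-write) are derived from those sets, and each "shuffle" is a random topological order, so the instance's text (its signature) changes while its result does not. The statements, their read/write sets and the hash-as-signature are assumptions standing in for a binary's data-flow graph.

```python
import hashlib
import random

# Constructed straight-line "program": (statement, variables read, variables written).
BLOCKS = [
    ("a = 3",     set(),      {"a"}),
    ("b = 4",     set(),      {"b"}),
    ("c = a * 2", {"a"},      {"c"}),
    ("d = b + 1", {"b"},      {"d"}),
    ("e = c + d", {"c", "d"}, {"e"}),
]

def dependencies(blocks):
    """Block j must stay after block i if j reads what i writes, writes what i
    reads, or writes what i writes (RAW / WAR / WAW hazards). Returns {j: {i,...}}."""
    deps = {j: set() for j in range(len(blocks))}
    for i, (_, reads_i, writes_i) in enumerate(blocks):
        for j in range(i + 1, len(blocks)):
            _, reads_j, writes_j = blocks[j]
            if writes_i & reads_j or reads_i & writes_j or writes_i & writes_j:
                deps[j].add(i)
    return deps

def shuffle(blocks, seed):
    """One diverse instance: a random topological order of the dependency graph,
    so independent blocks move while every data dependency is preserved."""
    rng, deps, placed, order = random.Random(seed), dependencies(blocks), set(), []
    while len(order) < len(blocks):
        ready = [j for j in range(len(blocks)) if j not in placed and deps[j] <= placed]
        pick = rng.choice(ready)
        placed.add(pick)
        order.append(pick)
    return [blocks[j][0] for j in order]

def run(statements):
    """Execute the toy statements in order and return the final value of e."""
    env = {}
    for stmt in statements:
        exec(stmt, {}, env)
    return env["e"]

def signature(statements):
    """Stand-in for a code signature: hash of the instance's text."""
    return hashlib.sha256("\n".join(statements).encode()).hexdigest()

def distinct_signatures(blocks, n_instances=20):
    """Return the set of results and the number of distinct signatures over n shuffles."""
    instances = [shuffle(blocks, seed) for seed in range(n_instances)]
    results = {run(inst) for inst in instances}
    return results, len({signature(inst) for inst in instances})
```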
BotNet Detection and Mitigation
[Diagram: Infection Detection (symptoms, roles, reputation) → Infection Report → Retroactive Query → Containment]
Infection Detection symptoms: slowdown (t1), untrusted download (t2), role of host changed (t3); (t1 > t3 > t2)
Infection Report for 10.10.2.10
Owner: Jon Doe; Virulence: 0.87
Symptoms:
- Host slowed down at t1
- Downloaded exe from untrusted hosts: at time t2 from 192.168.1.10 (30KB); at time t2’ from 192.168.3.12 (194KB)
- Change in host role: role changed from web/mail client to p2p-node at time t3
Direct link to packet data; manual download from source
Retroactive Query: Which hosts downloaded or uploaded the payload?
Retroactive Query Results
Downloaded:
- 10.10.2.10 from 192.168.1.10 at time t2
- 10.10.2.34 from 192.168.52.26 at time t4
- 10.10.2.34 from 192.168.52.26 at time t5
Uploaded:
- 10.10.2.54 uploaded to 192.168.52.26 at time t3
Recover evidence
Containment: Restrict all network access OR Restrict outbound access
• Detects symptoms / behaviors
– Not signatures
• Utilizes existing forensic analysis technology developed / operational at Polytechnic University
– Hierarchical Bloom filter technology permits months of data to be stored for queries
• Detects Botnets using current & historical network traffic / host data
• Provides multiple Botnet detection and collaboration mechanisms
• Provides targeted mitigation recommendations
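How a hierarchical Bloom filter can support the retroactive "which hosts downloaded or uploaded the payload?" query from this slide, as an added example that is not the Polytechnic University or LGS implementation: a coarse filter over payload hashes prunes payloads never seen, and one fine filter per hour bucket answers membership for (hour, payload, direction, host) tuples against the asset inventory. The flow records, the hour bucketing, the `HOSTS` inventory and the filter sizes are constructed for the example.

```python
import hashlib

# Constructed flow records (not real traffic): (hour_bucket, internal_host, external_peer, direction, payload_hash)
FLOWS = [
    (2, "10.10.2.10", "192.168.1.10",  "downloaded", "sha256:payload-A"),
    (3, "10.10.2.54", "192.168.52.26", "uploaded",   "sha256:payload-A"),
    (4, "10.10.2.34", "192.168.52.26", "downloaded", "sha256:payload-A"),
    (5, "10.10.2.34", "192.168.52.26", "downloaded", "sha256:payload-A"),
    (5, "10.10.2.77", "192.168.9.9",   "downloaded", "sha256:payload-B"),
]
HOSTS = ["10.10.2.10", "10.10.2.34", "10.10.2.54", "10.10.2.77"]  # asset inventory (constructed)

class Bloom:
    """Minimal Bloom filter: k indexes carved from one SHA-256, m bits kept in an int."""
    def __init__(self, m=1 << 16, k=4):
        self.m, self.k, self.bits = m, k, 0
    def _indexes(self, item):
        d = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]
    def add(self, item):
        for i in self._indexes(item):
            self.bits |= 1 << i
    def __contains__(self, item):
        return all(self.bits >> i & 1 for i in self._indexes(item))

class HierarchicalIndex:
    """Coarse filter over payload hashes for the whole retention period, plus one
    fine filter per hour bucket keyed by (hour, payload, direction, host)."""
    def __init__(self):
        self.coarse, self.hours = Bloom(), {}
    def add(self, hour, host, peer, direction, payload):
        self.coarse.add(payload)
        self.hours.setdefault(hour, Bloom()).add(f"{hour}|{payload}|{direction}|{host}")
    def retroactive_query(self, payload, hosts):
        """Which known hosts downloaded or uploaded the payload, and in which hour.
        A Bloom filter never misses a stored item; its rare false positives are
        confirmed against retained packet data before any containment step."""
        if payload not in self.coarse:          # prune: never seen, skip every bucket
            return []
        hits = []
        for hour, fine in sorted(self.hours.items()):
            for host in hosts:
                for direction in ("downloaded", "uploaded"):
                    if f"{hour}|{payload}|{direction}|{host}" in fine:
                        hits.append((hour, direction, host))
        return hits

def build_index(flows=FLOWS):
    idx = HierarchicalIndex()
    for rec in flows:
        idx.add(*rec)
    return idx
```

The filters store a fixed number of bits per bucket regardless of traffic volume, which is what lets months of history stay queryable; the trade-off is that a query can only test candidate hosts, not enumerate unknown ones.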
Wireless Network Security (Aware)
[Diagram: BTS, RNC, PDSN, Home Agent, Wireless Core and Internet, with Aware Detector and Aware Central components]
Aware Detector
• Provides traffic assessment to assist in network & end user service quality protection
• Wireless 3G/4G Network Anomaly Behavior Detector (Bell Labs algorithms)
• Monitors individual subscriber session behavior
• Calculates “cost” of behavior relative to real-time capacity in the network
• Observes Mobile-to-Mobile & Internet-to-Mobile traffic
Aware Central
• Security Event Viewer for reports, alarms, network awareness and forensics
• Element / configuration manager for Detectors & Mitigation Appliances for Security Event Management
• Mitigation plan through IPS/Firewall, Mobile Quarantine of abusive users
Laptop Guardian
• Agent: Intelligent data card, plugs into the end-user mobile host, terminates IPsec tunnel to Gateway, includes 3G interface (HSDPA, EV-DO rA) for ubiquitous connectivity
• Gateway: Enhanced remote access server, deploys at the edge of the enterprise network
• Driver: Software package, installs on the end-user mobile host
• Management Server: Management software platform, installs on general-purpose enterprise server
[Diagram: Evros Agent (3G Modem, Memory, Battery, Software, Processor) reaches the Evros Gateway (VPN, Policies, IT Applications) over WiFi, 3G or LAN; Evros Driver on the host; Evros Management Server]
• Protects the mobile laptop & applications with hardened wireless agent
• Automates VPN connection to the Enterprise
3. Application Security & Web 2.0+ Approaches
• Secure the Applications
– Security Concerns:
• RSS, AJAX (Asynchronous JavaScript and XML), Instant Messaging, Widgets / Gadgets
• Web 2.0 apps might initially have higher vulnerabilities than the above
• Provide a “platform in the cloud” that makes proprietary data stored in applications securely accessible across Web 2.0 interfaces
– In Government private cloud computing
• Meet Government Information Assurance requirements
– In Government public cloud computing
• Provide security standards transparency & SLA audit support
• Establish how Government customer data integrity & privacy will be assured
• Consider segregating Government domains in the cloud
The Bottom Line…
• Today’s Networks are Different
– Voice & Data -> Converged, Multimedia, All IP
– Enterprise -> Web 2.0+ & Cloud Computing
– Standard Content -> Consumer Generated Content
– Fixed Users -> Mobile Users
• Today’s Adversaries are More Sophisticated
– Threats extended to all networks connected to the Global Information System
• Security Paradigm Shifts are Needed
– Perimeter Security -> Holistic Security
– Threat Intolerance -> Threat Tolerance
– Signature Based -> Behavior Based
[Diagram: 1. Network, 2. People, 3. Process, 4. Knowledge]
Adrian R Hartman, Senior Manager and Architect
Solution Engineering, LGS, Bell Labs Innovations
15 Vreeland Road, Florham Park, NJ 07932
mobile: 908-578-3679; phone: 973-437-9868
www.lgsinnovations.com
Thank You… Any Questions?
Backup
Alcatel-Lucent Security Solutions
A Comprehensive Enterprise Portfolio
Security Innovations for Next Generation Networks
• ALU VPN/Firewall (aka The Brick)
• Security Consulting
• Software Diversity
• Secure ALU COTS Networking Products
• Laptop Guardian
• Bell Labs Security Framework (X.805, ISO 18028)
• Vital ISA for Security Event Management
• Bot Detection
• Third Party Partner Relationships
• Security Assessments
Network Reconnaissance for Penetration Testing
Internet Probing, Mapping and Analysis
• Remotely probe Internet-connected networks
– Low probability of network disruption
– Determine target network exposure, vulnerabilities and weaknesses
– Produce detailed analyses, network maps and collected data
– Propose Remediation
• Identify machines with vulnerabilities in the target network
– Web Servers, DNS Servers, Vulnerable Hosts
• Provided as Output
– Potential Targets, Paths to Target Machines, Server Types, Vulnerabilities (i.e. Open Ports)
Network Reconnaissance Process
Kiviat Diagram X.805 Example: High Risk Zones / Plans for Remediation
X.805 Dimension          % of Risk to Remediate
Access control           10
Authentication           12
Non-repudiation          0
Data confidentiality     8
Communication Security   10
Data Integrity           0
Availability             7
Privacy                  14
[Kiviat chart over the eight X.805 dimensions on a 0.00-1.00 scale; legend: Low Priority, Medium priority, High priority, Current Levels - High; shaded area of high risk gaps]
The red areas show high risk gaps for X.805 dimensions. Purple indicates the implementation status of high priority security capabilities.