Cyber Security in Evolving Enterprise Environments TechNet International 09 Adrian R Hartman, PhD Senior Manager & Architect LGS Innovations, Bell Labs 29 October 2009

Upload: quintin-clemson

Post on 29-Mar-2015


Page 1

Cyber Security in Evolving Enterprise Environments
TechNet International 09
Adrian R Hartman, PhD, Senior Manager & Architect
LGS Innovations, Bell Labs
29 October 2009

Page 2

All Rights Reserved © LGS Innovations, LLC, 29 October 2009

• LGS is an independent entity of Alcatel-Lucent

• Focused on serving the U.S. Government

• 500+ experienced professionals across varied disciplines

• Government R&D

• Direct access to the world-class innovation of Bell Labs

• LGS & Alcatel-Lucent (ALU) provide a comprehensive portfolio of Government Enterprise Security Products / Services

Page 3

Agenda

• The Cyber Security Problem
• Cyber Security Vision & Technologies

Page 4

Evolution in Government Enterprise Networks & Services

FROM: Separated switched circuit voice/video & IP data networks
TO: Broadband converged, All IP, multimedia next generation networks

FROM: Location-centric interconnected enterprise services & perimeter defenses
TO: Regionalized Network Service Centers (using virtual architectures) including military systems

FROM: In-house managed applications, data storage & IT services
TO: Networked / Cloud Computing (SaaS, PaaS, IaaS) & Web 2.0+ Services

FROM: Enterprise services with limited extranet collaboration / sharing
TO: Global collaboration with customers / partners including social networking web sites, wikis & blogs

FROM: Separate vertical industry networks and infrastructure control systems
TO: Global networked Information Systems encompassing: infrastructure, e-Gov, health care, finance, commercial, etc.

FROM: Wired networks with mobile extensions
TO: Ubiquitous user centric services with diverse terminals & 3G/4G Mobility

Page 5

Faster Exploitation, Propagation, Botnets, DDOS - SPAM on the Rise

[Charts, years 2004 to 2008: "Vulnerabilities Exploited Faster" (time-to-exploit axis in months, weeks, days; callout: Exploits Now at Zero Day) and "Threats Propagating Faster" (propagation-time axis in hours, minutes, seconds). Callouts: SPAM: 90% of Emails in 12/08; Botnet Launched DDOS on the Rise. Sources: CERT/CC, Symantec, NVD, Cisco]

Government agencies reported ~13,000 cyber security incidents to DHS in FY08, triple the number from two years earlier.

Page 6

Why is the Problem So Hard?

• The Enemy is Everywhere
  – Nation-State Actors
  – Non-State Actors
    • Terrorists & Organized Crime
    • Ad-Hoc Networks of "Hacktivists"
  – Cyber Threat now "Business" driven
  – Barriers to Entry are low globally
    • Complicated multinational law enforcement
• There are plenty of added perimeter Security Solutions
  – Firewalls, IDS, IPS
  – But are the boxes configured properly?
    • Do they work together?
• The Government has Special Requirements & Regulations
  – Multiple levels of security / coalition sharing

Government Networks are becoming more complex / vulnerable. Incursions on Military Networks were up 55% Last Year.

Page 7

The Current Approach Adds Perimeter & Defense-in-Depth Protection

Perimeter Protection add-on security will not be sufficient.

• Current Government approaches are limited
  – Can we continue to address the increasing threats?
    • Growing numbers of vulnerabilities & patches?
    • Is signature based virus / malware detection enough?
  – How are outsourced services protected?
  – How are insider threats dealt with?
    • Some deliberate and some unintentional (memory sticks)
  – Where is the perimeter in mobile networking?
  – How does this approach address malicious code embedded in software?
• There are known problems with the supply chain

Page 8

Agenda

• The Cyber Security Problem
• Cyber Security Vision & Technologies

Page 9

How Do You Get Ahead of the Curve?

Cyber Security Vision

1. Holistic Approach to Security: Security Throughout the Security Life Cycle
2. Threat Tolerant Network Design: Networks that Operate in the Presence of Malicious Software
3. Application Security and Web 2.0+ Approaches: Protect the Privacy and Integrity of Consumer Generated Data

Page 10

1. Holistic Approach to Security

• Security Throughout Life Cycle
  – Lowers Life Cycle Cost
    • The cost of security incidents is often enormous
  – Risk Based Assessments (solutions need to be affordable)
  – Automated Certification and Accreditation
• Recognizes Inherent Need for Mobility
  – Apply wireless security technology
• Behavior-Based Monitoring of Network Operations
  – Detection of sophisticated zero day targeted attacks
  – Security Event Management (SEM)
    • Identifies Network Anomalies (Dynamic Behavior Analysis)
    • Determines if Requirements (Policies) are being met

The Perimeter is in New Places… Threats Come From the Inside. This Requires a System Level View of Vulnerabilities.

Page 11

Applying value-chain thinking to security

Increasing Lifecycle Value with Built in, Standards Compliant Security

Increased Security Transparency and Reduced Risk to the Buyer & End-User

Page 12

Comprehensive Security Analysis: Applying the X.805 Security Model

Comprehensive End-to-End View of Network Security; Existing International Industry Standard Framework

Security Perspective (3 Layers, 3 Planes, 8 Dimensions)

[X.805 diagram]
Security Layers: Infrastructure Security, Services Security, Applications Security
Security Planes: End User Security, Control/Signaling Security, Management Security
8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
Threats, Vulnerabilities and Attacks are assessed against every layer, plane and dimension.

Vulnerabilities Can Exist In Each Layer, Plane, Dimension

Vulnerability sources shown: Power, Environment, Hardware, Software, Payload, Human, Networks, Policy

Page 13

Security Event Management

[SEM pipeline diagram]
Processing stages: Filter, Pattern Match, Message Map; Local to Global Name Mapping, Grouping; Thresholder (Rate, Value, Time); Correlation; Asset data; Analyze and Suppress.
Inputs: Network IDS, Host IDS, Firewalls, AAA, OS logs, Routers, Vulnerability Scanners, Anti-Virus; Topology Data; Viewing Descriptions; Alarms; Customer / Mission Data (Requirements & Policies).
Outputs: Request Additional Data, Take Action; Dynamic Behavior Analysis.
The diagram shows several domains (Domain A through Domain Z) with hosts A to H and links 1 to 8 feeding events into the SEM.
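The stages in the SEM diagram above, as an added Python illustration that is not LGS/Bell Labs code: raw lines from three sources are pattern-matched, local names are mapped to one global asset name via topology data, a rate thresholder and repeat suppression are applied, and the survivors are correlated. All log lines, formats, host names and thresholds are constructed for the example.

```python
"""Miniature Security Event Management pipeline (added illustration, not
LGS/Bell Labs code). It follows the slide's stages: filter and pattern
match raw messages, map local names to one global asset name, apply a
rate thresholder, suppress exact repeats and correlate what remains.
All log lines, formats and names below are constructed."""
import re
from collections import defaultdict

# Constructed raw events: "source|timestamp|message" from a firewall, a
# network IDS and a host IDS (formats are made up for this example).
RAW_EVENTS = [
    "fw|1000|DENY src=10.10.2.10 dst=192.168.1.10 dport=445",
    "fw|1002|DENY src=10.10.2.10 dst=192.168.1.11 dport=445",
    "fw|1003|DENY src=10.10.2.10 dst=192.168.1.12 dport=445",
    "fw|1004|ALLOW src=10.10.2.10 dst=192.168.1.13 dport=80",
    "nids|1005|ALERT scan-sweep from 10.10.2.10",
    "nids|1005|ALERT scan-sweep from 10.10.2.10",  # exact repeat, suppressed
    "hids|1050|FAILED_LOGIN user=jdoe host=ws-17",
]
# Topology data: each source's local name resolved to one global asset name.
GLOBAL_NAMES = {"10.10.2.10": "ws-17", "ws-17": "ws-17"}

# Pattern table: (source, regex extracting the local host name, global type).
PATTERNS = [
    ("fw", re.compile(r"DENY src=(?P<host>\S+)"), "fw_deny"),
    ("nids", re.compile(r"scan-sweep from (?P<host>\S+)"), "scan"),
    ("hids", re.compile(r"FAILED_LOGIN user=\S+ host=(?P<host>\S+)"), "auth_fail"),
]

def normalize(raw):
    """Filter, pattern match and message map one line to (ts, asset, type)."""
    source, ts, msg = raw.split("|", 2)
    for pat_source, regex, etype in PATTERNS:
        match = regex.search(msg) if source == pat_source else None
        if match:
            return int(ts), GLOBAL_NAMES.get(match["host"], match["host"]), etype
    return None  # no pattern matched: the line is filtered out (e.g. ALLOW)

def run_sem(raw_events, rate_n=3, rate_window=10):
    """Return the alarm list after mapping, thresholding, suppression and correlation."""
    seen, recent, alarms = set(), defaultdict(list), []
    for raw in raw_events:
        event = normalize(raw)
        if event is None or event in seen:  # analyze and suppress exact repeats
            continue
        seen.add(event)
        ts, asset, etype = event
        if etype == "fw_deny":  # thresholder: rate rule, N denies within W seconds
            recent[asset] = [t for t in recent[asset] if ts - t <= rate_window] + [ts]
            if len(recent[asset]) == rate_n:
                alarms.append((ts, asset, "deny_burst"))
            continue
        alarms.append((ts, asset, etype))
    # Correlation: a deny burst and an IDS scan alert on the same asset form one incident.
    bursts = {a: t for t, a, k in alarms if k == "deny_burst"}
    scans = {a: t for t, a, k in alarms if k == "scan"}
    for asset in sorted(bursts.keys() & scans.keys()):
        alarms.append((max(bursts[asset], scans[asset]), asset, "correlated_scan"))
    return alarms
```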

Page 14

2. Inherent Threat Tolerance

• Design Networks to Tolerate Inevitable Malware / Backdoors / Timebombs
  – Software Assurance Technology
    • Protect Enterprise Office Applications / Operating Systems
  – Ability to Operate Networks in Degraded Mode
    • Graceful Degradation of Prioritized Traffic
  – Behavior-Based Monitoring of Network Operations
    • BotNet Detection and Mitigation
    • Tight Access Control to Identify Sources of Malware
  – Wireless Network Protection Technology
    • Protect 3G/4G Wireless Networks – users share limited RF bandwidth
    • Minimize client security software on the mobile terminals

Technologies Resistant to the Effects of Malware / Threats are Needed

Page 15

Software Diversity

• Protect networks against large-scale attacks
  – Construct diverse instances ("shuffles") of a program that are:
    • Not all vulnerable to the same attack
    • But are functionally equivalent
  – Make it hard to design a successful attack:
    • Prevent an attack that is successful against one computer from spreading to other computers
  – Extend polymorphic code shuffling research to consider program structure
• Formal mathematical methods used to change code signature by:
  – Identifying independent code blocks
  – Rearranging the blocks
  – While maintaining functionality
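The three steps above (identify independent blocks, rearrange them, keep functionality), as an added Python illustration that is not LGS/Bell Labs code. The toy program, the read/write analysis (assumed to cover only simple `name = expr` blocks) and the use of a hash of the block order as the "code signature" are all assumptions of this example.

```python
"""Dependency-preserving block shuffling, an added illustration of the
software diversity idea on this slide (not LGS/Bell Labs code). A toy
program is split into one-statement blocks; a read/write analysis finds
which blocks are independent, and a seeded random topological order
rearranges only those, so every instance computes the same result while
its code signature (here, a hash of the block order) differs."""
import hashlib
import random

# Constructed toy program: one assignment per block, simple names only.
BLOCKS = ["a = 3", "b = 4", "c = a * a", "d = b * b", "e = c + d"]

def rw_sets(block):
    """Read and write sets of a block (assumes 'name = expr' with + and * only)."""
    lhs, rhs = block.split("=", 1)
    tokens = rhs.replace("*", " ").replace("+", " ").split()
    return {t for t in tokens if t.isidentifier()}, {lhs.strip()}

def dependencies(blocks):
    """deps[j] = indices of earlier blocks j must stay after (RAW, WAR, WAW hazards)."""
    info = [rw_sets(b) for b in blocks]
    deps = {j: set() for j in range(len(blocks))}
    for i in range(len(blocks)):
        for j in range(i + 1, len(blocks)):
            (ri, wi), (rj, wj) = info[i], info[j]
            if (wi & rj) or (ri & wj) or (wi & wj):
                deps[j].add(i)
    return deps

def shuffle(blocks, seed):
    """One 'shuffle' instance: a random topological order respecting every dependence."""
    deps, rng = dependencies(blocks), random.Random(seed)
    placed, order = set(), []
    while len(order) < len(blocks):
        ready = [j for j in range(len(blocks)) if j not in placed and deps[j] <= placed]
        choice = rng.choice(ready)
        placed.add(choice)
        order.append(choice)
    return [blocks[j] for j in order]

def run(blocks):
    """Execute the blocks in order and return the resulting variable bindings."""
    env = {}
    exec("\n".join(blocks), {}, env)
    return env

def signature(blocks):
    """Short hash of the block order: the signature a per-instance shuffle changes."""
    return hashlib.sha256("\n".join(blocks).encode()).hexdigest()[:16]

def equivalent(blocks, seeds=range(20)):
    """Check that every shuffle is functionally equivalent to the original program."""
    base = run(blocks)
    return all(run(shuffle(blocks, s)) == base for s in seeds)
```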

Page 16

BotNet Detection and Mitigation

Infection Detection

[Diagram: symptoms, host roles and reputation feed an infection report]
Symptoms observed: slowdown (t1), untrusted download (t2), role of host changed (t3), with t1 > t3 > t2

Infection Report for 10.10.2.10
Owner: Jon Doe; Virulence: 0.87
Symptoms:
- Host slowed down at t1
- Downloaded exe from untrusted hosts: at time t2 from 192.168.1.10 (30KB); at time t2' from 192.168.3.12 (194KB)
- Change in host role: role changed from web/mail client to p2p-node at time t3
Direct link to packet data; Manual download from source

Retroactive Query: Which hosts downloaded or uploaded the payload?
Retroactive Query Results:
- Downloaded: 10.10.2.10 from 192.168.1.10 at time t2; 10.10.2.34 from 192.168.52.26 at time t4; 10.10.2.34 from 192.168.52.26 at time t5
- Uploaded: 10.10.2.54 uploaded to 192.168.52.26 at time t3
Recover evidence

Containment: Restrict all network access OR Restrict outbound access

• Detects symptoms / behaviors
  – Not signatures
• Utilizes existing forensic analysis technology developed / operational at Polytechnic University
  – Hierarchical Bloom filter technology permits months of data to be stored for queries
• Detects Botnets using current & historical network traffic / host data
• Provides multiple Botnet detection and collaboration mechanisms
• Provides targeted mitigation recommendations
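The slide's detection flow, as an added Python illustration that is not the Polytechnic University or LGS system: symptoms are matched in the stated order (untrusted download, then role change, then slowdown) rather than by signature, a retroactive query over stored history finds every host that moved the payload, and the two are combined into targeted mitigation candidates. The event log, addresses and payload ids are constructed, and a simple list stands in for the hierarchical Bloom filter store.

```python
"""Symptom-ordered infection detection and a retroactive transfer query,
an added illustration of this slide's flow (not the Polytechnic University
or LGS system). The rule encodes the slide's ordering: an untrusted
download (t2) precedes a host role change (t3), which precedes a slowdown
(t1). All host events, addresses and payload ids below are constructed."""
from collections import defaultdict

# Constructed host-event log: (time, host, kind, detail). Payload ids stand in
# for a content hash; addresses are private RFC 1918 ranges as on the slide.
EVENTS = [
    (100, "10.10.2.10", "download", {"src": "192.168.1.10", "trusted": False, "payload": "exe-A"}),
    (105, "10.10.2.10", "download", {"src": "192.168.3.12", "trusted": False, "payload": "exe-B"}),
    (130, "10.10.2.54", "upload", {"dst": "192.168.52.26", "payload": "exe-A"}),
    (150, "10.10.2.10", "role", {"from": "web/mail client", "to": "p2p-node"}),
    (200, "10.10.2.10", "slowdown", {}),
    (210, "10.10.2.34", "download", {"src": "192.168.52.26", "trusted": False, "payload": "exe-A"}),
    (215, "10.10.2.34", "download", {"src": "192.168.52.26", "trusted": False, "payload": "exe-A"}),
    (220, "10.10.2.34", "slowdown", {}),  # no role change: symptoms incomplete, not reported
    (300, "10.10.2.77", "download", {"src": "10.10.9.9", "trusted": True, "payload": "exe-C"}),
]

def infection_reports(events):
    """Return {host: report} for hosts whose symptoms appear in the order t2 < t3 < t1."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_host[ev[1]].append(ev)
    reports = {}
    for host, evs in by_host.items():
        t2 = [t for t, _, kind, d in evs if kind == "download" and not d["trusted"]]
        t3 = [t for t, _, kind, _ in evs if kind == "role"]
        t1 = [t for t, _, kind, _ in evs if kind == "slowdown"]
        if t2 and t3 and t1 and min(t2) < min(t3) < max(t1):
            reports[host] = {"untrusted_downloads": t2, "role_change": min(t3),
                             "slowdown": max(t1)}
    return reports

def retroactive_query(events, payload):
    """Which hosts downloaded or uploaded the payload, answered from stored history."""
    downloaded = [(h, d["src"], t) for t, h, k, d in events
                  if k == "download" and d["payload"] == payload]
    uploaded = [(h, d["dst"], t) for t, h, k, d in events
                if k == "upload" and d["payload"] == payload]
    return {"downloaded": sorted(downloaded, key=lambda x: x[2]),
            "uploaded": sorted(uploaded, key=lambda x: x[2])}

def mitigation_targets(events, payload):
    """Hosts that received the payload: confirmed (reported) vs. suspected (no symptoms yet)."""
    reported = set(infection_reports(events))
    receivers = {h for h, _, _ in retroactive_query(events, payload)["downloaded"]}
    return {"confirmed": sorted(receivers & reported), "suspected": sorted(receivers - reported)}
```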

Page 17

Wireless Network Security (Aware)

[Diagram: BTS, RNC, PDSN / Home Agent and Wireless Core on the path to the Internet, with Aware Detectors in the wireless core reporting to Aware Central]

Aware Detector
• Provides traffic assessment to assist in network & end user service quality protection
• Wireless 3G/4G Network Anomaly Behavior Detector (Bell Labs algorithms)
• Monitors individual subscriber session behavior
• Calculates "cost" of behavior relative to real-time capacity in the network
• Observes Mobile-to-Mobile & Internet-to-Mobile traffic

Aware Central
• Security Event Viewer for reports, alarms, network awareness and forensics
• Element / configuration manager for Detectors & Mitigation Appliances for Security Event Management
• Mitigation plan through IPS/Firewall, Mobile Quarantine of abusive users

Page 18

Laptop Guardian

• Agent: Intelligent data card, plugs into the end-user mobile host, terminates IPsec tunnel to Gateway, includes 3G interface (HSDPA, EV-DOrA) for ubiquitous connectivity

• Gateway: Enhanced remote access server, deploys at the edge of the enterprise network

• Driver: Software package, installs on the end-user mobile host

• Management Server: Management software platform, installs on general-purpose enterprise server

[Diagram: Evros Agent (3G Modem, Memory, Battery, Software, Processor) connects over WiFi, 3G or LAN (paths 1, 2, 3) to the Evros Gateway (VPN, Policies, IT Applications); Evros Driver on the host; Evros Management Server (4)]

• Protects the mobile laptop & applications with hardened wireless agent
• Automates VPN connection to the Enterprise

Page 19

3. Application Security & Web 2.0+ Approaches

• Secure the Applications
  – Security Concerns:
    • RSS, AJAX (Asynchronous JavaScript and XML), Instant Messaging, Widgets / Gadgets
    • Web 2.0 apps might initially have higher vulnerabilities than the above
• Provide a "platform in the cloud" that makes proprietary data stored in applications securely accessible across Web 2.0 interfaces
  – In Government private cloud computing
    • Meet Government Information Assurance requirements
  – In Government public cloud computing
    • Provide security standards transparency & SLA audit support
    • Establish how Government customer data integrity & privacy will be assured
    • Consider segregating Government domains in the cloud

Page 20

The Bottom Line…

• Today's Networks are Different
  – Voice & Data -> Converged, Multimedia, All IP
  – Enterprise -> Web 2.0+ & Cloud Computing
  – Standard Content -> Consumer Generated Content
  – Fixed Users -> Mobile Users
• Today's Adversaries are More Sophisticated
  – Threats extended to all networks connected to the Global Information System
• Security Paradigm Shifts are Needed
  – Perimeter Security -> Holistic Security
  – Threat Intolerance -> Threat Tolerance
  – Signature Based -> Behavior Based

[Diagram: 1. NETWORK, 2. PEOPLE, 3. PROCESS, 4. KNOWLEDGE]

Page 21

Adrian R Hartman, Senior Manager and Architect
Solution Engineering, LGS, Bell Labs Innovations
[email protected]
15 Vreeland Road, Florham Park, NJ 07932
mobile: 908-578-3679; phone: 973-437-9868

www.lgsinnovations.com

Thank You… Any Questions?

Page 22

Backup

Page 23

Alcatel-Lucent Security Solutions

A Comprehensive Enterprise Portfolio

Page 24

Security Innovations for Next Generation Networks

• ALU VPN/Firewall (aka The Brick)
• Security Consulting
• Software Diversity
• Secure ALU COTS Networking Products
• Laptop Guardian
• Bell Labs Security Framework (X.805, ISO 18028)
• Vital ISA for Security Event Management
• Bot Detection
• Third Party Partner Relationships
• Security Assessments

Page 25

Network Reconnaissance for Penetration Testing

Internet Probing, Mapping and Analysis

• Remotely probe Internet connected networks
  – Low probability of network disruption
  – Determine target network exposure, vulnerabilities and weaknesses
  – Produce detailed analyses, network maps and collected data
  – Propose Remediation
• Identify machines with vulnerabilities in the target network
  – Web Servers, DNS Servers, Vulnerable Hosts
• Provided as Output
  – Potential Targets, Paths to Target Machines, Server Types, Vulnerabilities (e.g. Open Ports)

[Diagram: Network Reconnaissance Process]

Page 26

Kiviat Diagram X.805 Example: High Risk Zones / Plans for Remediation

X.805 Dimension        | % of Risk to Remediate
Access control         | 10
Authentication         | 12
Non-repudiation        | 0
Data confidentiality   | 8
Communication Security | 10
Data Integrity         | 0
Availability           | 7
Privacy                | 14

[Kiviat (radar) diagram over the eight X.805 dimensions (Access control, Authentication, Non-repudiation, Data confidentiality, Communication Security, Data integrity, Availability, Privacy), scale 0.00 to 1.00, with series: Low Priority, Medium priority, High priority, Current Levels - High; shaded area of high risk gaps]

The red areas show high risk gaps for X.805 dimensions. Purple indicates the implementation status of high priority security capabilities.