Lessons from Star Trek: Towards Self-Defending Hosts (presentation transcript)
SELF-DEFENDING HOSTS: LESSONS FROM STAR TREK
Brian O’Higgins, CTO, Third Brigade
Reasoning with Computers
“Any sufficiently advanced technology is indistinguishable from magic.”
Arthur C. Clarke, "Profiles of The Future", 1961 (Clarke's third law)
Planning for the Future
“Prediction is very difficult, especially about the future.”
Planning for the Unknown
“… because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”
Donald Rumsfeld (a man “in the know”)
Self Healing Hosts
Conclusions and research challenge
Trends Section 2 of 4
Recent changes in IT have a big influence on security
Today’s toys become tomorrow’s tools
Microsoft’s push into security
It’s quiet out there, too quiet…
Malware “Firsts”: ‘big’ attacks were common a few years ago; malware is becoming more stealthy now.
1981: Elk Cloner (Apple II)
1983: Len Adleman coins the term ‘virus’
1986: ‘Brain’, 1st PC boot-sector virus
1988: Morris Worm, 1st worm
1990: 1st polymorphic virus
1992: Michelangelo, 1st mass hysteria
1995: ‘Concept’, 1st macro virus
1998: CIH virus, first version appears
1999: Melissa, targets Word and Outlook
2001: ‘I Love You’ virus, the most costly
2001: Code Red, Nimda
2003: SQL Slammer, Blaster
2003: Witty, Sasser
2004: Santy, 1st web worm
2005: WMF, 1st zero day
2006: 1st MySpace worm
Evolution of the Attacks
Investment in network controls stops simple mass attacks
Attacks now ‘move up the stack’, attack applications and users
Targeted attacks work, and are often unreported. Growing faster than mass attacks. Economic damage increases. (TJX)
Gartner says the cost of a sensitive data breach will increase 20%/yr through 2009.
Security Market Hamster Wheel: exploits occur, point solutions appear, consolidation follows, a temporary balance is reached, the bad guys innovate, and new exploits occur again.
Vulnerability Cycle (www.cert.org), over time: discovery; crude tools; users exploit crude tools; automated scanning tools; widespread use (the hacking festival kicks off); intruders move to new exploits.
2005: average 6 days from discovery to exploit, average 54 days for a patch (Symantec Internet Security Threat Report, 2005).
Security holes don’t die: the half-life is 19 days after a patch is issued for critical vulnerabilities (48 days for internal systems) (Qualys, Jan 2006).
Application Software = Achilles Heel
“75% of attacks now take place at the application layer” Gartner, 2006
“4,375 vulnerabilities in the first 9 months of 2006. Web flaws are the three most common categories.” Mitre Corp, 09/2006
“Customization of off-the-shelf software is the weakest link in application security.”
“By 2009, 80% of enterprises will fall victim to an application attack.”
Vulnerabilities: many ways to exploit a vulnerability with targeted attacks.
Tiers, each on its own OS (Windows, Linux, Solaris) with firewalls between them: Web Server (Microsoft, Apache, Netscape…), App Server (BEA, IBM, Oracle, Sun…), Database (Oracle, Microsoft, Sybase, IBM…).
Attacker positions: insider, authenticated, pre-authenticated.
Cross-site scripting (and cross-site request forgery) bypass network defenses: the “Sleeping Giant” vulnerability.
Web Server inside the Corporate Network Boundary, behind a Firewall + Network Intrusion Prevention; the user browses (rules allow this), so the attack arrives on permitted traffic.
Getting Harder to Defend
Skills gap – attackers vs. internal
Web 2.0 and futures
Non-programmers programming in scripting languages
Applications now cross firewall boundaries
The Good News: You don’t have to be perfect to be secure… just stay ahead of the crowd. Choose 2 of: Quality, Functionality, Schedule.
Write better software
“The reason people keep breaking into your computer is because software sucks” - Richard Clarke
Secure development lifecycle and tools
Only for new code
Patch or re-write to repair defect
Deploy application with compensating controls
Always an acceptable choice, vs. patching which could be difficult or impossible. Host-based IPS plays a very important role.
Defining HIPS/HIDS: Intrusion Defense? HIPS is a broad combination of techniques to detect and block attacks from exploiting the host. Those defining it: analysts, IPS vendors, firewall vendors, IDS vendors, anti-virus vendors, NAC vendors.
IPS Easier at the Host
Modern host-based IPS is a different story
Consider trying to spot the bad guy
In a crowded football stadium ?
On the street in front of your house ?
Trying to get into a door or window of your house?
Finer-grained filtering works.
It is much easier to spot the bad stuff trying to enter the host. Knowing the application context helps a lot!
An attack is an attack, internal or external
Protect IT assets from every threat, identified or potential
“it only takes one”: A single infected PC can take down an entire network
Start thinking about the applications, and work outwards. Not from the outside in.
Risk Section 3 of 4
Risk = more things can happen than will happen
Risk = probability of occurrence X consequence
Minimizing Risk: Risk = (Threat × Vulnerability ÷ Countermeasures) × Value, where the threat is a person or thing. Don’t look at threat vs. countermeasures; consider vulnerability vs. countermeasures: maximize countermeasures, minimize vulnerability.
Security in Balance: as security spending rises from low to high, the cost of breaches falls and the cost of security rises; total cost is lowest at the optimal expenditure.
New threats increase risk (source: Bob Blakley, Burton Group): (re)normalized residual risk, from 0 to 1, as a function of the (threat, vulnerability) product; Product 1’s risk tax before a new threat is lower than its risk tax after the new threat.
Compliance Balancing Act is Hard: the extended enterprise (suppliers; employees and branch offices; customers; the web) demands streamlined business processes and access to services and information, while information security governance must satisfy governance and regulation (HIPAA, GLBA, PCI, Sarbanes-Oxley, EU Data Protection Act, FISMA, MITS, CA SB1386, PIPEDA, SEC regulations, NERC, others…) through policies, procedures and operations.
Compliant ≠ secure
Being secure sure helps compliance
SOX expenditures on IT deficiencies are less than 5% of compliance spend
(accounting policies, financial processes are the big items)
Requirement for web application protection
“Ensure that all web-facing applications are protected against known attacks by… installing an application layer firewall in front of web-facing applications.”
Must have by July, 2008
Source: Burton Group
OWASP Top 10 | PCI 6.5 Sub-requirements | VISA PABP
A1 Unvalidated Input | 6.5.1 Unvalidated input | 5.5.1 Unvalidated input
A2 Broken Access Control | 6.5.2 Broken access control | 5.5.2 Broken access control
A3 Broken Authentication and Session Management | 6.5.3 Broken authentication and session management | 5.5.3 Broken authentication and session management
A4 Cross Site Scripting | 6.5.4 Cross-site scripting (XSS) | 5.5.4 Cross-site scripting (XSS)
A5 Buffer Overflow | 6.5.5 Buffer overflows | 5.5.5 Buffer overflows
A6 Injection Flaws | 6.5.6 Injection flaws | 5.5.6 Injection flaws
A7 Improper Error Handling | 6.5.7 Improper error handling | 5.5.7 Improper error handling
A8 Insecure Storage | 6.5.8 Insecure storage | 5.5.8 Insecure storage
A9 Application Denial of Service | 6.5.9 Denial of service | 5.5.9 Denial of service
A10 Insecure Configuration Management | 6.5.10 Insecure configuration management | 5.5.10 Insecure configuration management
Business Drivers for Host Security
Shield until patching
Shield from targeted attacks
Shield without patching
PCI DSS SOX GLBA HIPAA COBIT MITS
HIPS: Network-based vs. Behavior-based Approach. Host computer stack: hardware, kernel-mode, user-mode, applications & services, TCP/IP network.
(1) Network approach: deep packet inspection blocks attacks at the network layer.
(2) Behavior-based: system execution control blocks attacks at application calls to the OS.
The two differ in management overhead.
Tuning Sensitivity: probability of error plotted against a sensitivity setting from 0 to 1.
False Positives (FP): appropriate system execution is halted or data traffic is dropped.
False Negatives (FN): malicious system execution is allowed or data traffic is accepted.
Close to the host is the best location for tuning accuracy
Drive the curves down for a broader acceptable operating range
Blended filtering approach (deep packet inspection): raw traffic passes through, in order, (1) stateful firewall, (2) exploit filters, (3) vulnerability filters, (4) smart filters, (5) custom filters, and emerges as filtered traffic. The early, signature-driven stages carry a greater chance of false negatives; the later, heuristic stages a greater chance of false positives.
Blended approach, stage by stage: (1) stateful firewall: allow known good; (2) exploit filters: stop known bad; (3) vulnerability filters: shield known vulnerabilities; (4) smart filters: shield unknown vulnerabilities (zero-day); (5) custom filters: protect specific applications.
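The five-stage chain above, together with the false-positive/false-negative tuning of the earlier slide, is easier to reason about when it runs over concrete traffic. The following Python is an added illustration written for this transcript; it is not Third Brigade's product code and does not reproduce any real HIPS filter set. The stage functions, the `max_meta` sensitivity knob, the per-application rules and the request samples are all constructed for the example: the traffic is synthetic, with a `malicious` label attached only so the chain can be scored. Three configurations are compared: a tight heuristic (blocks a benign request: one FP), a loose heuristic (lets a quiet probe through: one FN), and the loose heuristic plus application knowledge about the `/search` parameter, which removes both errors and is the slide's point that tuning works best close to the host, where the application context is known.

```python
"""Blended host-IPS filter chain (stateful firewall -> exploit filters -> vulnerability
filters -> smart filters -> custom filters), scored for false positives and false
negatives on constructed traffic. Illustrative example, not a product's filter set."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Request:
    path: str
    params: Dict[str, str]
    src_ip: str
    malicious: bool          # constructed ground-truth label, used only for scoring

Stage = Callable[[Request], Optional[str]]   # returns a block reason, or None to pass

def stateful_firewall(r: Request) -> Optional[str]:
    # Stage 1, "allow known good": only the internal net and a partner net
    # (RFC 5737 documentation range, constructed) may reach the application
    if not r.src_ip.startswith(("10.", "203.0.113.")):
        return "firewall: source network not permitted"
    return None

EXPLOIT_SIGNATURES = [re.compile(p, re.I) for p in (r"<script\b", r"union\s+select", r"\.\./\.\./")]

def exploit_filter(r: Request) -> Optional[str]:
    # Stage 2, "stop known bad": signatures for known payloads; misses novel variants
    for value in r.params.values():
        for sig in EXPLOIT_SIGNATURES:
            if sig.search(value):
                return f"exploit filter: matched {sig.pattern!r}"
    return None

def make_vulnerability_filter(rules: Dict[str, Dict[str, "re.Pattern[str]"]]) -> Stage:
    # Stage 3, "shield known vulnerabilities": positive checks on the parameters a weak
    # component consumes, so the exploit itself need not be known in advance
    def vulnerability_filter(r: Request) -> Optional[str]:
        for name, pattern in rules.get(r.path, {}).items():
            if name in r.params and not pattern.fullmatch(r.params[name]):
                return f"vulnerability filter: {r.path}?{name} violates expected format"
        return None
    return vulnerability_filter

METACHARS = set("<>'\";|`$(){}&")

def make_smart_filter(max_meta: int, max_len: int = 200) -> Stage:
    # Stage 4, "shield unknown vulnerabilities": generic heuristics; max_meta is the
    # sensitivity knob that trades false positives against false negatives
    def smart_filter(r: Request) -> Optional[str]:
        for value in r.params.values():
            if len(value) > max_len:
                return "smart filter: oversized parameter"
            if sum(c in METACHARS for c in value) > max_meta:
                return "smart filter: metacharacter count exceeds threshold"
        return None
    return smart_filter

ALLOWED_PATHS = {"/", "/account", "/search", "/help"}   # constructed application model

def custom_filter(r: Request) -> Optional[str]:
    # Stage 5, "protect specific applications": only paths the application actually serves
    if r.path not in ALLOWED_PATHS:
        return "custom filter: path outside the application model"
    return None

def run_chain(r: Request, stages: List[Stage]) -> Optional[str]:
    """First stage to object wins; None means the request is allowed through."""
    for stage in stages:
        reason = stage(r)
        if reason:
            return reason
    return None

def score(traffic: List[Request], stages: List[Stage]) -> Tuple[int, int]:
    """Return (false_positives, false_negatives) for a chain over labelled traffic."""
    fp = fn = 0
    for r in traffic:
        blocked = run_chain(r, stages) is not None
        fp += int(blocked and not r.malicious)
        fn += int(not blocked and r.malicious)
    return fp, fn

ACCOUNT_RULES = {"/account": {"id": re.compile(r"\d{1,9}")}}
# Adding application knowledge about /search?q shrinks what the generic heuristic must catch
SEARCH_RULES = {**ACCOUNT_RULES, "/search": {"q": re.compile(r"[\w ,.'-]{1,100}")}}

def chain(max_meta: int, rules=ACCOUNT_RULES) -> List[Stage]:
    return [stateful_firewall, exploit_filter, make_vulnerability_filter(rules),
            make_smart_filter(max_meta), custom_filter]

# Constructed sample traffic (not captured data)
TRAFFIC = [
    Request("/search", {"q": "star trek"}, "10.1.2.3", False),
    Request("/account", {"id": "42"}, "10.1.2.3", False),
    Request("/help", {"topic": "O'Higgins & Clarke"}, "203.0.113.9", False),   # legitimate punctuation
    Request("/search", {"q": "tea, earl grey, hot"}, "10.7.7.7", False),
    Request("/search", {"q": "<script>alert(1)</script>"}, "10.1.2.3", True),  # known bad, stage 2
    Request("/account", {"id": "42 OR 1=1"}, "10.1.2.3", True),                # unknown payload, known weak parameter, stage 3
    Request("/search", {"q": "x" + ";|`$(){}" * 3}, "10.1.2.3", True),         # noisy probe, stage 4
    Request("/search", {"q": "' OR 'a'='a"}, "10.1.2.3", True),                # quiet probe: only 4 metacharacters
    Request("/admin/backup.php", {}, "10.1.2.3", True),                        # outside the application model, stage 5
    Request("/search", {"q": "test"}, "192.0.2.66", True),                     # scanner from an unpermitted network, stage 1
]

if __name__ == "__main__":
    for label, stages in (("tight heuristic (max_meta=1)", chain(1)),
                          ("loose heuristic (max_meta=4)", chain(4)),
                          ("loose heuristic + /search rule", chain(4, SEARCH_RULES))):
        print(f"{label}: (FP, FN) = {score(TRAFFIC, stages)}")
```

Run as a script, the three configurations report (1, 0), (0, 1) and (0, 0): loosening the generic heuristic alone only moves the error from the FP column to the FN column, while a host-side rule that knows what `/search?q` is supposed to look like drives both curves down, which is the "broader acceptable operating range" the slides ask for.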
Protection for custom web applications, tested with an industry-leading web application scanner against 1000’s of attacks. Number of vulnerabilities found, unprotected vs. protected:
OWASP Top 10 Vulnerabilities | Unprotected | Protected
1. Unvalidated input | 25 | 0
2. Broken access control | 0 | 0
3. Broken authentication and session mgt. | 10 | 0
4. Cross site scripting (XSS) flaws | 8 | 0
5. Buffer overflows | 3 | 0
6. Injection flaws | 13 | 0
7. Improper error handling | 23 | 0
8. Insecure storage | 0 | 0
9. Denial of service | 2 | 0
10. Insecure configuration management | 17 | 2
By 2010, only one new security threat out of 10 will require the deployment of a tactical point solution , compared with eight out of 10 in 2005.
By 2011, 20% of desktops in large enterprises, and 70% of servers, will be equipped with virtual security partitions (VSPs) , up from less than 1% in 2006.
Source: Gartner, 30 November 2006, ID Number G00144411
Where does the host agent live?
Host security agent options on a virtualized server (hardware, VM layer, guest OSes): an agent in each guest OS, an agent in the VM layer, or a guest network shim. The trade-offs noted: best application protection, most efficient, and the future of network security.
Research Challenge Section 4 of 4
Disconnect growing between danger levels and management estimations
Threats continue to evolve, need new controls
Application attacks recognized as a priority
Risk-based compliance arriving
HIPS is becoming recognized (now and future)
as a key approach to move from reactive to proactive
an important control for software assurance
as a foundation for self-defending host vision
no silver bullet, will always need new stuff
will continue to improve with better tuning…
Towards self-defending hosts in a dynamic threat environment: in the extended enterprise, with a porous perimeter, host security (IDS/IPS) everywhere there is IP; sensor networks and vulnerability info feed a recommendation engine through in-the-cloud collaboration, overseen by the security manager. Research challenge: sense, and tune appropriately.