SCIT Labs - intrusion tolerant systems

The variety and complexity of cyber attacks are increasing. The attackers have a strong economic and political motivation, which leads to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified because the current reactive approaches cannot keep up with the rapidly increasing new threats.

Published in: Business, Technology
Transcript of "SCIT Labs - intrusion tolerant systems"

  1. Moving Target Proactive Cyber Defense – Keeping Bad Guys Out of Servers. Arun Sood, Ph.D., SCIT Labs, Inc, Clifton, VA, asood@scitlabs.com. SCIT Labs Confidential and Proprietary.
  2. I. Intrusions Are Inevitable. New Proactive Approaches are Required.
  3. May 2011 Security Incidents Worldwide (calendar slide, one or more incidents per day; source: Confab 2011). Organisations named on the calendar: Gmail, X-Factor TV Show, Sony (on many days, twice on one of them), SEC, Bestbuy, Central OR Comm College, Woman to Woman Healthcare, Netflix, Huntington National Bank, Assurant, Fox, Michaels, Mass Government, Anthem Blue Cross of California, PBS, NASA, Lockheed Martin, Regions Bank, Northrop Grumman, L-3 Communications, Honda, Nintendo, Citibank.
  4. Epsilon Data Breach – 2011 (image slide).
  5. Source: Symantec 2010 Review (image slide).
  6. II. Cyber Attacks Persist
     - Intruders need access and time to orchestrate their attacks
     - Intrusions persist for days, weeks, months
     - Malware is hard to detect
     - Highly customized malicious code blends into the information landscape
  7. Intruder Residence Time in Months (chart slide; values shown: 2 months, 3 months, 5 months).
  8. Verizon DBIR 2010: Significant Intruder Residence Time (chart slide).
  9. III. Current Servers are Sitting Ducks. Adversary has the advantage. We increase Adversary Work Factor.
  10. (image-only slide)
  11. The SCIT Approach
     - Reduce server exposure time
     - Restore to pristine state
     - Threat Independent
     - Must maintain uninterrupted service
  12. Zero Days – Fixing Vulnerabilities
     - Detecting a vulnerability
     - Reporting vulnerability
     - Developing a patch to fix vulnerability
     - Patch distribution
     - Testing in staging area
     - Patch application

     Use Moving Target Defense: Make it Difficult to Exploit the Vulnerability.
  13. How SCIT works
     - Servers: Virtual or Physical
     - Example: 5 online and 3 offline servers
     - Online servers: potentially compromised
     - Offline servers: in self-cleansing
  14. Resilience, Recovery, Tolerance, Forensics
  15. The SCIT Approach
     - Patented, Proven, Award Winning Self Cleansing Intrusion Tolerance Technology
     - Uses Virtualization Technology
     - Ultra Low Intruder Residence Time
     - Subverts attacks by robbing intruders of time and persistent access needed to launch attacks
  16. IDS/IPS vs Intrusion Tolerance

     | | Firewall, IDS, IPS | Intrusion tolerance |
     |---|---|---|
     | Risk management | Reactive. | Proactive. |
     | A priori information required | Attack models. Software vulnerabilities. | Exposure time. Length of longest transaction. |
     | Protection approach | Prevent all intrusions. | Limit losses. |
     | System Administrator workload | High. Manage reaction rules. Manage false alarms. | Less. No false alarms generated. |
     | Design metric | Unspecified. | Exposure time. |
     | Packet/Data stream monitoring | Required. | Not required. |
     | Higher traffic volume requires | More computations. | Computation volume unchanged. |
     | Applying patches | Must be applied immediately. | Can be planned. |
  17. Results of Simulation: NIDS, SCIT, NIDS+SCIT

     Parameters used:

     | Simulation Metrics | Value (units) |
     |---|---|
     | Number of queries used | 5000 |
     | Intruder Residence Time (IRT) | 0 minutes to 2 months |
     | Mean IRT – Pareto distribution | 48 hours |
     | Exposure Time – 2 cases | 1. 4 hrs; 2. 4 mins |
     | Mean of records stolen per day | 675 records/breach |

     Results of the simulation:

     | Case | Total damage (records) | No. of breaches | Mean Damage (records/breach) |
     |---|---|---|---|
     | NIDS | 245,962 (100%) | 192 | 1,281 |
     | SCIT: ET 4 hrs | 55,364 (23%) | 508 | 109 |
     | SCIT: ET 4 mins | 1,015 (0.4%) | 508 | 2 |
     | NIDS + HIDS | 210,578 (86%) | 164 | 1,284 |
     | NIDS + SCIT (ET 4 hrs) | 20,931 (9%) | 191 | 110 |
     | NIDS + SCIT (ET 4 mins) | 383 (0.16%) | 191 | 2 |

     (Chart labels: IDS Only; SCIT+IDS.)
  18. SCIT Server State Transitions
     1. Start New VM
     2. Online Spare
     3. Active – Exposed to Internet
     4. Grace Period
     5. Kill VM
     6. Archive VM for Future Analysis
  19. SCIT – Applications
     - Web Tier (Web, DNS, SSO, ...): servers 1 to N
     - App Tier (Biz logic, Content Mgr, CRM, ...): servers 1 to M
     - Data Tier (DB Mgr; File Mgr): servers 1 to L
     - Storage Tier (Transactions in ms; Large File transfer, high speed, in seconds): servers 1 to K

     SCIT Implementations:
     1. One application (function) per server
     2. Five applications per server
     3. 1000 applications, 100 servers
     4. Cloud
  20. Collaboration and Recognition
     - Lockheed Martin and Northrop Grumman
       - Testing and validation of SCIT servers.
       - Funded and collaborated with SCIT research
       - Integrated in LM cloud offering; NGC evaluating use cases for cloud app
       - LM and Landis Gyr are sub – SCIT application to Electricity Smart Grid
     - Raytheon
       - Collaborated on SBIR proposal
     - Awards
       - Winner Security Technology of Tomorrow Challenge, CNI Expo + GSC Jun 10
       - Runners up Cyber Security Challenge GSC Nov 09
       - Army SBIR: SCIT DNS
     - Patents: 3 issued + 3 more applied.
  21. Target Market and Applications
     - Cloud and Hosting Services
       - Web sites: LAMP & Windows IIS
       - DNS
       - Ecommerce
       - Single Sign On
       - Email and comm
       - LDAP server
       - Streaming media
     - Government
       - Civil
       - DOD
       - Intelligence Community
     - Financial services
     - Health care
  22. Risk = Threat X Vulnerabilities X Consequences
  23. Cyber Security Approaches (table slide: each technology is marked X under one of Threat, Vulnerabilities or Consequences, and + under one work-factor column; the column positions did not survive extraction)
     - Intrusion Detection / Prevention
     - Firewall
     - Malware detection
     - Incoming Packet Monitoring
     - Packet Analysis
     - SSL Proxy
     - SIEM
     - Forensics
     - SCIT - Recovery + Intrusion Tolerance + Forensic Support
     - Outgoing Packet Monitoring (DLP)

     A = Adversary Work Factor; D = Defender Work Factor.
  24. Pilot Project
     - Data Storage servers
     - Implement on one or two platforms using remote access
     - Support & training
     - Develop evaluation measures
     - Demonstrate achievement of measures in 3 months
     - Roll out commitment and plan
  25. Benefits of SCIT
     - SCIT removes malware without detection
     - SCIT reduces data ex-filtration
     - SCIT does not rely on signatures and is threat independent
     - SCIT is mission resilient: automatic recovery
     - SCIT reduces intrusion response (alerts) management cost
  26. Demo. PROACTIVE CYBER ATTACK DEFENSE. Arun Sood, Ph.D., asood@scitlabs.com, +1703.347.4494.
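The following is an added illustrative model of the rotation on slides 13, 17 and 18, written for this page and not SCIT Labs' code. It walks a VM through the six slide-18 states and shows why the exposure time, not the detection rate, bounds what an intruder can steal: the foothold is lost when the VM leaves the exposed state. The state names follow slide 18; the Pareto shape, the 2-month cap and the uniform intrusion time are assumptions, and the 48 h mean IRT and 675 records/day are the slide-17 parameters.

```python
"""Added illustrative model of the SCIT rotation on slides 13, 17 and 18.
Not SCIT Labs' code; state names follow slide 18, all numbers are constructed."""
import random
from enum import Enum


class State(Enum):
    """Slide 18 life cycle of one server VM, in order."""
    START_NEW_VM = 1
    ONLINE_SPARE = 2
    ACTIVE_EXPOSED = 3     # the only state in which the VM serves Internet traffic
    GRACE_PERIOD = 4       # finishes in-flight transactions, takes no new ones
    KILL_VM = 5
    ARCHIVE_VM = 6         # image kept for forensics, then a fresh VM starts


def next_state(s: State) -> State:
    """6 wraps to 1: the replacement is always a pristine image, never a repaired one."""
    return State(s.value % 6 + 1)


def truncated_residence(irt_hrs: float, exposure_hrs: float, entry_hrs: float) -> float:
    """An intruder who gets in `entry_hrs` into an exposure window keeps the foothold
    only until that VM leaves ACTIVE_EXPOSED; persistence beyond the window is lost."""
    return min(irt_hrs, max(exposure_hrs - entry_hrs, 0.0))


def simulate(exposure_hrs, n=5000, mean_irt_hrs=48.0, records_per_day=675, seed=1):
    """Total records exposed over n intrusions without and with rotation.
    IRT is Pareto-distributed (alpha=2, an assumption so the mean exists) around the
    slide-17 mean of 48 h and capped at 2 months; records/day is the slide-17 rate."""
    rng = random.Random(seed)
    alpha, cap = 2.0, 24.0 * 60               # cap: 2 months expressed in hours
    xm = mean_irt_hrs * (alpha - 1) / alpha   # Pareto mean = alpha * xm / (alpha - 1)
    unrotated = rotated = 0.0
    for _ in range(n):
        irt = min(xm * rng.paretovariate(alpha), cap)
        entry = rng.uniform(0.0, exposure_hrs)  # assumed: intrusion time uniform in window
        unrotated += irt / 24 * records_per_day
        rotated += truncated_residence(irt, exposure_hrs, entry) / 24 * records_per_day
    return unrotated, rotated


if __name__ == "__main__":
    for et in (4.0, 4.0 / 60):                # the two slide-17 exposure-time cases
        base, scit = simulate(et)
        print(f"ET {et:5.3f} h: {scit / base:6.2%} of unrotated damage")
```

The absolute figures will not match slide 17, which also modelled detection and breach counts; the point is the shape of the result, with damage scaling with exposure time rather than with intruder residence time.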