SCIT Labs - intrusion tolerant systems

  • 2,177 views
Uploaded on

The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that …

The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
2,177
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
19
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Moving Target Proactive Cyber Defense – Keeping Bad Guys Out of Servers Arun Sood, Ph.D. SCIT Labs, Inc Clifton, VA asood@scitlabs.com SCIT Labs Confidential and Proprietary 1
  • 2. I. Intrusions Are InevitableNew Proactive Approaches are Required SCIT Labs Confidential and Proprietary 2
  • 3. May 2011 Security Incidents WorldwideSunday Monday Tuesday Wednesday Thursday Friday Saturday1 2 3 4 5 6 7Gmail X-Factor TV Sony SEC Bestbuy Central ORSony Show Woman Netflix Comm College to Woman Sony Healthcare8 9 10 11 12 13 14Huntington Assurant Fox MichaelsNational Bank15 16 17 18 19 20 21 Mass Anthem Blue PBS Sony Lockheed Martin Government Cross of NASA Sony X2 Regions Bank California22 23 24 25 26 27 28Sony Sony Sony Northrop L-3 Grumman Communications29 30 31Honda Nintendo Citibank Source: Confab 2011 SCIT Labs Confidential and Proprietary 3
  • 4. Epsilon Data Breach – 2011 SCIT Labs Confidential and Proprietary 4
  • 5. Source: Symantec 2010 ReviewSCIT Labs Confidential and Proprietary 5
  • 6. II. Cyber Attacks Persist• Intruders need access and time to orchestrate their attacks• Intrusions persist for days, weeks, months• Malware is hard to detect• Highly customized malicious code blends into the information landscape SCIT Labs Confidential and Proprietary 6
  • 7. Intruder Residence Time in Months 3 months 2 months5 months SCIT Labs Confidential and Proprietary 7 7
  • 8. Verizon DBIR 2010:Significant Intruder Residence Time SCIT Labs Confidential and Proprietary 8
  • 9. III. Current Servers are Sitting Ducks Adversary has the advantage We increase Adversary Work Factor SCIT Labs Confidential and Proprietary 9
  • 10. SCIT Labs Confidential and Proprietary 10
  • 11. The SCIT Approach Reduce server exposure time Restore to pristine state Threat IndependentMust maintain uninterrupted service SCIT Labs Confidential and Proprietary 11
  • 12. Zero Days – Fixing Vulnerabilities• Detecting a vulnerability• Reporting vulnerability• Developing a patch to fix vulnerability• Patch distribution• Testing in staging area• Patch application Use Moving Target Defense Make it Difficult to Exploit the Vulnerability SCIT Labs Confidential and Proprietary 12
  • 13. Servers How SCIT works-Virtual Example: 5 online and 3 offline servers-Physical Online servers; potentially compromised Offline servers; in self-cleansing SCIT Labs Confidential and Proprietary 13 13
  • 14. Resilience, Recovery, Tolerance, Forensics SCIT Labs Confidential and Proprietary 14
  • 15. The SCIT Approach• Patented, Proven, Award Winning Self Cleansing Intrusion Tolerance Technology• Uses Virtualization Technology• Ultra Low Intruder Residence Time• Subverts attacks by robbing intruders of time and persistent access needed to launch attacks SCIT Labs Confidential and Proprietary 15
  • 16. IDS/IPS vs Intrusion Tolerance Firewall, IDS, IPS Intrusion tolerance Risk management. Reactive. Proactive. A priori information Attack models. Software Exposure time. Length of required. vulnerabilities. longest transaction.Protection approach. Prevent all intrusions. Limit losses.System Administrator High. Manage reaction Less. No false alarms workload. rules. Manage false alarms. generated. Design metric. Unspecified. Exposure time.Packet/Data stream Required. Not required. monitoring.Higher traffic volume More computations. Computation volume requires. unchanged. Applying patches. Must be applied Can be planned. immediately. SCIT Labs Confidential and Proprietary 16 16
  • 17. Results of Simulation: NIDS, SCIT, NIDS+SCIT Parameters used Results of the simulationSimulation Metrics Value (units) Total damage No. of Mean Damage CaseNumber of queries 5000 (records) breaches (records/breach)used NIDS 245,962 (100%) 192 1,281Intruder Residence 0 minutes to 2 SCIT: ET 4hrs 55,364 (23%) 508 109Time (IRT) months SCIT: ET 4 mins 1,015 (0.4%) 508 2Mean IRT – Pareto 48 hoursdistribution NIDS + HIDS 210,578 (86%) 164 1,284Exposure Time – 2 1. 4 hrs NIDS + SCITcases 2. 4 mins (ET 4 hrs) 20,931 (9%) 191 110Mean of records 675 NIDS + SCITstolen per day records/breach (ET 4 mins) 383 (0.16%) 191 2 IDS Only SCIT+IDS SCIT Labs Confidential and Proprietary 17
  • 18. SCIT Server State Transitions 1 2 3 Active – ExposedStart New VM Online Spare to Internet 6 5 4 Archive VM for Kill VM Grace Period Future Analysis SCIT Labs Confidential and Proprietary 18
  • 19. SCIT – Applications SCIT ImplementationsWeb Tier: Web, 1. One applicationDNS, SSO…… 1 2 N (function) per serverApp Tier: Biz logic,Content Mgr, CRM…. 1 2 M 2. Five applications per serverData Tier: DB Mgr;File Mgr 1 L 3. 1000 applicationsStorage Tier: 100 serversTransactions (ms); 1 KLarge File transfer(High speed- seconds) 4. Cloud SCIT Labs Confidential and Proprietary 19
  • 20. Collaboration and Recognition• Lockheed Martin and Northrop Grumman – Testing and validation of SCIT servers. – Funded and collaborated with SCIT research – Integrated in LM cloud offering; NGC evaluating use cases for cloud app – LM and Landis Gyr are sub – SCIT application to Electricity Smart Grid• Raytheon – Collaborated on SBIR proposal• Awards – Winner Security Technology of Tomorrow Challenge, CNI Expo + GSC Jun 10 – Runners up Cyber Security Challenge GSC Nov 09 – Army SBIR: SCIT DNS• Patents: 3 issued + 3 more applied. SCIT Labs Confidential and Proprietary 20
  • 21. Target Market and Applications• Cloud and Hosting • Government Services – Civil – Web sites: LAMP & – DOD Windows IIS – Intelligence Community – DNS • Financial services – Ecommerce • Health care – Single Sign On – Email and comm – LDAP server – Streaming media SCIT Labs Confidential and Proprietary 21
  • 22. Risk = Threat X Vulnerabilities X Consequences SCIT Labs Confidential and Proprietary 22
  • 23. Cyber Security Approaches Vulner- Conse- Work FactorTechnology Approach Threat abilities quences A DIntrusion Detection / Prevention X +Firewall X +Malware detection X +Incoming Packet Monitoring X +Packet Analysis X +SSL Proxy X +SIEM X +Forensics X +SCIT - Recovery + Intrusion X +Tolerance + Forensic SupportOutgoing Packet Monitoring (DLP) X + A=Adversary Work Factor; D=Defender Work Factor SCIT Labs Confidential and Proprietary 23
  • 24. Pilot Project• Data Storage servers• Implement on one or two platforms using remote access• Support & training• Develop evaluation measures• Demonstrate achievement of measures in 3 month• Roll out commitment and plan SCIT Labs Confidential and Proprietary 24
  • 25. Benefits of SCIT• SCIT removes malware without detection• SCIT reduces data ex-filtration• SCIT does not rely on signatures and is threat independent• SCIT is mission resilient: automatic recovery• SCIT reduces intrusion response (alerts) management cost SCIT Labs Confidential and Proprietary 25
  • 26. DemoPROACTIVE CYBER ATTACK DEFENSE Arun Sood, Ph.D. asood@scitlabs.com +1703.347.4494 SCIT Labs Confidential and Proprietary 26