Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User
In his presentation at Merit Member Conference 2016, Bill Balmer demonstrated that a layered encryption strategy is the ultimate way to combat the latest cyberthreat: polymorphous attacks.
1. Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User
Bill Balmer, May 11, 2016
2. Scary Slide - Municipal Attacks
© 2016 ADVA Optical Networking. All rights reserved. Confidential.
• Industries
  • 63% of healthcare companies breached last year (RSA 2016)
  • 76% of energy utilities breached in past year (Dark Reading 2016)
• Municipal attacks
  • Cyber attack on NY dam: 2013, Bowman Avenue Dam used for flood control; unauthorized access to the city’s computer system
  • Smart grids: 2012 – Telvent Canada (Schneider Electric); breached firewall
  • San Francisco: 2015 - 40 fiber breaches; FBI - attackers posed as service provider employees; the purpose of the breaches has not been determined
3. Polymorphic Attacks
• Polymorphism means “change the appearance of”
• Mutation engines are bundled with Trojans and other types of malware
• Usually hidden in encrypted payloads
• Constantly mutates to avoid pattern recognition
• Polymorphic attacks are the new standard, with DDoS attacks used to cover the data breach (North America and EMEA: The Continual Threat to Digital Brands for 2015)
• Criminals are learning from government projects such as the Stuxnet worm used against the Iranian nuclear plant and the NSA man-in-the-middle attacks exposed through Snowden
• Rogue nations are hiring CaaS (Criminals-as-a-Service)
4. The Key to Getting In
• Stealing credentials is the point of most attacks
• Vendors
  • Exploit
  • Target through HVAC
• Employees
  • Poor password control
  • Bribes
• Exploits in security
  • IPsec aggressive mode
  • Forced password changes make users simplify passwords
  • Poorly configured servers
• Physical intrusion – man-in-the-middle
  • Fiber bending
  • Wiring closets
5. Basic Cryptographic Goals
Confidentiality (privacy) - “Encryption”: the man-in-the-middle cannot understand the message from Alice. Diffie-Hellman key agreement/exchange is arbitrated in the background. The man-in-the-middle could try to manipulate the key exchange to Bob.
Solution: authenticity - “Authentication”: Alice and Bob can be sure that they are really connected.
6. Man-in-the-Middle Attacks (diagram only)
7. Firewall Limitations
• Distributed networks instead of a single entry point
• Complex setup based on exception rules
• Susceptible to DDoS attacks overloading the processor
• Becomes a tool for polymorphic attacks
• “Firewalls are becoming the police tape around a crime scene” – CISO, AT&T*
*Carrier Network Security Strategies – Heavy Reading, Dec 2, 2015
8. Next Generation Firewalls Will Be Dynamic (diagram only)
9. Data Analytics
• Number of days before a breach is recognized: Verizon 288 days and Microsoft 244 days*
• Data analytics can**
  • Shorten the discovery period
  • Help enforce policies through detection
  • Reduce staff through automation
*Carrier Network Security Strategies – Heavy Reading, Dec 2, 2015
**TechForum Security Conference, March 24, 2016
10. What To Do?
• Amit Yoran, RSA president, said no fancy, expensive product can guarantee an organization’s safety: “There are no silver bullets in security.”
• “The shift from volumetric towards application-layer attacks and from single vector to polymorphic attacks is bound to accelerate – and service provider defenses need to evolve in line with that.”
• Each layer of transport for data in motion has its own challenges
11. Encryption Options – Securing Data in Motion
OSI layer | Name                               | Unit     | Encryption option
7, 6, 5   | Application, presentation, session | Data     | TLS, SSH
4         | Transport layer (TCP, UDP)         | Segments | TLS, SSH
3         | Network layer (IP/MPLS)            | Packets  | IPsec
2         | Data link (MAC)                    | Frames   | MACsec
1         | Physical (PHY)                     | Bits     | In-flight encryption
12. Secure Network Infrastructure Model – Security on Every Network Layer
• FSP 3000 family
• Infrastructure encryption
• Optical point to point
• Cloud computing
• Data center connectivity
• Over 200 networks
(diagram labels: IP layer, Ethernet layer, Optical layer; physical connectivity, virtual connectivity; BSI approval, R&D & NFV activities, solution available)
13. Examples of Fiber Tapping
Joshe Ruppe, Security Researcher. TechTarget: Optical network security: Inside a fiber-optic hack
14. Secure Data Center Interconnection – Innovation for high-performance cloud data center interconnect
• Highest performance
• Lowest latency
• Maximum security
(diagram labels: Application, Technology, Benefits, Solution; solution: FSP 3000)
15. Encryption using G.709 / OTH Link Protocol
Optical channel frame structure (rows 1-4, column number across):
  columns 1-14       OTU/ODU overhead   (OCh overhead)
  columns 15-16      OPU overhead       (OCh overhead)
  columns 17-3824    OCh payload        (encrypted)
  columns 3825-4080  FEC area           (FEC data)
Encryption covers the OPU payload columns; the OTU/ODU overhead, OPU overhead and FEC area lie outside the encrypted region.
5TCE link protocol:
• Supports OTU-2, OTU-2e, OTU-2f
• AES 256 encrypted OPU2 payload
• Automatic key exchange using DH key exchange
16. Media Transport Network - Solution
(diagram labels: Metro, Core, Metro; Event site ×3; TV studio A, TV studio B)
17. Optical Security Suite – a complete and integrated solution leveraging advanced technology
• Encryption: AES-256; authentication: Diffie-Hellman
• Security-hardened software: RADIUS, Secure shell, SNMPv3
• Physical layer monitoring: power tracking and intrusion detection; time-domain reflectometer (OTDR/cable integrity); access line monitoring (ALM); continuity check messages (CCM)
18. Secure Network Infrastructure Model – Security on Every Network Layer
• FSP 150 family – 1.75 million deployed
• Infrastructure encryption: ProNID™, ProVM™
• Enterprise encryption: MACsec Plus, Certes CryptoFlow™ NFV
• Who? Service providers, local government, branch offices (small count), cloud providers
(diagram labels: IP layer, Ethernet layer, Optical layer; physical connectivity, virtual connectivity; BSI approval, R&D & NFV activities, solution available)
19. Secure Access in Virtual Networks – Innovation for flexible cloud access in fixed and mobile applications
• Highest flexibility
• Minimum overhead
• Maximum security
(diagram labels: Application, Technology, Benefits, Solution; solution: FSP 150)
20. IPsec Challenges – Technical Aspects
• Latency: delay is measured in msec instead of µsec
• Efficiency: up to 50% additional bandwidth overhead
• Scalability: no wire-speed performance up to 100Gbit/s
• Confidentiality: exposed sender/receiver
• Compatibility: only works for IP traffic
• Complexity: issues scale linearly with links and endpoints
21. Flexible MACsec Data Encryption and Integrity – ConnectGuard™ Ethernet: flexibility and data security altogether
• L2 secure connectivity using standard MACsec format with VLAN bypass
• Works with MEF E-Line (EPL and EVPL)
• Supports point-to-point and hub-and-spoke secure connectivity
• Encryption directly at the Ethernet layer – line rate
• State of the art symmetric encryption algorithms: AES 128, AES 256
• Low latency, bandwidth efficiency
• Dynamic and secure key exchange
  • Password-authenticated Diffie-Hellman algorithm
  • Intrusion-proof key storage
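The man-in-the-middle manipulation of a Diffie-Hellman exchange described on slide 5, and the password-authenticated Diffie-Hellman named on slide 21, as one added Python example that is not the deck's or ADVA's code: the prime, password and confirmation-tag construction are constructed for illustration, and the tag step is a simplified stand-in for a real PAKE.

```python
# Added example, not code from the ADVA deck: an unauthenticated
# Diffie-Hellman exchange can be hijacked in transit, while binding the
# exchange to a shared password (a simplified password-authenticated DH,
# not any vendor's protocol) lets both ends detect the manipulation.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy-sized Mersenne prime, constructed for readability
G = 2            # real links use standardised MODP groups or ECDH

def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def derive_key(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def plain_dh(mitm: bool):
    """(alice_key, bob_key, mallory_keys); mitm=True: Mallory swaps in her M."""
    a, A = keypair()
    b, B = keypair()
    if not mitm:
        return derive_key(pow(B, a, P)), derive_key(pow(A, b, P)), ()
    m, M = keypair()
    alice_key = derive_key(pow(M, a, P))   # Alice believes M came from Bob
    bob_key = derive_key(pow(M, b, P))     # Bob believes M came from Alice
    mallory = (derive_key(pow(A, m, P)), derive_key(pow(B, m, P)))
    return alice_key, bob_key, mallory     # Mallory holds both session keys

def confirm_tag(password: bytes, own_pub: int, peer_pub: int, key: bytes) -> bytes:
    """Key confirmation: HMAC over the public values this side actually saw."""
    lo, hi = sorted((own_pub, peer_pub))
    transcript = lo.to_bytes(16, "big") + hi.to_bytes(16, "big")
    return hmac.new(password + key, transcript, hashlib.sha256).digest()

def authenticated_dh(password: bytes, mitm: bool) -> bool:
    """True if Alice and Bob both accept the session, False if rejected."""
    a, A = keypair()
    b, B = keypair()
    seen_by_alice, seen_by_bob = B, A
    if mitm:
        _, M = keypair()
        seen_by_alice, seen_by_bob = M, M  # Mallory swaps both values
    tag_a = confirm_tag(password, A, seen_by_alice, derive_key(pow(seen_by_alice, a, P)))
    tag_b = confirm_tag(password, B, seen_by_bob, derive_key(pow(seen_by_bob, b, P)))
    # Mallory lacks the password, and the swapped values give different transcripts and keys
    return hmac.compare_digest(tag_a, tag_b)
```

The confirmation tags only detect a hijacked exchange; a full PAKE additionally resists offline guessing of the password, which this toy does not attempt.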
22. MACsec+ – No Need for SP Switch Decrypt
(diagram labels: Site A, LAN, LAN, Site B)
23. Case Study – WellSpan Healthcare
(diagram labels: XG210C ×3; Clinic, Regional hospital ×3, Satellite hospital; ProVM-C, ProNID-C)
24. Secure Network Infrastructure Model – Security on Every Network Layer
• Enterprise encryption: ProVM™, FSP 150 vSE, Certes CryptoFlow™
• Layer 3 and 7
• Cloud applications
• Key management
• Who? Big box companies, branch offices, universities, local government
(diagram labels: IP layer, Ethernet layer, Optical layer; physical connectivity, virtual connectivity; BSI approval, R&D & NFV activities, solution available)
25. Future Proofing Security through Virtualization
• Firewalls – future
  • Interactive updates from security centers
  • Matching patterns of attacks
  • Updates to combat new threats
• Data analytics
  • Remote probes
  • Live monitoring
  • Filters / traps
• Application security
  • Micro-segmentation to limit damage
  • Policy management
26. VNF Versus Assured VNF – Example: Encryption
(diagram: “Encryption as VNF” – OVS, Storage, Network, Compute, IPsec; versus “Encryption as an assured VNF” – OVS, Storage, Network, Compute; compared on latency, cost @ 1Gbit/s, cost @ 10Mbit/s and resource consumption)
27. The Assured Model
(diagram labels: A1, A2 – physical test, monitoring, enforcement; L2/L3 low latency, sync, MACsec – hardware data plane; multicore x86 server – flexible L3/4/7 service creation; network interface; compute host infrastructure with VM-1 and VM-2 hosting VNFs; N1 – hardware equivalent; OVS)
28. IP Layer ProVM/Security NFV (diagram only)
29. IP Layer ProVM/Security NFV (diagram only, continued)
30. Security Is a Fact of Life – How data should travel
• How we travel
  • Get ticket online or at the airport
  • Prove who you are
  • Go through security checkpoint
  • Get into terminal
  • Boarding checks – do you belong on the flight?
31. Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.