Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User

In his presentation at Merit Member Conference 2016, Bill Balmer argued that a layered encryption strategy, applied at each network layer, is the most effective way to combat the latest cyberthreat: polymorphic attacks.

  1. Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User
     Bill Balmer, May 11, 2016
  2. Scary Slide - Municipal Attacks
     © 2016 ADVA Optical Networking. All rights reserved. Confidential.
     • Industries
       • 63% of healthcare companies breached last year (RSA 2016)
       • 76% of energy utilities breached in the past year (Dark Reading 2016)
     • Municipal attacks
       • Cyber attack on a NY dam: 2013, Bowman Avenue Dam, used for flood control; unauthorized access to the city's computer system
     • Smart grids
       • 2012 - Telvent Canada (Schneider Electric): firewall breached
     • San Francisco
       • 2015 - 40 fiber breaches
       • FBI: attackers posed as service provider employees
       • The purpose of the breaches has not been determined
  3. Polymorphic Attacks
     • Polymorphism means "change the appearance of": the code keeps its behaviour but changes its byte pattern
     • Mutation engines are bundled with Trojans and other types of malware
     • Usually hidden in encrypted payloads
     • Constantly mutates to avoid pattern recognition
     • Polymorphic attacks are the new standard, with DDoS attacks used to cover the data breach (North America and EMEA: The Continual Threat to Digital Brands for 2015)
     • Criminals are learning from government projects such as the Stuxnet worm used against Iran's nuclear program and the NSA man-in-the-middle attacks exposed by the Snowden disclosures
     • Rogue nations are hiring CaaS (Criminals-as-a-Service)
  4. The Key to Getting In
     • Stealing credentials is the point of most attacks
     • Vendors
       • Exploit a vendor's access: Target was breached through its HVAC contractor's credentials
     • Employees
       • Poor password control
       • Bribes
     • Exploits in security
       • IPsec IKEv1 aggressive mode (exposes the pre-shared-key hash to offline cracking)
       • Forced password changes push users toward simpler passwords
       • Poorly configured servers
     • Physical intrusion - man-in-the-middle
       • Fiber bending
       • Wiring closets
  5. Basic Cryptographic Goals
     • Confidentiality (privacy) - "encryption": a man-in-the-middle cannot understand the message from Alice.
     • Diffie-Hellman key agreement/exchange is negotiated in the background. A man-in-the-middle could manipulate the key exchange with Bob by substituting his own public values, ending up with one key shared with Alice and another shared with Bob.
     • Solution: authenticity - "authentication": Alice and Bob can be sure that they are really connected to each other and not to an impostor.
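The two goals on this slide, an unauthenticated Diffie-Hellman exchange that an active attacker can split in two, and the authentication that lets Alice detect the substitution, modelled in Python as an added example (not code from the presentation or from ADVA's products). The group parameters P = 2**521 - 1 and G = 3 are a toy choice for illustration only, the pre-shared secret keying the transcript MAC stands in for the "password-authenticated Diffie-Hellman" mentioned later in the deck, and the function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption, not from the
# slides): P is the Mersenne prime 2**521 - 1 and G = 3. P is not a safe
# prime; a real deployment would use an RFC 3526 MODP group or ECDH.
P = 2**521 - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8


def dh_keygen():
    """Return (private exponent x, public value G**x mod P)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_session_key(priv, peer_pub):
    """Hash the DH shared secret into a 32-byte session key."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("rejecting trivial DH public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")).digest()


def transcript_tag(psk, role, pub_alice, pub_bob):
    """MAC over the exchange transcript, keyed with a pre-shared secret."""
    msg = role + pub_alice.to_bytes(P_BYTES, "big") + pub_bob.to_bytes(P_BYTES, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk, mallory_active, authenticate):
    """Model Alice <-> Bob DH with an optional active attacker on the path."""
    a, A = dh_keygen()
    b, B = dh_keygen()
    ma, MA = dh_keygen()      # Mallory's key pair facing Bob
    mb, MB = dh_keygen()      # Mallory's key pair facing Alice
    rejected = {"alice_accepts": False, "bob_accepts": False,
                "keys_match": False, "mallory_knows_alice_key": False}

    # Msg 1, Alice -> Bob: A. An active Mallory swaps in MA.
    A_at_bob = MA if mallory_active else A
    # Msg 2, Bob -> Alice: B plus a tag over what Bob saw. Mallory swaps in MB
    # but cannot forge a tag without psk, so she can only relay Bob's tag.
    B_at_alice = MB if mallory_active else B
    if authenticate:
        tag_from_bob = transcript_tag(psk, b"bob", A_at_bob, B)
        expected = transcript_tag(psk, b"bob", A, B_at_alice)
        if not hmac.compare_digest(tag_from_bob, expected):
            return rejected                   # Alice detects the substitution
    k_alice = dh_session_key(a, B_at_alice)
    # Msg 3, Alice -> Bob: tag over what Alice saw (key confirmation).
    if authenticate:
        tag_from_alice = transcript_tag(psk, b"alice", A, B_at_alice)
        expected = transcript_tag(psk, b"alice", A_at_bob, B)
        if not hmac.compare_digest(tag_from_alice, expected):
            return rejected                   # Bob detects the substitution
    k_bob = dh_session_key(b, A_at_bob)
    k_mallory = dh_session_key(mb, A) if mallory_active else None
    return {"alice_accepts": True, "bob_accepts": True,
            "keys_match": k_alice == k_bob,
            "mallory_knows_alice_key": k_mallory == k_alice}


if __name__ == "__main__":
    psk = b"constructed pre-shared secret"   # constructed sample secret
    for mallory, auth in ((False, False), (True, False), (True, True)):
        print(f"mallory={mallory} auth={auth}:", run_exchange(psk, mallory, auth))
```

With `mallory_active=True` and no authentication the exchange completes, but Alice's key is the one Mallory derived, and Alice's and Bob's keys differ; with `authenticate=True` the tag Bob computed over (MA, B) does not match the (A, MB) Alice received, and she aborts. An HMAC keyed with a low-entropy password still lets a passive observer guess offline, which is why a real password-authenticated exchange uses a PAKE such as SRP or SPAKE2 rather than this construction.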
  6. Man-in-the-Middle Attacks (diagram only)
  7. Firewall Limitations
     • Distributed networks instead of a single entry point
     • Complex setup based on exception rules
     • Susceptible to DDoS attacks overloading the processor
     • Becomes a tool for polymorphic attacks
     • "Firewalls are becoming the police tape around a crime scene" - CISO, AT&T*
     *Carrier Network Security Strategies - Heavy Reading, Dec 2, 2015
  8. Next Generation Firewalls Will Be Dynamic (diagram only)
  9. Data Analytics
     • Number of days before a breach is recognized: Verizon 288 days, Microsoft 244 days*
     • Data analytics can**
       • Shorten the discovery period
       • Help enforce policies, through detection
       • Reduce staff, through automation
     *Carrier Network Security Strategies - Heavy Reading, Dec 2, 2015
     **TechForum Security Conference, March 24, 2016
  10. What To Do?
      • Amit Yoran, RSA president, said no fancy, expensive product can guarantee an organization's safety: "There are no silver bullets in security."
      • "The shift from volumetric towards application-layer attacks and from single vector to polymorphic attacks is bound to accelerate – and service provider defenses need to evolve in line with that."
      • Each layer of transport for data in motion has its own challenges
  11. Encryption Options - Securing Data in Motion

      OSI layer | Layer                              | PDU      | Encryption option
      7, 6, 5   | Application, presentation, session | Data     | TLS, SSH
      4         | Transport (TCP, UDP)               | Segments | TLS, SSH
      3         | Network (IP/MPLS)                  | Packets  | IPsec
      2         | Data link (MAC)                    | Frames   | MACsec
      1         | Physical (PHY)                     | Bits     | In-flight (optical layer) encryption
  12. Secure Network Infrastructure Model - Security on Every Network Layer
      Optical layer (physical connectivity): solution available, BSI approval
      • FSP 3000 family
      • Infrastructure encryption
      • Optical point to point
      • Cloud computing
      • Data center connectivity
      • Over 200 networks
      [Diagram: optical layer = physical connectivity; Ethernet layer and IP layer = virtual connectivity. Legend: BSI approval, R&D & NFV activities, solution available]
  13. Examples of Fiber Tapping
      Source: Joshe Ruppe, security researcher, TechTarget: "Optical network security: Inside a fiber-optic hack"
  14. Secure Data Center Interconnection
      Innovation for high-performance cloud data center interconnect
      • Benefits: highest performance, lowest latency, maximum security
      • Solution: FSP 3000
      [Diagram: application, technology, benefits, solution]
  15. Encryption using G.709 / OTH Link Protocol
      Optical channel frame structure (4 rows x 4080 columns):
      • Columns 1-14: OTU/ODU overhead
      • Columns 15-16: OPU overhead
      • Columns 17-3824: OPU payload (encrypted)
      • Columns 3825-4080: FEC area
      • OCh overhead, OCh payload, FEC data
      5TCE link protocol
      • Supports OTU-2, OTU-2e, OTU-2f
      • AES-256 encrypted OPU2 payload
      • Automatic key exchange using DH key exchange
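How the payload-only encryption on this slide sits inside the OTU frame, as an added example in Python (not the product's code). Column ranges and the positions of GCC1/GCC2 in row 4 of the ODU overhead follow ITU-T G.709; the editor's notes at the end of the page state that the key exchange runs over those GCC bytes. The keystream here is an HMAC-SHA256 counter stand-in for AES-256, used only to show which bytes change and which stay in the clear; the line rate is the nominal OTU2 rate of 10.709 Gbit/s; the frame contents and keys are constructed.

```python
import hashlib
import hmac

ROWS, COLS = 4, 4080                 # G.709 OTUk frame: 4 rows x 4080 columns
OTU2_BIT_RATE = 10_709_225_316       # nominal OTU2 line rate in bit/s

# Column ranges (1-based, inclusive) of each area, identical in every row.
AREAS = {
    "OTU/ODU overhead": (1, 14),
    "OPU overhead": (15, 16),
    "OPU payload": (17, 3824),
    "FEC": (3825, 4080),
}
# General Communication Channels in the ODU overhead: (row, first col, last col).
GCC1 = (4, 1, 2)
GCC2 = (4, 3, 4)


def field(row, col):
    """Name the frame area a (row, column) byte belongs to."""
    for name, (lo, hi) in AREAS.items():
        if lo <= col <= hi:
            if name == "OTU/ODU overhead":
                for gname, (r, c0, c1) in (("GCC1", GCC1), ("GCC2", GCC2)):
                    if row == r and c0 <= col <= c1:
                        return gname
            return name
    raise ValueError("column out of range")


def idx(row, col):
    """Offset of a 1-based (row, col) byte in the flat frame buffer."""
    return (row - 1) * COLS + (col - 1)


def new_frame(payload_byte=0):
    """Constructed frame: overhead/FEC zeroed, payload filled with one byte."""
    frame = bytearray(ROWS * COLS)
    lo, hi = AREAS["OPU payload"]
    for row in range(1, ROWS + 1):
        frame[idx(row, lo):idx(row, hi) + 1] = bytes([payload_byte]) * (hi - lo + 1)
    return frame


def write_gcc(frame, gcc, two_bytes):
    row, c0, c1 = gcc
    frame[idx(row, c0):idx(row, c1) + 1] = two_bytes


def read_gcc(frame, gcc):
    row, c0, c1 = gcc
    return bytes(frame[idx(row, c0):idx(row, c1) + 1])


def keystream(key, nonce, nbytes):
    """HMAC-SHA256 counter keystream: a stand-in for AES-256, not the real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def xor_payload(frame, key, nonce):
    """Encrypt (or decrypt, same operation) only the OPU payload columns."""
    lo, hi = AREAS["OPU payload"]
    width = hi - lo + 1
    ks = keystream(key, nonce, ROWS * width)
    out = bytearray(frame)
    for row in range(1, ROWS + 1):
        base = idx(row, lo)
        for i in range(width):
            out[base + i] ^= ks[(row - 1) * width + i]
    return out


def frames_to_carry(nbytes, gcc=GCC1):
    """Frames needed to push nbytes through one GCC (2 bytes per frame)."""
    per_frame = gcc[2] - gcc[1] + 1
    return -(-nbytes // per_frame)


def gcc_bit_rate(gcc=GCC1, line_rate=OTU2_BIT_RATE):
    """Usable bit rate of one GCC at the given OTU line rate."""
    frames_per_s = line_rate / (ROWS * COLS * 8)
    return frames_per_s * (gcc[2] - gcc[1] + 1) * 8


def encrypted_fraction():
    lo, hi = AREAS["OPU payload"]
    return (hi - lo + 1) / COLS


if __name__ == "__main__":
    frame = new_frame(0x41)
    write_gcc(frame, GCC1, b"\x12\x34")          # a slice of a DH public value
    enc = xor_payload(frame, b"k" * 32, b"n" * 8)  # constructed key and nonce
    print("GCC1 still readable:", read_gcc(enc, GCC1))
    print("frames for a 256-byte DH value:", frames_to_carry(256))
    print("GCC1 bit rate on OTU2: %.0f bit/s" % gcc_bit_rate())
    print("fraction of frame encrypted: %.3f" % encrypted_fraction())
```

The point a practitioner should take from this: the key exchange and management traffic ride in overhead bytes that remain in the clear, so what protects them is the authentication in the key exchange, not the payload encryption; a 256-byte DH value takes 128 frames, about 1.6 ms, through one GCC on OTU2.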
  16. Media Transport Network - Solution
      [Diagram: three event sites connected over metro and core networks to TV studio A and TV studio B]
  17. Optical Security Suite
      A complete and integrated solution leveraging advanced technology
      • Encryption: AES-256, Diffie-Hellman key exchange, authentication
      • Security-hardened software: RADIUS, Secure Shell, SNMPv3
      • Physical layer monitoring: power tracking and intrusion detection, optical time-domain reflectometer (OTDR / cable integrity), access line monitoring (ALM), continuity check messages (CCM)
  18. Secure Network Infrastructure Model - Security on Every Network Layer
      Ethernet layer (virtual connectivity): solution available
      • FSP 150 family: 1.75 million deployed
      • Infrastructure encryption: ProNID™, ProVM™
      • Enterprise encryption: MACsec Plus, Certes CryptoFlow™ NFV
      • Who? Service providers, local government, branch offices (small count), cloud providers
      [Diagram: optical layer = physical connectivity; Ethernet layer and IP layer = virtual connectivity. Legend: BSI approval, R&D & NFV activities, solution available]
  19. Secure Access in Virtual Networks
      Innovation for flexible cloud access in fixed and mobile applications
      • Benefits: highest flexibility, minimum overhead, maximum security
      • Solution: FSP 150
      [Diagram: application, technology, benefits, solution]
  20. IPsec Challenges - Technical Aspects
      • Latency: delay is measured in msec instead of µsec
      • Efficiency: up to 50% additional bandwidth overhead (worst for small packets)
      • Scalability: no wire-speed performance up to 100Gbit/s
      • Confidentiality: exposed sender/receiver (outer IP addresses stay visible)
      • Compatibility: only works for IP traffic
      • Complexity: issues scale linearly with links and endpoints
  21. Flexible MACsec Data Encryption and Integrity
      ConnectGuard™ Ethernet - flexibility and data security altogether
      • L2 secure connectivity using standard MACsec format with VLAN bypass
      • Works with MEF E-Line (EPL and EVPL)
      • Supports point-to-point and hub-and-spoke secure connectivity
      • Encryption directly at the Ethernet layer - line rate
      • State-of-the-art symmetric encryption algorithms: AES-128, AES-256
      • Low latency, bandwidth efficiency
      • Dynamic and secure key exchange: password-authenticated Diffie-Hellman algorithm
      • Intrusion-proof key storage
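The "up to 50% additional bandwidth overhead" claim for IPsec on slide 20 and the "bandwidth efficiency" claim for MACsec on slide 21 can be checked with a per-packet calculation; what follows is an added example, not material from the presentation. It uses the standard field sizes (RFC 4303 ESP header and trailer, the 8-byte explicit AES-GCM IV and 16-byte ICV of RFC 4106, the IEEE 802.1AE SecTAG with SCI and 16-byte ICV), assumes an IPv4 outer header without options, and the packet lengths fed to it are constructed.

```python
ETH_HDR = 14          # destination MAC, source MAC, EtherType
ETH_FCS = 4
ETH_MIN_PAYLOAD = 46  # gives the 64-byte minimum frame
IPV4_HDR = 20         # outer tunnel header without options (assumption)
ESP_HDR = 8           # SPI + sequence number (RFC 4303)
ESP_IV = 8            # explicit AES-GCM IV (RFC 4106)
ESP_TRAILER = 2       # pad length + next header
ESP_ICV = 16          # 128-bit AES-GCM ICV
MACSEC_SECTAG = 16    # SecTAG with SCI; 8 bytes when the SCI is omitted
MACSEC_ICV = 16       # 802.1AE GCM-AES ICV


def esp_tunnel_len(ip_pkt_len):
    """Outer IPv4 packet length after ESP tunnel mode with AES-GCM."""
    pad = (-(ip_pkt_len + ESP_TRAILER)) % 4   # payload + trailer to a 4-byte boundary
    return IPV4_HDR + ESP_HDR + ESP_IV + ip_pkt_len + pad + ESP_TRAILER + ESP_ICV


def _frame(payload_len):
    """Ethernet frame length for a given payload, honouring the minimum size."""
    return ETH_HDR + max(ETH_MIN_PAYLOAD, payload_len) + ETH_FCS


def frame_plain(ip_pkt_len):
    return _frame(ip_pkt_len)


def frame_ipsec(ip_pkt_len):
    return _frame(esp_tunnel_len(ip_pkt_len))


def frame_macsec(ip_pkt_len, with_sci=True):
    sectag = MACSEC_SECTAG if with_sci else 8
    return _frame(sectag + ip_pkt_len + MACSEC_ICV)


def overhead_pct(ip_pkt_len):
    """Extra bytes on the wire relative to the unencrypted frame, in percent."""
    plain = frame_plain(ip_pkt_len)
    return {
        "ipsec": round(100.0 * (frame_ipsec(ip_pkt_len) - plain) / plain, 1),
        "macsec": round(100.0 * (frame_macsec(ip_pkt_len) - plain) / plain, 1),
    }


def largest_esp_inner_packet(outer_mtu=1500):
    """Largest inner IP packet that survives ESP tunnel mode without fragmentation."""
    fixed = IPV4_HDR + ESP_HDR + ESP_IV + ESP_TRAILER + ESP_ICV
    for inner in range(outer_mtu - fixed, 0, -1):
        if esp_tunnel_len(inner) <= outer_mtu:
            return inner
    return 0


if __name__ == "__main__":
    for size in (40, 64, 128, 512, 1400):   # constructed packet sizes
        print(size, overhead_pct(size))
    print("largest inner packet at a 1500-byte MTU:", largest_esp_inner_packet())
```

For a 40-byte TCP ACK the IPsec tunnel grows the 64-byte frame to 114 bytes (78% overhead) against 90 bytes for MACsec (41%); at 1400 bytes the figures are about 4% and 2%. The other operational cost the slide alludes to shows up in `largest_esp_inner_packet`: with a 1500-byte path MTU, ESP tunnel mode leaves room for a 1446-byte inner packet, so either the tunnel endpoint fragments or the inner MTU must be lowered, whereas MACsec adds a fixed 32 bytes to the frame and needs the switches in the path to accept the larger frame.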
  22. MACsec+: No Need for SP Switch Decrypt
      [Diagram: Site A LAN to Site B LAN across the service provider network]
  23. Case Study - WellSpan Healthcare
      [Diagram: a clinic, a satellite hospital and regional hospitals connected through XG210C units, with ProNID-C and ProVM-C]
  24. Secure Network Infrastructure Model - Security on Every Network Layer
      IP layer (virtual connectivity): R&D & NFV activities
      • Enterprise encryption: ProVM™, FSP 150 vSE, Certes CryptoFlow™
      • Layer 3 and 7
      • Cloud applications
      • Key management
      • Who? Big box companies, branch offices, universities, local government
      [Diagram: optical layer = physical connectivity; Ethernet layer and IP layer = virtual connectivity. Legend: BSI approval, R&D & NFV activities, solution available]
  25. Future Proofing Security through Virtualization
      • Firewalls - future
        • Interactive updates from security centers
        • Matching patterns of attacks
        • Updates to combat new threats
      • Data analytics
        • Remote probes
        • Live monitoring
        • Filters / traps
      • Application security
        • Micro-segmentation to limit damage
        • Policy management
  26. VNF Versus Assured VNF - Example: Encryption
      [Chart comparing IPsec encryption as a VNF (on OVS over compute, storage and network) with encryption as an assured VNF, on latency, cost at 1Gbit/s, cost at 10Mbit/s and resource consumption]
  27. The Assured Model
      [Diagram: a multicore x86 compute host running VMs and VNFs over OVS, giving flexible L3/4/7 service creation; a hardware data plane, equivalent to the hardware appliance, providing physical test, monitoring and enforcement plus L2/L3 low latency, sync and MACsec at the network interface]
  28. IP Layer ProVM/Security NFV (slides 28 and 29, diagram only)
  30. Security Is a Fact of Life - How Data Should Travel
      How we travel:
      • Get ticket online or at the airport
      • Prove who you are
      • Go through the security checkpoint
      • Get into the terminal
      • Boarding checks: do you belong on the flight?
  31. Thank You
      IMPORTANT NOTICE: The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.

Editor's Notes

  • The following OTU/ODU overhead bytes are used for the dynamic key exchange in our ADVA AES256 encryption solution:

    10TCE-PCN-16GU+AES100G: GCC2

    5TCE-PC(T)N-10G+AES10G: GCC1/2
  • Security-Hardened Software:

    RADIUS support for secure and centralized user access management
    Secure Shell protocol (SSH) for encrypted network management communication
    SNMPv3, the latest SNMP version, providing built-in authentication and encryption for network management communication

    Cable Diagnostics or Cable Integrity Check on RJ-45 Copper Ports of the FSP 150 product family
  • MACsec+ extends MACsec to support end-to-end secure connectivity in a MACsec unaware network.
    Secure the EVC payload while leaving the transport VLANs in the clear
  • Open vSwitch (OVS)
    Addresses one of the big questions of decentralized platforms:

    SR-IOV is similar to OVS but operates in hardware, requiring no hypervisor involvement: the Intel technology takes advantage of the PCIe data plane, recognizes the data packet and places it directly into the appropriate VM's memory by DMA (direct memory access).

    ProVM will allow the service provider not only to test the network but also to test between the VNFs. This will greatly aid in troubleshooting problems with service chaining. Over the next several years, NFV deployments are going to be new to service providers. Detailed analysis will help not only save cost but also build better operational procedures for deployment and troubleshooting. A single truck roll for an unidentified fault will cost more than the difference between a ProVM and a COTS platform.