Research Advancements Towards
Protecting Critical Assets

Dr. Richard “Rick” Raines
Cyber Portfolio Manager
Oak Ridge Nati...
The Cyber Defense?
The Economist May 9, 2009
The Threat Landscape
• National intellectual property is being stolen at alarming
rates
• National assets are vulnerable t...
Understanding the Challenges
• Dynamic environment with a constant churn
– A domain of operations—”within” and “through”
–...
Who Are the Threat Actors ?
• Unintended threat actors -- Can be just about anyone??
– Target rich environment—people, pro...
Who “Really” Are the Threat
Actors?
• Over 90% of threat actors are external to an organization
• 55% of the actors associ...
The Targets
• 37% of incidents affected financial organizations
– Organized crime—virtual and physical methods
– Since 9/2...
Understanding Your Mission
• What does cyber Situational Awareness really mean?
– User-defined
– Real-time awareness of mi...
Long Term Grand Challenges
Cyber R&D Challenges
Operate Through An Outage/Attack
Identify
missioncritical
capabilities

Assess
complex
attack
plannin...
Cyber R&D Challenges
Predictive Awareness
Near-real-time
situational
awareness
of the
battlespace

Automated/
user-defined...
Cyber R&D Challenges
Security in the Cloud

Approach:
Wholly owned/
cloud service/
public internet

Complex
attack
plannin...
Cyber R&D Challenges
Self-Protective Data/Software
Resilient
data
(at rest and
in motion)

Protocols:
Secure,
resilient,
a...
Cyber R&D Challenges
Security of Mobile Devices
Classified/
UNCLAS
encryption

Power and
performance
issues
addressed

Har...
ORNL Cyber Research Strengths
• Observation-based
generative models
• Control of false
positives/negatives
• Modeling
of a...
ORNL Control Systems Security
Research Strengths
• Observation-based
generative models
• Control of false
positives/negati...
VERDE: Visualizing Energy Resources
Dynamically on Earth

• Monitoring Capability
– Situational awareness of subset of
tra...
Current technology
provides no practical
means to validate the full
behavior of software.

Program instructions
implement ...
Oak Ridge Cyber Analytics: Detecting
Zero Day Attacks
DoD Warfighter Challenge evaluation of ORNL’s ORCA:
•
•

•

Supervis...
Moving Ahead
•
•
•
•
•
•
•

Increased national focus on cyber security
Cyber law enforcement capabilities growing – “who”
...
Questions?
rainesra@ornl.gov
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical Assets by Dr. Richard “Rick” Raines
Upcoming SlideShare
Loading in …5
×

TakeDownCon Rocket City: Research Advancements Towards Protecting Critical Assets by Dr. Richard “Rick” Raines

401 views

Published on

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
401
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

TakeDownCon Rocket City: Research Advancements Towards Protecting Critical Assets by Dr. Richard “Rick” Raines

  1. 1. Research Advancements Towards Protecting Critical Assets Dr. Richard “Rick” Raines Cyber Portfolio Manager Oak Ridge National Laboratory 15 July 2013
  2. 2. The Cyber Defense? The Economist May 9, 2009
  3. 3. The Threat Landscape • National intellectual property is being stolen at alarming rates • National assets are vulnerable to attack and exploitation • Personal Identifiable Information at risk • Competing and difficult national priorities for resources Electric Power Oil & Gas Water Emergency Transportation Communications Financial The Landscape is continually changing
  4. 4. Understanding the Challenges • Dynamic environment with a constant churn – A domain of operations—”within” and “through” – Anytime, anywhere access to data and information – Policy and Statutory lanes emerging • Agile adversaries – Cyber and Cyber Physical – Overt and covert attacks/exploits • Data continues to grow – Sensor feeds yield terabytes of raw data – Analyst burdens continue to grow We Continue to Play Catch Up
  5. 5. Who Are the Threat Actors ? • Unintended threat actors -- Can be just about anyone?? – Target rich environment—people, processes, machines • Personal gain threat actors -- individual and organized crime – Insiders? • Ideological threat actors – Hacktivists, extremists and terrorists #OpUSA (7 May 13) #OpNorthKorea (25 Jun 13) • Nation-state threat actors – Intelligence gathering, military actions The Sophistication of the Actors Continue to Increase
  6. 6. Who “Really” Are the Threat Actors? • Over 90% of threat actors are external to an organization • 55% of the actors associated with organized crime – Predominantly in U.S. and Eastern Europe • ~20% of actors associated with nation-state operations – Over 90% attributable to China • Internal actors: large percentage of events tied to unintentional misconfigurations Source: www.verizonenterprise.com/DBIR/2013 But, sophistication not always needed….
  7. 7. The Targets • 37% of incidents affected financial organizations – Organized crime—virtual and physical methods – Since 9/2012, 46 U.S. institutions in over 200 separate intrusions (FBI) • 24% targeted individuals in retail environments – 40% of data thefts attributed to employees in the direct payment chain • Waiters, cashiers, bank tellers—”skimmers” and like-devices • Organizations will always be targets for who they are and what they do Source: www.verizonenterprise.com/DBIR/2013 Actors will continue to look for the “low hanging fruit”
  8. 8. Understanding Your Mission • What does cyber Situational Awareness really mean? – User-defined – Real-time awareness of mission health – Highly relevant information to the decision-maker • What are the “crown jewels” in your mission space? – The critical components that you can’t operate without – Understanding the interdependencies • What are the capabilities needed for success? – Revolutionary advances rather than evolutionary progress – The right talent and enough to ensure success – Partnerships are critical Mission Assurance = Operational Success
  9. 9. Long Term Grand Challenges
  10. 10. Cyber R&D Challenges Operate Through An Outage/Attack Identify missioncritical capabilities Assess complex attack planning problem Design defense in depth Detect/ block attacks Discover/ mitigate attacks Enable graceful degradation of resilient (self-healing) systems System of systems approach to ensure continuity of operations (COOP)
  11. 11. Cyber R&D Challenges Predictive Awareness Near-real-time situational awareness of the battlespace Automated/ user-defined view Network mapping Predictive/ self-healing systems Anticipate failure or attack and react automatically Mission-critical systems available and functional to operate through
  12. 12. Cyber R&D Challenges Security in the Cloud Approach: Wholly owned/ cloud service/ public internet Complex attack planning problem Variety of security structures Masking deception Continuous maneuver Graceful degradation of resilient (self-healing) systems Visibility of data and computations without access to specific problem
  13. 13. Cyber R&D Challenges Self-Protective Data/Software Resilient data (at rest and in motion) Protocols: Secure, resilient, active Trustworthy computing High-userconfidence check sum Hardwarebacked trust High user confidence in data and software Graceful degradation of missioncritical data to “last known good”
  14. 14. Cyber R&D Challenges Security of Mobile Devices Classified/ UNCLAS encryption Power and performance issues addressed Hardware root of trust Self healing Data Validated Leakage/ Transfer contained Biometric security features Bring your own device (disaster?)
  15. 15. ORNL Cyber Research Strengths • Observation-based generative models • Control of false positives/negatives • Modeling of adversaries • Photon pair and continuous variable entanglement • Comprehensive source design and simulation • High-performance computing resources • Putting quantum and computing together • Mathematical rigor • Computationally intensive methods • At scale, near real time Computational cyber Evidencesecurity based action Nonclassical light sources • Statistics vs metrics • Repeatability and reproducibility • Trend observation and identification Sciencebased security Protection and control Quantum simulation Data management Information visualization Applicationoriented research • From first principles to real solutions • Quantum for computing, communication, sensing, and security Analytics • • • • Probabilistic modeling Social network analysis Relational learning Heterogeneous data analysis • Online, near-real-time methods • Graph modeling/retrieval • Distributed storage and analysis methods • Geospatial and temporal display methods • Multiple, coordinated visualizations • User-centered design and user testing
  16. 16. ORNL Control Systems Security Research Strengths • Observation-based generative models • Control of false positives/negatives • Modeling of adversaries • Vulnerability assessments • Mathematical rigor • Computationally intensive methods • At scale, near real time • Time synchronized data • Fault disturbances recorders, PMUs • Voltage, frequency, phase 3, current Computational cyber Real-time Evidencesecurity Monitoring based action • Industry guidelines • Interoperability • Physics based protection schemes • Cyber physical interface Standards development Resilient control systems Detection, control and wide-area visualization Data management Information visualization Advanced components • Fault current limiters • Saturable reactors • Power electronics Analytics • • • • Probabilistic modeling Social network analysis Relational learning Heterogeneous data analysis • Online, near-real-time methods • Graph modeling/retrieval • Distributed storage and analysis methods • Geospatial and temporal display methods • Multiple, coordinated visualizations • User-centered design and user testing
  17. 17. VERDE: Visualizing Energy Resources Dynamically on Earth • Monitoring Capability – Situational awareness of subset of transmission lines (above 65 KV) – Situational awareness of distribution outages (status of approximately 100 Million power customers) – Social-media feeds ingest Wide-Area Power Grid Situational Awareness – Real-time weather overlays • Modeling and Analysis – Predictive and post-event impact modeling and contingency simulation – Automatic forecasts of power recovery – Energy interdependency modeling – Mobile application – Cyber dependency Impact Models and Data Analysis Distribution Outages Analysis
  18. 18. Current technology provides no practical means to validate the full behavior of software. Program instructions implement functional semantics that can be precisely defined. Instruction semantics can be mathematically combined to compute the functional effect of programs. HOW IT WORKS: • Hyperion Protocol technology computes the behavior of compiled binaries. • Structure theorem shows how to transform code into standard control structures with no arbitrary branching. • Correctness theorem shows how to express behavior of control structures as nonprocedural specifications. QUANTITATIVE IMPACT Software may contain unknown vulnerabilities and sleeper code that compromise operations. Mathematical Foundations developed at IBM SEI/CMU developed Function Extraction (FX) ORNL developing 2nd Gen FX on HPC • Computed behavior can be compared to semantic signatures of vulnerabilities and malicious operations. GOAL NEW INSIGHTS STATUS QUO Hyperion Protocol Determination of vulnerabilities and malicious content can be carried out at machine speeds. Validation. Software can be analyzed for intended functionality. Readiness. Software can be analyzed for malicious content. System for computing behavior of binaries to identify vulnerabilities sleeper codes and malware. Function and security analysis of compiled binaries through behavior computation
  19. 19. Oak Ridge Cyber Analytics: Detecting Zero Day Attacks DoD Warfighter Challenge evaluation of ORNL’s ORCA: • • • Supervised Learner (Tweaked AdaBoost): • Detected 94% of attacks using machine learning methods • False positive rate is only 1.8% Semi-supervised Learner (Linear Laplacian RLS): • Detected 60% of attacks using machine learning methods • No false positives Detecting both previously seen and never before seen attacks. Approach: • Generalize computer communication behaviors using machine learning models. • Classify incoming network data in real-time. • Complement signature-based sensor arrays to focus on attack variants. Advantages: • No signatures – trains on examples of attacks • Detects attacks missed by the most advanced OTS intrusion detectors. • Detect zero day attacks that are variants of existing attack vectors.
  20. 20. Moving Ahead • • • • • • • Increased national focus on cyber security Cyber law enforcement capabilities growing – “who” Digital forensics are improving -- “how” Information Sharing and Analysis Centers (ISACs) – “what” Maturing education and training for the professionals Better education for “the masses” Rapidly evolving R&D breakthroughs The Human is still the weakest element in the cyber domain
  21. 21. Questions? rainesra@ornl.gov

×