Cyber Security


Published in: Technology, Business

  1. North Carolina Federal Advanced Technologies Symposium, May 9, 2013
     Cyber Security Panel
     Hosted by: Office of Senator Richard Burr; NC Military Business Center; NC Military Foundation; Institute for Defense & Business; University of North Carolina System
     Reception Sponsor:
     Bronze Sponsor:
  2. Science of Security Configuration Analytics – Know your network!
     Professor Ehab Al-Shaer, Director of Cyber Defense Network Assurability Center, University of North Carolina Charlotte
     ealshaer@uncc.edu, www.cyberdna.uncc.edu
     Cyber Security Panel, NC Federal Advanced Technologies Symposium, May 9, 2013
  3. About CyberDNA Research
     • Vision: making cybersecurity measurable, provable and usable
     • Research Team:
       – Multi-disciplinary team of 11 faculty members and 35 PhD students
       – Areas: security, networking, data mining, economics, power and control, behavior science/HCI
     • Active Funding: > 8.2M from NSF, NSA, ARO, AFRL, DHS, Bank of America, BB&T, DTCC, Duke Energy, Cisco, Intel
     • Prof. Al-Shaer was featured as Subject Matter Expert (SME) in Security Configuration Analytics and Automation [DoD Information Assurance Newsletter, 2011]
     • NSF Industry/University Collaborative Research Center on (Security) Configuration Analytics and Automation (CCAA), led by UNC Charlotte and George Mason University
       – Members include NSA, NIST, Bank of America, BB&T, DTCC, MITRE, Northrop Grumman
     • Tools and technology transfer projects for Cisco, Intel, Duke Energy, ...
     • Long and solid research track record in many areas, particularly:
       – Security configuration analytics (verification and synthesis) for enterprise, cloud and smart grid
       – Security metrics and risk estimation
       – Agility and resiliency for cyber, cloud and cyber-physical systems
  4. Why Cybersecurity is Hard
     • Attack detection (alone) cannot deliver
       – Learning-based = knowing the attack OR knowing the deviation threshold → easily evadable
       – Insufficient for attack avoidance
     • Cybersecurity = attack prediction
     • Attack prediction is a hard problem
       – Learning-driven vs. prediction-driven
         • Feature selection vs. information integration & analytics
       – Needs scalable and accurate models of both system behavior and adversary strategies
       – System complexity and adversary sophistication are increasingly growing
  5. The Need for Security Configuration Analytics
     • A December 2008 report from the Center for Strategic and International Studies, "Securing Cyberspace for the 44th Presidency", states that "inappropriate or incorrect security configurations were responsible for 80% of Air Force vulnerabilities"
     • A May 2008 report from Juniper Networks, "What is Behind Network Downtime?", states that "human factors [are] responsible for 50 to 80 percent of network device outages"
     • BT/Gartner [3] has estimated that 65% of cyber-attacks exploit systems with vulnerabilities introduced by configuration errors. The Yankee Group [4] has noted that configuration errors cause 62% of network downtime.
     • A 2009 report [5] by BT and Huawei discusses how service outages caused by "the human factor" themselves cause more than 30% of network outages, "a major concern for carriers and causes big revenue-loss."
  6. Complexity of Configuration Analytics
     • Scale – thousands of devices and millions of rules
     • Distributed, yet inter-dependent, devices and rules
     • Policy semantic gap – device roles (e.g., rule-order semantics vs. recursive ACL, single-trigger vs. multi-trigger policies)
     • Multi-level and multi-layer network configuration
       – Overlay networks, groups/domains in cloud (e.g., EC2/VPC, security groups)
       – Network access control, OS, application level, etc.
     • Dynamic changes in networks and threats
     • Security design trade-offs: risk vs. mission, usability, cost, and performance
     [Source: Security Analytics and Automation, DoD IA Newsletter, Oct 2011]
  7. NSF Center on Security Analytics & Automation – The Big Picture
     (Diagram; only its labels survive extraction.) Predominately Manual Management Practices; Logs and Sensor Data; Security Requirements & Policies; Enterprise Policies & Configuration; Analytics & Automation (analytics, automation, integration, action, system); MEASURABLE SECURITY: Automated Defense, Resiliency, Cost-Effective Hardening; Defensive Actions
  8. ConfigChecker: Security Analytics Magic Box [ICNP09]
     (Diagram; labels only.) Inputs/outputs around ConfigChecker: Policy Violation; Threat Prediction; Risk Estimation; Risk Mitigation; Attack Diagnosis; Agility Actions; Resiliency Measure
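Slides 6 to 8 describe configuration analytics over ordered rule sets, where rule-order semantics decide which rule actually handles a packet and where a policy violation may hide among millions of rules. The Python below is an added example of the simplest such verification; it is not ConfigChecker or any CyberDNA code, and the rule format and the sample ACL are constructed for illustration. It checks a first-match ACL for the two classic pairwise anomalies: a later rule that is shadowed (an earlier rule with the opposite action already matches all of its traffic, so the later rule never fires) and a later rule that is redundant (fully covered by an earlier rule with the same action).

```python
"""Pairwise shadowing/redundancy check for an ordered, first-match ACL.

Added example for the configuration-analytics slides above; this is not
ConfigChecker or any CyberDNA code.  Rule format and sample rules are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "permit" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    proto: str         # "tcp", "udp" or "any"
    dports: tuple      # inclusive destination port range; (0, 65535) = any


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`.
    Both rules are assumed to use the same IP version."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def find_anomalies(rules):
    """Return (kind, earlier_rule, later_rule) tuples for a first-match rule list.

    shadowed:  the later rule can never fire; an earlier rule with the opposite
               action already matches all of its traffic (usually a policy bug).
    redundant: the later rule is fully matched by an earlier rule with the same
               action, so it adds nothing (safe to remove, worth cleaning up).
    Only single-rule coverage is checked; shadowing by the union of several
    earlier rules is out of scope for this example.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, earlier.name, later.name))
                break  # the first covering rule takes all the traffic; stop here
    return findings


# Constructed sample ACL (not from the page).
RULES = [
    Rule("r1", "permit", "10.0.0.0/8",    "192.168.1.10/32", "tcp", (443, 443)),
    Rule("r2", "deny",   "10.1.0.0/16",   "192.168.1.10/32", "tcp", (443, 443)),   # shadowed by r1
    Rule("r3", "deny",   "0.0.0.0/0",     "192.168.1.0/24",  "any", (0, 65535)),
    Rule("r4", "permit", "172.16.0.0/12", "192.168.1.20/32", "tcp", (22, 22)),     # shadowed by r3
    Rule("r5", "deny",   "10.2.0.0/16",   "192.168.1.0/24",  "udp", (53, 53)),     # redundant with r3
]

if __name__ == "__main__":
    for kind, earlier, later in find_anomalies(RULES):
        print(f"{later} is {kind} (covered by {earlier})")
```

Run as-is it reports r2 and r4 as shadowed and r5 as redundant. In a real deployment the interesting case is the shadowed permit (r4): the administrator believes SSH to that host is allowed, but the broad deny placed above it silently wins, which is exactly the rule-order semantic gap the slides describe.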
  9. Golden Technology Services
     © 2012 Golden Technology Services
     GOLDEN TECHNOLOGY SERVICES – Delivering Business Impact with Advanced Technology Solutions
  10. Cyber attacks are increasingly impacting both private sector and U.S. government information networks and systems
     (Chart; only the caption survives extraction.) May 15, 2013. Sources: IBM Corporation, PwC
  11. Proof points: Targeted attacks shake businesses & governments
     (Chart.) Source: IBM Corp., 2011 Year-End X-Force Trend and Risk Report
  12. The Power of Cyber Knowing
     • Every day, cyber thieves run their reconnaissance on networks and servers, and afterward know more about an organization's IT security than the organization does.
     • How can the cyber thieves know more about a business's IT security than it does?
       – They are super intelligent and their IT budget is significantly larger than most.
       – They know there is limited to no risk of them ever being identified or caught.
       – Their goal is simple: either to steal money, intellectual assets or both.
       – Due to advertising, they have developed a work-around to bypass all of the readily available and known IT security products and services – yes, all of them.
       – Lastly, some of the security solutions used are manufactured or developed by some of the nation states.
     • The market needs to add an additional security layer to their network
       – The market needs a service that is innovative in dealing with these very aggressive cyber actors and threats.
       – The market needs a tool that is 100% designed, manufactured and assembled with integrity and trust in the US.
       – The market needs a tool and service that are not advertised. This is important for US national security, financial services companies and others.
  13. Yet most U.S. SMBs can improve their online security practices
     (Chart.) Source: "2012 National Small Business Study," National Cyber Security Alliance, Sept. 2012
  14. What Are You Going To Do?
     1) "Online Cyber Training" – training, risk assessment and policy management tools that prepare employees for the current threat environment.
       • More than 50% of all security incidents originate from successful social engineering efforts.
       • Training, testing and tracking the workforce offers a high return on investment.
       • Training can be completed from anywhere, anytime, including at home.
       • The FTC Safeguards Rule mandates the creation of a Written Information Security Program (WISP).
       • The service contains a comprehensive library of Data Security Policies that can be used as templates for the development of an organization's WISP.
     2) Cyber Detection – automatically detects and terminates threats that evade signatures and blacklists.
       • Can find previously unknown and hidden threats within hours of deployment.
       • Monitors servers, desktops, iOS and Android devices – employees & contractors.
       • Provides an alert so action can be taken immediately.
     3) IP Address Blocking – blocks 3 million vetted and blacklisted IP addresses.
       • Blocks bi-directionally – a web portal for each appliance shows what is being blocked.
       • Newly identified and vetted IP addresses are sent to the customer up to 4 times an hour.
  15. CYBER SECURITY
     • Intrusion detection – focused on protecting against attack vectors based on software or hardware vulnerabilities.
       • Firewall configuration, patch management, anti-virus technologies and intrusion detection log monitoring.
     • Masquerade threat – access through the use of stolen, hijacked or forged logon IDs and passwords.
       • Security gaps in programs, or through bypassing the authentication mechanism.
     • Insider threat – valid credentials or permissions (bad actor)
     © 2013 SECURBORATION, INC. COMPANY PROPRIETARY
  16. INTRUSION DETECTION
     • Traditional protection technologies have matured
     • National Vulnerability Database: vulnerability disclosures across the industry in 1H2011 were down 37.1% from 2H2008 [1]
     • Class of tools
       • e-Sentinel
       • Host Based Security System
     (Chart: Vulnerability Disclosures)
  17. THREAT CLASSES
     MASQUERADE THREAT
       • Recent trends indicate that stealing or forging log-in credentials has become a common methodology for achieving unauthorized access
       • User behavior
         – Identify deviations from expected behavior
         – Access to applications over system access
       • Utilize logs to monitor behavior
       • New class of tools
     INSIDER THREAT
       • Bad actors
       • User behavior (threshold of bad behavior)
         – Identify deviations from expected behavior
         – Access to applications over system access
         – Access to multifunction printers
       • Utilize logs to monitor behavior
       • New class of tools
     (Diagram label: C-SAMS)
  18. CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
     • Cyber Defense
     • Insider / Masquerade Threat Focus: identity theft; exfiltration; credential amplification
     • Whitelist Oriented: when are there observable shifts in agent behavior from "normal" to "abnormal"?
     • Model-driven:
       • Enterprise Architecture
       • Business Process Modeling
       • Business Process Execution Language (BPEL)
       • Web Ontology Language (OWL)
  19. CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
     (Diagram; labels only.) Actual Behaviors; GCCC Merged Log Files (Legacy, Future CSV); End User; Detects Anomalous Behavior by Comparing Expected vs. Actual; Publishes Events That Indicate Behavior Outside the Norm
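Slides 17 to 19 describe the whitelist-oriented approach: learn expected behavior per user from merged log files, compare actual events against it, publish events for behavior outside the norm, and apply a threshold of bad behavior before raising an insider or masquerade alert. The Python below is an added example of that loop; it is not CSAMS code, and the log line format, user names, hosts, applications and the threshold value are all constructed assumptions. The baseline records which applications, hosts and hours of day each user has been seen with; the monitoring pass flags any event outside that profile, plus events from accounts never seen in the baseline.

```python
"""Whitelist-style behavior deviation detection over constructed log lines.

Added example for the masquerade/insider-threat slides above; this is not
CSAMS code.  Log format, users, hosts, applications and threshold are
constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) log line format: "<ISO timestamp>Z user=<u> app=<a> host=<h>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) host=(?P<host>\S+)$")


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "app": m["app"], "host": m["host"]})
    return events


def build_baseline(events):
    """Expected behavior per user: the apps, hosts and hours of day seen so far."""
    base = defaultdict(lambda: {"apps": set(), "hosts": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["apps"].add(e["app"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return dict(base)


def detect(baseline, events, threshold=2):
    """Compare actual events against the whitelist.

    Returns (deviations, flagged): deviations maps user -> list of
    (kind, detail) findings; flagged lists users whose deviation count reached
    `threshold`, i.e. the "threshold of bad behavior" that turns isolated
    oddities into an alert.
    """
    deviations = defaultdict(list)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            # Account with no history at all: never seen in the baseline window.
            deviations[e["user"]].append(("unknown_user", e["ts"].isoformat()))
            continue
        if e["app"] not in b["apps"]:
            deviations[e["user"]].append(("new_app", e["app"]))
        if e["host"] not in b["hosts"]:
            deviations[e["user"]].append(("new_host", e["host"]))
        if e["ts"].hour not in b["hours"]:
            deviations[e["user"]].append(("off_hours", e["ts"].isoformat()))
    flagged = sorted(u for u, d in deviations.items() if len(d) >= threshold)
    return dict(deviations), flagged


# Constructed baseline period (normal activity).
BASELINE_LOG = [
    "2013-04-01T09:02:11Z user=alice app=payroll host=ws-alice",
    "2013-04-01T13:40:05Z user=alice app=hr-portal host=ws-alice",
    "2013-04-02T10:15:33Z user=alice app=payroll host=ws-alice",
    "2013-04-01T08:30:00Z user=bob app=crm host=ws-bob",
    "2013-04-02T16:45:12Z user=bob app=crm host=ws-bob",
]

# Constructed monitoring window.
MONITOR_LOG = [
    "2013-05-06T10:05:00Z user=alice app=payroll host=ws-alice",   # matches profile
    "2013-05-06T02:14:37Z user=alice app=finance-db host=ws-bob",  # new app, new host, off hours
    "2013-05-06T08:31:09Z user=bob app=crm host=ws-bob",           # matches profile
    "2013-05-06T11:00:00Z user=mallory app=crm host=ws-bob",       # account with no baseline
    "not a log line",                                               # skipped by the parser
]

if __name__ == "__main__":
    deviations, flagged = detect(build_baseline(parse(BASELINE_LOG)), parse(MONITOR_LOG))
    for user, findings in deviations.items():
        print(user, findings)
    print("flagged:", flagged)
```

With the constructed input, alice's single 02:14 session produces three deviations (an application, a workstation and an hour of day never seen for her) and crosses the threshold, while mallory's one unknown-account event stays below it and bob produces nothing. A production version would widen the baseline window, weight the deviation kinds, and refresh the profile as legitimate behavior changes, but the shape of the comparison is the one the slides describe.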
  20. About Signalscape
     Signalscape offers security solutions and vulnerability analysis to the DoD, Law Enforcement, and Cyber Communities.
     Our expertise ranges from miniature single-board wireless solutions for one-time mission-critical applications to fully integrated wireless surveillance, tracking, and data transport platforms.
     Specifically, Signalscape specializes in Audio and Video Wireless Data Detection, Collection, and Transport, including:
       • Wireless Sensors (Audio and Video)
       • Mobility Systems (Cellular Data Transport)
       • Software Defined Radio (SDR)
     Visit us at
  21. Challenges Facing DoD, LE, and Cyber Communities
     Two issues facing DoD, Law Enforcement, and Cyber Communities include:
       • Detecting and analyzing audio and video streams embedded in massive amounts of wireless network traffic (both encrypted and unencrypted)
       • Deploying smart, wireless, audio and video sensors
     Signalscape provides Wireless Video Collection and Analytics capabilities both from a defensive and an offensive point of view. Specifically, two key wireless video topics of interest to the IC and Cyber Community:
       • Video Detection and Vulnerability Analysis
       • Video Sensing
  22. Video Detection and Vulnerability Analysis
       • Packet payload inspection (if unencrypted)
       • Detection of encrypted audio and video streams via traffic pattern classification algorithms based on machine learning
       • Network vulnerability analysis
     Video Sensing
       • Smart Sensing – on-board analytics and storage
       • Power Management – avoid transmission until the sensor detects an event of interest
       • Utilize time-shifted transmission
       • Post-collection egress (log in and download data at less than real-time speeds)
  23. Wireless Audio/Video Security Platform (WASP)
     • Wireless (900 MHz, 2.4 GHz, cellular) retrieval of HD video, HD images and audio
     • On-board ARM processor plus DSP to run application software in parallel with video algorithms
     • CDMA/GSM wireless link
     • 2.4 GHz wireless link (higher data rates, third-party product integration)
     • IP gateway infrastructure
     • DVR capability (record, playback on-demand)
     • Camera analytics (face detection, wide dynamic range processing, motion detection)
  24. WASP System Architecture
     (Diagram; labels only.) WASP; RF to IP Video Gateway; Ethernet; LoS IP Radio; Satellite Internet Terminal; INTERNET; Local User; Remote Users
  25. OnWire Capabilities
     Area of Expertise
       • Identity, Access, & Federation Management
       • Federated Trust (SAML/XSLT/Web Services)
       • 2-Factor Authentication
       • PKI / Smart Cards
     Professional Services
       • Systems Engineering
       • Development
       • Integration Services
       • Consulting Services
     Cloud Services
       • Federated SSO
       • Identity and Access Management as a Service
       • Consulting Services
  26. Gartner's Nexus of "Forces"
     • The Gartner Group has coined the phrase Nexus of Forces to refer to four technology areas having a profound effect on IT
     • The forces of the Nexus are intertwined to create a user-driven ecosystem of modern computing.
       • Information is the context for delivering enhanced social and mobile experiences.
       • Mobile devices are a platform for effective social networking and new ways of work.
       • Social links people to their work and each other in new and unexpected ways.
       • Cloud enables delivery of information and functionality to users and systems.
     • User adoption of these technologies means that IT organizations must adapt their security posture to account for these forces.
  27. Security Implications
     Diagram Source: Gartner (June 2012). Callouts Source: OnWire (April 2013)
     (Diagram callouts; layout lost in extraction.)
       • Data Leakage (corporate data migrates to public cloud)
       • Data Leakage (data cached on device)
       • Unpredictable platform type (user chooses platform)
       • Unpredictable app behavior (user owns the app)
       • Blurring of work and private data
       • Privacy Issues
       • Attack Target – honeypot of data (appears twice in the diagram)
       • Access Control Issues
       • Phishing target (large number of unsophisticated users)
  28. IAM Vision & OnWire's Expertise – Key Themes
     • Standardized IAM and Compliance: expand IAM vertically to provide identity & access intelligence to the business; integrate horizontally to enforce user access to data, app, and infrastructure
     • Secure Cloud, Mobile, Social Collaboration: enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation & authentication solutions
     • IAM Governance and Insider Threat: continue to develop Privileged Identity Management (PIM) capabilities and enhanced Identity and Role management
  29. IBM Security Products
     Information
       • InfoSphere Guardium – activity monitor, data encryption, vulnerability assessment
       • Key Lifecycle Manager (managing signing and encryption keys)
     Mobile
       • Endpoint Management (Endpoint Manager for Mobile Devices)
       • IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity Manager)
       • Network Security (Mobile Connect)
     Cloud
       • Application Security (Rational AppScan, Policy Manager)
       • Infrastructure Security (Host Protection, Virtual Server Protection, Network Intrusion Prevention System)
       • IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity Manager)
     Social
       • QRadar Security Intelligence Platform
       • Application Security (Rational AppScan, Policy Manager)
       • IAM (Access Manager, Identity Manager, Federated Identity Manager)
  30. Cyber Security: A New Domain for Intelligence Analysis
     Mark Vasudevan, President, VSi
  31. About VSi
     • VSi, based in Winston-Salem, NC, specializes in web-based intelligence and analytical software applications
     • VSi's MIDaS™ (U.S. Patents Nos. 6,877,006; 7,167,864; 7,720,861; 8,082,268) is a browser-based, ad-hoc, multi-dimensional analytical tool for users and analysts
     • VSi's patents have been licensed to IBM and Oracle
     • VSi's MIDaS™ links distributed, disparate data sources to produce user-defined analytical views
     • VSi's MIDaS™ uses a fine-grained security model that implements multi-level security capability
     • VSi's MIDaS™ delivers its capabilities without writing any code
  32. IDENTIFICATION OF PROBLEM – NOT A NEW PROBLEM; A NEW DOMAIN
     • Analysis – Multi-INT Fusion: HUMINT, COMINT, IMINT, ELINT
     • Perimeter Security, Sensors – Access, Authentication and Authorization
     • Pattern Analysis – Intrusion patterns
     • Inference capability
     • Information dissemination – Reporting
     • Strategic and Tactical/Imminent threat assessment
     • Collaboration – Functional Defeat Models
     • Design of intrusion protection and vulnerability minimization
  33. NEW TECHNOLOGY – MULTI-USE
     • Re-use existing resources to develop new intelligence
     • Analysis tools should be flexible enough to be used for multiple purposes – Intelligence Analysis; Target-Centric Analysis; Threat Assessment
     • Data source agnostic – structured and unstructured data fusion
     • Collaborative "System-of-Systems" model development
     • Analysis should focus on the requirements of the Analyst and Field Operator – flexible; near real-time
     • Comprehensive visualization – geospatial; network-graph; temporal; 3D
     • Multi-level security – information dissemination; reporting