
SentryHQ's Reactive Security

Traditional Host Intrusion detection systems usually bring an attack to an operator's attention, but this asynchronous attack response paradigm may not be sufficient to stop an attack before it can do damage to a system. The solution, Amr Ali and Zach Dexter explain, is reactive security, or shutting down attacks in real-time, via collaborative attack vector closure.


SentryHQ's Reactive Security: The New Host-Based Intrusion Detection Paradigm

Introduction

There are two problems with traditional host intrusion detection systems (HIDS). First, the attack may not be detected, because traditional HIDS may not pick up on sophisticated attacks or attacks that use new vectors. Second, even if an attack is detected, damage may occur before an operator can respond. To solve the first problem, we propose an open-source repository of attack detectors. To solve the second problem, we propose a system to respond to attacks in real-time, including an open-source repository of attack responses.

Traditional host intrusion detection systems can abstractly detect attacks that are either identical to previous attacks or similar to previous attacks. The former can be detected using signature databases, and the latter by machine learning algorithms.

Pattern recognition is an inductive approach to intrusion detection: the HIDS infers that an attack is taking place when an event shares characteristics of a prior attack. But what if we know nothing about an attack? What if an attack uses a new vector? Traditional host intrusion detection systems solve this problem by letting the attack happen and notifying an operator, or by partially severing access to the system while remaining indifferent to the nature of the attack or to the operations of the system itself. A traditional HIDS will then update a rule database or exclude the just-discovered attack vector from a training set of data on what constitutes the normal behavior of a system.

The problem with the traditional HIDS approach is that it seeks to stop poorly-executed or non-coordinated attacks that look like previous attacks or otherwise fail to fool a system. To stop sophisticated or new attacks, we must get the HIDS to deduce that an attack is occurring, even if the HIDS has no knowledge whatsoever of the attack vector, and even if an attack is clever enough to appear to machine-learning algorithms as normal behavior.

A deductive security system would specify a set of invariants. If even one of those invariants changes, a system is said to be compromised. But how can any HIDS specify a set of invariants large enough to provide meaningful coverage of attack vectors? How can a deductive HIDS know how invariants might change across deployments to different machines? And what does it mean to close an attack vector that the deductive HIDS doesn't even know is open?
The answer is collaborative attack vector closure, an easy-to-understand adaptation of open-source software engineering principles. A community of attack detector authors contributes to an open-source repository of invariants.

Let us call an invariant expressed via a programming language a detector. Contributors generalize the invariants so that members of the community may clone any detector, provide parameters relevant to their implementations, and store the customized detectors in a private repository. After testing the customized detectors in the field, community members may commit patches and merge them upstream to the main repository of detectors.

We propose to grow this open-source platform with a good number of invariants for most pieces of software running on today's systems. Attackers will have little opportunity to avoid detection, as the attack vectors that the HIDS doesn't even know about are now closed.

Once an attack is detected, a pre-configured response executes as a countermeasure with the intention to either eliminate the threat or act as a means of damage control.

Threat Detection & Response

There are predominantly two methodologies to address threats: either develop detection methods for the specificities of different threats, or detect anomalies in the behavior of the system and treat them as possible threats.

The approach in which a detection method is developed to identify a particular threat works well if and only if we know intrinsic details of the threat we are trying to address. Since the possibilities of threats and their mutations are theoretically infinite, this approach is ultimately a never-ending cat-and-mouse chase. However, this approach also comes with the advantage of fewer false positives, because through it we know exactly how the threat behaves and how we could respond to it.

On the other hand, we could compile a set of invariants of a system whose behavior we know, so that we abstractly normalize its operations and are able to detect a threat by sensing anomalies in its behavior. This method comes with the disadvantage of being abstract and thus prone to false positives due to a legitimate change of an operation or an unforeseeable logical branch in a well-behaving set of instructions.

There is no one concrete solution to addressing threats, but a combination of variants of these methodologies. Since humans are the cornerstone of the reason security as a philosophy exists, we propose that people engage in catering the different security approaches to their unique needs, by allowing the community a platform which offers the tools necessary to descriptively define their systems' operations and at the same time define anticipated threats and how to respond to them.

SentryHQ is the platform that allows the community to develop detectors for an unbounded number of operating systems and applications, detectors that are synchronously combined with responses that are catered not only to the underlying operating system but also to the applications running on top of it. The locally synchronized combination of a detector and response acts as a first layer of defense against any threat.
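To make the two methodologies and the clone-and-parameterize workflow concrete, the following Python script is an added example; it is not SentryHQ's code, and the public repository, detector names, parameters, host name "web-1" and every host snapshot in it are constructed assumptions. Two detectors are invariants in the deductive sense (a fixed set of listening ports, a fixed digest of a sensitive file); the third is a signature in the inductive sense (a known brute-force pattern in the auth log). Each is cloned from a generic repository entry with site-specific parameters, then evaluated against a healthy snapshot, a compromised one, and a legitimately changed one that shows the false-positive cost the text attributes to the abstract approach.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A "snapshot" is the observed host state a detector is evaluated against.
# Every snapshot here is constructed sample data, not real tool output.
Snapshot = Dict[str, object]

@dataclass
class Finding:
    detector: str
    detail: str

@dataclass
class Detector:
    """An invariant (or signature) expressed in code, plus the parameters a
    community member supplies when cloning it for their own machines."""
    name: str
    check: Callable[[Snapshot, dict], List[str]]  # returns violation details
    params: dict = field(default_factory=dict)

    def clone(self, name: str, **params) -> "Detector":
        # A generic public detector plus deployment-specific parameters:
        # this is what a site would keep in its private repository.
        return Detector(name, self.check, {**self.params, **params})

    def run(self, snap: Snapshot) -> List[Finding]:
        return [Finding(self.name, d) for d in self.check(snap, self.params)]

def listening_ports_invariant(snap, p):
    # Invariant (deductive approach): listening TCP ports never exceed the expected set.
    unexpected = sorted(set(snap["listening_ports"]) - set(p["expected_ports"]))
    return [f"unexpected listening port {port}" for port in unexpected]

def file_digest_invariant(snap, p):
    # Invariant: a sensitive file's SHA-256 equals the digest recorded at deploy time.
    return [f"{path} digest changed" for path, expected in p["digests"].items()
            if hashlib.sha256(snap["files"][path]).hexdigest() != expected]

def auth_log_signature(snap, p):
    # Signature (inductive approach): more than max_failures failed logins from one source.
    pat, counts = re.compile(p["pattern"]), {}
    for line in snap["auth_log"]:
        m = pat.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return [f"{n} failed logins from {src}" for src, n in counts.items() if n > p["max_failures"]]

# Hypothetical public repository: generic detectors without site-specific parameters.
PUBLIC_REPOSITORY = {
    "ports": Detector("ports", listening_ports_invariant),
    "digest": Detector("digest", file_digest_invariant),
    "authsig": Detector("authsig", auth_log_signature,
                        {"pattern": r"Failed password for \S+ from (\S+)"}),
}

BASELINE_SSHD_CONFIG = b"PermitRootLogin no\nPasswordAuthentication no\n"

# Detectors cloned from the repository and parameterized for a host named "web-1".
WEB1_DETECTORS = [
    PUBLIC_REPOSITORY["ports"].clone("web-1/ports", expected_ports={22, 80, 443}),
    PUBLIC_REPOSITORY["digest"].clone("web-1/sshd_config", digests={
        "/etc/ssh/sshd_config": hashlib.sha256(BASELINE_SSHD_CONFIG).hexdigest()}),
    PUBLIC_REPOSITORY["authsig"].clone("web-1/ssh-bruteforce", max_failures=3),
]

def healthy_snapshot() -> Snapshot:
    return {"listening_ports": [22, 80, 443],
            "files": {"/etc/ssh/sshd_config": BASELINE_SSHD_CONFIG},
            "auth_log": ["Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2"]}

def compromised_snapshot() -> Snapshot:
    snap = healthy_snapshot()
    snap["listening_ports"] = [22, 80, 443, 4444]                        # unexplained listener
    snap["files"] = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}   # tampered config
    snap["auth_log"] = list(snap["auth_log"]) + [
        f"Failed password for root from 198.51.100.7 port {p} ssh2" for p in range(40000, 40005)]
    return snap

def legitimate_change_snapshot() -> Snapshot:
    # A planned upgrade adds a second TLS listener: the ports invariant fires although
    # nothing is wrong. That is the false-positive cost of the abstract approach, and
    # re-cloning the detector with an updated expected_ports parameter is the fix.
    snap = healthy_snapshot()
    snap["listening_ports"] = [22, 80, 443, 8443]
    return snap

def evaluate(detectors: List[Detector], snap: Snapshot) -> List[Finding]:
    return [f for d in detectors for f in d.run(snap)]

if __name__ == "__main__":
    for label, snap in [("healthy", healthy_snapshot()), ("compromised", compromised_snapshot()),
                        ("legitimate change", legitimate_change_snapshot())]:
        print(label, [f"{f.detector}: {f.detail}" for f in evaluate(WEB1_DETECTORS, snap)])
```

The compromised snapshot trips all three detectors, while the legitimate change trips only the ports invariant; the signature detector stays silent because it knows exactly what it is looking for, which is the trade-off the two preceding paragraphs describe. The field fix for the false positive is to re-clone the ports detector with the new listener in its expected set, not to weaken the generic detector in the repository.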
Real-Time Attack Mitigation

We believe that the only way to stop an attack is to prepare an automatic, immediate response before the attack happens. Too often, an attack is over, and the attacker has made off with valuable data, before the attack is noticed. Even if a traditional host intrusion detection system notices the attack, often nothing is done until an operator responds. SentryHQ bolsters the operator's capabilities by allowing her to configure immediate attack responses.

Attack detectors pick up on abnormal behavior, either by specifying invariant conditions or by looking for signs of an attack. When a detector picks up on an attack, it does more than simply notify the machine's operator.

The detector fires any number of attack responses on any number of machines. If there is an attack response listening on the compromised machine, the response can shut the attacker out of that machine. If responses on other machines are also listening on the detector, those responses will fire, too. Such flexibility allows the security context to be bound not only to a single machine but to an entire network of machines that can realize an attack and respond to it in unanimity.

Collaborative Attack Vector Closure

Work together to achieve maximum attack vector coverage. Community members tag attack detection and attack response code to place it in the public repository. Any member of the community can clone these items, upgrade them, and publish the code back to the public repository. Users can leave code with modifications specific to their machines unpublished.

Over time, SentryHQ will severely restrict the number of vectors still open to attackers. For each detector made available to the community, an attack vector is closed. And each response available in the public repository gives community members more power to stop attacks before they result in damage.

Why SentryHQ?

No one likes, nor has the time, to dive into an endless amount of configuration files and foreign syntaxes to be able to run a HIDS that only reports back a compromise. Beyond initial configuration of your account, SentryHQ components are entirely configurable through our intuitive hosted web interface.

In cyberspace the first "O" of Boyd's OODA (Observe, Orient, Decide, Act) loop is always impaired; with SentryHQ we've managed to enable your entire network to observe an elaborate attack and respond to it on many levels and in dynamic configurations, through the detectors and responses deployed on any number of machines you have.
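The "Real-Time Attack Mitigation" section above describes a detector firing responses on the compromised machine and on any other machine whose responses listen on that detector. The Python below is an added example of that listening relationship; it is not SentryHQ's code, and the host names, the two response actions (block a source address, terminate its sessions), the in-memory "network" and the alert are all constructed assumptions. The alert is built as if a brute-force detector on web-1 had just fired, so the example concentrates on dispatch rather than on detection.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Alert:
    detector: str   # name of the detector that fired
    host: str       # machine it fired on
    source: str     # address the detector attributes the activity to

@dataclass
class Host:
    """A machine with a simulated firewall block list and session table."""
    name: str
    blocked: set = field(default_factory=set)
    sessions: Dict[str, str] = field(default_factory=dict)   # session id -> source address
    log: List[str] = field(default_factory=list)

# A response takes the alert and the host it runs on and returns a record of its action.
Response = Callable[[Alert, Host], str]

def block_source(alert: Alert, host: Host) -> str:
    # Damage control: deny further traffic from the source on this host.
    host.blocked.add(alert.source)
    return f"{host.name}: blocked {alert.source}"

def terminate_sessions(alert: Alert, host: Host) -> str:
    # Eliminate the threat locally: drop every live session that came from the source.
    doomed = [sid for sid, src in host.sessions.items() if src == alert.source]
    for sid in doomed:
        del host.sessions[sid]
    return f"{host.name}: terminated {len(doomed)} session(s) from {alert.source}"

class Network:
    """Responses on any machine may listen on any detector, so one alert fires
    responses across the whole network, not just on the compromised host."""

    def __init__(self, hosts: List[Host]):
        self.hosts = {h.name: h for h in hosts}
        self.listeners: Dict[str, List[Tuple[str, Response]]] = {}

    def listen(self, detector: str, host: str, response: Response) -> None:
        self.listeners.setdefault(detector, []).append((host, response))

    def fire(self, alert: Alert) -> List[str]:
        # Run every response subscribed to this detector, in subscription order,
        # and return what each one did; an alert nobody listens on does nothing.
        actions = []
        for host_name, response in self.listeners.get(alert.detector, []):
            host = self.hosts[host_name]
            record = response(alert, host)
            host.log.append(record)
            actions.append(record)
        return actions

def build_network() -> Network:
    # Constructed network: web-1 has a live session from the attacker and one from an admin.
    net = Network([Host("web-1", sessions={"s1": "198.51.100.7", "s2": "10.0.0.5"}),
                   Host("web-2"), Host("db-1")])
    # Responses on the compromised machine shut the attacker out of it...
    net.listen("ssh-bruteforce", "web-1", terminate_sessions)
    net.listen("ssh-bruteforce", "web-1", block_source)
    # ...and responses on the other machines listen on the same detector.
    net.listen("ssh-bruteforce", "web-2", block_source)
    net.listen("ssh-bruteforce", "db-1", block_source)
    return net

def run_scenario() -> Tuple[Network, List[str]]:
    net = build_network()
    # The alert is constructed as if a brute-force detector on web-1 had just fired.
    alert = Alert("ssh-bruteforce", "web-1", "198.51.100.7")
    return net, net.fire(alert)

if __name__ == "__main__":
    net, actions = run_scenario()
    for a in actions:
        print(a)
```

After the alert fires, the attacker's session on web-1 is gone while the admin's session survives, and the source is blocked on all three machines even though only web-1 observed anything. Subscription order matters: terminating sessions before blocking on the same host means an existing connection is dropped rather than merely prevented from reconnecting, which is why build_network registers the responses on web-1 in that order.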
SentryHQ utilizes a custom implementation of the SSHv2 protocol for all of its communication, be it internal or external. We've taken great care to account for the worst situations a system can be in, including ours.

With SentryHQ you can benefit from and participate in an ever-growing community that constantly supplies the public repository with new detectors and responses that address threats targeting most applications and their underlying operating systems.
