The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
Stolen passwords, compromised medical records, taking the internet out through video cameras: cybersecurity breaches are in the news every day. Despite all this, the practice of cybersecurity today is generally reactive rather than proactive. That is, rather than improving their defenses in advance, organizations react to attacks once they have occurred by patching the individual vulnerabilities that led to those attacks. Researchers engineer solutions to the latest form of attack. What we need, instead, are scientifically founded design principles for building in security mechanisms from the beginning, giving protection against broad classes of attacks. Through scientific measurement, we can improve our ability to make decisions that are evidence-based, proactive, and long-sighted. Recognizing these needs, the US National Security Agency (NSA) devised a new framework for collaborative research, the “Lablet” structure, with the intent to more aggressively advance the science of cybersecurity. A key motivation was to catalyze a shift in relevant areas towards a more organized and cohesive scientific community. The NSA named Carnegie Mellon University, North Carolina State University, and the University of Illinois at Urbana-Champaign its initial Lablets in 2011, and added the University of Maryland in 2014.
This talk reflects on the structure of the collaborative research efforts of the Lablets, lessons learned in bringing more scientific concepts to cybersecurity, research results in solving five hard security problems, and the methods being used to measure the scientific progress of the Lablet research.

Published in: Software
1. The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity. Laurie Williams, North Carolina State University. #metoosecurity
2. “Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy… We cannot tolerate that the vital interests of democracy are thus endangered.” - Macron campaign statement
3. Attackers Unceasing. Cybersecurity is all of our responsibility. #metoosecurity
4. A game of cat and mouse …
5. Why the Science of Security? — “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day, 2013)
6. 2011 Release
7. 2014 Re-release
8. The three missions of the Science of Security Lablets — Build a science of security community — Advance research methods in the context of cybersecurity to build a sound science of security — “Solve” hard security problems through the application of scientific research
9. Through diversity of opinion, creativity and unity is born.
10. Focus areas
11. Through collaboration and unity, we can accelerate change on a larger scale.
12. Competition-free zone
13. Science of Security Lablets. Legend: Lablet (4), National Security Agency. Map: NCSU, UIUC, CMU, UMD, NSA
14. Science of Security Lablets & Sub-Lablets. Legend: Lablet (4), Sub-Lablet (26), National Security Agency. Map: UNL, CU, DC, PENN, PITT, NAVY, UVA, GWU, RICE, UTSA, UTA, UA, UNCC, NCSU, VT, USC, UC, UC BERKELEY, ICSI, UIUC, IU, IIT, PU, WSU, CMU, GMU, UNC, UMD, RIT, NSA, NEWCASTLE (UK)
15. Science of Security Lablets, Sub-Lablets, and Collaborators. Legend: Lablet (4), Sub-Lablet (26), Collaborator (64), SURE (4), National Security Agency. Map: NDSU, UNL, CU, RSA, CCT, DC, BC, SC, MITLL, POTSDAM, MIT, SIEMENS, RUTGERS, AT&T, PENN, ARL, PSU, PITT, NAVY, UVA, GWU, HPHC, NLM-NIH, NU, UMICH, VERISIGN, RPI, UALBANY, UCF, RICE, UTSA, UTA, TX A&M, UA, AUBURN, GT, UNCC, NCSU, VU, VT, UNM, AFRL, USC, UC, LLNL, HP, SU, FUJITSU, GOOGLE, UC BERKELEY, ICSI, SYMANTEC, L&C, UW, INL, UIUC, IU, IIT, UW-MADISON, NWU, PU, WSU, CMU, GMU, UNC, UMD, UH MANOA, PC, RIT, NSA, NEWCASTLE (UK)
16. Science of Security International Sub-Lablets and Collaborators. Legend: Sub-Lablet (26), Collaborator (64). Map: UOFW, UVIC, IMDEA, NOVA, UP, UPV, EPFL, USI, UWAR, LEEDS, LU, KENT, OXFORD, NEWCASTLE (UK), UDS, JWGU, MPI-SWS, UiO, KTH, IUT, THU, BUAA, SMU, UNIMELB, ANU, VUW, ULISBOA
17. The three missions of the Science of Security Lablets — Build a science of security community — Advance research methods in the context of cybersecurity to build a sound science of security — “Solve” hard security problems through the application of scientific research
18. Those “pesky” and ever-present tough questions. Where’s the beef . . . science?
19. Tough questions lead to great(er) insight. “The quality of your answers is in direct proportion to the quality of your questions.” - Albert Einstein
20. It’s so easy to fall back to “engineering-ish” research.
21. Principles, Theories, Laws, Hypotheses … Science
22. May be just a “subtle change”
23. Stand on the shoulders of giants. Software Engineering
24. Types of Validation
    Type of result           Accepted (ICSE 2002)   Accepted (ICSE 2016)
    Analysis                 …                      …
    Evaluation               …                      …
    Experience               8 (19%)                4 (4%)
    Example                  16 (37%)               1 (1%)
    Persuasion               0 (0%)                 1 (1%)
    Underspecified           …                      …
    No validation mentioned  6 (14%)                0 (0%)
28. Science of Security Copycats — Guidelines — Seminars — Research plan reviews — Workshops — Conference (Hot SoS)
29. The Rising Tide: Leading by Example
30. Cybersecurity is all of our responsibility. #metoosecurity
    1. Introduce yourself to someone you don’t know.
    2. Provide one way that you can bring security into your research and/or teaching.
    Two minutes …. GO!
31. The three missions of the Science of Security Lablets — Build a science of security community — Advance research methods in the context of cybersecurity to build a sound science of security — “Solve” hard security problems through the application of scientific research
32. Through focus, progress is made. 1. Thing 1; 2. Thing 2; 3. Thing 3; 4. Thing 4; 5. Thing 5; 6. Thing 6; 7. Thing 7; 8. Thing 8. Do This! DON’T DO THIS! You wouldn’t do it anyway.
33. Science of Security Focus
    1. Scalability and composability
    2. Policy-governed secure collaboration
    3. Encryption algorithms
    4. Predictive security metrics
    5. Intrusion detection
    6. Resilient architectures
    7. Human behavior
    Do This! DON’T DO THIS!
34. Hard Problem 1: Scalability and Composability. Challenge — Develop methods to enable the construction of secure systems with known security properties.
35. Component and Configuration Change
36. Hard Problem 2: Policy-Governed Secure Collaboration. Challenge — Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.
37. Implied security and privacy requirements: Templates, Repository, Supervised Machine Learning
38. Hard Problem 3: Predictive Security Metrics. Challenge — Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
39. Leveraging stack traces from crash dumps
40. Risk-based attack surface approximation
    Windows: 48% of all binaries crash, 95% of vulnerable binaries crash.
    Firefox: 16% of all files crash, 74% of vulnerable files crash.
    Fedora: 8% of all packages crash, 60% of vulnerable packages crash.
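As an added illustration of the crash-based attack-surface approximation on slides 39 and 40 (example code written for this page, not code from the talk or the Lablet research), the script below extracts the source files named in a few constructed crash-dump stack traces and computes the two shares the slide reports: the fraction of all files that appear in a crash, and the fraction of known-vulnerable files that do. The frame format, the file inventory and the vulnerability list are assumptions.

```python
"""Crash-dump stack traces as an attack-surface approximation (added example).

Files that appear in crash stack traces are a small part of a code base, yet most
files with known vulnerabilities are among them. All data below is constructed.
"""
import re
from collections import Counter

# Constructed crash dumps, one frame per line: "#<n> <function> at <file>:<line>"
# (assumed format, not the output of any particular debugger).
CRASH_DUMPS = [
    "#0 parse_header at net/http_parser.c:211\n"
    "#1 handle_request at net/server.c:88\n"
    "#2 main at app/main.c:40",
    "#0 decode_chunk at net/http_parser.c:340\n"
    "#1 handle_request at net/server.c:91\n"
    "#2 main at app/main.c:40",
    "#0 png_read_row at img/png.c:512\n"
    "#1 load_image at img/loader.c:77\n"
    "#2 render at ui/view.c:130\n"
    "#3 main at app/main.c:42",
]

# Constructed inventory of all source files and of those with a known, fixed vulnerability.
ALL_FILES = {
    "net/http_parser.c", "net/server.c", "app/main.c", "img/png.c",
    "img/loader.c", "ui/view.c", "db/store.c", "db/query.c",
    "util/log.c", "util/str.c", "cfg/parse.c", "cfg/env.c",
}
VULNERABLE_FILES = {"net/http_parser.c", "img/png.c", "util/str.c"}

FRAME_RE = re.compile(r"^#\d+\s+\S+\s+at\s+(?P<file>[^:\s]+):\d+$")


def files_in_trace(trace: str) -> set:
    """Distinct source files referenced by one trace; frames without file info are skipped."""
    files = set()
    for line in trace.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            files.add(m.group("file"))
    return files


def crash_frequency(dumps) -> Counter:
    """Per file, the number of distinct crashes whose trace contains it."""
    counts = Counter()
    for trace in dumps:
        counts.update(files_in_trace(trace))
    return counts


def attack_surface_metrics(dumps, all_files, vulnerable) -> dict:
    """The two shares from the slide plus a crash-frequency ranking for review triage."""
    freq = crash_frequency(dumps)
    crashed = set(freq) & all_files
    return {
        "crashed_share": len(crashed) / len(all_files),
        "vulnerable_crashed_share": len(crashed & vulnerable) / len(vulnerable),
        # Most-crashing files first; ties broken by name so the order is stable.
        "ranked": sorted(crashed, key=lambda f: (-freq[f], f)),
    }
```

With the constructed data, half of all files appear in a crash while two of the three vulnerable files do, which is the asymmetry the slide's Windows, Firefox and Fedora numbers show at scale.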
41. Hard Problem 4: Resilient Architectures. Challenge — Develop means to design and analyze system architectures that deliver required service in the face of compromised components.
42. Synthesizing Network Security Configurations (Resiliency Configurations Synthesis)
    Inputs:
    — Resiliency Requirements
    — Topology, i.e., links, hosts connectivity
    — Mission, e.g., connectivity requirements
    — Business Constraints, e.g., budget, usability constraint
    — Host Info, i.e., service/software requirements
    Models: Diversity Model, Isolation Model, Impact Model, Attack Graph Model
    Outputs:
    — Resiliency Configurations: isolation patterns, security device placements, OS/Service/Software to be installed
    — Design Specifications: resiliency metrics, usability, deployment/cost
43. Hard Problem 5: Human Behavior. Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties.
44. Phishing: Personality & Persuasion
45. LinkedIn Passwords
46. As Seen at NC State
47. Protect users from themselves … easily!
48. My Intentions: Security, Collaborative Research, Science, Life. #metoosecurity
49. Making the world a better place
50. Making the world a better place
51. Making the world a better place … by making ALL software more secure
52. #metoosecurity — When deploying rapidly, we need processes to make sure we are not pushing out vulnerabilities