The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity

Stolen passwords, compromised medical records, taking the internet out through video cameras: cybersecurity breaches are in the news every day. Despite all this, the practice of cybersecurity today is generally reactive rather than proactive. That is, rather than improving their defenses in advance, organizations react to attacks once they have occurred by patching the individual vulnerabilities that led to those attacks. Researchers engineer solutions to the latest form of attack. What we need, instead, are scientifically founded design principles for building in security mechanisms from the beginning, giving protection against broad classes of attacks. Through scientific measurement, we can improve our ability to make decisions that are evidence-based, proactive, and long-sighted. Recognizing these needs, the US National Security Agency (NSA) devised a new framework for collaborative research, the “Lablet” structure, with the intent to more aggressively advance the science of cybersecurity. A key motivation was to catalyze a shift in relevant areas towards a more organized and cohesive scientific community. The NSA named Carnegie Mellon University, North Carolina State University, and the University of Illinois at Urbana-Champaign its initial Lablets in 2011, and added the University of Maryland in 2014.
This talk will reflect on the structure of the collaborative research efforts of the Lablets, lessons learned in the transition to more scientific concepts in cybersecurity, research results in solving five hard security problems, and methods that are being used to measure the scientific progress of the Lablet research.

  1. 1. The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity Laurie Williams North Carolina State University #metoosecurity
  2. 2. Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy… We cannot tolerate that the vital interests of democracy are thus endangered. - Macron campaign statement
  3. 3. Attackers Unceasing. Cybersecurity is all of our responsibility. #metoosecurity
  4. 4. A game of cat and mouse …
  5. 5. Why the Science of Security? — “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day, 2013)
  6. 6. 2011 Release
  7. 7. 2014 Re-release
  8. 8. The three missions of the Science of Security Lablets — Build a science of security community — Advance research methods in the context of cybersecurity to build a sound science of security — “Solve” hard security problems through the application of scientific research
  9. 9. Through diversity of opinion, creativity and unity is born.
  10. 10. Focus areas
  11. 11. Through collaboration and unity, we can accelerate change on a larger scale.
  12. 12. Competition-free zone
  13. 13. Science of Security Lablets (map). Legend: National Security Agency; Lablet (4). Labels: NSA, NCSU, UIUC, CMU, UMD
  14. 14. Science of Security Lablets & Sub-Lablets (map). Legend: National Security Agency; Lablet (4); Sub-Lablet (26). Labels: UNL, CU, DC, PENN, PITT, NAVY, UVA, GWU, RICE, UTSA, UTA, UA, UNCC, NCSU, VT, USC, UC, UCBERKELEY, ICSI, UIUC, IU, IIT, PU, WSU, CMU, GMU, UNC, UMD, RIT, NSA, NEWCASTLE (UK)
  15. 15. Science of Security Lablets, Sub-Lablets, and Collaborators (map). Legend: National Security Agency; Lablet (4); Sub-Lablet (26); Collaborator (64); SURE (4). Labels: NDSU, UNL, CU, RSA, CCT, DC, BC, SC, MITLL, POTSDAM, MIT, SIEMENS, RUTGERS, AT&T, PENN, ARL, PSU, PITT, NAVY, UVA, GWU, HPHC, NLM-NIH, NU, UMICH, VERISIGN, RPI, UALBANY, UCF, RICE, UTSA, UTA, TX A&M, UA, AUBURN, GT, UNCC, NCSU, VU, VT, UNM, AFRL, USC, UC, LLNL, HP, SU, FUJITSU, GOOGLE, UCBERKELEY, ICSI, SYMANTEC, L&C, UW, INL, UIUC, IU, IIT, UW-MADISON, NWU, PU, WSU, CMU, GMU, UNC, UMD, UH MANOA, PC, RIT, NSA, NEWCASTLE (UK)
  16. 16. Science of Security International Sub-Lablets and Collaborators (map). Legend: Sub-Lablet (26); Collaborator (64). Labels: UOFW, UVIC, IMDEA, NOVA, UP, UPV, EPFL, USI, UWAR, LEEDS, LU, KENT, OXFORD, NEWCASTLE (UK), UDS, JWGU, MPI-SWS, UiO, KTH, IUT, THU, BUAA, SMU, UNIMELB, ANU, VUW, ULISBOA
  17. 17. The three missions of the Science of Security Lablets — Build a science of security community — Advance research methods in the context of cybersecurity to build a sound science of security — “Solve” hard security problems through the application of scientific research
  18. 18. Those “pesky” and ever-present tough questions. Where’s the beef . . . . science?
  19. 19. Tough questions lead to great(er) insight. “The quality of your answers is in direct proportion to the quality of your questions.” --Albert Einstein
  20. 20. It’s so easy to fall back to “engineering-ish” research.
  21. 21. Principles, Theories, Laws, Hypotheses … Science
  22. 22. May be just a “subtle change”
  23. 23. Stand on the shoulders of giants. Software Engineering
  24. 24. Types of Validation

      | Type of result | Accepted (ICSE 2002) | Accepted (ICSE 2016) |
      |---|---|---|
      | Analysis | … | … |
      | Evaluation | … | … |
      | Experience | 8 (19%) | 4 (4%) |
      | Example | 16 (37%) | 1 (1%) |
      | Persuasion | 0 (0%) | 1 (1%) |
      | Underspecified | … | … |
      | No validation mentioned | 6 (14%) | 0 (0%) |
  28. 28. Science of Security Copycats — Guidelines — Seminars — Research plan reviews — Workshops — Conference (Hot SoS)
  29. 29. The Rising Tide: Leading by Example
  30. 30. Cybersecurity is all of our responsibility. #metoosecurity 1. Introduce yourself to someone you don’t know. 2. Provide one way that you can bring security into your research and/or teaching. Two minutes …. GO!
  31. 31. The three missions of the Science of Security Lablets — Build a science of security community — Advance research methods in the context of cybersecurity to build a sound science of security — “Solve” hard security problems through the application of scientific research
  32. 32. Through focus, progress is made. 1. Thing 1 2. Thing 2 3. Thing 3 4. Thing 4 5. Thing 5 6. Thing 6 7. Thing 7 8. Thing 8 Do This! DON’T DO THIS! You wouldn’t do it anyway.
  33. 33. Science of Security Focus 1. Scalability and composability 2. Policy-governed secure collaboration 3. Encryption algorithms 4. Predictive security metrics 5. Intrusion Detection 6. Resilient architectures 7. Human behavior Do This! DON’T DO THIS!
  34. 34. Hard Problem 1: Scalability and Composability Challenge — Develop methods to enable the construction of secure systems with known security properties.
  35. 35. Component and Configuration Change
  36. 36. Hard Problem 2: Policy-Governed Secure Collaboration Challenge — Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains
  37. 37. Implied security and privacy requirements Templates Repository Supervised Machine Learning
  38. 38. Hard Problem 3: Predictive Security Metrics Challenge — Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
  39. 39. Leveraging stack traces from crash dumps
  40. 40. Risk-based attack surface approximation Windows: 48% of all binaries crash, 95% of vulnerable binaries crash. Firefox: 16% of all files crash, 74% of vulnerable files crash. Fedora: 8% of all packages crash, 60% of vulnerable packages crash.
  41. 41. Hard Problem 4: Resilient Architectures Challenge — Develop means to design and analyze system architectures that deliver required service in the face of compromised components
  42. 42. Synthesizing Network Security Configurations (diagram). Labels: Resiliency Configurations Synthesis; Resiliency Requirements; Topology (i.e., links, hosts connectivity); Mission (e.g., connectivity requirements); Business Constraints (e.g., budget, usability constraint); Host Info (i.e., service/software requirements); Diversity Model; Isolation Model; Impact Model; Attack Graph Model; Design Specifications (resiliency metrics, usability, deployment/cost); Resiliency Configurations (isolation patterns, security device placements, OS/service/software to be installed)
  43. 43. Hard Problem 5: Human Behavior Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties
  44. 44. Phishing: Personality & Persuasion
  45. 45. LinkedIn Passwords
  46. 46. As Seen at NC State
  47. 47. Protect users from themselves … easily!
  48. 48. My Intentions Security Collaborative Research Science Life #metoosecurity
  49. 49. Making the world a better place
  51. 51. Making the world a better place … by making ALL software more secure
  52. 52. #metoosecurity — When deploying rapidly, we need processes to make sure we are not pushing out vulnerabilities