North Carolina Federal Advanced Technologies Symposium
May 9, 2013
Cyber Security Panel
Hosted by:
Office of Senator Richard Burr
NC Military Business Center
NC Military Foundation
Institute for Defense & Business
University of North Carolina System
Reception Sponsor:
Bronze Sponsor:
Science of Security Configuration Analytics – Know your network!
Professor Ehab Al-Shaer,
Director of Cyber Defense Network Assurability Center
University of North Carolina Charlotte
ealshaer@uncc.edu
www.cyberdna.uncc.edu
About CyberDNA Research
• Vision: Making Cybersecurity measurable, provable and usable
• Research Team:
– Multi-disciplinary team of 11 faculty members and 35 PhD students
– Areas: security, networking, data mining, economics, power and control, behavior science/HCI.
• Active Funding: > 8.2M from NSF, NSA, ARO, AFRL, DHS, Bank of America, BB&T,
DTCC, Duke Energy, Cisco, Intel
• Prof. Al-Shaer was featured as Subject Matter Expert (SME) in Security
Configuration Analytics and Automation [DoD Information Assurance Newsletter,
2011].
• NSF Industry/University Collaborative Research Center on (Security) Configuration
Analytics and Automation (CCAA), led by UNC Charlotte and George Mason Univ
– Members include NSA, NIST, Bank of America, BB&T, DTCC, MITRE, Northrop Grumman
• Tools and Technology transfer projects for Cisco, Intel, Duke Energy, ..
• Long and solid research track record in many areas, particularly
– Security configuration analytics (verification and synthesis) for enterprise,
cloud and smart grid
– Security metrics and risk estimation
– Agility and resiliency for cyber, cloud and cyber-physical systems
Why is Cybersecurity Hard?
• Attack Detection (alone) Cannot Deliver
– Learning-based = Knowing the attack OR Knowing the Deviation
Threshold → Easily Evadable
– Insufficient for attack avoidance
• Cybersecurity = Attack Prediction
• Attack Prediction is a Hard Problem
– Learning-driven vs. Prediction-driven
• Feature selection vs. information integration & analytics
– Scalable and accurate models of both system behavior and
adversary strategies.
– System complexity and adversary sophistication are
growing.
The Need for Security Configuration
Analytics
• December 2008 report from Center for Strategic and International Studies
"Securing Cyberspace for the 44th Presidency" states that "inappropriate
or incorrect security configurations were responsible for 80% of Air Force
vulnerabilities"
• May 2008 report from Juniper Networks "What is Behind Network
Downtime?" states that "human factors [are] responsible for 50 to 80
percent of network device outages".
• BT/Gartner[3] has estimated that 65% of cyber-attacks exploit systems
with vulnerabilities introduced by configuration errors. The Yankee
Group[4] has noted that configuration errors cause 62% of network
downtime.
• A 2009 report[5] by BT and Huawei discusses how service outages caused
by “the human factor” account for more than 30% of network
outages, “a major concern for carriers and causes big revenue-loss.”
Ehab Al-Shaer, Science of Security Configuration
Complexity of Configuration Analytics
• Scale – thousands of devices and millions of rules.
• Distributed, yet inter-dependent devices and rules.
• Policy semantic gap -- device roles (e.g., rule-order semantics vs.
recursive ACL, single-trigger vs. multi-trigger policies)
• Multi-level and multi-layer network configuration
– Overlay networks, groups/domains in cloud (e.g., EC2/VPC, security
groups)
– Network access control, OS, application level, etc.
• Dynamic changes in networks and threats
• Security design trade-offs: risk vs. mission, usability, cost, and
performance
[Source: Security Analytics and Automation, DoD IA Newsletter, Oct 2011]
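As an added illustration of the rule-order semantics gap listed above (example code written for this page, not ConfigChecker or any CyberDNA tool): a pairwise check of a first-match ACL that flags rules shadowed or made redundant by earlier rules, and a packet evaluator that shows why a shadowed deny never takes effect. The rule set, networks and ports are constructed.

```python
"""Rule-order analysis of a first-match ACL (added example; not ConfigChecker code).
The rule set, networks and ports below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp", "udp" or "any"
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    dport: tuple               # inclusive (low, high) destination port range
    action: str                # "permit" or "deny"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`,
    i.e. outer's match condition is a superset in every field."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1])


def analyze(rules):
    """Pairwise rule-order anomalies under first-match semantics.
    A later rule fully covered by an earlier rule can never fire:
      - different action -> 'shadowed'  (the intent of the later rule is lost)
      - same action      -> 'redundant' (harmless, but clutters the policy)
    Partial overlaps (correlation) need set arithmetic and are not reported here."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that actually decides
    return findings


def first_match(rules, proto, src_ip, dst_ip, dport):
    """Evaluate one packet the way a first-match device would; returns
    (rule name, action), or (None, 'deny') for the implicit default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if ((r.proto == "any" or r.proto == proto) and s in _net(r.src)
                and d in _net(r.dst) and r.dport[0] <= dport <= r.dport[1]):
            return r.name, r.action
    return None, "deny"


# Constructed policy: rule 2 was meant to block one DMZ subnet from the database,
# but rule 1 already permits all DMZ-to-internal TCP, so rule 2 is shadowed.
RULES = [
    Rule("permit-dmz-any", "tcp", "10.1.0.0/16", "10.2.0.0/16", (1, 65535), "permit"),
    Rule("deny-db-from-host", "tcp", "10.1.5.0/24", "10.2.9.10/32", (1433, 1433), "deny"),
    Rule("permit-dns", "udp", "0.0.0.0/0", "10.2.0.53/32", (53, 53), "permit"),
    Rule("permit-dns-dmz", "udp", "10.1.0.0/16", "10.2.0.53/32", (53, 53), "permit"),
    Rule("default-deny", "any", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny"),
]


if __name__ == "__main__":
    for name, kind, by in analyze(RULES):
        print(f"{name}: {kind} by {by}")
    # The packet the administrator expected rule 2 to drop is permitted by rule 1:
    print(first_match(RULES, "tcp", "10.1.5.7", "10.2.9.10", 1433))
```

The same pairwise check applies to any first-match list (router ACLs, host firewalls, cloud security-group-style rules once flattened to tuples); fully general analysis of partially overlapping rules needs the set-based verification the slides refer to.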
NSF Center on Security Analytics & Automation – The Big Picture
[Diagram: inputs – Defensive Actions, Logs and Sensor Data, Security Requirements & Policies, Enterprise Policies & Configuration (today predominately manual management practices); center – Analytics & Automation integration system; outcomes – Measurable Security: Automated Defense, Resiliency, Cost-Effective Hardening.]
ConfigChecker: Security Analytics Magic Box [ICNP09]
[Diagram: ConfigChecker outputs – Policy Violation, Threat Prediction, Risk Estimation, Risk Mitigation, Attack Diagnosis, Agility Actions, Resiliency measure.]
Golden Technology Services
Delivering Business Impact with Advanced Technology Solutions
© 2012 Golden Technology Services
Cyber attacks are increasingly impacting both private sector and U.S.
government information networks and systems
May 15, 2013
Sources: IBM Corporation, PwC
Proof points: Targeted attacks shake businesses & governments
Source: IBM Corp., 2011 Year-End X-Force Trend and Risk Report.
The Power of Cyber Knowing
• Every day, cyber thieves run their reconnaissance on networks and servers, and afterward
know more about an organization’s IT security than the organization itself does.
• How Can The Cyber Thieves Know More About a Business IT Security Than They Do?
– They are super intelligent and their IT budget is significantly larger than most.
– They know there is limited to no risk of them ever being identified or caught.
– Their goal is simple - either to steal money, intellectual assets or both.
– Due to advertising, they have developed a work-around to bypass all of the readily
available and known IT security products and services - yes, all of them.
– Lastly, some of the security solutions used are manufactured or developed by some of
the nation states.
• The Market Needs To Add an Additional Security Layer to Their Network
– The market needs a service that is innovative in dealing with these very aggressive
cyber actors and threats.
– The market needs a tool that is 100% designed, manufactured and assembled with
integrity and trust in the US.
– The market needs a tool and service that are not advertised. This is important for US
national security, and financial services companies and others.
Yet most U.S. SMBs can improve their online security practices
Source: “2012 National Small Business Study,” National Cyber Security Alliance, Sept. 2012
What Are You Going To Do?
1) “Online Cyber Training” - training, risk assessment and policy management tools
that prepare employees for the current threat environment.
• More than 50% of all security incidents originate from successful social engineering
efforts.
• Training, testing and tracking the workforce offers a high return on investment.
• Training can be completed from anywhere, anytime, including at home.
• The FTC Safeguards Rule mandates the creation of a Written Information Security
Program (WISP).
• Service contains a comprehensive library of Data Security Policies that can be used
as templates for the development of an organization’s WISP.
2) Cyber Detection - automatically detects and terminates threats that evade
signatures and blacklists.
• Can find previously unknown and hidden threats within hours of deployment.
• Monitors servers, desktops, iOS and Android devices – employees & contractors
• Provides an alert so action can be taken immediately.
3) IP Address Blocking - blocks 3 million vetted and blacklisted IP addresses
• Blocks bi-directionally – Web Portal for each appliance to see what is being blocked
• Newly identified and vetted IP addresses are sent up to 4 times an hour to the customer
CYBER SECURITY
• Intrusion detection - focused on protecting against attack vectors
based on software or hardware vulnerabilities.
• Firewall configuration, patch management, anti-virus
technologies and intrusion detection log monitoring.
• Masquerade Threat - access through the use of stolen, hijacked or
forged logon IDs and passwords.
• Security gaps in programs, or through bypassing the
authentication mechanism.
• Insider Threat – valid credentials or permissions (bad actor)
© 2013 SECURBORATION, INC. COMPANY PROPRIETARY
INTRUSION DETECTION
• Traditional protection technologies have matured
• National Vulnerability Database (http://nvd.nist.gov) vulnerability disclosures
across the industry in 1H2011 were down 37.1% from 2H2008[1]
• Class of tools
• e-Sentinel
• Host Based Security System
[Chart: Vulnerability Disclosures]
THREAT CLASSES
MASQUERADE THREAT
• Recent trends indicate that stealing or forging log-in credentials has
become a common methodology for achieving unauthorized access
• User Behavior
– Identify deviations from expected behavior
– Access to applications over system access
– Utilize logs to monitor behavior
• New class of tools
INSIDER THREAT
• Bad Actors
• User Behavior (threshold of bad behavior)
– Identify deviations from expected behavior
– Access to applications over system access
– Access to Multifunction-Printers
– Utilize logs to monitor behavior
• New class of tools
C-SAMS
CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
• Cyber Defense
• Insider / Masquerade Threat Focus: Identity theft; Exfiltration; Credential
amplification
• Whitelist Oriented: When are there observable shifts in agent behavior
from “normal” to “abnormal”?
• Model-driven:
– Enterprise Architecture
– Business Process Modeling
– Business Process Execution Language (BPEL)
– Web Ontology Language (OWL)
CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
[Diagram: CSAMS data flow – GCCC merged log files (legacy and future CSV sources) supply Actual Behaviors; CSAMS detects anomalous behavior by comparing expected vs. actual and publishes events that indicate behavior outside the norm to the End User.]
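An added example of the whitelist-oriented, log-driven comparison of expected vs. actual account behavior that the CSAMS slides and the masquerade/insider threat slides describe (written for this page; it is not CSAMS code, and the log format, field names, hosts and accounts are constructed). A baseline window defines each account's normal applications, hosts and working hours; later events that fall outside that whitelist are reported with the reason.

```python
"""Whitelist-oriented account behavior check over access logs (added example;
not CSAMS code). Log format, field names, hosts and accounts are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"app=(?P<app>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """One dict per well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(ev)
    return events


def build_baseline(events):
    """Expected behavior per account from the baseline window: the applications
    and hosts used and the hours of day seen, counting successful accesses only
    so that a failed attempt cannot whitelist itself."""
    base = defaultdict(lambda: {"apps": set(), "hosts": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue
        b = base[ev["user"]]
        b["apps"].add(ev["app"])
        b["hosts"].add(ev["host"])
        b["hours"].add(ev["ts"].hour)
    return dict(base)


def detect(baseline, events):
    """Compare actual events with the expected profile; return one
    (timestamp, user, app, reasons) tuple per event that deviates."""
    findings = []
    for ev in events:
        b = baseline.get(ev["user"])
        if b is None:  # account never seen in the baseline window
            findings.append((ev["ts"].isoformat(), ev["user"], ev["app"], ["no-baseline"]))
            continue
        reasons = []
        if ev["app"] not in b["apps"]:
            reasons.append("unknown-application")
        if ev["host"] not in b["hosts"]:
            reasons.append("new-host")
        # Working-hours window is the span between the earliest and latest hour seen.
        if not (min(b["hours"]) <= ev["ts"].hour <= max(b["hours"])):
            reasons.append("off-hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["app"], reasons))
    return findings


# Constructed baseline window: jsmith uses payroll and email from ws-112 during the day.
BASELINE_LOG = [
    "2013-05-06T08:02:11 user=jsmith app=payroll host=ws-112 result=success",
    "2013-05-06T09:15:40 user=jsmith app=email host=ws-112 result=success",
    "2013-05-07T08:30:05 user=jsmith app=payroll host=ws-112 result=success",
    "2013-05-07T16:45:12 user=jsmith app=email host=ws-112 result=success",
    "2013-05-08T10:05:59 user=jsmith app=hr-admin host=ws-112 result=failure",
    "2013-05-08T11:20:00 user=jsmith app=email host=ws-112 result=success",
]

# Constructed new events: a normal access, a credential-amplification pattern
# (new app, new host, 02:17), an in-hours access, an account with no baseline,
# and one malformed line.
NEW_LOG = [
    "2013-05-09T09:01:33 user=jsmith app=email host=ws-112 result=success",
    "2013-05-09T02:17:48 user=jsmith app=hr-admin host=ws-301 result=success",
    "2013-05-09T10:10:10 user=jsmith app=payroll host=ws-112 result=success",
    "2013-05-09T10:42:10 user=svc-backup app=payroll host=ws-112 result=success",
    "this line is not in the expected format and is skipped",
]


def run():
    return detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))


if __name__ == "__main__":
    for ts, user, app, reasons in run():
        print(ts, user, app, ", ".join(reasons))
```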
About Signalscape
Signalscape offers security solutions and vulnerability
analysis to the DoD, Law Enforcement, and Cyber
Communities.
Our expertise ranges from miniature single board wireless
solutions for one-time mission critical applications to fully
integrated wireless surveillance, tracking, and data transport
platforms.
Specifically, Signalscape specializes in Audio and Video
Wireless Data Detection, Collection, and Transport
including:
• Wireless Sensors (Audio and Video)
• Mobility Systems (Cellular Data Transport)
• Software Defined Radio (SDR)
Visit us at www.signalscape.com.
Challenges Facing DoD, LE, and Cyber Communities
Two issues facing DoD, Law Enforcement, and Cyber Communities
include:
• Detecting and analyzing audio and video streams embedded in
massive amounts of wireless network traffic (both encrypted and
unencrypted)
• Deploying Smart, Wireless, Audio and Video Sensors
Signalscape provides Wireless Video Collection and Analytics
capabilities both from a defensive and offensive point of view.
Specifically two key wireless video topics of interest to the IC and Cyber
Community:
• Video Detection and Vulnerability Analysis
• Video Sensing
Video Detection and Vulnerability Analysis
• Packet payload inspection (if unencrypted)
• Detection of encrypted audio and video streams via traffic pattern
classification algorithms based on machine learning
• Network vulnerability analysis
Video Sensing
• Smart Sensing – On-board analytics and storage
• Power Management – Avoid transmission until sensor detects event
of interest
• Utilize time-shifted transmission
• Post collection egress (log in and download data at less than real-time speeds)
Wireless Audio/Video Security Platform (WASP)
• Wireless (900 MHz, 2.4 GHz, cellular) retrieval of HD video, HD
images and audio
• On-board ARM processor plus DSP to run application software
in parallel with video algorithms.
• CDMA/GSM Wireless Link
• 2.4GHz Wireless Link (higher data rates, third-party product
integration)
• IP Gateway Infrastructure
• DVR Capability (record, playback on-demand)
• Camera analytics (face detection, wide dynamic range
processing, motion detection)
WASP System Architecture
[Diagram components: WASP, RF to IP Video Gateway, Ethernet, Internet, Satellite Internet Terminal, LoS IP Radio, Local User, Remote Users.]
OnWire Capabilities
• Area of Expertise
– Identity, Access, & Federation Management
– Federated Trust (SAML/XSLT/Web Services)
– 2-Factor Authentication
– PKI / Smart Cards
• Professional Services
– Systems Engineering
– Development
– Integration Services
– Consulting Services
• Cloud Services
– Federated SSO
– Identity and Access Management as a Service
– Consulting Services
Gartner’s Nexus of “Forces”
• The Gartner Group has coined the phrase Nexus of Forces to
refer to four technology areas having a profound effect on IT.
• The forces of the Nexus are intertwined to create a user-driven
ecosystem of modern computing.
– Information is the context for delivering enhanced social and
mobile experiences.
– Mobile devices are a platform for effective social networking
and new ways of work.
– Social links people to their work and each other in new and
unexpected ways.
– Cloud enables delivery of information and functionality to users
and systems.
• User adoption of these technologies means that IT
organizations must adapt their security posture to account for
these forces.
Security Implications
Diagram Source: Gartner (June 2012)
Callouts Source: OnWire (April 2013)
[Diagram callouts on the Nexus of Forces:]
• Data Leakage (corp data migrates to public cloud)
• Data Leakage (data cached on device)
• Unpredictable platform type (user chooses platform)
• Unpredictable app behavior (user owns the app)
• Blurring of work and private data
• Privacy Issues
• Attack Target – honeypot of data
• Access Control Issues
• Phishing target (large number of unsophisticated users)
IAM Vision & OnWire’s Expertise
Key Themes
• Standardized IAM and Compliance – Expand IAM vertically to provide identity &
access intelligence to the business; integrate horizontally to enforce user access
to data, app, and infrastructure
• Secure Cloud, Mobile, Social Collaboration – Enhance context-based access control
for cloud, mobile and SaaS access, as well as integration with proofing, validation &
authentication solutions
• IAM Governance and Insider Threat – Continue to develop Privileged Identity
Management (PIM) capabilities and enhanced Identity and Role management
IBM Security Products
• Information
– InfoSphere Guardium (activity monitor, data encryption, vulnerability assessment)
– Key Lifecycle Manager (managing signing and encryption keys)
• Mobile
– Endpoint Management (Endpoint Manager for Mobile Devices)
– IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity
Manager)
– Network Security (Mobile Connect)
• Cloud
– Application Security (Rational AppScan, Policy Manager)
– Infrastructure Security (Host Protection, Virtual Server Protection, Network Intrusion
Prevention System)
– IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity
Manager)
• Social
– QRadar Security Intelligence Platform
– Application Security (Rational AppScan, Policy Manager)
– IAM (Access Manager, Identity Manager, Federated Identity Manager)
Cyber Security: A New Domain for Intelligence Analysis
MARK VASUDEVAN, PRESIDENT, VSi
About VSi
• VSi, based in Winston-Salem, NC, specializes in web-based
intelligence and analytical software applications
• VSi’s MIDaS™, (U.S. Patents Nos. 6,877,006; 7,167,864;
7,720,861; 8,082,268) is a browser-based, ad-hoc, multi-
dimensional analytical tool for users and analysts
• VSi’s patents have been licensed to IBM and Oracle
• VSi’s MIDaS™ links distributed disparate data sources to
produce user-defined analytical views
• VSi’s MIDaS™ uses a fine-grained security model that
implements multi-level security capability
• VSi’s MIDaS™ delivers its capabilities without writing any
code
IDENTIFICATION OF PROBLEM – NOT A NEW PROBLEM; A NEW DOMAIN
• Analysis – Multi-INT Fusion: HUMINT, COMINT, IMINT, ELINT
• Perimeter Security, Sensors – Access, Authentication and
Authorization
• Pattern Analysis – Intrusion patterns
• Inference capability
• Information dissemination – Reporting
• Strategic and Tactical/Imminent threat assessment
• Collaboration – Functional Defeat Models
• Design of intrusion protection and vulnerability minimization
NEW TECHNOLOGY – MULTI-USE
• Re-use existing resources to develop new intelligence
• Analysis tools should be flexible to be used for multiple
purposes – Intelligence Analysis; Target Centric Analysis;
Threat Assessment
• Data source agnostic - Structured and Unstructured data
fusion
• Collaborative “System-of-Systems” model development
• Analysis should focus on the requirements of the Analyst and
Field Operator – Flexible; Near Real Time
• Comprehensive visualization – Geospatial; Network-graph;
temporal; 3D
• Multi-level security - Information dissemination; Reporting
WHAT DOES VSi’s MIDaS™ LOOK LIKE?