Dave Frymier
Vice President and CISO, Unisys
Don’t sweat the small stuff – protect what matters the most.
© 2014 Unisys Corporation. All rights reserved. 2
Two Big Drivers
IT Environment: Consumerization of IT
• New devices are everywhere; employees will use them
– Consumer devices are not generally MS domain aware
• Not just about devices—new services on the Internet tunnel port 80
– gotomyPC, logmein
– Dropbox
• Organizational perimeter crumbling
Advanced Persistent Threat
• Enters through spam e-mail, bad websites
• “Beacons” back to command and control servers
– Reports in
– Obtains instructions/more malware
• Evades anti-malware software
• Low and slow
• Looks laterally and vertically in network for high value targets
• Can be found through beaconing activity
(Diagram labels: Random spam; Spear phishing; Bad web site; Botnet C&C; Departmental infrastructure; Enterprise Administration (Active Directory); Corporate Jewels.)
Who are the Adversaries?
Security Monitoring Model – SIEM
(Diagram labels: Customer Managed Security Elements; Unisys Monitored or Managed Security Elements; Security Infrastructure; Network Devices; OS, Application and Data Logs; Element-specific Agents; Normalization of Element-specific log file data; Asset Inventory and Vulnerability Scanning; Scanner; Assets and Vulnerabilities; Threat Pattern Database; Event Database; Event Correlation Engine; Response and Remediation; Threat and Vulnerability Alerting; Portal; Reporting; Dashboard & Reports; Incidents; Unisys or Customer Ticketing System.)
Current countermeasures
• Intrusion Detection & Prevention
• Network Firewall & VPN
• Secure Remote Access
• Endpoint Security
• Security Event Monitoring
• Vulnerability Mgmt.
• Threat & Vulnerability Alerting
• Email Scanning
• Web Content Security
• Web Application Security
• Security Incident Management
• Application Security Services
• Network Security Services
SIEM
• It’s mostly after-the-fact
• Protects everything the same way
• Getting more and more expensive—like big data
– Software costs
– Storage of all the log and traffic data/meta data
– Processing
– Network resources to move data from endpoint to SIEM
For advanced adversaries, the traditional approach just isn’t working.
The New York Times article retrieved from www.nytimes.com
How is this possible?
• The real world follows the laws of physics—the cyber world follows manmade rules that govern the transfer of data
• We forget how young the Internet is; it grew like a weed—without much change in the underlying protocols
• There are fundamental design flaws
– Anonymity and spoofing
• Standardization cuts both ways
• Software has bugs
This is not going to be fixed quickly.
Edward Snowden, interview with Guardian readers, June 2013:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Perimeter – to compartment
We’re going from this… … to this
Risk Analysis
• Perhaps mankind’s oldest security technique
• FIPS-199 – find it on the internet
• Output – list of most important assets and who should have access
• Build a compartmentalized security model based on need-to-know
• Protect and enforce that security model by “hiding” your most important assets so the APT can’t find them
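The FIPS-199 step above, worked as an added example (not from the deck): each asset is rated Low/Moderate/High for confidentiality, integrity and availability, the system category is the FIPS 199 high-water mark, and the output is the list of top-tier assets together with the identities that need access. The inventory, names and owners are constructed sample data.

```python
"""FIPS-199 style categorization of an asset inventory. Added example, not
from the deck; the assets and owners below are constructed sample data."""
from dataclasses import dataclass

# The three FIPS 199 impact levels, ordered for the high-water mark.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    need_to_know: frozenset  # identities (not IP addresses) that need access


def security_category(asset: Asset) -> str:
    """FIPS 199 high-water mark: a system's category is the highest of its
    confidentiality, integrity and availability impact levels."""
    impacts = (asset.confidentiality, asset.integrity, asset.availability)
    for level in impacts:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {level!r} for {asset.name}")
    return max(impacts, key=LEVELS.__getitem__)


def crown_jewels(inventory, minimum="HIGH"):
    """The risk-analysis output: assets at or above `minimum`, each with the
    sorted list of identities admitted to its community of interest."""
    floor = LEVELS[minimum]
    return {a.name: sorted(a.need_to_know)
            for a in inventory if LEVELS[security_category(a)] >= floor}


# Constructed sample inventory, loosely following the deck's impact tiers.
INVENTORY = [
    Asset("corporate-jewels-db", "HIGH", "HIGH", "MODERATE", frozenset({"alice", "dba-svc"})),
    Asset("key-management", "HIGH", "HIGH", "HIGH", frozenset({"kmc-admin"})),
    Asset("bu-app", "MODERATE", "MODERATE", "LOW", frozenset({"bob", "alice"})),
    Asset("public-web", "LOW", "MODERATE", "LOW", frozenset({"web-svc"})),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:22s} -> {security_category(a)}")
    print("need-to-know for HIGH assets:", crown_jewels(INVENTORY))
```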
Compartmentalized Corporate Jewels – Enterprise Architecture (illustrative example only)
(Diagram labels: Corporate Jewels; KMC; Other BU Apps; Business Unit Apps; BUIP; IAM; Messaging; Web User; Mobile Gateway; Voice Over IP; Corporate Standard Hardened PC; Any PC, Mac, Linux; Authentication – any device that can send a username, password and certificate; Additional Authentication/Authorization as needed; impact tiers: Low Business Impact, Medium Business Impact, High Business Impact.)
Traditional “buffer area” model
• Used to separate corporate network from foreign networks
• Defense-in-depth
• Extending the concept internally is overkill
Security zones
No defense-in-depth, but much more manageable and less expensive
Software defined communities
• Systems and users running common software that implements communities of interest (COI)
– Strong encryption
– Endpoint protection
– Trusted encryption key management
• Manage users and identities, not IP addresses
• Emerging class of products
• Vormetric, Unisys, Koolspan
What is Unisys Stealth™?
(Diagram: the Stealth shim sits in the protocol stack between 3. Network and 2. Link, above 1. Physical and the NIC; 7. Application, 6. Presentation, 5. Session and 4. Transport sit above it.)
• Software, running on Windows and Linux computers
• FIPS 140-2 AES-256 certified cryptography module
• Provides compartmentalized security by implementing virtual communities of interest (COI) for predetermined endpoint users
• Authenticates and authorizes users based on identity, not network topology
• Because it executes between the network and link protocol layers, it has no effect on applications or existing networks
• Makes systems undiscoverable by attackers
• Supports “clear COI” to allow for incremental integration into existing environments
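A toy model of the behaviour described on the two slides above (software defined communities, and the shim that hides endpoints): each endpoint holds keys only for the COIs it belongs to, frames carry a per-COI tag, and a frame that does not verify is dropped with no reply, so a non-member cannot discover the endpoint; a "clear COI" flag lets untagged traffic through during migration. This is an added example, not Unisys code: the frame format, key provisioning and endpoint names are constructed, and an HMAC tag stands in for the product's AES-256 encryption, so it models membership enforcement and hiding, not confidentiality.

```python
"""Toy model of an identity-based community-of-interest (COI) filter below IP.
Added example, not Unisys code: frame format, key handling and endpoints are
constructed; an HMAC tag stands in for the product's encryption."""
import hashlib
import hmac
import secrets


class CoiShim:
    """One endpoint's shim: tags outbound frames with a per-COI key and
    silently drops inbound frames it cannot verify, so a non-member gets no
    error and no reply from the protected endpoint."""
    def __init__(self, identity, coi_keys, clear_coi=False):
        self.identity = identity
        self.coi_keys = dict(coi_keys)  # COI name -> shared 32-byte key
        self.clear_coi = clear_coi      # accept untagged frames (migration mode)
        self.received = []

    def send(self, coi, payload):
        """Wrap an application payload as b"COI:" || tag || payload."""
        key = self.coi_keys[coi]        # KeyError: a non-member cannot even send
        return b"COI:" + hmac.new(key, payload, hashlib.sha256).digest() + payload

    def receive(self, frame):
        """Return the payload if the frame verifies under one of our COI keys
        (or is untagged and clear-COI is on); otherwise drop it silently."""
        if not frame.startswith(b"COI:"):
            if self.clear_coi:
                self.received.append(frame)
                return frame
            return None
        tag, payload = frame[4:36], frame[36:]
        for key in self.coi_keys.values():
            expect = hmac.new(key, payload, hashlib.sha256).digest()
            if hmac.compare_digest(expect, tag):
                self.received.append(payload)
                return payload
        return None  # wrong community or tampered frame: stay invisible


def provision(coi_members):
    """Trusted key management: one key per COI, handed only to its members."""
    keys = {coi: secrets.token_bytes(32) for coi in coi_members}
    per_identity = {}
    for coi, members in coi_members.items():
        for ident in members:
            per_identity.setdefault(ident, {})[coi] = keys[coi]
    return per_identity


# Constructed sample: the BYO laptop is in no COI and so holds no keys at all.
KEYS = provision({"jewels": {"alice", "db-server"}, "bu-apps": {"alice", "bob"}})
alice, db, bob = (CoiShim(i, KEYS[i]) for i in ("alice", "db-server", "bob"))
byod = CoiShim("byod-laptop", {})
```

In this model possession of a COI key is the identity; the real product authenticates users before issuing keys, which the slide describes and this example does not implement.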
Comparison
                         Tiers   Zones   Software Defined
Hides endpoints          Yes     Yes     Yes
Network/LAN changes      Yes     Yes     No
Application changes      No      No      No
Installation disruption  High    High    Low
Ongoing maintenance      High    High    Low
Staff skill              High    High    Low
Cost                     $$$     $$      $
Unisys Stealth Solution – Proactive. Scalable. Consistent.
(Diagram panels: Stealth for Cloud; Stealth Regional Isolation; Stealth Secure Remote Access; Stealth Data Center Segmentation; Stealth for Mobile. Other labels: A/B Virtual Web Server; A/B Virtual App Server; A/B Virtual DB Server; Amazon EC2; VM; “Safe” Site; Corporate Site; “Risky” Site; Internet; Enterprise; External Network; Windows Client; SSVT; Protected App Server; Protected Database Server; Email Server (unprotected).)
Summing it up
• CoIT and APTs are a fact of life
• Adversaries are extremely sophisticated and capable
• Current tools aren’t working
• The base problems won’t be fixed soon
• Modern encryption, properly implemented, WORKS
• Identify the most important information and who needs access
• Hide this information using compartmentalized need-to-know communities of interest
• Keep BYO and consumer devices away from the COIs
Thank You
David Frymier, Vice President and CISO, Unisys Corporation

Don’t Sweat the Small Stuff – Protect What Matters Most - Interop 2014