Winn Schwartau and Mark Carney's slideshow from RSA Conference 2018 about How to Measure the Security of Your Network Protection Devices with Analogue Network Security Architecture & Design.

1. SESSION
ID:
#RSAC
Winn
Schwartau
HOW
TO
MEASURE
THE
SECURITY
OF
YOUR
NETWORK
PROTECTION
DEVICES
WITH
ANALOGUE
NETWORK
SECURITY
ARCHITECTURE
&
DESIGN
LAB2-­‐W10
Security
Theoretician
@WinnSchwartau
Mark
Carney
Mathematician,
Security
Researcher,
Leeds
Univ,
UK
@LargeCardinal

2. #RSAC

3. #RSAC
The
World
As
It
Is
<Le
Sigh>
Security
is
Broken.
Abysmally
so.
TCP/IP
was
just
an
experiment.
— We
run
the
planet
on
it.
Assume
the
bad
guys
are
inside
already.
We
‘know’
newer,
faster
technology
will
protect
networks
and
data.
(Same
promises
since
1980s)
• If
You
Can’t
Measure
It,
You
Can’t
Manage
It.

4. #RSAC
This
Session
The
Theory:
1. Time-­‐Based
Security
2. Trust
3. Measurement
4. Feedback
5. Two
Man
Rule
6. OODA
The
Maths:
1. Boolean
2. Why
Bayes?
3. Exercises
4. Appendix
5. Trust
Factor
Model

5. #RSAC
Analogue:
WTF?
Continuously Variable & Dynamic

6. #RSAC
Done
Away
With
Gears

7. #RSAC
Averaging
Quanta:
Plank’s
‘d’
Analogue-­‐Digital
Duality/Granularity

8. #RSAC
Analogue
Bio-­‐Computers:
Brain/Neural-­‐Systems
(Neural
Interface
/
IoT)

9. #RSAC
Is
It
Analogue?
Continua
(Not
Binary)
Group
Discussion:
Analogue
vs.
Digital

10. #RSAC
Static
Security
Models:
Fortress
Mentality
&
Risk
Avoidance
• Expensive
• Not
Prone
to
Communication/Commerce
• Models
from
1970’s
•Bell
LaPadula
•Biba

11. #RSAC
Boolean
101
Refresher

12. #RSAC
The
Reference
Monitor
•Each
System
Request
Is
Mediated
•Yes/No
Decisions
•Process
Halts

13. #RSAC
Can
You
Rate
Your
Firewall?
(0-­‐10)

14. #RSAC
Time-­‐Based
Security

15. #RSAC
Protect-­‐Detect-­‐Respond
The
Original
Model:
1994-­‐1998
P(t) > D(t) + R(t)

16. #RSAC
Why
We
Can’t Rely
on
Protection
• No Product Guarantees
• Networks are highly dynamic
• Most protection is highly static.
• The security posture changes
continuously
• Network maps are ‘iffy’. Especially
ingress/egress
• Partner networks are often security
suspects.
• Complexity breeds vulnerability
• New
hacks
&
‘0’-­‐Days
• Patches
take
time
• Improper
configuration
• Insiders
(Errors
&
Intent)
How Much Protection Does
The Window Provide (Time)?

17. #RSAC
Evaluating
Exposure:
E(t)
• Assume
No
Protection:
•If
P
=
0,
• Then
E(t) =
D(t) +
R(t)
•If
P
>
0,
• Then
E(t) =
[P(t)
– (D(t) +
R(t))]
• Given
Total
Access
to
Your
Networks
-­‐
•How
much
‘Value’
can
be
stolen
in
1
minute?
•How
about
10
minutes?
•What
about
2
hours?
• Cost
in
$
of
DOS/DDoS?
• Best-­‐Case
Metric
of
Security
• Lim
Et =
Lim
(Dt)
+
Lim
(Rt)
t
>>
0 t
>
>0 t
>>
0
Secure
Computer

18. #RSAC
Measuring
Which
Files
Are
Targets
• P
>
D
+
R
– If
P
=
0,
then
D
+
R
=
E
• F
/
BW
=
T
– BW(mb)/~10
=
BW(MB)
• 1Gb/sec
~
(100MB/Sec)
– F
=
100MB
• If
E
>
1sec,
or
E
>
T,
F
is
Vulnerable

19. #RSAC
Defense
in
Depth
(Yes,
but…)
P>D+ R
^
P(d1)
>D(d1)
+ R(d1)
^
P(r1)
>D(r1)
+ R(r1)

20. #RSAC
Exercise
#1
Given
the
above,
what
analogue-­‐ish
technique
can
be
used
to
limit
the
amount
of
potential
data
exfiltration
over
time
period
‘E’?

21. #RSAC
Exercise
#1
Answer

22. #RSAC
Trust

23. #RSACBinary
Trust
• Complete
Trust
is
Placed
in
One
Individual
Over
A
Network
• What
is
Your
Trust
Factor?

24. #RSAC
Trust
vs.
Risk

25. #RSAC
Perfect
Trust?
vs

26. #RSAC
Exercise
#2:
Alice’s
Trust
Factors
are:
.95
.901
.87
.79
.975
Which
gives
us
the
highest
overall
Trust
Factor
for
Alice:
Arithmetic
or
Geometric
Weighting?

27. #RSAC
Trust
Factors
comparison
by
Geometric
mean
27
Geometric
Mean
§ The
Geometric
mean
is
used
in
various
situations
where
trust
is
measured
– from
financial
institutions
to
dating
sites
§ The
Geometric
mean
calculated
by:
! 𝑥#
$
#%&
'
§ It
is
the
n-­‐th
root
of
the
product
of
n-­‐many
terms
§ See
right
for
a
comparison
between
geometric
and
arithmetic
means

28. #RSAC
Measurement

29. #RSAC
Black
Boxes

30. #RSAC
Black
Box
+
Reaction

31. #RSAC
Now,
Some
Bayes
“A
Bayesian
is
one
who,
vaguely
expecting
a
horse,
and
catching
a
glimpse
of
a
donkey,
strongly
believes
he
has
seen
a
mule.”
“A
frequentist
is
a
person
whose
long-­‐run
ambition
is
to
be
wrong
5%
of
the
time.”

32. #RSAC
What
is
‘Bayesian’
about
Bayesian
statistics?
32
Bayesian
statistics
lets
us
compare
our
hypotheses
as
conditional
probabilities
𝑃(𝐴) – the
probability
of
an
attack;
we
will
set
this
as
1
in
1000
or
0.001
(0.1%)
𝑃(𝐷|𝐴) – the
probability
we
detect
an
attack
given
an
attack
is
occurring
– also
called
the
‘sensitivity’;
we
will
set
this
as
99%
or
0.99
𝑃(𝐷) – the
probability
we
will
have
a
detection.
NB –
𝑃 𝐷 = 𝑃(𝐷|𝐴)×𝑃 𝐴 +
(𝑃 𝐷 𝐴̅ ×𝑃(𝐴̅))
Bayes
Theorem:
𝑃 𝐴 𝐷 =
𝑃 𝐷 𝐴 ×𝑃(𝐴)
𝑃(𝐷)

33. #RSAC
A
Worked
Example
33
Bayes
Theorem:
𝑃 𝐴 𝐷 =
𝑃 𝐷 𝐴 ×𝑃(𝐴)
𝑃(𝐷)
Probability
of
an
Attack
given
a
Detection
Probability
of
a
Detection
given
an
attack
is
in
progress
Probability
of
an
Attack
Probability
of
a
Detection

34. #RSAC
A
Worked
Example
34
Bayes
Theorem:
𝑃 𝐴 𝐷 =
𝑃 𝐷 𝐴 ×𝑃(𝐴)
𝑃 𝐷 𝐴 ×𝑃 𝐴 + (𝑃 𝐷 𝐴̅ ×𝑃 𝐴̅ )

35. #RSAC
A
Worked
Example
– Substitute
Numbers
35
Bayes
Theorem:
𝑃 𝐴 𝐷 =
0.99×0.001
0.99×0.001 + (0.01×0.999)

36. #RSAC
A
Worked
Example
– Substitute
Numbers
36
Bayes
Theorem:
𝑃 𝐴 𝐷 =
0.00099
0.01098

37. #RSAC
A
Worked
Example
– An
unusual
result!
37
Bayes
Theorem:
𝑃 𝐴 𝐷 = 0.09016
≈ 9%
But
HOW does
this
make
sense?

38. #RSAC
A
Worked
Example
– 1000
emails
38

39. #RSAC
A
Worked
Example
– The
malicious
email
39

40. #RSAC
A
Worked
Example
– The
false
positives
40

41. #RSAC
The
Malicious
Email
we
need
to
detect
The
10
(1%
of
1000)
False
Positives
we
need
to
consider
this
detection
could
be
The
11
possibilities
for
1
detection
A
Worked
Example
– An
explanation
of
9%
41
Thus,
we
can
see
that
the
actual
malicious
email
is
1
of
11
possibilities,
or
1
in
11,
or
≈ 9%
NB
– Bayes
is
not
fully
using
this
logic,
but
it
is
handy
for
understanding

42. #RSAC
A
Worked
Example
– An
explanation
of
9%
42
Thus,
we
can
see
that
the
actual
malicious
email
is
1
of
11
possibilities,
or
1
in
11,
or
≈ 9%
How
we
can
improve
this
§ Note
that
we
have
indeed
one
confirmed
detection
§ Subsequent
detections
improve
the
confirmation
of
our
hypothesis
– that
there
is
some
attack
taking
place
§ We
do
this
by
using
the
derived
value
as
our
new
𝑃(𝐴)
Bayes
Theorem:
𝑃& 𝐴 𝐷 =
0.99×0.001
0.99×0.001 + (0.01×0.999)

43. #RSAC
A
Worked
Example
– An
explanation
of
9%
43
Bayes
Theorem
Iterated:
𝑃; 𝐴 𝐷 =
0.99×0.0902
0.0983
Thus,
we
can
see
that
the
actual
malicious
email
is
1
of
11
possibilities,
or
1
in
11,
or
≈ 9%
How
we
can
improve
this
§ Note
that
we
have
indeed
one
confirmed
detection
§ Subsequent
detections
improve
the
confirmation
of
our
hypothesis
– that
there
is
some
attack
taking
place
§ We
do
this
by
using
the
derived
value
as
our
new
𝑃(𝐴)

44. #RSAC
A
Worked
Example
– An
explanation
of
9%
44
Bayes
Theorem
Iterated:
𝑃; 𝐴 𝐷 = 0.9075 …
≈ 90.75%
Thus,
we
can
see
that
the
actual
malicious
email
is
1
of
11
possibilities,
or
1
in
11,
or
≈ 9%
How
we
can
improve
this
§ Note
that
we
have
indeed
one
confirmed
detection
§ Subsequent
detections
improve
the
confirmation
of
our
hypothesis
– that
there
is
some
attack
taking
place
§ We
do
this
by
using
the
derived
value
as
our
new
𝑃(𝐴)

45. #RSAC
A
Worked
Example
– An
explanation
of
9%
45
Bayes
Theorem
Iterated:
𝑃; 𝐴 𝐷 = 0.9075 …
≈ 90.75%
𝑃A 𝐴 𝐷 = 0.9990 …
≈ 99.90%
§ Thus,
our
confidence
improves
incredibly
fast
under
the
iteration
of
this
process
§ Our
hypothesis
gains
confidence
for
every
successful
detection
given
our
setup
§ We
can
now
see
how
to
deal
with
probabilities
and
intersections
thereof
with
a
view
to
confirming
our
beliefs
about
our
situation

46. #RSAC
Exercise
#3
Assume
you
have
2
detection
Black
Boxes,
made
by
different
vendors,
each
with
a
Trust
Factor
of
.9
Show:
1. The
difference
in
Trust
Factor
by
using
both
detection
product
versus
just
one
with
a
Boolean
OR
to
combine
the
two
vendor
products.
2. The
difference
in
Trust
Factor
by
using
both
detection
product
versus
just
one
with
a
Boolean
AND
to
combine
the
two
vendor
products.

47. #RSAC
Exercise
#3
Answer

48. #RSAC
Kill
Root:
The
2MR

49. #RSAC
Exercise
#4
Given
5 Admins,
each
with
.95
Trust
Factor,
what
is
the
overall
TF
for
this
access
point?

50. #RSAC
Exercise
#4
Answer
5
Admins
Each
TF
of
.95
(.95
+
.95
+
.95
+
.95
+
.95)/5
=
________
Or
.95
∗
.95
∗
.95
∗
.95
∗
.95
C
=______
Arith vs.
Geo?

51. #RSAC
2MR
Goal
• Ensure
that
Administrators
Do
Not
Exceed
Authority
• Ensure
They
Do
Not
Cause
Intentional
or
Accidental
Damage
• Reduce
Risk
From
Insiders
With Authority

52. #RSAC
Feedback
Is
Analogue
(Equilibrium
vs.
Chaos/Tipping
Point)
Acoustic
Electrical
Mechanical
Abstraction

53. #RSAC
The
TB-­‐FF
for
2MR

54. #RSAC
Analogue
Boole
A
=
Set B
=
Approve B(t) Q
=
Enable
Countdown
Status
0 0 OFF 0 Before
0 0 t
>
0 0 During
0 0 t
=
0 0 After
(No
B)
1 0 OFF 1 Before
1 0 t
>
0 1 During
1 0 t
=
0 0 After
(No
B)
1 1 OFF 1 Before
1 1 t
>
0 1 During
1 1 t
=
0 1 After
(No
B)
0 1 N/A 0 Before
T=Off
0 1 N/A 0 During
T
>
0
0 1 N/A 0 After
T=0

55. #RSAC
The
Time
Based
Reference
Monitor:
Phishing
Phixer

56. #RSAC
The
Time-­‐Based
Flip-­‐Flop

57. #RSAC
Exercise
#5
Design
a
2-­‐Man
Timed-­‐Based
Admin
control,
where
either
Alice
or
Bob
can
initiate
the
process,
and
require
the
other
to
verify.
This
only
works
in
a
pure
form
where
TF
Alice
– TF
Bob.

58. #RSAC
2MR:
AND
Agreement

59. #RSAC
Exercise
#6
Design
a
time-­‐based
circuit
that
shows
the
logic
of
a
car
and
driver
making
a
lane
change.

60. #RSAC
Self-­‐Driving
Car
(without
Trust
Factor)

61. #RSAC
Detection
in
Depth
Code
Granularity
Divide
by
Time
and
Bandwidth
Think
Shannon:
0
Limit-­‐Function
Application
Internal
DR
Matrix
&
API
to
Reaction
Matrix
Network
Segmented
Graceful
Degradation
Internetworking

62. #RSAC
Make
Vendors
Accountable
Vendor
Promises
“Accuracy”
90%
in
1ms
(10%
Risk)
95%
in
100ms
(5%
Risk)
99%
in
1,000ms
Ask
Every
Vendor
for
Metrics!
Set:
Negative
Time
>
Vendor(t)
Knowable
Security/Risk
over
Time
Vendor
Provides:
History
&
Samples
Reviewed
Per
’Click’
Accuracy
Update

63. #RSAC

64. #RSAC
1ST Edition
Signed
Copies:
July
2018
For
first
edition
signed
copies
of
the
book:
www.AnalogueNetworkSecurity.com

65. #RSAC
Winn Schwartau
• www.AnalogueNetworkSecurity.Com
• +1 727 393 6600
• CEO/Founder
• TheSecurityAwarenessCompany.Com
• Winn@TheSecurityAwarenessCompany.com
facebook.com/TheSACompany
twitter.com/SecAwareCo
linkedin.com/company/the-­‐security-­‐awareness-­‐company
Comments? Questions? Responses?
.COM

66. #RSAC
APPENDIX

67. #RSAC
Trust
Factors
– a
proposed
methodology
67
§ ANS
requires
that
we
abandon
absolutes
of
trust,
and
instead
require
that
trust
of
some
object
A
(a
device,
or
person,
or
other)
is
strictly
some
factor
TF(A)
where
we
require
0
≤
TF(A)
≤
1
§ But
we
need
to
consider
how
to
iterate
these
values
in
time
§ We
consider
an
expansion
on
the
scheme
on
the
right
𝑇𝐹FG&(𝐴)
= 𝑇𝐹F 𝐴 ± 𝐷(𝑇𝐹F 𝐴 )

68. #RSAC
Trust
Factors
– Deriving
a
closed-­‐form
model
68
𝑇𝐹FG&(𝐴)
= 𝑇𝐹F 𝐴 ± 𝐷(𝑇𝐹F 𝐴 )
Let:
𝐷 𝑇𝐹F 𝐴 =
𝑑𝑇𝐹F(𝐴)
𝑑𝑡
= 𝛿 𝑡, 𝑡 + 1 + 𝐼(𝑇𝐹F 𝐴 , 𝑥&, 𝑥;,…)
Substituting,
we
get:
𝑇𝐹FG&(𝐴)
= 𝑇𝐹F 𝐴 ± 𝛿 𝑡, 𝑡 + 1 ± 𝐼(𝑇𝐹F 𝐴 , 𝑥&, 𝑥;,…)

69. #RSAC
Trust
Factors
– Deriving
a
closed-­‐form
model
69
Substituting,
we
get:
𝑇𝐹FG&(𝐴)
= 𝑇𝐹F 𝐴 ± 𝛿 𝑡, 𝑡 + 1 ± 𝐼(𝑇𝐹F 𝐴 , 𝑥&, 𝑥;,…)
Goal:
Value
of
our
𝑇𝐹FG& 𝐴
The
𝛿 𝑡, 𝑡 + 1 function
‘shapes’
our
curve
in
time
by
acting
as
a
default
change
of
TF 𝐴
Our
current
value
of
𝑇𝐹F 𝐴 – this
is
our
start
value
This
is
the
‘influencer’
function
that
can
read
parameters
and
push/pull
𝑇𝐹 𝐴 according
to
pre-­‐defined
requirements/thresholds/etc.
NB -­‐ A
similarity
to
Gottman
and
Murray’s
equations
was
unexpected,
but
is
an
interesting
line
of
inquiry
we
are
pursuing