SCIT Labs - intrusion tolerant systems


Published on

The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

SCIT Labs - intrusion tolerant systems

  1. 1. Moving Target Proactive Cyber Defense – Keeping Bad Guys Out of Servers Arun Sood, Ph.D. SCIT Labs, Inc Clifton, VA SCIT Labs Confidential and Proprietary 1
  2. 2. I. Intrusions Are InevitableNew Proactive Approaches are Required SCIT Labs Confidential and Proprietary 2
  3. 3. May 2011 Security Incidents WorldwideSunday Monday Tuesday Wednesday Thursday Friday Saturday1 2 3 4 5 6 7Gmail X-Factor TV Sony SEC Bestbuy Central ORSony Show Woman Netflix Comm College to Woman Sony Healthcare8 9 10 11 12 13 14Huntington Assurant Fox MichaelsNational Bank15 16 17 18 19 20 21 Mass Anthem Blue PBS Sony Lockheed Martin Government Cross of NASA Sony X2 Regions Bank California22 23 24 25 26 27 28Sony Sony Sony Northrop L-3 Grumman Communications29 30 31Honda Nintendo Citibank Source: Confab 2011 SCIT Labs Confidential and Proprietary 3
  4. 4. Epsilon Data Breach – 2011 SCIT Labs Confidential and Proprietary 4
  5. 5. Source: Symantec 2010 ReviewSCIT Labs Confidential and Proprietary 5
  6. 6. II. Cyber Attacks Persist• Intruders need access and time to orchestrate their attacks• Intrusions persist for days, weeks, months• Malware is hard to detect• Highly customized malicious code blends into the information landscape SCIT Labs Confidential and Proprietary 6
  7. 7. Intruder Residence Time in Months 3 months 2 months5 months SCIT Labs Confidential and Proprietary 7 7
  8. 8. Verizon DBIR 2010:Significant Intruder Residence Time SCIT Labs Confidential and Proprietary 8
  9. 9. III. Current Servers are Sitting Ducks Adversary has the advantage We increase Adversary Work Factor SCIT Labs Confidential and Proprietary 9
  10. 10. SCIT Labs Confidential and Proprietary 10
  11. 11. The SCIT Approach Reduce server exposure time Restore to pristine state Threat IndependentMust maintain uninterrupted service SCIT Labs Confidential and Proprietary 11
  12. 12. Zero Days – Fixing Vulnerabilities• Detecting a vulnerability• Reporting vulnerability• Developing a patch to fix vulnerability• Patch distribution• Testing in staging area• Patch application Use Moving Target Defense Make it Difficult to Exploit the Vulnerability SCIT Labs Confidential and Proprietary 12
  13. 13. Servers How SCIT works-Virtual Example: 5 online and 3 offline servers-Physical Online servers; potentially compromised Offline servers; in self-cleansing SCIT Labs Confidential and Proprietary 13 13
  14. 14. Resilience, Recovery, Tolerance, Forensics SCIT Labs Confidential and Proprietary 14
  15. 15. The SCIT Approach• Patented, Proven, Award Winning Self Cleansing Intrusion Tolerance Technology• Uses Virtualization Technology• Ultra Low Intruder Residence Time• Subverts attacks by robbing intruders of time and persistent access needed to launch attacks SCIT Labs Confidential and Proprietary 15
  16. 16. IDS/IPS vs Intrusion Tolerance Firewall, IDS, IPS Intrusion tolerance Risk management. Reactive. Proactive. A priori information Attack models. Software Exposure time. Length of required. vulnerabilities. longest transaction.Protection approach. Prevent all intrusions. Limit losses.System Administrator High. Manage reaction Less. No false alarms workload. rules. Manage false alarms. generated. Design metric. Unspecified. Exposure time.Packet/Data stream Required. Not required. monitoring.Higher traffic volume More computations. Computation volume requires. unchanged. Applying patches. Must be applied Can be planned. immediately. SCIT Labs Confidential and Proprietary 16 16
  17. 17. Results of Simulation: NIDS, SCIT, NIDS+SCIT Parameters used Results of the simulationSimulation Metrics Value (units) Total damage No. of Mean Damage CaseNumber of queries 5000 (records) breaches (records/breach)used NIDS 245,962 (100%) 192 1,281Intruder Residence 0 minutes to 2 SCIT: ET 4hrs 55,364 (23%) 508 109Time (IRT) months SCIT: ET 4 mins 1,015 (0.4%) 508 2Mean IRT – Pareto 48 hoursdistribution NIDS + HIDS 210,578 (86%) 164 1,284Exposure Time – 2 1. 4 hrs NIDS + SCITcases 2. 4 mins (ET 4 hrs) 20,931 (9%) 191 110Mean of records 675 NIDS + SCITstolen per day records/breach (ET 4 mins) 383 (0.16%) 191 2 IDS Only SCIT+IDS SCIT Labs Confidential and Proprietary 17
  18. 18. SCIT Server State Transitions 1 2 3 Active – ExposedStart New VM Online Spare to Internet 6 5 4 Archive VM for Kill VM Grace Period Future Analysis SCIT Labs Confidential and Proprietary 18
  19. 19. SCIT – Applications SCIT ImplementationsWeb Tier: Web, 1. One applicationDNS, SSO…… 1 2 N (function) per serverApp Tier: Biz logic,Content Mgr, CRM…. 1 2 M 2. Five applications per serverData Tier: DB Mgr;File Mgr 1 L 3. 1000 applicationsStorage Tier: 100 serversTransactions (ms); 1 KLarge File transfer(High speed- seconds) 4. Cloud SCIT Labs Confidential and Proprietary 19
  20. 20. Collaboration and Recognition• Lockheed Martin and Northrop Grumman – Testing and validation of SCIT servers. – Funded and collaborated with SCIT research – Integrated in LM cloud offering; NGC evaluating use cases for cloud app – LM and Landis Gyr are sub – SCIT application to Electricity Smart Grid• Raytheon – Collaborated on SBIR proposal• Awards – Winner Security Technology of Tomorrow Challenge, CNI Expo + GSC Jun 10 – Runners up Cyber Security Challenge GSC Nov 09 – Army SBIR: SCIT DNS• Patents: 3 issued + 3 more applied. SCIT Labs Confidential and Proprietary 20
  21. 21. Target Market and Applications• Cloud and Hosting • Government Services – Civil – Web sites: LAMP & – DOD Windows IIS – Intelligence Community – DNS • Financial services – Ecommerce • Health care – Single Sign On – Email and comm – LDAP server – Streaming media SCIT Labs Confidential and Proprietary 21
  22. 22. Risk = Threat X Vulnerabilities X Consequences SCIT Labs Confidential and Proprietary 22
  23. 23. Cyber Security Approaches Vulner- Conse- Work FactorTechnology Approach Threat abilities quences A DIntrusion Detection / Prevention X +Firewall X +Malware detection X +Incoming Packet Monitoring X +Packet Analysis X +SSL Proxy X +SIEM X +Forensics X +SCIT - Recovery + Intrusion X +Tolerance + Forensic SupportOutgoing Packet Monitoring (DLP) X + A=Adversary Work Factor; D=Defender Work Factor SCIT Labs Confidential and Proprietary 23
  24. 24. Pilot Project• Data Storage servers• Implement on one or two platforms using remote access• Support & training• Develop evaluation measures• Demonstrate achievement of measures in 3 month• Roll out commitment and plan SCIT Labs Confidential and Proprietary 24
  25. 25. Benefits of SCIT• SCIT removes malware without detection• SCIT reduces data ex-filtration• SCIT does not rely on signatures and is threat independent• SCIT is mission resilient: automatic recovery• SCIT reduces intrusion response (alerts) management cost SCIT Labs Confidential and Proprietary 25
  26. 26. DemoPROACTIVE CYBER ATTACK DEFENSE Arun Sood, Ph.D. +1703.347.4494 SCIT Labs Confidential and Proprietary 26