Cyber Security
1. North Carolina Federal Advanced Technologies Symposium
May 9, 2013
Cyber Security Panel
Hosted by:
Office of Senator Richard Burr
NC Military Business Center
NC Military Foundation
Institute for Defense & Business
University of North Carolina System
2. Science of Security Configuration Analytics: Know your network!
Professor Ehab Al-Shaer,
Director of Cyber Defense Network Assurability Center
University of North Carolina Charlotte
ealshaer@uncc.edu
www.cyberdna.uncc.edu
Cyber Security Panel
NC Federal Advanced technologies Symposium
May 9, 2013
3. About CyberDNA Research
• Vision: Making Cybersecurity measurable, provable and usable
• Research Team:
– Multi-disciplinary team of 11 faculty members and 35 PhD students
– Areas: security, networking, data mining, economics, power and control, behavior science/HCI.
• Active Funding: > 8.2M from NSF, NSA, ARO, AFRL, DHS, Bank of America, BB&T,
DTCC, Duke Energy, Cisco, Intel
• Prof. Al-Shaer was featured as Subject Matter Expert (SME) in Security
Configuration Analytics and Automation [DoD Information Assurance Newsletter,
2011].
• NSF Industry/University Collaborative Research Center on (Security) Configuration
Analytics and Automation (CCAA), led by UNC Charlotte and George Mason Univ
– Members include NSA, NIST, Bank of America, BB&T, DTCC, MITRE, Northrop Grumman
• Tools and technology transfer projects for Cisco, Intel, Duke Energy, and others
• Long and solid research track record in many areas, particularly
– Security configuration analytics (verification and synthesis) for enterprise,
cloud and smart grid
– Security metrics and risk estimation
– Agility and resiliency for Cyber, clouds and Cyber-Physical
4. Why Is Cybersecurity Hard?
• Attack Detection (alone) Cannot Deliver
– Learning-based = knowing the attack OR knowing the deviation; a detection
threshold is easily evadable
– Insufficient for attack avoidance
• Cybersecurity = Attack Prediction
• Attack Prediction is a Hard Problem
– Learning-driven vs. prediction-driven
• Feature selection vs. information integration & analytics
– Scalable and accurate models of both system behavior and
adversary strategies.
– System complexity and adversary sophistication are both
growing.
5. The Need for Security Configuration Analytics
• December 2008 report from Center for Strategic and International Studies
"Securing Cyberspace for the 44th Presidency" states that "inappropriate
or incorrect security configurations were responsible for 80% of Air Force
vulnerabilities"
• May 2008 report from Juniper Networks "What is Behind Network
Downtime?" states that "human factors [are] responsible for 50 to 80
percent of network device outages".
• BT/Gartner[3] has estimated that 65% of cyber-attacks exploit systems
with vulnerabilities introduced by configuration errors. The Yankee
Group[4] has noted that configuration errors cause 62% of network
downtime.
• A 2009 report[5] by BT and Huawei discusses how service outages caused
by “the human factor” themselves cause more than 30% of network
outages, “a major concern for carriers and causes big revenue-loss.”
6. Complexity of Configuration Analytics
Ehab Al-Shaer, Science of Security Configuration
• Scale – thousands of devices and millions of rules.
• Distributed, yet Inter-dependent Devices and Rules.
• Policy semantic gap -- device roles (e.g., rule-order semantics vs.
recursive ACL, single-trigger vs. multi-trigger policies)
• Multi-level and multi-layer Network configuration
– Overlay networks, groups/domains in cloud (e.g., EC2/VPC, security
groups)
– network access control, OS, application level, etc.
• Dynamic changes in networks and threat
• Security design trade-offs: risk vs mission, usability, cost, and
performance
[Source: Security Analytics and Automation, DoD IA Newsletter, Oct 2011]
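To make the rule-order point on this slide concrete, here is an added example (not a CyberDNA tool and not code from the deck): a small first-match ACL checker that reports rules which can never fire because an earlier rule already covers every packet they match, classifying each as shadowed (the earlier rule takes a different action, so the later rule's intent is silently lost) or redundant (same action, clutter only). The rule set is constructed for illustration; the covering test compares protocol, prefixes and port ranges field by field and does not detect rules that are only jointly covered by several earlier rules.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ordered ACL entry; the field set is an assumption for this example."""
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple         # inclusive (low, high) destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    return (proto_ok
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """Does this single rule match the given packet header fields?"""
    return ((rule.proto == "any" or rule.proto == proto)
            and ip_address(src) in rule.src
            and ip_address(dst) in rule.dst
            and rule.dport[0] <= dport <= rule.dport[1])


def first_match(rules, proto, src, dst, dport):
    """First-match semantics: name of the first matching rule, or None (implicit deny)."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.name
    return None


def analyze(rules):
    """Report rules that can never fire because an earlier rule covers them.

    A later rule fully covered by an earlier one is dead under first-match
    evaluation: "shadowed" if the earlier action differs, "redundant" if it
    is the same. Rules covered only by the union of several earlier rules
    are not detected by this simple pairwise check.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind, earlier.name))
                break   # the first covering rule is the one that actually wins
    return findings


def R(name, action, proto, src, dst, low, high=None):
    """Helper to build a Rule from prefix strings and a port or port range."""
    return Rule(name, action, proto, ip_network(src), ip_network(dst),
                (low, high if high is not None else low))


# Constructed sample policy: R2 contradicts R1 but is never reached;
# R4 is a narrower copy of R3; R5 is the catch-all.
SAMPLE_RULES = [
    R("R1", "permit", "tcp", "10.1.0.0/16", "192.168.1.10/32", 443),
    R("R2", "deny",   "tcp", "10.1.2.0/24", "192.168.1.10/32", 443),
    R("R3", "permit", "tcp", "10.1.2.0/24", "192.168.1.0/24", 80),
    R("R4", "permit", "tcp", "10.1.2.5/32", "192.168.1.20/32", 80),
    R("R5", "deny",   "any", "0.0.0.0/0",   "0.0.0.0/0", 1, 65535),
]

if __name__ == "__main__":
    for name, kind, by in analyze(SAMPLE_RULES):
        print(f"{name} is {kind} by {by}")
    # The host R2 meant to block is still permitted, by R1:
    print(first_match(SAMPLE_RULES, "tcp", "10.1.2.7", "192.168.1.10", 443))
```

Running the checker on the sample policy reports R2 as shadowed by R1 and R4 as redundant to R3; querying the first match for a host in 10.1.2.0/24 shows why the shadowing matters: the deny in R2 never applies.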
7. NSF Center on Security Analytics & Automation: The Big Picture
[Diagram: inputs (Logs and Sensor Data; Security Requirements & Policies; Enterprise Policies & Configuration; predominately manual management practices) feed an Analytics and Automation integration loop whose actions are applied to the system as Defensive Actions, with the goals of Measurable Security, Automated Defense, Resiliency and Cost-Effective Hardening]
15. CYBER SECURITY
• Intrusion detection - focused on protecting against attack vectors
based on software or hardware vulnerabilities.
• Firewall configuration, patch management, anti-virus
technologies and intrusion detection log monitoring.
• Masquerade Threat - access through the use of stolen, hijacked or
forged logon IDs and passwords.
• Security gaps in programs, or through bypassing the
authentication mechanism.
• Insider Threat – valid credentials or permissions (bad actor)
@2013 SECURBORATION, INC. COMPANY PROPRIETARY
16. INTRUSION DETECTION
• Traditional protection technologies have matured
• National Vulnerability Database (http://nvd.nist.gov) vulnerability disclosures
across the industry in 1H2011 were down 37.1% from 2H2008[1]
• Class of tools
• e-Sentinel
• Host Based Security System
[Chart: Vulnerability Disclosures]
17. THREAT CLASSES
MASQUERADE THREAT
• Recent trends indicate that stealing or forging log-in credentials has
become a common methodology for achieving unauthorized access
• User Behavior
  • Identify deviations from expected behavior
  • Access to applications over system access
  • Utilize logs to monitor behavior
• New class of tools
INSIDER THREAT
• Bad Actors
• User Behavior (threshold of bad behavior)
  • Identify deviations from expected behavior
  • Access to applications over system access
  • Access to Multifunction-Printers
  • Utilize logs to monitor behavior
• New class of tools
C-SAMS
18. CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
• Cyber Defense
• Insider / Masquerade Threat Focus: Identity theft; Exfiltration; Credential
amplification
• Whitelist Oriented: When are there observable shifts in agent behavior
from “normal” to “abnormal”?
• Model-driven:
• Enterprise Architecture
• Business Process Modeling
• Business Process Execution Language (BPEL)
• Web Ontology Language (OWL)
19. CYBER SEMANTIC ACCOUNT MANAGEMENT SERVICE (CSAMS)
[Diagram: End User actual behaviors are captured in GCCC merged log files (legacy and future CSV sources); CSAMS detects anomalous behavior by comparing expected vs. actual and publishes events that indicate behavior outside the norm]
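The detection idea on the two CSAMS slides and on the threat-classes slide before them (baseline expected user behavior from merged logs, then flag deviations) as an added illustration that is not CSAMS or any Securboration code: it builds a per-user baseline of resources used, hours active and largest print job from a constructed CSV log, then scores a later window for first-time resource access, off-hours activity, unusual print volume, and accounts with no baseline at all. The CSV columns, the two thresholds and every log line are assumptions made up for this example.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Assumed thresholds for this example (not CSAMS parameters):
HOUR_TOLERANCE = 1        # tolerate activity one hour either side of hours seen in the baseline
PRINT_VOLUME_FACTOR = 3   # flag a print job larger than 3x the user's largest baseline job

# Constructed merged log in CSV form; the column set is an assumption for this example.
BASELINE_CSV = """ts,user,resource,action,qty
2013-05-01T08:55:10,alice,email,login,1
2013-05-01T09:30:42,alice,hr-portal,view,1
2013-05-01T14:05:19,alice,mfp-03,print,12
2013-05-02T09:02:33,alice,email,login,1
2013-05-02T10:15:55,alice,mfp-03,print,8
2013-05-02T16:40:07,alice,hr-portal,view,1
2013-05-01T08:10:00,bob,email,login,1
2013-05-01T11:20:30,bob,crm,view,1
2013-05-02T08:12:45,bob,crm,view,1
2013-05-02T13:00:00,bob,mfp-03,print,15
"""

# Constructed later window to score against the baseline.
OBSERVED_CSV = """ts,user,resource,action,qty
2013-05-03T09:10:00,alice,email,login,1
2013-05-03T02:31:12,alice,finance-db,query,1
2013-05-03T10:00:00,bob,mfp-03,print,450
2013-05-03T12:00:00,bob,crm,view,1
2013-05-03T09:00:00,carol,crm,view,1
"""


def parse_log(text):
    """Parse CSV log text into event dicts with typed ts and qty fields."""
    events = []
    for row in csv.DictReader(StringIO(text.strip())):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["qty"] = int(row["qty"])
        events.append(row)
    return events


def build_baseline(events):
    """Per-user expected behavior: resources touched, hours active, largest print job."""
    baseline = defaultdict(lambda: {"resources": set(), "hours": set(), "print_max": 0})
    for e in events:
        b = baseline[e["user"]]
        b["resources"].add(e["resource"])
        b["hours"].add(e["ts"].hour)
        if e["action"] == "print":
            b["print_max"] = max(b["print_max"], e["qty"])
    return dict(baseline)


def detect_anomalies(baseline, events):
    """Compare each observed event with its user's baseline; return (user, ts, resource, reason)."""
    findings = []
    for e in events:
        user, ts, res = e["user"], e["ts"].isoformat(), e["resource"]
        b = baseline.get(user)
        if b is None:
            findings.append((user, ts, res, "no-baseline"))   # account never seen before
            continue
        if res not in b["resources"]:
            findings.append((user, ts, res, "new-resource"))
        allowed_hours = {(h + d) % 24 for h in b["hours"]
                         for d in range(-HOUR_TOLERANCE, HOUR_TOLERANCE + 1)}
        if e["ts"].hour not in allowed_hours:
            findings.append((user, ts, res, "off-hours"))
        if e["action"] == "print" and e["qty"] > PRINT_VOLUME_FACTOR * max(b["print_max"], 1):
            findings.append((user, ts, res, "print-volume"))
    return findings


def run():
    """Build the baseline from the first window and score the second one."""
    baseline = build_baseline(parse_log(BASELINE_CSV))
    return detect_anomalies(baseline, parse_log(OBSERVED_CSV))


if __name__ == "__main__":
    for user, ts, res, reason in run():
        print(f"{ts} {user} {res}: {reason}")
```

On the constructed data the score step raises four events: alice querying a database she has never touched, at an hour she is never active; bob's 450-page print job against a baseline maximum of 15; and an account (carol) with no baseline at all, which is the masquerade case where a whitelist of known behavior has nothing to compare against. The thresholds are deliberately simple; a real deployment would learn them per user and per resource rather than fix them as constants.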
20. About Signalscape
Signalscape offers security solutions and vulnerability
analysis to the DoD, Law Enforcement, and Cyber
Communities.
Our expertise ranges from miniature single board wireless
solutions for one-time mission critical applications to fully
integrated wireless surveillance, tracking, and data transport
platforms.
Specifically, Signalscape specializes in Audio and Video
Wireless Data Detection, Collection, and Transport
including:
• Wireless Sensors (Audio and Video)
• Mobility Systems (Cellular Data Transport)
• Software Defined Radio (SDR)
Visit us at www.signalscape.com.
21. Challenges Facing DoD, LE, and Cyber Communities
Two issues facing DoD, Law Enforcement, and Cyber Communities
include:
• Detecting and analyzing audio and video streams embedded in
massive amounts of wireless network traffic (both encrypted and
unencrypted)
• Deploying Smart, Wireless, Audio and Video Sensors
Signalscape provides Wireless Video Collection and Analytics
capabilities both from a defensive and offensive point of view.
Specifically, two key wireless video topics of interest to the IC and Cyber
Community:
• Video Detection and Vulnerability Analysis
• Video Sensing
22. Video Detection and Vulnerability Analysis
• Packet payload inspection (if unencrypted)
• Detection of encrypted audio and video streams via traffic pattern
classification algorithms based on machine learning
• Network vulnerability analysis
Video Sensing
• Smart Sensing – On-board analytics and storage
• Power Management – Avoid transmission until sensor detects event
of interest
• Utilize time-shifted transmission
• Post collection egress (log in and download data at less than real-time speeds)
23. Wireless Audio/Video Security Platform (WASP)
• Wireless (900 MHz, 2.4 GHz, cellular) retrieval of HD video, HD
images and audio
• On-board ARM processor plus DSP to run application software
in parallel with video algorithms.
• CDMA/GSM Wireless Link
• 2.4GHz Wireless Link (higher data rates, third-party product
integration)
• IP Gateway Infrastructure
• DVR Capability (record, playback on-demand)
• Camera analytics (face detection, wide dynamic range
processing, motion detection)
24. WASP System Architecture
[Diagram: WASP units connect over RF to an RF-to-IP Video Gateway; the gateway reaches the Internet via Ethernet, a satellite Internet terminal or a line-of-sight (LoS) IP radio, serving a local user and remote users]
25. OnWire Capabilities
Area of Expertise
• Identity, Access, & Federation Management
• Federated Trust (SAML/XSLT/Web Services)
• 2-Factor Authentication
• PKI / Smart Cards
Professional Services
• Systems Engineering
• Development
• Integration Services
• Consulting Services
Cloud Services
• Federated SSO
• Identity and Access Management as a Service
• Consulting Services
26. Gartner’s Nexus of “Forces”
The Gartner Group has coined the phrase Nexus of Forces to
refer to four technology areas having a profound effect on IT.
The forces of the Nexus are intertwined to create a user-driven
ecosystem of modern computing.
• Information is the context for delivering enhanced social and
mobile experiences.
• Mobile devices are a platform for effective social networking
and new ways of work.
• Social links people to their work and each other in new and
unexpected ways.
• Cloud enables delivery of information and functionality to users
and systems.
User adoption of these technologies means that IT
organizations must adapt their security posture to account for
these forces.
27. Security Implications
Diagram Source: Gartner (June 2012)
Callouts Source: OnWire (April 2013)
[Diagram callouts on the four forces:]
• Data Leakage (corp data migrates to public cloud)
• Data Leakage (data cached on device)
• Unpredictable platform type (user chooses platform)
• Unpredictable app behavior (user owns the app)
• Blurring of work and private data
• Privacy Issues
• Attack Target – honeypot of data (two callouts)
• Access Control Issues
• Phishing target (large number of unsophisticated users)
28. IAM Vision & OnWire’s Expertise
Key Themes
• Standardized IAM and Compliance: Expand IAM vertically to provide identity &
access intelligence to the business; integrate horizontally to enforce user
access to data, app, and infrastructure
• Secure Cloud, Mobile, Social Collaboration: Enhance context-based access
control for cloud, mobile and SaaS access, as well as integration with
proofing, validation & authentication solutions
• IAM Governance and Insider Threat: Continue to develop Privileged Identity
Management (PIM) capabilities and enhanced Identity and Role management
29. IBM Security Products
Information
• InfoSphere Guardium (activity monitor, data encryption, vulnerability assessment)
• Key Lifecycle Manager (managing signing and encryption keys)
Mobile
• Endpoint Management (Endpoint Manager for Mobile Devices)
• IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity
Manager)
• Network Security (Mobile Connect)
Cloud
• Application Security (Rational Appscan, Policy Manager)
• Infrastructure Security (Host Protection, Virtual Server Protection, Network Intrusion
Prevention System)
• IAM (Access Manager for Cloud and Mobile, Identity Manager, Federated Identity
Manager)
Social
• QRadar Security Intelligence Platform
• Application Security (Rational Appscan, Policy Manager)
• IAM (Access Manager, Identity Manager, Federated Identity Manager)
31. About VSi
• VSi, based in Winston-Salem, NC, specializes in web-based
intelligence and analytical software applications
• VSi’s MIDaS™, (U.S. Patents Nos. 6,877,006; 7,167,864;
7,720,861; 8,082,268) is a browser-based, ad-hoc, multi-
dimensional analytical tool for users and analysts
• VSi’s patents have been licensed to IBM and Oracle
• VSi’s MIDaS™ links distributed disparate data sources to
produce user-defined analytical views
• VSi’s MIDaS™ uses a fine-grained security model that
implements multi-level security capability
• VSi’s MIDaS™ delivers its capabilities without writing any
code
32. IDENTIFICATION OF PROBLEM – NOT A NEW PROBLEM; A NEW DOMAIN
• Analysis – Multi-INT Fusion: HUMINT, COMINT, IMINT ELINT
• Perimeter Security, Sensors – Access, Authentication and
Authorization
• Pattern Analysis – Intrusion patterns
• Inference capability
• Information dissemination – Reporting
• Strategic and Tactical/Imminent threat assessment
• Collaboration – Functional Defeat Models
• Design of intrusion protection and vulnerability minimization
33. NEW TECHNOLOGY – MULTI-USE
• Re-use existing resources to develop new intelligence
• Analysis tools should be flexible to be used for multiple
purposes – Intelligence Analysis; Target Centric Analysis;
Threat Assessment
• Data source agnostic - Structured and Unstructured data
fusion
• Collaborative “System-of-Systems” model development
• Analysis should focus on the requirements of the Analyst and
Field Operator – Flexible; Near Real Time
• Comprehensive visualization – Geospatial; Network-graph;
temporal; 3D
• Multi-level security - Information dissemination; Reporting