Adam Wick
QCon SF 2016
Selling Unikernels:
The CyberChaff Story
Watch the video with slide synchronization on InfoQ.com!
https://www.infoq.com/presentations/cyberchaff
Presented at QCon San Francisco
www.qconsf.com
© 2016 Galois, Inc.
Last year, I talked on and on, and then said:
“The trick to developing unikernels is not to
build a unikernel until you absolutely have to.”
(because complexity)
This year, I am going to say:
“The trick to selling unikernels is not to
sell a unikernel until you absolutely have to.”
The QConSF Unikernel Talk Trilogy
My goal with these talks is to provide answers to the questions
you might face trying to adopt unikernels in your technology
stack.
2014: What the hell are these things?
2015: How do they affect my development cycle?
2016: How do they affect my sales?
Let’s Attack a Network
Because nothing says “fun” like teaching more people the
basics of how to cause massive economic damage across a
variety of industries.
Step #1: Deploy Cat Pictures
Step #1: Deploy Cat Cute Animal Picture
Step #2: Pivot & Attack
Let’s Subdivide
Let’s subdivide these steps even further:
Deploy cute animal pictures.
Gain a foothold on a network.
Observe and Orient: Where am I? What’s around me?
Decide: What’s my best next target?
Act: Attack that system.
So What?
What is the mean time between someone
gaining access to your network and you
detecting them?
146 days
(or about 4½ months)
So You Want To Defend A Network
You want to do this. It makes you a hero!
Defending a Network
Thus, one way to defend a network is to consider this diagram and
find ways to impair the attacker’s ability to function at each of
these steps.
Deploy cute animal pictures.
Gain a foothold on a network.
Observe and Orient: Where am I? What’s around me?
Decide: What’s my best next target?
Act: Attack that system.
Dear users: Please stop opening cat pictures…
Add more email and spam filters, attachment filters
Network and Host Hardening, Least Privilege!
Intrusion Detection
SIEM
Step #2: Pivot & Attack
Step #2 with CyberChaff
CyberChaff in a Nutshell
CyberChaff is a network defense capability that uses
many lightweight virtual machines to generate false
nodes on a network.
Key Features:
• Can emulate a wide variety of operating systems
and services.
• Add 400+ CyberChaff nodes using few resources:
an Intel NUC or a standard 1U server.
• Each Chaff node runs minimal software in its own
virtual machine, limiting the possibility of
compromise.
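The false-node idea on this slide, as an added example (not code from the talk or from CyberChaff): it estimates how likely a host-by-host search is to land on a false node, and groups connections to false nodes by source so the busiest source surfaces first. The uniform-target model, the figure of 100 real hosts, the rule that any connection to a decoy deserves an alert, the allowlist, and every address and record below are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address
from math import comb


def p_touch_decoy(real_hosts: int, decoys: int, probes: int) -> float:
    """Probability that `probes` distinct targets, drawn uniformly at random
    from real_hosts + decoys live-looking addresses, include at least one decoy."""
    total = real_hosts + decoys
    if probes < 0 or probes > total:
        raise ValueError("probes must be between 0 and the number of addresses")
    if probes > real_hosts:
        return 1.0  # not enough real hosts to fill every probe
    return 1.0 - comb(real_hosts, probes) / comb(total, probes)


def decoy_alerts(records, decoys, allowlist=()):
    """Group connections whose destination is a decoy by source address.

    records: iterable of (iso_timestamp, src_ip, dst_ip, dst_port).
    allowlist: sources expected to touch decoys (assumed: authorized scanners).
    Returns alert dicts, most distinct decoys touched first.
    """
    decoy_set = {ip_address(d) for d in decoys}
    allowed = {ip_address(a) for a in allowlist}
    hits = defaultdict(lambda: {"first_seen": None, "decoys": set(), "ports": set()})
    for ts, src, dst, dport in records:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dst_ip not in decoy_set or src_ip in allowed:
            continue
        entry = hits[src_ip]
        # Timestamps share one ISO-8601 format, so string order is time order.
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
        entry["decoys"].add(dst_ip)
        entry["ports"].add(dport)
    alerts = [
        {
            "src": str(src_ip),
            "first_seen": entry["first_seen"],
            "decoys_touched": len(entry["decoys"]),
            "ports": sorted(entry["ports"]),
        }
        for src_ip, entry in hits.items()
    ]
    alerts.sort(key=lambda a: (-a["decoys_touched"], a["first_seen"]))
    return alerts


# Constructed sample data: none of these addresses or records come from the talk.
SAMPLE_DECOYS = ["10.0.5.20", "10.0.5.21", "10.0.5.22", "10.0.5.23"]
SAMPLE_ALLOWLIST = ["10.0.5.250"]  # hypothetical authorized vulnerability scanner
SAMPLE_RECORDS = [
    ("2016-11-07T09:00:01Z", "10.0.5.101", "10.0.5.10", 443),  # real server
    ("2016-11-07T09:02:13Z", "10.0.5.250", "10.0.5.20", 22),   # allow-listed source
    ("2016-11-07T09:14:40Z", "10.0.5.117", "10.0.5.21", 445),  # decoy
    ("2016-11-07T09:14:41Z", "10.0.5.117", "10.0.5.22", 445),  # decoy
    ("2016-11-07T09:14:43Z", "10.0.5.117", "10.0.5.23", 3389), # decoy
    ("2016-11-07T09:30:00Z", "10.0.5.130", "10.0.5.20", 80),   # single stray touch
]

if __name__ == "__main__":
    # 400 decoys (the slide's figure) next to an assumed 100 real hosts.
    for probes in (1, 3, 10):
        print(probes, "probes ->", round(p_touch_decoy(100, 400, probes), 4))
    for alert in decoy_alerts(SAMPLE_RECORDS, SAMPLE_DECOYS, SAMPLE_ALLOWLIST):
        print(alert)
```
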
What The Hell, Adam?
Why have you spent all this time talking about CyberChaff? I
thought this was supposed to be about unikernels and
“Modern CS in the Real World”?
Every CyberChaff Node Is A Unikernel
Diagram layers:
• Service Implementations
• Custom, Customizable Network Stack
• Network and Console Card Driver
• HaLVM
Legend: Haskell, C
Callouts:
• 16-32MB per node
• Emulates 4000+ OSes
• All The Great Services
• Credential Trapping
• Protocol Passthrough
• No OS required
• No unused code
• No unused drivers
• No buffer overruns
• Cloud-ready
The Thing About Selling Unikernels
… is that generally speaking, you don’t need to mention the fact
that you’re selling unikernels.
© 2015 Galois, Inc.
So You Want To Build A Unikernel
There are five steps to building a Unikernel:
1. Don’t.
2. Test & Measure.
3. Do.
4. Test (Part II)
5. Deploy.
1. Don’t
Engineering Sales 101
Flowchart: Problem? → Idea Solves Problem? → $? → Installs? (each step branches yes / no)
… although the precise technology does influence these …
Selling New Technology
Idea Solves Problem?
Does your brand new technology help in solving the problem, or does it make things more difficult?
Unikernels: Provide a dramatically improved security posture by using lightweight virtual machines with a particularly difficult attack surface.
$?
Does your brand new technology cost more than existing techniques?
Unikernels: Dramatically reduced virtual machine costs through reduced memory and CPU footprints.
Installs?
Does your new technology make it easier or harder to deploy?
Unikernels: … EC2?
CyberChaff: Don’t really have much to do with this, since we’re mostly selling hardware.
OK, It’s Not All Rainbows and Dance Parties
But it never is.
Does your brand new technology cost more than existing techniques?
As it happens, unikernel developers are a little thin on the ground, so development costs can be higher.
Does your new technology make it easier or harder to deploy?
We do have some trouble with software installs that don’t involve Xen.
Selling CyberChaff
Let’s talk about the sales thing.
Selling CyberChaff, Phase 1
OMG 146 DAYS ON YOUR NETWORK!1!
Deploy cute animal pictures.
Gain a foothold on a network.
Observe and Orient: Where am I? What’s around me?
Decide: What’s my best next target?
Act: Attack that system.
CyberChaff™
Selling CyberChaff, Phase 1 Results
1. “That’s great! I’m in! Here’s my credit card!”
   → This never happens.
2. “Thank you for coming by.”
   → “I will never get this hour back, you jerks.”
3. “That’s really interesting. Do you have a white paper or technical document describing this further that you could email to me?”
   → “ … so my insane workload can deal with you.”
4. “Interesting. I have some questions …”
Their Questions
Are not about us, and in general not really about CyberChaff (in
some sense), but rather about how CyberChaff can work in their
environment:
• Can it emulate <our operating system of choice>? Yes.
• How about our <services of choice>? Yes.
• How do you deploy CyberChaff? Well, we have ...
• What logging systems do you support? Most.
• How does this compare to a Honey Pot? Smaller and …
• Isn’t that a lot of IP addresses? Yes.
• Doesn’t that just add a huge attack surface to my network? Unikernels inside!
Unikernels: I’M SO GLAD YOU ASKED
Let’s just remind ourselves about what a unikernel is.
Unikernels are specialised, single address space machine images
constructed using library operating systems.
- Wikipedia
or
Unikernels : Virtual Machines :: Exokernels : Physical Machines
or
Unikernels are single-process programs compiled to run directly on
(usually virtual) hardware, rather than within a full-featured OS.
Lower operating costs
Faster response to events
Smaller attack surface
Which means!
Every CyberChaff node is in its own virtual machine.
It is running Haskell from the ground (driver level) up.
In fact, only the bits of Haskell you need to run that CyberChaff
node.
So good luck to your attackers.
Their Questions
Are not about us, and in general not really about CyberChaff (in
some sense), but rather about how CyberChaff can work in their
environment:
• Can it emulate <our operating system of choice>? Yes.
• How about our <services of choice>? Yes.
• How do you deploy CyberChaff? Well, we have ...
• What logging systems do you support? Most.
• How does this compare to a Honey Pot? Smaller and …
• Isn’t that a lot of IP addresses? Yes.
• Doesn’t that just add a huge attack surface to my network? No.
That’s Pretty Much It, Unikernel-wise
Honestly, no one really cares all that much.
The Down Sides
As it turns out, unikernels are not the magic pill that will make all
your problems go away and cause your customers and funders to
fawn all over you.
It rarely adds some complication to your explanations … and
complication is not great.
It does cause some potentially-strange shifts in your roadmap that
can be surprising to some customers.
Staffing, particularly for “senior” staff, is a challenge.
Let’s Wrap Up
Unikernels
(awesome)
CyberChaff
(also awesome)
And you’ve made how much … ?
I can’t tell you. But I will say:
• CyberChaff is installed all around the world.
• Some of those folks pay us.
• They include:
  - Reed College
  - A Fortune 50 electronics company
  - A couple Defense Department contractors
• It has been shown to be effective
• We also have some resellers working their own deals
New Technology
New technology can be a lot of fun. It can:
• Enable some really cool capabilities
• Simplify your development process
• Provide you with differentiation from your competitors
But it can also be scary:
• How is it going to affect sales?
When you go for it, go for it, and remember:
• Stifle your urge to gush about the tech
• Focus on how you solve the problem
• Accentuate the positive
All trademarks, service marks, trade names, trade dress, product names and
logos appearing in these slides are the property of their respective owners,
including in some instances Galois, Inc.
All rights are reserved.
http://cyberchaff.com
http://unikernel.org
http://halvm.org
Adam Wick
awick@galois.com
Twitter: @acwpdx
Any questions?
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
cyberchaff

Contenu connexe

Plus de C4Media

Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechC4Media
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/awaitC4Media
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaC4Media
 

Plus de C4Media (20)

Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No Keeper
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like Owners
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate Guide
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in Adtech
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/await
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven Utopia
 

Dernier

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Selling Unikernels: The CyberChaff Experience

  • 1. Adam Wick QCon SF 2016 Selling Unikernels: The CyberChaff Story
  • 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ cyberchaff
  • 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
  • 4. © 2016 Galois, Inc.© 2016 Galois, Inc. Last year, I talked on and on, and then said: “The trick to developing unikernels is not to build a unikernel until you absolutely have to.” (because complexity) This ^ am going to say selling sell
  • 5. © 2016 Galois, Inc.© 2016 Galois, Inc. The QConSF Unikernel Talk Trilogy My goal with these talks is to provide answers to the questions you might face trying to adopt unikernels in your technology stack. 2014: What the hell are these things? 2015: How do they affect my development cycle? 2016: How do they affect my sales?
  • 6. Let’s Attack a Network Because nothing says “fun” like teaching more people the basics of how to cause massive economic damage across a variety of industries.
  • 7. © 2016 Galois, Inc.© 2016 Galois, Inc. Step #1: Deploy Cat Pictures
  • 8. © 2016 Galois, Inc.© 2016 Galois, Inc. Step #1: Deploy Cat Cute Animal Picture
  • 9. © 2016 Galois, Inc.© 2016 Galois, Inc. Step #2: Pivot & Attack
  • 10. © 2016 Galois, Inc.© 2016 Galois, Inc. Let’s Subdivide Let’s subdivide these steps even further: Deploy cute animal pictures. Gain a foothold on a network. Observe and Orient: Where am I? What’s around me? Decide: What’s my best next target? Act: Attack that system.
  • 11. © 2016 Galois, Inc.© 2016 Galois, Inc. So What? What is the mean time between someone gaining access to your network and you detecting them? 146 days (or about 4½ months)
  • 12. © 2016 Galois, Inc.© 2016 Galois, Inc.
  • 13. So You Want To Defend A Network You want to do this. It makes you a hero!
  • 14. © 2016 Galois, Inc.© 2016 Galois, Inc. Defending a Network Thus, one way to defend a network is to consider this diagram and find ways to impair the attacker’s ability to function at each of these steps. Deploy cute animal pictures. Gain a foothold on a network. Observe and Orient: Where am I? What’s around me? Decide: What’s my best next target? Act: Attack that system. Dear users: Please stop opening cat pictures… Add more email and spam filters, attachment filters Network and Host Hardening, Least Privilege! Intrusion Detection SIEM
  • 15. © 2016 Galois, Inc.© 2016 Galois, Inc. Step #2: Pivot & Attack
  • 16. © 2016 Galois, Inc.© 2016 Galois, Inc. Step #2 with CyberChaff
  • 17. © 2016 Galois, Inc.© 2016 Galois, Inc. CyberChaff in a Nut Shell CyberChaff is a network defense capability that uses many lightweight virtual machines to generate false nodes on a network. Key Features: • Can emulate a wide variety of operating systems and services. • Add 400+ CyberChaff nodes using few resources: an Intel NUC or a standard 1U server. • Each Chaff node runs minimal software in its own virtual machine, limiting the possibility of compromise.
  • 18. What The Hell, Adam? Why have you spent all this time talking about CyberChaff? I thought this was supposed to be about unikernels and “Modern CS in the Real World”?
  • 19. © 2016 Galois, Inc.© 2016 Galois, Inc. Every CyberChaff Node Is A Unikernel Service Implementations Custom, Customizable Network Stack Network and Console Card Driver HaLVM 16-32MB per node Emulates 4000+ OSes All The Great Services Credential Trapping Protocol Passthrough No OS required No unused code No unused drivers No buffer overruns Cloud-ready  Haskell  C
  • 20. The Thing About Selling Unikernels … is that generally speaking, you don’t need to mention the fact that you’re selling unikernels.
      Inset slide (© 2015 Galois, Inc.): So You Want To Build A Unikernel There are five steps to building a Unikernel: 1. Don’t. 2. Test & Measure. 3. Do. 4. Test (Part II) 5. Deploy.
      1. Don’t
  • 21. Engineering Sales 101
      Flowchart of yes/no decisions: Problem? / Idea Solves Problem? / $? / Installs?
      … although the precise technology does influence these …
  • 22. Selling New Technology
      Flowchart: Idea Solves Problem? / $? / Installs?
      • Does your brand new technology help in solving the problem, or does it make things more difficult?
      • Does your brand new technology cost more than existing techniques?
      • Does your new technology make it easier or harder to deploy?
      • Unikernels: Provide a dramatically improved security posture by using lightweight virtual machines with a particularly difficult attack surface.
      • Unikernels: Dramatically reduced virtual machine costs through reduced memory and CPU footprints.
      • Unikernels: … EC2?
      • CyberChaff: Don’t really have much to do with this, since we’re mostly selling hardware.
  • 23. OK, It’s Not All Rainbows and Dance Parties But it never is. Does your brand new technology cost more than existing techniques? Does your new technology make it easier or harder to deploy? As it happens, unikernel developers are a little thin on the ground, so development costs can be higher. We do have some trouble with software installs that don’t involve Xen.
  • 24. Selling CyberChaff Let’s talk about the sales thing.
  • 25. Selling CyberChaff, Phase 1 OMG 146 DAYS ON YOUR NETWORK!1!
      • Deploy cute animal pictures.
      • Gain a foothold on a network.
      • Observe and Orient: Where am I? What’s around me?
      • Decide: What’s my best next target?
      • Act: Attack that system.
      CyberChaff™
  • 26. Selling CyberChaff, Phase 1 Results
      1. “That’s great! I’m in! Here’s my credit card!” This never happens.
      2. “Thank you for coming by.” “I will never get this hour back, you jerks.”
      3. “That’s really interesting. Do you have a white paper or technical document describing this further that you could email to me?” “… so my insane workload can deal with you.”
      4. “Interesting. I have some questions …”
  • 27. Their Questions Are not about us, and in general not really about CyberChaff (in some sense), but rather about how CyberChaff can work in their environment:
      • Can it emulate <our operating system of choice>? Yes.
      • How about our <services of choice>? Yes.
      • How do you deploy CyberChaff? Well, we have ...
      • What logging systems do you support? Most.
      • How does this compare to a Honey Pot? Smaller and …
      • Isn’t that a lot of IP addresses? Yes.
      • Doesn’t that just add a huge attack surface to my network? Unikernels inside!
  • 28. Unikernels: I’M SO GLAD YOU ASKED Let’s just remind ourselves about what a unikernel is.
  • 29. Unikernels are specialised, single address space machine images constructed using library operating systems. - Wikipedia
      or
      Unikernels : Virtual Machines :: Exokernels : Physical Machines
      or
      Unikernels are single-process programs compiled to run directly on (usually virtual) hardware, rather than within a full-featured OS.
  • 31. Lower operating costs; Faster response to events; Smaller attack surface
  • 32. Which means! Every CyberChaff node is in its own virtual machine. It is running Haskell from the ground (driver level) up. In fact, only the bits of Haskell you need to run that CyberChaff node. So good luck to your attackers.
  • 33. Their Questions Are not about us, and in general not really about CyberChaff (in some sense), but rather about how CyberChaff can work in their environment:
      • Can it emulate <our operating system of choice>? Yes.
      • How about our <services of choice>? Yes.
      • How do you deploy CyberChaff? Well, we have ...
      • What logging systems do you support? Most.
      • How does this compare to a Honey Pot? Smaller and …
      • Isn’t that a lot of IP addresses? Yes.
      • Doesn’t that just add a huge attack surface to my network? No.
  • 34. That’s Pretty Much It, Unikernel-wise Honestly, no one really cares all that much.
  • 35. The Down Sides As it turns out, unikernels are not the magic pill that will make all your problems go away and cause your customers and funders to fawn all over you. It rarely adds some complication to your explanations … and complication is not great. It does cause some potentially-strange shifts in your roadmap that can be surprising to some customers. Staffing, particularly for “senior” staff, is a challenge.
  • 37. Unikernels (awesome)
  • 38. CyberChaff (also awesome)
  • 39. And you’ve made how much … ? I can’t tell you. But I will say:
      • CyberChaff is installed all around the world.
      • Some of those folks pay us.
      • They include:
          • Reed College
          • A Fortune 50 electronics company
          • A couple Defense Department contractors
      • It has been shown to be effective
      • We also have some resellers working their own deals
  • 40. New Technology New technology can be a lot of fun. It can:
      • Enable some really cool capabilities
      • Simplify your development process
      • Provide you with differentiation from your competitors
      But it can also be scary:
      • How is it going to affect sales?
      When you go for it, go for it, and remember:
      • Stifle your urge to gush about the tech
      • Focus on how you solve the problem
      • Accentuate the positive
  • 41. © 2016 Galois, Inc. All trademarks, service marks, trade names, trade dress, product names and logos appearing in these slides are the property of their respective owners, including in some instances Galois, Inc. All rights are reserved.
      http://cyberchaff.com
      http://unikernel.org
      http://halvm.org
      Adam Wick awick@galois.com Twitter: @acwpdx
      Any questions?