Exhibitor session 2b. Chair: Ewan Quibell
Khipu
Vulnerability Management in your Security Architecture
Dirk Schrader
Content & About
» Experiences with vulnerability management as part of an overall security architecture
» Integrating vulnerability management into your security architecture and into your workflows
» What are some of the best practices for this? What are the advantages, what are possible caveats?
» Dirk Schrader, CISSP, CISM
» Khipu and Greenbone provide the technology behind the Jisc Vulnerability assessment and information service
www.jisc.ac.uk/vulnerability-assessment-and-information-service www.khipu-networks.com www.greenbone.net
Vulnerability Management is required
» the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
» a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
ISO 27001 control A.12.6.1 asks for the timely identification of vulnerabilities and the assessment of the organization's exposure to a vulnerability. ISO 27002 lists actions like:
» Make an asset inventory
» Deal with vulnerabilities through defined procedures
Vulnerability Management Process (a cycle)
prepare → identify → classify → prioritize → assign → mitigate & remediate → store & repeat → improve
VM in a Security Architecture
'prepare' <-> Policies
» Install policies and standards that enforce Vulnerability Management
» Make sure that responsibilities & actions are defined
  › asset owner
  › service owner
  › system owner
  › ownership ≠ responsibility…?
» Define secure configurations, whitelist systems and applications
» Map to security controls, relate controls to responsibilities
» Start simple, enhance stepwise
'identify, classify, prioritize' <-> Workflows & Tools
» Import and/or discover assets
» Scan assets, and scan them authenticated
» Use CVSS, CVE, CPE
» Enhance with additional SecInfo
» Tag with asset criticality information
» Use score, Quality of Detection, and available solution type
» Use asset information
» Attack status confirms
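As an added illustration of the prioritize step (this is not Khipu's or Greenbone's code), the following Python turns the inputs named above (CVSS score, the scanner's Quality of Detection as a percentage, the reported solution type, and an asset criticality tag from the inventory) into an ordered work queue. The weights, the 70 % QoD floor, the tag values and the sample findings are all assumptions made for the example; the CVE ids are placeholders.

```python
"""Turning scanner output into an ordered work queue (added example).

Inputs are the ones named on the slide: CVSS base score, the scanner's
Quality of Detection (QoD, in percent), the solution type it reports, and an
asset criticality tag from the inventory. The weights and the 70 % QoD floor
are this example's assumptions, not Greenbone's or Khipu's scheme.
"""
from dataclasses import dataclass

# Solution types as a scanner reports them. Ranking is an assumption: a vendor
# fix is the cheapest to act on, so it moves the finding up the queue.
SOLUTION_WEIGHT = {"VendorFix": 1.0, "Mitigation": 0.9, "Workaround": 0.8,
                   "NoneAvailable": 0.7, "WillNotFix": 0.6}
# Asset criticality tags from the asset inventory (assumed tag values);
# an untagged asset is treated as medium.
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.6}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float           # CVSS base score, 0-10
    qod: int              # Quality of Detection, 0-100 %
    solution_type: str
    criticality: str      # asset criticality tag from the inventory


def priority(f: Finding, min_qod: int = 70) -> float:
    """Risk-ranking score; 0.0 when the detection is too uncertain to act on."""
    if f.qod < min_qod:
        return 0.0
    score = (f.cvss * (f.qod / 100)
             * CRITICALITY_WEIGHT.get(f.criticality, 1.0)
             * SOLUTION_WEIGHT.get(f.solution_type, 0.7))
    return round(score, 2)


def triage(findings, min_qod: int = 70):
    """Split findings into an ordered action queue and a 'verify first' list.

    Low-QoD findings are not dropped: they go to the verify list so someone
    confirms them (e.g. with an authenticated scan) before an owner is assigned.
    """
    actionable = [f for f in findings if f.qod >= min_qod]
    actionable.sort(key=lambda f: priority(f, min_qod), reverse=True)
    verify = [f for f in findings if f.qod < min_qod]
    return actionable, verify


# Constructed sample findings. CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("fileserver01", "CVE-0000-0001", 9.8, 97, "VendorFix", "high"),
    Finding("kiosk07",      "CVE-0000-0002", 9.8, 97, "VendorFix", "low"),
    Finding("hr-db01",      "CVE-0000-0003", 7.5, 80, "Workaround", "high"),
    Finding("printer03",    "CVE-0000-0004", 10.0, 30, "VendorFix", "medium"),
]

if __name__ == "__main__":
    queue, verify = triage(SAMPLE)
    for f in queue:
        print(f"{priority(f):6.2f}  {f.host:<14} {f.cve}  {f.solution_type}")
    print("verify first:", [f.host for f in verify])
```

The point of the example is the ordering: two findings with the same CVSS 9.8 land far apart once asset criticality is applied, and the CVSS 10.0 finding with a 30 % QoD is routed to verification rather than silently ranked first.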
'identify, classify, prioritize' <-> Workflows & Tools: NAC (simplified)
'identify, classify, prioritize' <-> Workflows & Tools: CMDB
'identify, classify, prioritize' <-> Workflows & Tools: Threat Intel / SIEM
'assign, mitigate & remediate' <-> Workflows & Tools
» Use reports and alerts, based on knowledge, experience, and role
» Track and trace assignment
» Patch and/or upgrade
» Block and/or isolate
» Work around
» Override is also a temporary option
'assign, mitigate & remediate' <-> Workflows & Tools: Ticket System
'assign, mitigate & remediate' <-> Workflows & Tools: Update / Patch Management
'store & repeat' <-> Workflows & Tools
» predict and trend assets
» handle changes in infrastructure
» time-stamped data supports Forensics
» average of 40 high severity flaws published per week
› 2017: 1,007 high severity flaws so far in 15 weeks
'store & repeat' <-> Workflows & Tools: Forensics
'store & repeat' <-> Workflows & Tools: half-life of facts
'improve' <-> Workflows & Tools
» Eases implementation of Updates and Changes to Policies, Guidelines, Compliance
» Meaningful KPIs for IT security are documented
03/05/2023
Thank you! Any questions?
Aruba, HPE
ON THE AIRWAVES – TRENDS IN WI-FI AND WIRELESS
Peter Thornycroft
April 2017
Agenda
• 802.11ax high efficiency WLANs
• Machine Learning applied to WLANs
• Evolving architecture for the enterprise WLAN
802.11AX HIGH EFFICIENCY WLANS
802.11ax: Issues Facing Wi-Fi Networks
• Many short data frames, many users
• Overlapping BSS’s in dense deployments block each other from transmitting
• Improving performance in outdoor hotspots
[Figure: map of overlapping same-channel BSSs; caption: >80% of frames under 256B]
802.11ax: Goals
• Enhance operation in 2.4 & 5 GHz bands (11ac was only 5 GHz)
• Increase average throughput per station by at least 4x in dense deployments
• Improvements both indoor and outdoor
• Scenarios include wireless corporate office, outdoor hotspot, dense residential apartments and stadiums
• Maintain or improve power efficiency of the stations
802.11ax: Timeline (guess products late 2018 / early 2019)
• IEEE 802.11ax: TG kick off May '14; D0.1 Jan '16; D1.0 Dec '16; D2.0 May '17 (predicted); Sponsor Ballot Mar '18 (predicted); Final Approval Dec '18 (predicted)
• WFA AX: SIG kick off Feb '14; MTG kick off Apr '16; Cert Launch Dec '18 (predicted)
• IEEE 802.11ac, for comparison (about 60 months from kick off to publication): TG kick off Nov '08; D0.1 Jan '11; D1.0 Jun '11; D2.0 Feb '12; D3.0 Jun '12; Sponsor Ballot May '13; Final Approval Oct '13; Publish Dec '13
• WFA AC: SIG kick off Aug '09; MTG kick off Jun '10; TTG kick off Aug '11; Plugfest #1 Aug '12; PF #5 Jan '13; Launch Jun '13
802.11ax: features
• Outdoor / longer range: extended range packet structure; enhanced delay spread protection with a long guard interval (0.8 µs in 11ac; 1.6 µs and 3.2 µs in 11ax); long OFDM symbol (up to 20% increase in data rate)
• Power saving: scheduled sleep and wake times (TWT element: Implicit TWT, Next TWT, TWT Wake Interval; trigger frames (TF) scheduled between beacons); 20 MHz-only clients
• High density: OFDMA; spatial reuse; DL/UL MU-MIMO with 8 clients; 8x8 AP
• Spectral efficiency & area throughput: 1024 QAM (25% increase in data rate); 80 MHz capable vs 20 MHz-only clients; 2x increase in throughput (ac vs ax)
Extended range packet structure: L-STF (8 µs), L-LTF (8 µs), L-SIG (4 µs), RL-SIG (4 µs), HE-SIG-A (16 µs), HE-STF (4 µs), HE-LTF (variable duration per HE-LTF symbol), HE-LTF ..., Data..., PE
802.11ax: OFDMA
802.11ax: MU-MIMO, UL MU transmissions
• New Trigger control frame
• UL MU transmission may be OFDMA or MU-MIMO
• Trigger frame can be used as a Beamforming Report Poll, MU-BAR, MU-RTS, Buffer Status Report Poll, Bandwidth Query Report Poll…
[Figure: the AP sends a Trigger frame; STA1–STA4 reply simultaneously with UL MU PPDUs separated in the frequency/spatial domain; the AP sends an Acknowledge frame]
802.11ax: BSS colouring
• To increase capacity in dense environments, we need to increase frequency reuse between BSSs
• BSS Colouring was a mechanism introduced in 802.11ah to assign a different "colour" per BSS, which will be extended to 11ax
• New channel access behavior will be assigned based on the colour detected
[Figure: three channel-reuse maps – "Increased Frequency Reuse (w/ 80 MHz channels) - All same-channel BSS blocking", "Low Frequency Reuse (w/ 20 MHz channels)", and "Same-channel BSS only blocked on Colour Match"]
802.11ax: outdoor and longer-range features
• One of the goals of 802.11ax is improved performance outdoors
  - Longer delay spreads than the 11a/n/ac guard interval of 0.8 usec. 802.11ax modifies the guard interval options to 0.8, 1.6, and 3.2 usec
  - Possible multipath bounces off high speed vehicles. A Doppler bit indicates Doppler mode of transmission
• To expand the coverage and robustness of an outdoor hotspot
  - New extended range packet format with more robust preamble
  - Dual Carrier Modulation (DCM) – replicate the same information on different subcarriers for diversity gain and narrow band interference protection, ~3.5 dB gain
  - Narrower transmission bandwidth for Data field – 106 tones (~8 MHz) can be used to reduce noise bandwidth
HE extended range SU PPDU format: L-STF (8 µs), L-LTF (8 µs), L-SIG (4 µs), RL-SIG (4 µs), HE-SIG-A (16 µs), HE-STF (4 µs), HE-LTF (variable duration per HE-LTF symbol), HE-LTF ..., Data..., PE
802.11ax: new PHY data rates
| | 11ax data rate (Mbps) | 11ax mode | gain | 11ac data rate (Mbps) | 11ac mode |
| Min | 0.375 | 1SS, MCS0, DCM, 26-tone | | 6.5 | 1SS, MCS0, 20 MHz |
| Max, 20 MHz | 143.4*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 65% | 86.7*NSS | 256-QAM, r=3/4 (256-QAM, r=5/6 only valid for NSS=3,6), 3.6 usec symbol |
| Max, 40 MHz | 286.8*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 43% | 200*NSS | 256-QAM, r=5/6, 3.6 usec symbol |
| Max, 80 MHz | 600.4*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 39% | 433.3*NSS | 256-QAM, r=5/6, 3.6 usec symbol |
| Max, 160 MHz | 600.4*2*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 39% | 433.3*2*NSS | 256-QAM, r=5/6, 3.6 usec symbol |
NSS = 1…8 for both 11ac and 11ax
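To show where the rates in the table come from, here is an added worked calculation (not from the presentation): rate = data subcarriers × bits per subcarrier × coding rate × NSS ÷ symbol duration, with DCM halving the payload. The data-subcarrier counts per channel width and the symbol durations are standard values assumed by the example; the slide only prints the resulting rates.

```python
"""Where the 11ax vs 11ac rate table comes from (added example).

PHY rate = data subcarriers x bits per subcarrier x coding rate x NSS
           / OFDM symbol duration (including guard interval)
DCM halves the bits per symbol (the same data goes on two subcarriers).
Subcarrier counts and symbol durations are standard values assumed here;
they are not printed on the slide.
"""

# Data (non-pilot) subcarriers per channel width.
DATA_SUBCARRIERS = {
    "11ac": {20: 52, 40: 108, 80: 234, 160: 468},
    "11ax": {20: 234, 40: 468, 80: 980, 160: 1960},
}
# Symbol duration in microseconds: 11ac 3.2 us + 0.4 us short GI;
# 11ax 12.8 us (4x longer symbol) + 0.8 us GI.
SYMBOL_US = {"11ac": 3.6, "11ax": 13.6}
BITS_PER_SUBCARRIER = {"BPSK": 1, "256-QAM": 8, "1024-QAM": 10}


def phy_rate_mbps(data_sc, modulation, coding_rate, symbol_us, nss=1, dcm=False):
    """Rate in Mbps (bits per microsecond) for one PPDU configuration."""
    bits_per_symbol = data_sc * BITS_PER_SUBCARRIER[modulation] * coding_rate * nss
    if dcm:
        bits_per_symbol /= 2
    return bits_per_symbol / symbol_us


def max_rate(std, bw_mhz, nss=1):
    """Top rate per the slide's table: 1024-QAM r=5/6 for 11ax and 256-QAM
    r=5/6 for 11ac, except 11ac at 20 MHz where r=5/6 is only valid for
    NSS=3,6, so r=3/4 is the general maximum."""
    if std == "11ax":
        mod, r = "1024-QAM", 5 / 6
    else:
        mod, r = "256-QAM", (3 / 4 if bw_mhz == 20 else 5 / 6)
    return phy_rate_mbps(DATA_SUBCARRIERS[std][bw_mhz], mod, r, SYMBOL_US[std], nss)


def min_rate_11ax():
    """1SS, MCS0 (BPSK r=1/2) with DCM on a 26-tone RU (24 data subcarriers),
    with the 3.2 us GI so one symbol lasts 16 us."""
    return phy_rate_mbps(24, "BPSK", 1 / 2, 12.8 + 3.2, dcm=True)


def gain_pct(bw_mhz):
    """Percentage gain of 11ax over 11ac at the same width (NSS cancels out)."""
    return round((max_rate("11ax", bw_mhz) / max_rate("11ac", bw_mhz) - 1) * 100)


if __name__ == "__main__":
    print(f"11ax min: {min_rate_11ax():.3f} Mbps")
    for bw in (20, 40, 80, 160):
        print(f"{bw:>3} MHz  11ax {max_rate('11ax', bw):7.1f}  "
              f"11ac {max_rate('11ac', bw):7.1f}  gain {gain_pct(bw)}%")
```

The 65/43/39 % gains fall out of two factors: 1024-QAM carries 10 bits per subcarrier instead of 8 (+25 %), and the 4x longer symbol with the same 0.8 µs guard interval wastes proportionally less time on the guard (the "up to 20 %" on the features slide). The 20 MHz gain is larger only because the 11ac comparison point is r=3/4 rather than r=5/6.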
802.11ax: Target Wake Time for power save
• Target Wake Time (TWT) is a power saving mechanism in 802.11ah which allows the STA to sleep for periods of time, and wake up at pre-scheduled times to exchange information with its AP
[Figure: power consumption profiles reproduced from IEEE doc. 802.11-12/0823r0, "Power Consumption Profiles", Matthew Fischer et al., July 2012, slide 14. Three timelines are compared: baseline PS-POLL, beacon-based access, and TWT-based access, each showing wake/sleep periods, lookup and access delays, slot delay, and UL/DL BA exchanges. SM: Sleep Mode, LM: Listen Mode, RM: Receive Mode, TM: Transmit Mode]
802.11ax: 20 MHz-only clients
• Provide support for low power, low complexity devices (IoT): wearable devices, sensors and automation, medical equipment, etc.
ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING IN ENTERPRISE NETWORKS
Artificial Intelligence and Machine Learning
• Drawing inferences from large amounts of data
  − First obtain a large amount of training data (labelled for supervised learning)
  − Then train the ML model to get the 'right' result from the training data
  − Now let the model loose on new data
• Can be applied to different problems
  − Network Management
  − Misbehaving devices or users
  − Device discovery & classification (e.g. IoT)
• Can close the loop with suggested changes or automated actions
Architecture for Machine Learning
• Network data sources: span ports, firewalls, WLAN, network management, authentication, DHCP, …
• On-premise data collector: sends the data to the cloud
• In the cloud: identify anomalies → cluster anomalies → root cause & fixes
• Outputs: alerts, actions
Network management: Benefits
Better network operations: real-time insights with root cause analysis and remedy recommendation
– "A large fraction of Lync calls fail in building A, because of non-WiFi interference"
– "On July 7th, 38 users in building B suffered slow Wi-Fi speed due to suboptimal channel allocation"
– "45 users failed to connect to Wi-Fi, because of Radius server overload"
Better network planning: macro insights with long-term recommendations
– "Compared to similar buildings, users in building A achieve 20% lower data rate"
– "In building B, peak hour traffic grows by 2.3% month-to-month. This will become a network bottleneck in 14 months"
Network Management: Environment type detection
[Figure: clusters plotted by user density against connection life time]
• Cluster 1: low user density, high connection life time. Example: office space
• Cluster 2: high user density, high connection life time. Example: lecture hall
• Cluster 3: high user density, low connection life time. Example: cafeteria area
Automatic granularity: subdivide buildings based on Wi-Fi characteristics
− Example: library entrance area vs. library archive stacks
Network management: Data-driven anomaly detection
• Detect anomalous values of network metrics, while accounting for the circumstances
  − AP experiences high air utilization (uplink + downlink + ambient), given time of day and band
  − Client station has uplink/downlink rate imbalance, given its device type and band
  − Client station is using low downlink rate, given its RSSI, band and device type
  − No manual thresholds are needed; separate models for each environment type maintain a low false alarm rate
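As an added example of "anomalous given the circumstances" (my own code, not Aruba's product), the following Python builds a separate baseline of AP air utilization per environment type, band and time-of-day bucket, so the same reading is flagged in one kind of space and accepted in another. The training samples, the environment names and the 2-sigma rule are all constructed for the example.

```python
"""Context-aware anomaly detection for a WLAN metric (added example).

Each (environment type, band, time-of-day bucket) gets its own baseline of
AP air utilisation, so no manual threshold is needed: a value is anomalous
only relative to what is normal for that kind of space at that time of day.
The samples below are constructed, not measurements from a real network.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training samples: (environment, band, hour of day, air util %).
TRAINING = [
    ("office", "5GHz", h, u)
    for h, u in [(9, 18), (9, 20), (9, 22), (9, 21), (9, 19),
                 (13, 30), (13, 33), (13, 28), (13, 31), (13, 34)]
] + [
    ("lecture_hall", "5GHz", h, u)
    for h, u in [(9, 55), (9, 62), (9, 70), (9, 58), (9, 65),
                 (13, 40), (13, 45), (13, 48), (13, 42), (13, 50)]
]


def hour_bucket(hour):
    """Coarse time-of-day bucket so that sparse data still yields a baseline."""
    if 6 <= hour < 12:
        return "morning"
    return "afternoon" if 12 <= hour < 18 else "night"


def build_baselines(samples):
    """Return {(env, band, bucket): (mean, stdev)} from training samples."""
    groups = defaultdict(list)
    for env, band, hour, util in samples:
        groups[(env, band, hour_bucket(hour))].append(util)
    return {key: (mean(vals), pstdev(vals)) for key, vals in groups.items()}


def score(baselines, env, band, hour, util, min_sigma=2.0):
    """Return (z_score, is_anomalous).

    An unknown context returns (None, False): with no baseline we would
    rather miss a reading than raise an alarm we cannot explain.
    """
    key = (env, band, hour_bucket(hour))
    if key not in baselines:
        return None, False
    mu, sigma = baselines[key]
    sigma = max(sigma, 1.0)   # floor so a very tight group cannot flag everything
    z = (util - mu) / sigma
    return round(z, 2), abs(z) >= min_sigma


if __name__ == "__main__":
    baselines = build_baselines(TRAINING)
    for env in ("office", "lecture_hall", "cafeteria"):
        print(env, "09:00 util 60% ->", score(baselines, env, "5GHz", 9, 60))
```

Run it and the 60 % reading at 09:00 is far outside the office morning baseline (mean 20 %), well inside the lecture-hall one (mean 62 %), and unscored for the cafeteria, which has no training data. Real deployments would learn the environment type from clustering as on the previous slide and use many more samples; the structure of the check is the same.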
Network management: Clustering of issues
[Figure: issue clusters in a feature space with dimensions d1, d2, …, dn]
• Cluster 1: device type: iPhones; ssid: UW; issues: roam-802.11-assoc
• Cluster 2: device type: iPhone & Android; ssid: UW; controller: 8901; location: KNE.5
• Cluster 3: device type: iPad; sta_mac: a888088f4b0c; ssid: CSE-Local; location: CSE basement; bssid: 04bd88337850; ch: 40; controller: 113; issues: roam-802.11-assoc
Security: Automated detection of insider-threats
Attacks and risky behaviors on the inside:
• Compromised users & hosts
• Negligent employees
• Malicious insiders
Security: behavioural analytics approach
Behavioral Analytics: unsupervised + semi-supervised machine learning, with historical + peer group baselines
Data sources:
• Internal resource access: finance servers
• Authentication: AD logins
• Remote access: VPN logins
• External activity: C&C, personal email
• SaaS activity: Office 365, Box
• Cloud IaaS: AWS, Azure
• Physical access: badge logs
• Exfiltration: DLP, email
Security: finding the malicious in the anomalous
Behavioral Analytics: supervised machine learning
Third party alerts: DLP, sandbox, firewalls, STIX, rules, etc.
IoT: Security Starts with Identifying Devices
1. Seeing totals and mix of devices helps understand risk. CCTV cameras from XiongMai Technologies can be an issue.
2. Visibility needed to make accurate planning decisions - bandwidth usage, firewall rules, etc.
3. Having information useful during internal and external audits.
IoT: Comprehensive Profiler Methods
• DHCP Fingerprinting (support for IP-Helper and use of SPAN/RSPAN mirroring)
• SNMP/Network Discovery (MIB reads to identify static IP addressed devices)
• WMI (useful for Windows)
• SSH (useful for Linux)
• CDP, LLDP (useful in Cisco networks)
• HTTP User-Agent (useful for Apple)
• MAC OUI (useful for Android)
• ARP Reads, Subnet Scans
• Active Sync Plugin
• Nmap Port scans
• TCP
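The following Python is an added example (not Aruba's profiler) of how three of the passive methods above combine: the DHCP option 55 parameter request list, the MAC OUI and the HTTP User-Agent each vote for a device class, the profiler keeps the best-supported class and reports how many signals agree, and an inventory count gives the "totals and mix of devices" view from the previous slide. The fingerprint table, OUI table and observed devices are constructed for illustration and are not taken from any real fingerprint database.

```python
"""Combining device-profiling signals into one classification (added example).

Each signal (DHCP option 55 parameter request list, MAC OUI, HTTP User-Agent)
is a weak hint on its own; the profiler keeps the best-supported class and
reports how many independent signals agree, so a conflict is visible rather
than silently resolved. All tables and observations below are constructed.
"""
from collections import Counter

# Constructed: DHCP option 55 parameter request list -> device class.
DHCP55_FINGERPRINTS = {
    "1,3,6,15,119,252": "apple",
    "1,3,6,15,26,28,51,58,59,43": "android",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "windows",
    "1,3,6,12,15,28,42": "ip-camera",
}
# Constructed: first three octets of the MAC (OUI) -> device class.
OUI_TABLE = {"aa:bb:01": "apple", "aa:bb:02": "android", "aa:bb:03": "ip-camera"}
# Substrings of an HTTP User-Agent that hint at a class (constructed, order matters).
USER_AGENT_HINTS = [("iPhone", "apple"), ("iPad", "apple"),
                    ("Android", "android"), ("Windows NT", "windows")]


def classify(dhcp55=None, mac=None, user_agent=None):
    """Return (device_class, agreeing_signals, total_signals).

    total_signals > agreeing_signals means the signals disagreed, which is
    worth a closer look (spoofed MAC, NAT box, or a gap in the tables).
    """
    votes = Counter()
    if dhcp55 and dhcp55 in DHCP55_FINGERPRINTS:
        votes[DHCP55_FINGERPRINTS[dhcp55]] += 1
    if mac:
        oui = mac.lower()[:8]
        if oui in OUI_TABLE:
            votes[OUI_TABLE[oui]] += 1
    if user_agent:
        for needle, cls in USER_AGENT_HINTS:
            if needle in user_agent:
                votes[cls] += 1
                break
    if not votes:
        return "unknown", 0, 0
    cls, agreeing = votes.most_common(1)[0]
    return cls, agreeing, sum(votes.values())


def inventory(observations):
    """Count devices per class: the 'totals and mix' view for risk and planning."""
    return Counter(classify(**obs)[0] for obs in observations)


# Constructed observations, one dict per device seen on the network.
OBSERVED = [
    {"dhcp55": "1,3,6,15,119,252", "mac": "AA:BB:01:12:34:56",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X)"},
    {"dhcp55": "1,3,6,12,15,28,42", "mac": "AA:BB:03:00:00:01"},
    {"dhcp55": "1,3,6,12,15,28,42", "mac": "AA:BB:03:00:00:02"},
    {"mac": "AA:BB:02:77:77:77", "user_agent": "Mozilla/5.0 (Linux; Android 7.0)"},
    {"mac": "00:11:22:33:44:55"},
]

if __name__ == "__main__":
    for obs in OBSERVED:
        print(obs.get("mac"), "->", classify(**obs))
    print(dict(inventory(OBSERVED)))
```

The "unknown" bucket is the useful output for an audit: it is the list of devices the inventory cannot explain, and the place to point the active methods (SNMP, Nmap, WMI/SSH) that the slide lists.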
EVOLUTION OF THE EDGE – ENTERPRISE NETWORK ARCHITECTURE
Network architecture
• Only at the edge can the network sense
  • Device radio characteristics
  • Device authentication status
  • Unassociated devices
  • All intrusion attempts
[Figure: what the edge senses about one 802.11 connected device, by layer]
- Radio information: signal level, SNR
- 802.11 management: associated, data rate, frame error rate, MAC, sleeping
- Auth: status, identity, role, blacklist
- L2 traffic & services: ARP, VLAN, mDNS
- IP: DHCP, IP address
- Multicast: IGMP, MC neighbors
- L4-7 (L3 traffic & services): sessions & protocols, destinations, ports, rates, QoS
- Mobility awareness: origin & location, roaming history, AP load, neighbor APs
Network architecture
• Abstract the network model to a policy layer
• Policy layer interfaces to external APIs
• External APIs export sensing information, accept reconfiguration
[Figure: layered model – traffic forwarding, policy layer, apps/services]
Network architecture
• The network hollows out
• The edge is used for sensing and reporting
• Policy definitions allow the network to dynamically reconfigure in response to traffic & external events
• APIs allow the network to dynamically reconfigure in response to external requirements
• Big Data is accumulated locally or in the cloud
• Machine Learning is applied to many networking problems
THANK YOU