SCIT Labs - intrusion tolerant systems

Date posted: 10-May-2015

Description:
The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.
Transcript
Page 1: SCIT Labs - intrusion tolerant systems

Moving Target Proactive Cyber Defense – Keeping Bad Guys Out of Servers

Arun Sood, Ph.D., SCIT Labs, Inc

Clifton, VA

[email protected]

SCIT Labs Confidential and Proprietary

Page 2: SCIT Labs - intrusion tolerant systems


I. Intrusions Are Inevitable

New Proactive Approaches are Required

Page 3: SCIT Labs - intrusion tolerant systems

May 2011 Security Incidents Worldwide (calendar; Source: Confab 2011)

1: Gmail; Sony
2: X-Factor TV Show; Woman to Woman Healthcare
3: Sony
4: SEC; Netflix
6: Bestbuy
7: Central OR Comm College; Sony
8: Huntington National Bank
9: Assurant
10: Fox
11: Michaels
17: Mass Government; Regions Bank
18: Anthem Blue Cross of California
19: PBS; NASA
20: Sony
21: Lockheed Martin; Sony (x2)
22: Sony
23: Sony
24: Sony
26: Northrop Grumman
27: L-3 Communications
29: Honda
30: Nintendo
31: Citibank

(No incidents are listed for May 5, 12 to 16, 25 and 28.)

Page 4: SCIT Labs - intrusion tolerant systems


Epsilon Data Breach – 2011

Page 5: SCIT Labs - intrusion tolerant systems


Source: Symantec 2010 Review

Page 6: SCIT Labs - intrusion tolerant systems


II. Cyber Attacks Persist

• Intruders need access and time to orchestrate their attacks

• Intrusions persist for days, weeks, months

• Malware is hard to detect

• Highly customized malicious code blends into the information landscape

Page 7: SCIT Labs - intrusion tolerant systems

[Chart: Intruder Residence Time in Months; values shown: 5 months, 2 months, 3 months]

Page 8: SCIT Labs - intrusion tolerant systems


Verizon DBIR 2010: Significant Intruder Residence Time

Page 9: SCIT Labs - intrusion tolerant systems


III. Current Servers are Sitting Ducks

Adversary has the advantage

We increase Adversary Work Factor

Page 10: SCIT Labs - intrusion tolerant systems


Page 11: SCIT Labs - intrusion tolerant systems


The SCIT Approach

Reduce server exposure time

Restore to pristine state

Threat Independent

Must maintain uninterrupted service

Page 12: SCIT Labs - intrusion tolerant systems

Zero Days – Fixing Vulnerabilities

• Detecting a vulnerability
• Reporting vulnerability
• Developing a patch to fix vulnerability
• Patch distribution
• Testing in staging area
• Patch application

Use Moving Target Defense: Make it Difficult to Exploit the Vulnerability

Page 13: SCIT Labs - intrusion tolerant systems

How SCIT works

Offline servers; in self-cleansing

Online servers; potentially compromised

Servers: virtual or physical

Example: 5 online and 3 offline servers

Page 14: SCIT Labs - intrusion tolerant systems


Resilience, Recovery, Tolerance, Forensics

Page 15: SCIT Labs - intrusion tolerant systems


The SCIT Approach

• Patented, Proven, Award Winning Self Cleansing Intrusion Tolerance Technology

• Uses Virtualization Technology

• Ultra Low Intruder Residence Time

• Subverts attacks by robbing intruders of time and persistent access needed to launch attacks

Page 16: SCIT Labs - intrusion tolerant systems

IDS/IPS vs Intrusion Tolerance

Aspect                           | Firewall, IDS, IPS                              | Intrusion tolerance
Risk management                  | Reactive                                        | Proactive
A priori information required    | Attack models; software vulnerabilities         | Not required
Exposure time                    |                                                 | Length of longest transaction
Protection approach              | Prevent all intrusions                          | Limit losses
System administrator workload    | High; manage reaction rules and false alarms    | Less; no false alarms generated
Design metric                    | Unspecified                                     | Exposure time
Packet/data stream monitoring    | Required                                        | Not required
Higher traffic volume requires   | More computations                               | Computation volume unchanged
Applying patches                 | Must be applied immediately                     | Can be planned

Page 17: SCIT Labs - intrusion tolerant systems

Simulation parameters

Simulation metric                   | Value (units)
Number of queries used              | 5000
Intruder Residence Time (IRT)       | 0 minutes to 2 months
Mean IRT (Pareto distribution)      | 48 hours
Exposure Time (2 cases)             | 1. 4 hrs; 2. 4 mins
Mean of records stolen per day      | 675 records/breach

Results of Simulation: NIDS, SCIT, NIDS+SCIT

Case                       | Total damage (records) | No. of breaches | Mean damage (records/breach)
NIDS                       | 245,962 (100%)         | 192             | 1,281
SCIT: ET 4 hrs             | 55,364 (23%)           | 508             | 109
SCIT: ET 4 mins            | 1,015 (0.4%)           | 508             | 2
NIDS + HIDS                | 210,578 (86%)          | 164             | 1,284
NIDS + SCIT (ET 4 hrs)     | 20,931 (9%)            | 191             | 110
NIDS + SCIT (ET 4 mins)    | 383 (0.16%)            | 191             | 2
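The damage figures above come from SCIT Labs' own simulator, which is not on the page. The Python script below is an added example, not that simulator: it reproduces the model the parameter table describes (intruder residence time from a heavy-tailed distribution with a 48-hour mean, truncated at two months; a constant 675 records exfiltrated per day of residence; SCIT cutting residence off at the exposure time) and compares a never-recycled server with ET = 4 hours and ET = 4 minutes. The Pareto shape of 2.5, the zero-origin (Lomax) form of the Pareto so residence can start at 0 minutes, the 500-breach sample and the fixed seed are assumptions; the same seed is used for all three cases so each breach is compared under identical intruder behaviour.

```python
"""Monte Carlo model of records lost per breach with and without a SCIT exposure-time cap.

Added example; not SCIT Labs' simulator. Parameters follow the slide's table
(mean IRT 48 h, IRT range 0 min to 2 months, 675 records/day); the Pareto shape,
the Lomax form and the sample size are assumptions.
"""
import random

HOURS_PER_DAY = 24.0
TWO_MONTHS_HOURS = 2 * 30 * 24.0          # upper bound on IRT from the slide


def sample_irt_hours(rng, mean_hours=48.0, shape=2.5, max_hours=TWO_MONTHS_HOURS):
    """Intruder residence time in hours.

    Lomax (Pareto type II) form x = x_m * (P - 1) with P a standard Pareto(shape):
    support starts at 0 and the mean is x_m / (shape - 1). Shape 2.5 is an assumed
    value that keeps mean and variance finite while retaining a heavy tail. Samples
    above max_hours are rejected so the range matches "0 minutes to 2 months".
    """
    x_m = mean_hours * (shape - 1.0)
    while True:
        x = x_m * (rng.paretovariate(shape) - 1.0)
        if x <= max_hours:
            return x


def records_lost(irt_hours, exposure_hours=None, rate_per_day=675.0):
    """Records exfiltrated during one breach.

    Exfiltration runs at a constant rate until residence ends: either the intruder
    leaves (IRT) or SCIT recycles the server (exposure time ET), whichever comes
    first. exposure_hours=None models a server that is never recycled.
    """
    dwell = irt_hours if exposure_hours is None else min(irt_hours, exposure_hours)
    return rate_per_day * dwell / HOURS_PER_DAY


def simulate(n_breaches, exposure_hours, seed=1):
    """Total and mean damage over n_breaches independent breaches (seeded, reproducible)."""
    rng = random.Random(seed)
    losses = [records_lost(sample_irt_hours(rng), exposure_hours) for _ in range(n_breaches)]
    total = sum(losses)
    return {"breaches": n_breaches, "total": total, "mean_per_breach": total / n_breaches}


def compare(n_breaches=500, seed=1):
    """Run the three cases: no cap (plain server), ET 4 h, ET 4 min, on the same draws."""
    cases = {"no cap": None, "ET 4 h": 4.0, "ET 4 min": 4.0 / 60.0}
    return {name: simulate(n_breaches, et, seed) for name, et in cases.items()}


if __name__ == "__main__":
    results = compare()
    base = results["no cap"]["total"]
    for name, r in results.items():
        print(f"{name:9s} total={r['total']:10.0f} ({100 * r['total'] / base:5.1f}%) "
              f"mean/breach={r['mean_per_breach']:7.1f}")
```

The cap bounds the loss per breach at rate × ET regardless of how long the intruder would have stayed, which is why the 4-minute case collapses to a few records per breach while the uncapped mean lands in the same range as the slide's NIDS-only figure.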

Page 18: SCIT Labs - intrusion tolerant systems

SCIT Server State Transitions

1. Active – Exposed to Internet
2. Grace Period
3. Archive VM for Future Analysis
4. Kill VM
5. Start New VM
6. Online Spare (returns to 1)
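The 5 online / 3 offline pool on Page 13 and the six-state cycle above are easy to get wrong in two details: a spare must be promoted before the exposed server is drained, or capacity dips on every rotation; and the offline pipeline (grace, archive, kill, boot) must be sized so a clean VM is ready whenever an exposure timer expires, or the exposure bound is silently exceeded. The following Python model is an added example, not SCIT Labs' controller. It runs the cycle as a discrete-time scheduler, records the longest exposure actually observed, and shows a 5+3 pool meeting its bound while a 5+1 pool does not. The tick-based timing, the staggered initial timers, the 60 s / 5 s / 20 s values and the spares_required sizing rule are assumptions.

```python
"""SCIT rotation controller: discrete-time model of the state cycle on the slide.

Added example; not SCIT Labs' code. State names follow the slide; the scheduler,
the staggered start and the sizing rule are assumptions.
"""
import math
from enum import Enum


class State(Enum):
    ACTIVE = "active (exposed to Internet)"
    GRACE = "grace period (drain in-flight transactions)"
    ARCHIVE = "archive VM for future analysis"
    KILLED = "kill VM"
    STARTING = "start new VM from pristine image"
    SPARE = "online spare"


class Server:
    def __init__(self, name, state, entered):
        self.name = name
        self.state = state
        self.entered = entered      # simulated time (s) the current state was entered


def spares_required(n_online, grace_period, boot_time, exposure_time):
    """Minimum spares so a clean VM is ready whenever an exposure timer expires.

    Each rotated server is offline for grace + boot seconds and each of the n_online
    slots rotates once per exposure_time, so the offline pipeline holds about
    n_online * (grace + boot) / ET servers at any moment (assumed sizing rule).
    """
    return math.ceil(n_online * (grace_period + boot_time) / exposure_time)


class SCITPool:
    def __init__(self, n_online, n_spare, exposure_time, grace_period, boot_time):
        self.exposure_time = float(exposure_time)   # ET: max seconds a server faces the Internet
        self.grace_period = float(grace_period)     # about the length of the longest transaction
        self.boot_time = float(boot_time)           # seconds to start a clean VM
        self.now = 0.0
        # Stagger the initial timers so rotations are spread evenly instead of all
        # n_online servers expiring in the same tick (assumption).
        self.servers = [Server(f"srv{i}", State.ACTIVE, -i * self.exposure_time / n_online)
                        for i in range(n_online)]
        self.servers += [Server(f"spare{i}", State.SPARE, 0.0) for i in range(n_spare)]
        self.rotations = 0
        self.overrun_ticks = 0        # ticks in which an expired server had no spare to hand over to
        self.max_exposure = 0.0       # longest time any server actually spent ACTIVE
        self.min_active = n_online    # lowest ACTIVE count seen (should never drop)

    def _move(self, srv, state):
        srv.state, srv.entered = state, self.now

    def _age(self, srv):
        return self.now - srv.entered

    def tick(self, dt=1.0):
        self.now += dt
        # 1. Advance the offline pipeline first so a VM that finishes booting this
        #    tick can be used as a spare in step 2.
        for s in self.servers:
            if s.state is State.GRACE and self._age(s) >= self.grace_period:
                self._move(s, State.ARCHIVE)    # snapshot for forensics
                self._move(s, State.KILLED)     # destroy the possibly compromised VM
                self._move(s, State.STARTING)   # boot a fresh copy from the pristine image
            elif s.state is State.STARTING and self._age(s) >= self.boot_time:
                self._move(s, State.SPARE)
        # 2. Rotate every server whose exposure timer has expired, oldest first.
        #    The spare is promoted before the old server drains, so capacity never dips.
        expired = sorted((s for s in self.servers
                          if s.state is State.ACTIVE and self._age(s) >= self.exposure_time),
                         key=lambda s: s.entered)
        for s in expired:
            spare = next((x for x in self.servers if x.state is State.SPARE), None)
            if spare is None:
                self.overrun_ticks += 1      # bound violated: pool is under-provisioned
                break
            self.max_exposure = max(self.max_exposure, self._age(s))
            self._move(spare, State.ACTIVE)
            self._move(s, State.GRACE)
            self.rotations += 1
        active = sum(1 for s in self.servers if s.state is State.ACTIVE)
        self.min_active = min(self.min_active, active)

    def run(self, duration, dt=1.0):
        while self.now < duration:
            self.tick(dt)
        return {"rotations": self.rotations, "overrun_ticks": self.overrun_ticks,
                "max_exposure": self.max_exposure, "min_active": self.min_active}


if __name__ == "__main__":
    # The slide's example pool: 5 online, 3 offline. ET 60 s, 5 s grace, 20 s boot are assumed.
    print("spares needed:", spares_required(5, 5, 20, 60))
    print("5+3 pool:", SCITPool(5, 3, 60, 5, 20).run(600))
    print("5+1 pool:", SCITPool(5, 1, 60, 5, 20).run(600))
```

The quantity to watch in production is max_exposure, not the configured ET: the bound holds only while the offline pipeline keeps up, and an under-provisioned pool degrades to a longer effective exposure without any error being raised.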

Page 19: SCIT Labs - intrusion tolerant systems

SCIT – Applications

Web Tier (servers 1 .. M): Web, DNS, SSO, ...
App Tier (servers 1 .. N): Biz logic, Content Mgr, CRM, ...
Data Tier (servers 1 .. L): DB Mgr; File Mgr
Storage Tier (servers 1 .. K): Transactions (ms); Large file transfer (high speed, seconds)

SCIT Implementations

1. One application (function) per server
2. Five applications per server
3. 1000 applications, 100 servers
4. Cloud

Page 20: SCIT Labs - intrusion tolerant systems

Collaboration and Recognition

• Lockheed Martin and Northrop Grumman
  – Testing and validation of SCIT servers
  – Funded and collaborated with SCIT research
  – Integrated in LM cloud offering; NGC evaluating use cases for cloud app
  – LM and Landis Gyr are subs: SCIT application to Electricity Smart Grid
• Raytheon
  – Collaborated on SBIR proposal
• Awards
  – Winner, Security Technology of Tomorrow Challenge, CNI Expo + GSC, Jun 10
  – Runner up, Cyber Security Challenge, GSC, Nov 09
  – Army SBIR: SCIT DNS
• Patents: 3 issued + 3 more applied for

Page 21: SCIT Labs - intrusion tolerant systems

Target Market and Applications

• Cloud and Hosting Services
  – Web sites: LAMP & Windows IIS
  – DNS
  – Ecommerce
  – Single Sign On
  – Email and comm
  – LDAP server
  – Streaming media
• Government
  – Civil
  – DOD
  – Intelligence Community
• Financial services
• Health care

Page 22: SCIT Labs - intrusion tolerant systems


Risk = Threat X Vulnerabilities X Consequences

Page 23: SCIT Labs - intrusion tolerant systems

Cyber Security Approaches

Columns: Technology Approach | Threat | Vulnerabilities | Consequences | Work Factor (A, D)

Intrusion Detection / Prevention: X +
Firewall: X +
Malware detection: X +
Incoming Packet Monitoring: X +
Packet Analysis: X +
SSL Proxy: X +
SIEM: X +
Forensics: X +
SCIT - Recovery + Intrusion Tolerance + Forensic Support: X +
Outgoing Packet Monitoring (DLP): X +

A = Adversary Work Factor; D = Defender Work Factor

Page 24: SCIT Labs - intrusion tolerant systems

Pilot Project

• Data storage servers
• Implement on one or two platforms using remote access
• Support & training
• Develop evaluation measures
• Demonstrate achievement of measures in 3 months
• Roll out commitment and plan

Page 25: SCIT Labs - intrusion tolerant systems

Benefits of SCIT

• SCIT removes malware without having to detect it
• SCIT reduces data exfiltration
• SCIT does not rely on signatures and is threat independent
• SCIT is mission resilient: automatic recovery
• SCIT reduces intrusion response (alert) management cost

Page 26: SCIT Labs - intrusion tolerant systems

PROACTIVE CYBER ATTACK DEFENSE

Arun Sood, Ph.D.

[email protected]

+1 703.347.4494

Demo