Moving Target Proactive Cyber Defense – Keeping Bad Guys Out of Servers
Arun Sood, Ph.D., SCIT Labs, Inc.
Clifton, [email protected]
SCIT Labs Confidential and Proprietary
I. Intrusions Are Inevitable
New Proactive Approaches are Required
May 2011 Security Incidents Worldwide (Source: Confab 2011)
Calendar view, weeks starting Sunday; May 1, 2011 was a Sunday.
1: Gmail, Sony
2: X-Factor TV Show, Woman to Woman Healthcare
3: Sony
4: SEC, Netflix
6: Bestbuy
7: Central OR Comm College, Sony
8: Huntington National Bank
9: Assurant
10: Fox
11: Michaels
17: Mass Government, Regions Bank
18: Anthem Blue Cross of California
19: PBS, NASA
20: Sony
21: Lockheed Martin, Sony (x2)
22: Sony
23: Sony
24: Sony
26: Northrop Grumman
27: L-3 Communications
29: Honda
30: Nintendo
31: Citibank
(No incidents listed on 5, 12 to 16, 25 and 28.)
Epsilon Data Breach – 2011
Source: Symantec 2010 Review
II. Cyber Attacks Persist
• Intruders need access and time to orchestrate their attacks
• Intrusions persist for days, weeks, months
• Malware is hard to detect
• Highly customized malicious code blends into the information landscape
[Chart: Intruder Residence Time in Months; bars at 2 months, 3 months and 5 months]
Verizon DBIR 2010: Significant Intruder Residence Time
III. Current Servers are Sitting Ducks
Adversary has the advantage
We increase Adversary Work Factor
The SCIT Approach
Reduce server exposure time
Restore to pristine state
Threat Independent
Must maintain uninterrupted service
Zero Days – Fixing Vulnerabilities
• Detecting a vulnerability
• Reporting vulnerability
• Developing a patch to fix vulnerability
• Patch distribution
• Testing in staging area
• Patch application
Use Moving Target Defense: make it difficult to exploit the vulnerability
How SCIT works
Offline servers: in self-cleansing
Online servers: potentially compromised
Servers: virtual or physical
Example: 5 online and 3 offline servers
Resilience, Recovery, Tolerance, Forensics
The SCIT Approach
• Patented, Proven, Award Winning Self Cleansing Intrusion Tolerance Technology
• Uses Virtualization Technology
• Ultra Low Intruder Residence Time
• Subverts attacks by robbing intruders of time and persistent access needed to launch attacks
IDS/IPS vs Intrusion Tolerance
Criterion | Firewall, IDS, IPS | Intrusion tolerance
Risk management | Reactive | Proactive
A priori information required | Attack models | Software vulnerabilities
Exposure time | | Length of longest transaction
Protection approach | Prevent all intrusions | Limit losses
System administrator workload | High: manage reaction rules, manage false alarms | Less: no false alarms generated
Design metric | Unspecified | Exposure time
Packet/data stream monitoring | Required | Not required
Higher traffic volume requires | More computations | Computation volume unchanged
Applying patches | Must be applied immediately | Can be planned
Simulation Parameters
Parameter | Value (units)
Number of queries used | 5000
Intruder Residence Time (IRT) | 0 minutes to 2 months
Mean IRT (Pareto distribution) | 48 hours
Exposure Time (2 cases) | 1. 4 hrs; 2. 4 mins
Mean records stolen per day | 675 records/breach

Results of Simulation: NIDS, SCIT, NIDS+SCIT
Case | Total damage (records) | No. of breaches | Mean damage (records/breach)
NIDS | 245,962 (100%) | 192 | 1,281
SCIT: ET 4 hrs | 55,364 (23%) | 508 | 109
SCIT: ET 4 mins | 1,015 (0.4%) | 508 | 2
NIDS + HIDS | 210,578 (86%) | 164 | 1,284
NIDS + SCIT (ET 4 hrs) | 20,931 (9%) | 191 | 110
NIDS + SCIT (ET 4 mins) | 383 (0.16%) | 191 | 2
Chart legend: IDS Only; SCIT+IDS
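The mechanism behind the table above is that a breach can only harvest records for as long as the intruder holds the server, and SCIT cuts that hold at the exposure time. The following Python model is an added example, not SCIT Labs' simulator: it takes the slide's parameters (Pareto-distributed residence time with a 48 hour mean capped at 2 months, 675 records per day of residence, exposure times of 4 hours and 4 minutes) and computes per-breach damage as residence time truncated at the exposure time. The Pareto shape (alpha = 1.5) and the derived scale are assumptions, since the slide gives only the mean; the seed and breach count are likewise constructed, so the absolute numbers differ from the slide while the ordering and the size of the reduction reproduce its point.

```python
import random
from typing import Optional

# Parameters taken from the slide's simulation table.
RECORDS_PER_DAY = 675.0        # mean records stolen per day of intruder residence
MEAN_IRT_HOURS = 48.0          # mean intruder residence time (Pareto distributed)
MAX_IRT_HOURS = 2 * 30 * 24.0  # residence time capped at "2 months"

# Assumed Pareto shape; the slide gives only the mean, so the scale is derived
# from it using mean = alpha * scale / (alpha - 1) for alpha > 1.
PARETO_ALPHA = 1.5
PARETO_SCALE_HOURS = MEAN_IRT_HOURS * (PARETO_ALPHA - 1) / PARETO_ALPHA  # 16 h


def sample_irt_hours(rng: random.Random) -> float:
    """Draw one intruder residence time (hours) from the assumed Pareto model."""
    irt = PARETO_SCALE_HOURS * rng.paretovariate(PARETO_ALPHA)
    return min(irt, MAX_IRT_HOURS)


def breach_damage(irt_hours: float, exposure_hours: Optional[float],
                  records_per_day: float = RECORDS_PER_DAY) -> float:
    """Records lost in one breach.

    With no rotation (exposure_hours=None) the intruder keeps the server for the
    full residence time. With SCIT rotation the server is restored to a pristine
    image after exposure_hours, so the intruder's time is the smaller of the two.
    """
    effective = irt_hours if exposure_hours is None else min(irt_hours, exposure_hours)
    return records_per_day * effective / 24.0


def simulate(n_breaches: int, exposure_hours: Optional[float], seed: int = 2011) -> dict:
    """Total and mean damage over n_breaches; the fixed seed makes runs reproducible."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n_breaches):
        total += breach_damage(sample_irt_hours(rng), exposure_hours)
    return {"breaches": n_breaches, "total": total, "mean": total / max(n_breaches, 1)}


def compare(n_breaches: int = 500, seed: int = 2011) -> dict:
    """Damage for no rotation and the slide's two exposure times, as % of the no-rotation case.

    The same seed is reused for every case so each case sees the same residence times;
    only the truncation differs, which isolates the effect of the exposure time.
    """
    baseline = simulate(n_breaches, None, seed)
    cases = {"no rotation": None, "SCIT ET 4 hrs": 4.0, "SCIT ET 4 mins": 4.0 / 60}
    out = {}
    for label, et in cases.items():
        r = simulate(n_breaches, et, seed)
        out[label] = {**r, "pct_of_baseline": 100.0 * r["total"] / baseline["total"]}
    return out


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:15s} total={r['total']:10.0f} records  "
              f"mean={r['mean']:7.1f} records/breach  {r['pct_of_baseline']:5.1f}%")
```

Because the assumed Pareto scale (16 hours) already exceeds a 4 hour exposure, every breach in the rotated cases is truncated, which is why the per-breach mean collapses to a constant; with a distribution that allows very short residence times the reduction is smaller but the ordering is the same.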
SCIT Server State Transitions (six-step cycle)
Active – Exposed to Internet → Grace Period → Archive VM for Future Analysis → Kill VM → Start New VM → Online Spare → (back to Active)
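The rotation controller that drives this cycle, together with the 5 online / 3 offline split from the "How SCIT works" slide, can be modelled in a few dozen lines. The Python below is an added example and not SCIT Labs' product code: it keeps an online pool and an offline pool, walks the longest-exposed server through grace period, archive, kill and restart back to the spare pool, promotes a spare, and enforces the design metric of the deck, that no server stays exposed longer than the configured exposure time. The evenly staggered schedule (rotate one server every exposure_time / n_online seconds) and the server names are assumptions of this example.

```python
from collections import deque
from enum import Enum


class State(Enum):
    ACTIVE = "active, exposed to Internet"
    GRACE = "grace period, draining in-flight transactions"
    ARCHIVE = "archive VM for future analysis"
    KILL = "kill VM"
    START_NEW = "start new VM from pristine image"
    SPARE = "online spare"


# The six-step cycle from the slide; after SPARE a VM goes ACTIVE again.
CYCLE = [State.ACTIVE, State.GRACE, State.ARCHIVE, State.KILL, State.START_NEW, State.SPARE]


class Server:
    def __init__(self, name: str):
        self.name = name
        self.state = State.SPARE
        self.exposed_seconds = 0   # time spent ACTIVE since the last restore
        self.generation = 0        # number of restores to the pristine image


class ScitController:
    """Rotates a fixed pool so that no server is exposed longer than exposure_seconds."""

    def __init__(self, n_online: int, n_offline: int, exposure_seconds: int):
        if n_offline < 1 or exposure_seconds < n_online:
            raise ValueError("need at least one spare and exposure >= n_online seconds")
        self.exposure_seconds = exposure_seconds
        # Assumed schedule: rotations are evenly staggered across the online pool.
        self.interval = exposure_seconds // n_online
        self.online = deque()
        self.offline = deque()
        self.log = []              # (server, from_state, to_state) transitions
        for i in range(n_online + n_offline):
            s = Server(f"srv{i}")  # constructed names
            if i < n_online:
                s.state = State.ACTIVE
                # Stagger initial exposure so exactly one server expires per tick.
                s.exposed_seconds = (n_online - 1 - i) * self.interval
                self.online.append(s)
            else:
                self.offline.append(s)

    def _transition(self, s: Server, new: State) -> None:
        self.log.append((s.name, s.state.name, new.name))
        s.state = new

    def _restore(self, s: Server) -> None:
        """Walk a retired server through the offline part of the cycle back to SPARE."""
        for st in CYCLE[1:]:
            self._transition(s, st)
        s.exposed_seconds = 0
        s.generation += 1

    def tick(self) -> Server:
        """Advance one rotation interval; returns the server that was taken offline."""
        for s in self.online:
            s.exposed_seconds += self.interval
        victim = self.online.popleft()       # the longest-exposed server
        self._restore(victim)
        self.offline.append(victim)
        fresh = self.offline.popleft()       # spare that has waited the longest
        self._transition(fresh, State.ACTIVE)
        self.online.append(fresh)
        return victim

    def max_exposure(self) -> int:
        """Current worst-case exposure in the online pool (the deck's design metric)."""
        return max(s.exposed_seconds for s in self.online)


if __name__ == "__main__":
    # 5 online, 3 offline, 4 minute exposure time (the slide's second case).
    c = ScitController(n_online=5, n_offline=3, exposure_seconds=240)
    for _ in range(8):
        retired = c.tick()
        print(f"retired {retired.name} (generation {retired.generation}); "
              f"max exposure now {c.max_exposure()} s")
    for name, before, after in c.log[:6]:
        print(f"{name}: {before} -> {after}")
```

Driving the grace period from the longest in-flight transaction is what keeps the rotation transparent to clients; the interval here is a fixed schedule, but the same controller works if a tick is triggered by a timer or by a transaction-completion event.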
SCIT – Applications
Web Tier: Web, DNS, SSO, … (servers 1 … M)
App Tier: Biz logic, Content Mgr, CRM, … (servers 1 … N)
Data Tier: DB Mgr; File Mgr (servers 1 … L)
Storage Tier: Transactions (ms); Large File transfer (high speed, seconds) (servers 1 … K)
SCIT Implementations
1. One application (function) per server
2. Five applications per server
3. 1000 applications, 100 servers
4. Cloud
Collaboration and Recognition
• Lockheed Martin and Northrop Grumman
– Testing and validation of SCIT servers
– Funded and collaborated with SCIT research
– Integrated in LM cloud offering; NGC evaluating use cases for cloud app
– LM and Landis Gyr are sub – SCIT application to Electricity Smart Grid
• Raytheon
– Collaborated on SBIR proposal
• Awards
– Winner, Security Technology of Tomorrow Challenge, CNI Expo + GSC, Jun 10
– Runner-up, Cyber Security Challenge, GSC, Nov 09
– Army SBIR: SCIT DNS
• Patents: 3 issued + 3 more applied for
Target Market and Applications
• Cloud and Hosting Services
– Web sites: LAMP & Windows IIS
– DNS
– Ecommerce
– Single Sign On
– Email and comm
– LDAP server
– Streaming media
• Government
– Civil
– DOD
– Intelligence Community
• Financial services
• Health care
Risk = Threat X Vulnerabilities X Consequences
Cyber Security Approaches
Table columns: Technology Approach | Threat | Vulnerabilities | Consequences | Work Factor (A, D). Each row marks the risk factor it addresses with X and the work factor it raises with +; A = Adversary Work Factor, D = Defender Work Factor. (Which column each mark sat in did not survive extraction.)
• Intrusion Detection / Prevention: X +
• Firewall: X +
• Malware detection: X +
• Incoming Packet Monitoring: X +
• Packet Analysis: X +
• SSL Proxy: X +
• SIEM: X +
• Forensics: X +
• SCIT – Recovery + Intrusion Tolerance + Forensic Support: X +
• Outgoing Packet Monitoring (DLP): X +
Pilot Project
• Data Storage servers
• Implement on one or two platforms using remote access
• Support & training
• Develop evaluation measures
• Demonstrate achievement of measures in 3 months
• Roll out commitment and plan
Benefits of SCIT
• SCIT removes malware without detection
• SCIT reduces data ex-filtration
• SCIT does not rely on signatures and is threat independent
• SCIT is mission resilient: automatic recovery
• SCIT reduces intrusion response (alerts) management cost
PROACTIVE CYBER ATTACK DEFENSE
Arun Sood, Ph.D.
[email protected] | +1 703.347.4494
Demo