Cyber Security in Evolving Enterprise


Cyber Security in Evolving Enterprise Environments
TechNet International 09
Adrian R Hartman, PhD
Senior Manager & Architect
LGS Innovations, Bell Labs
29 October 2009
• LGS is an independent entity of Alcatel-Lucent
• Focused on serving U. S. Government
• 500+ experienced professionals across varied disciplines
• Government R&D
• Direct access to the world-class innovation of Bell Labs
• LGS & Alcatel-Lucent (ALU) provide a comprehensive portfolio of Government Enterprise Security Products / Services
29 October 2009
All Rights Reserved © LGS Innovations, LLC
2
Agenda
• The Cyber Security Problem
• Cyber Security Vision & Technologies
Evolution in Government Enterprise Networks & Services (FROM -> TO)
• Separated switched circuit voice/video & IP data networks -> Broadband converged, All IP, multimedia next generation networks
• Location-centric interconnected enterprise services & perimeter defenses -> Regionalized Network Service Centers (using virtual architectures) including military systems
• In house managed applications, data storage & IT services -> Networked / Cloud Computing (SaaS, PaaS, IaaS) & Web 2.0+ Services
• Enterprise services with limited extranet collaboration / sharing -> Global collaboration with customers / partners including social networking web sites, wikis & blogs
• Separate vertical industry networks and infrastructure control systems -> Global networked Information Systems encompassing: infrastructure, e-Gov, health care, finance, commercial, etc
• Wired networks with mobile extensions -> Ubiquitous user centric services with diverse terminals & 3G/4G Mobility
Faster Exploitation, Propagation, Botnets, DDOS - SPAM on the Rise
[Chart: Vulnerabilities Exploited Faster / Threats Propagating Faster / Exploits Now at Zero Day; time-to-exploit axis from months down to seconds, years 2004 through 2008]
• Botnet Launched DDOS on the Rise
• SPAM: 90% of Emails in 12/08
• Government agencies reported ~13,000 cyber security incidents to DHS in FY08, triple the number from two years earlier.
Sources: CERT/CC, Symantec, NVD, Cisco
Why is the Problem So Hard?
• The Enemy is Everywhere
– Nation-State Actors
– Non-State Actors
• Terrorists & Organized Crime
• Ad-Hoc Networks of “Hacktivists”
– Cyber Threat now “Business” driven
– Barriers to Entry are low globally
• Complicated multinational law enforcement
• There are plenty of added perimeter Security Solutions
– Firewalls, IDS, IPS
– But are the boxes configured properly?
• Do they work together?
• The Government has Special Requirements & Regulations
– Multiple levels of security / coalition sharing
Government Networks are becoming more complex / vulnerable
Incursions on Military Networks were up 55% Last Year
The Current Approach Adds Perimeter & Defense-in-Depth Protection
• Current Government approaches are limited
– Can we continue to address the increasing threats?
• Growing numbers of vulnerabilities & patches?
• Is signature based virus / malware detection enough?
– How are outsourced services protected?
– How are insider threats dealt with?
• Some deliberate and
• Some unintentional (memory sticks)
– Where is the perimeter in mobile networking?
– How does this approach address malicious code embedded in software?
• There are known problems with the supply chain
Perimeter Protection add on security will not be sufficient
Agenda
• The Cyber Security Problem
• Cyber Security Vision & Technologies
How Do You Get Ahead of the Curve? Cyber Security Vision
1. Holistic Approach to Security: Security Throughout the Security Life Cycle
2. Threat Tolerant Network Design: Networks that Operate in the Presence of Malicious Software
3. Application Security and Web 2.0+ Approaches: Protect the Privacy and Integrity of Consumer Generated Data
1. Holistic Approach to Security
• Security Throughout Life Cycle
– Lowers Life Cycle Cost
• The cost of security incidents is often enormous
• Risk Based Assessments (solutions need to be affordable)
– Automated Certification and Accreditation
• Recognizes Inherent Need for Mobility
– Apply wireless security technology
• Behavior-Based Monitoring of Network Operations
– Detection of sophisticated zero day targeted attacks
– Security Event Management (SEM)
• Identifies Network Anomalies (Dynamic Behavior Analysis)
• Determines if Requirements (Policies) are being met
The Perimeter is in New Places… Threats Come From the Inside
This Requires a System Level View of Vulnerabilities
Applying value-chain thinking to security
Increasing Lifecycle Value with Built in, Standards Compliant Security
Increased Security Transparency and Reduced Risk to the Buyer & End-User
Comprehensive Security Analysis: Applying the X.805 Security Model
[Diagram: the X.805 security perspective (3 Layers x 3 Planes x 8 Dimensions), with Threats and Attacks mapped against Vulnerabilities across Human, Environment, Hardware, Networks, Policy, Software, Data, Power and Payload]
• Security Layers: Infrastructure Security, Services Security, Applications Security
• Security Planes: End User Security, Control/Signaling Security, Management Security
• 8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
• Vulnerabilities Can Exist In Each Layer, Plane, Dimension
• Comprehensive End-to-End View of Network Security
• Existing International Industry Standard Framework
Security Event Management: Dynamic Behavior Analysis
[Diagram: event pipeline from collectors in Domain A through Domain Z up to the correlation engine]
Data sources: Network IDS, Host IDS, Firewalls, AAA, OS logs, Routers, Vulnerability Scanners, Anti-Virus
1. Local to Global Name Mapping, Grouping
2. Filter, Pattern Match, Message Map
3. Thresholder (Rate, Value, Time)
4. Correlation against Asset and Topology Data and Customer / Mission Data (Requirements & Policies); Analyze and Suppress; Request Additional Data, Take Action
Output: Alarms, Viewing, Descriptions
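An added example, not part of the original deck or of any LGS product: a minimal version of the pipeline above in Python. Constructed sample log lines from a firewall and a host IDS are normalized through a local-to-global name map, matched against per-source patterns, rate-thresholded over a sliding window with suppression of repeat alarms, and then correlated with an asset table so that the same behavior on a critical server outranks it on a workstation. All names, addresses, thresholds and the severity x criticality priority formula are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<source>|<timestamp>|<message>". Not real data.
RAW_LOGS = [
    "fw|2009-10-29T10:00:01|DENY src=10.1.1.5 dst=203.0.113.9 dport=22",
    "fw|2009-10-29T10:00:02|DENY src=10.1.1.5 dst=203.0.113.10 dport=22",
    "fw|2009-10-29T10:00:03|DENY src=10.1.1.5 dst=203.0.113.11 dport=22",
    "fw|2009-10-29T10:00:04|DENY src=10.1.1.5 dst=203.0.113.12 dport=22",
    "hids|2009-10-29T10:00:20|host=srv-db01 event=failed_login user=admin",
    "hids|2009-10-29T10:00:21|host=srv-db01 event=failed_login user=admin",
    "hids|2009-10-29T10:00:22|host=srv-db01 event=process_start name=backup.sh",
    "hids|2009-10-29T10:00:23|host=srv-db01 event=failed_login user=root",
    "fw|2009-10-29T10:00:05|DENY src=10.1.1.5 dst=203.0.113.13 dport=22",
    "fw|2009-10-29T10:00:09|DENY src=10.9.9.9 dst=203.0.113.13 dport=22",
    "dns|2009-10-29T10:00:10|query example.org",
    "fw|2009-10-29T10:05:00|DENY src=10.1.1.5 dst=203.0.113.14 dport=22",
]

# Asset / topology data (the slide's "Customer / Mission Data"), constructed.
ASSET_DB = {
    "ws-042": {"zone": "user-lan", "criticality": 1},
    "srv-db01": {"zone": "server-lan", "criticality": 5},
}
# Local-to-global name mapping: each source's own identifier -> enterprise asset name.
LOCAL_TO_GLOBAL = {"10.1.1.5": "ws-042", "srv-db01": "srv-db01"}

# Pattern match / message map: per-source regex and the normalized message type.
PATTERNS = {
    "fw": (re.compile(r"DENY src=(?P<asset>\S+) dst=\S+ dport=\d+"), "fw_deny"),
    "hids": (re.compile(r"host=(?P<asset>\S+) event=failed_login"), "failed_login"),
}
# Thresholder settings per message type: (minimum count, window in seconds, base severity).
THRESHOLDS = {"fw_deny": (5, 60, 2), "failed_login": (3, 60, 3)}


def parse_event(line):
    """Normalize one raw line; return None for lines the filter stage drops."""
    source, ts, msg = line.split("|", 2)
    if source not in PATTERNS:
        return None
    pattern, kind = PATTERNS[source]
    match = pattern.search(msg)
    if match is None:
        return None
    asset = LOCAL_TO_GLOBAL.get(match.group("asset"))
    if asset is None:
        return None  # not in the asset inventory: dropped
    return {"ts": datetime.fromisoformat(ts), "asset": asset, "kind": kind}


def threshold(events):
    """Rate threshold over a sliding window, firing at most once per window per key."""
    recent = defaultdict(list)
    last_fired = {}
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["asset"], ev["kind"])
        min_count, window, _ = THRESHOLDS[ev["kind"]]
        recent[key] = [t for t in recent[key] + [ev["ts"]]
                       if (ev["ts"] - t).total_seconds() <= window]
        suppressed = key in last_fired and (ev["ts"] - last_fired[key]).total_seconds() <= window
        if len(recent[key]) >= min_count and not suppressed:
            last_fired[key] = ev["ts"]
            fired.append({"asset": ev["asset"], "kind": ev["kind"],
                          "count": len(recent[key]),
                          "first": recent[key][0].isoformat(),
                          "last": ev["ts"].isoformat()})
    return fired


def correlate(fired):
    """Join fired thresholds with asset data; priority = severity x criticality (assumed)."""
    alarms = []
    for f in fired:
        asset = ASSET_DB[f["asset"]]
        severity = THRESHOLDS[f["kind"]][2]
        alarms.append({**f, "zone": asset["zone"],
                       "priority": severity * asset["criticality"]})
    return sorted(alarms, key=lambda a: -a["priority"])


def run_sem(lines):
    """Full pipeline: filter/map -> threshold -> correlate, highest priority first."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return correlate(threshold(events))


if __name__ == "__main__":
    for alarm in run_sem(RAW_LOGS):
        print(alarm)
```

With the sample data the three failed logins on the database server produce the top alarm (priority 15) even though the workstation generated more raw events; the workstation's burst of denied connections fires once at the fifth event, and the later single deny outside the window does not re-fire.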
2. Inherent Threat Tolerance
• Design Networks to Tolerate Inevitable Malware / Backdoors / Timebombs
– Software Assurance Technology
• Protect Enterprise Office Applications / Operating Systems
– Ability to Operate Networks in Degraded Mode
• Graceful Degradation of Prioritized Traffic
– Behavior-Based Monitoring of Network Operations
• BotNet Detection and Mitigation
• Tight Access Control to Identify Sources of Malware
• Wireless Network Protection Technology
• Protect 3G/4G Wireless Networks – users share limited RF bandwidth
• Minimize client security software on the mobile terminals
Technologies Resistant to the Effects of Malware / Threats are Needed
Software Diversity
• Protect networks against large-scale attacks
– Construct diverse instances (“shuffles”) of a program that are:
• Not all vulnerable to the same attack
• But are functionally equivalent
– Make it hard to design a successful attack:
• Prevent an attack that is successful against one computer from spreading to other computers
– Extend polymorphic code shuffling research to consider program structure
• Formal mathematical methods used to change code signature by:
– Identifying independent code blocks
– Rearranging the blocks
– While maintaining functionality
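As an added illustration (not code from the slides or from LGS), the following Python script shows the block-reordering idea in miniature: it computes read/write dependencies between the statements of a function, draws a random order that respects them, and checks that each variant computes the same results as the original. The sample function, the seeds and the equivalence inputs are constructed for the example; a production implementation would work on compiled code and use a formal equivalence argument rather than sample-based testing.

```python
import ast
import random

# Constructed sample program: several statements with only partial ordering
# constraints, so more than one statement order is functionally equivalent.
SAMPLE_SOURCE = """
def compute(a, b):
    x = a * 2
    y = b + 3
    z = x + y
    w = a - b
    return z * w
"""


def reads_writes(stmt):
    """Names a statement reads (Load context) and writes (Store context)."""
    reads, writes = set(), set()
    for node in ast.walk(stmt):
        if isinstance(node, ast.Name):
            (writes if isinstance(node.ctx, ast.Store) else reads).add(node.id)
    return reads, writes


def dependency_graph(stmts):
    """deps[j] = indices of statements that must stay before statement j.

    A statement depends on an earlier one when they share a name with at
    least one write (read-after-write, write-after-read, write-after-write).
    Statements containing calls keep their relative order (side effects),
    and a return stays after everything.
    """
    rw = [reads_writes(s) for s in stmts]
    has_call = [any(isinstance(n, ast.Call) for n in ast.walk(s)) for s in stmts]
    deps = {j: set() for j in range(len(stmts))}
    for j, stmt in enumerate(stmts):
        for i in range(j):
            ri, wi = rw[i]
            rj, wj = rw[j]
            conflict = (wi & rj) or (ri & wj) or (wi & wj)
            ordered = has_call[i] and has_call[j]
            if conflict or ordered or isinstance(stmt, ast.Return):
                deps[j].add(i)
    return deps


def dependencies(source):
    """Dependency graph of the first function defined in source."""
    return dependency_graph(ast.parse(source).body[0].body)


def order_is_valid(order, deps):
    """True when every statement appears after all statements it depends on."""
    seen = set()
    for i in order:
        if not deps[i] <= seen:
            return False
        seen.add(i)
    return len(seen) == len(deps)


def random_topological_order(deps, rng):
    """Pick a random statement among those whose dependencies are all placed."""
    remaining, order = set(deps), []
    while remaining:
        ready = sorted(i for i in remaining if deps[i] <= set(order))
        pick = rng.choice(ready)
        order.append(pick)
        remaining.remove(pick)
    return order


def make_shuffle(source, seed):
    """Return (new_source, order) for one functionally equivalent variant."""
    tree = ast.parse(source)
    fn = tree.body[0]
    if not isinstance(fn, ast.FunctionDef):
        raise ValueError("expected a single function definition")
    deps = dependency_graph(fn.body)
    order = random_topological_order(deps, random.Random(seed))
    fn.body = [fn.body[i] for i in order]
    return ast.unparse(ast.fix_missing_locations(tree)), order


def load_function(source, name):
    namespace = {}
    exec(compile(source, "<shuffle>", "exec"), namespace)
    return namespace[name]


def functionally_equivalent(src_a, src_b, name, inputs):
    """Sample-based check that both sources agree on every input tuple."""
    fa, fb = load_function(src_a, name), load_function(src_b, name)
    return all(fa(*args) == fb(*args) for args in inputs)


def distinct_shuffles(source, seeds):
    """Set of distinct variant sources produced from the given seeds."""
    return {make_shuffle(source, s)[0] for s in seeds}


if __name__ == "__main__":
    inputs = [(1, 2), (5, -3), (0, 0), (7, 7)]
    for seed in range(3):
        variant, order = make_shuffle(SAMPLE_SOURCE, seed)
        ok = functionally_equivalent(SAMPLE_SOURCE, variant, "compute", inputs)
        print(f"seed={seed} order={order} equivalent={ok}")
```

For the sample function the dependency analysis allows eight distinct orderings, so eight hosts could each run a differently laid-out copy; an attack that depends on the exact layout of one copy does not carry over unchanged to the others, which is the propagation barrier the slide describes.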
BotNet Detection and Mitigation
[Diagram: infection detection, retroactive query and containment workflow for one host]
Infection Report for 10.10.2.10 (Owner: Jon Doe, Virulence: 0.87)
Symptoms:
- Host slowed down at t1
- Downloaded exe from untrusted hosts
-- at time t2 from 192.168.1.10 (30KB)
-- at time t2’ from 192.168.3.12 (194KB)
- Change in host role
-- role changed from web/mail client to p2p-node at time t3
Infection Detection: symptoms (slowdown at t1, untrusted download at t2, role of host changed at t3; t1 > t3 > t2), roles, reputation
Retroactive Query: Which hosts downloaded or uploaded the payload?
Retroactive Query Results
Downloaded:
- 10.10.2.10 from 192.168.1.10 at time t2
- 10.10.2.34 from 192.168.52.26 at time t4
- 10.10.2.34 from 192.168.52.26 at time t5
Uploaded:
- 10.10.2.54 uploaded to 192.168.52.26 at time t3
Containment: Restrict all network access OR Restrict outbound access; recover evidence (direct link to packet data, or manual download from source)
• Detects Botnets using current & historical network traffic / host data
• Detects symptoms / behaviors – Not signatures
• Provides multiple Botnet detection and collaboration mechanisms
– Hierarchical Bloom filter technology permits months of data to be stored for queries
• Utilizes existing forensic analysis technology developed / operational at Polytechnic University
• Provides targeted mitigation recommendations
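The retroactive query (“which hosts downloaded or uploaded the payload?”) backed by Bloom filters is the least obvious part of the slide, so here is an added worked example in Python; it is not the deck's code or Polytechnic University's. It keeps one Bloom filter per day under one per month, so a month-level miss prunes all of that month's day filters, and it answers the query by probing each known host against the filters (a Bloom filter cannot list its contents, only answer membership). The transfer records mirror the addresses in the slide's report but are constructed; the payload identifiers, the per-day sizing and the containment rule (a host that has already uploaded the payload gets all access restricted, a host that has only downloaded it gets outbound restricted) are assumptions.

```python
import hashlib
from math import log


class BloomFilter:
    """Bit-array Bloom filter sized for n_items at the target false-positive rate."""

    def __init__(self, n_items, fp_rate=0.01):
        self.m = max(64, int(-n_items * log(fp_rate) / log(2) ** 2))  # bits
        self.k = max(1, round(self.m / n_items * log(2)))              # hash functions
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key):
        # Double hashing from one SHA-256 digest: h1 + i*h2 for i in 0..k-1.
        digest = hashlib.sha256(key.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


class TransferIndex:
    """Two-level (month -> day) Bloom index of payload transfers.

    Keys are "dl|<host>|<payload>" and "ul|<host>|<payload>"; a miss in the month
    filter prunes all of that month's day filters. A host directory is kept because
    Bloom filters answer "was X stored?" but cannot enumerate their contents.
    """

    def __init__(self, per_day=1000):
        self.per_day = per_day           # assumed records per day (sizing only)
        self.days, self.months, self.hosts = {}, {}, set()

    def record(self, day, src, dst, payload):
        month = day[:7]
        mf = self.months.setdefault(month, BloomFilter(31 * self.per_day))
        df = self.days.setdefault(day, BloomFilter(self.per_day))
        for key in (f"dl|{dst}|{payload}", f"ul|{src}|{payload}"):
            mf.add(key)
            df.add(key)
        self.hosts.update((src, dst))

    def query(self, payload, direction):
        """{host: [days]} for hosts that transferred payload ("dl" or "ul")."""
        hits = {}
        for host in sorted(self.hosts):
            key = f"{direction}|{host}|{payload}"
            for month, mf in sorted(self.months.items()):
                if key not in mf:
                    continue  # whole month pruned by the upper-level filter
                for day, df in sorted(self.days.items()):
                    if day.startswith(month) and key in df:
                        hits.setdefault(host, []).append(day)
        return hits


def triage(index, payload):
    """Retroactive query plus a containment recommendation per affected host."""
    downloaders = index.query(payload, "dl")
    uploaders = index.query(payload, "ul")
    plan = {}
    for host in downloaders:
        # A host that has already passed the payload on is treated as an active spreader.
        plan[host] = ("restrict all network access" if host in uploaders
                      else "restrict outbound access")
    return downloaders, uploaders, plan


def build_sample_index():
    """Constructed transfer records modelled on the slide's infection report."""
    idx = TransferIndex()
    idx.record("2009-09-15", "192.168.1.10", "10.10.2.10", "benign-b")
    idx.record("2009-10-02", "192.168.1.10", "10.10.2.10", "exe-a")
    idx.record("2009-10-03", "10.10.2.54", "192.168.52.26", "exe-a")
    idx.record("2009-10-04", "192.168.52.26", "10.10.2.34", "exe-a")
    idx.record("2009-10-05", "192.168.52.26", "10.10.2.34", "exe-a")
    return idx


if __name__ == "__main__":
    downloaders, uploaders, plan = triage(build_sample_index(), "exe-a")
    print("downloaded:", downloaders)
    print("uploaded:", uploaders)
    print("containment:", plan)
```

Because a Bloom filter can return false positives (never false negatives), a hit from the index is a lead to confirm against the stored packet data, which is what the slide's “direct link to packet data” step is for; a miss, on the other hand, is conclusive and is what lets the month-level filter prune whole months cheaply.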
Wireless Network Security (Aware)
[Diagram: Aware Detectors at the BTS / RNC / PDSN of the wireless core, reporting to Aware Central; Home Agent and Internet shown beyond the core]
Aware Detector
• Provides traffic assessment to assist in network & end user service quality protection
• Wireless 3G/4G Network Anomaly Behavior Detector (Bell Labs algorithms)
• Monitors individual subscriber session behavior
• Calculates “cost” of behavior relative to real-time capacity in the network
• Observes Mobile-to-Mobile & Internet-to-Mobile traffic
Aware Central
• Security Event Viewer for reports, alarms, network awareness and forensics
• Element / configuration manager for Detectors & Mitigation Appliances for Security Event Management
• Mitigation plan through IPS/Firewall, Mobile Quarantine of abusive users
Laptop Guardian
• Protects the mobile laptop & applications with hardened wireless agent
• Automates VPN connection to the Enterprise
• Agent: Intelligent data card, plugs into the end-user mobile host, terminates IPsec tunnel to Gateway, includes 3G interface (HSDPA, EV-DOrA) for ubiquitous connectivity
• Gateway: Enhanced remote access server, deploys at the edge of the enterprise network
• Driver: Software package, installs on the end-user mobile host
• Management Server: Management software platform, installs on general-purpose enterprise server
3. Application Security & Web 2+ Approaches
• Secure the Applications
– Security Concerns:
• RSS, AJAX (Asynchronous JavaScript and XML), Instant Messaging, Widgets / Gadgets
• Web 2.0 apps might initially have higher vulnerabilities than above
• Provide a “platform in the cloud” that makes proprietary data stored in applications securely accessible across Web 2.0 interfaces
– In Government private cloud computing
• Meet Government Information Assurance requirements
– In Government public cloud computing
• Provide security standards transparency & SLAs audit support
• Establish how Government customer data integrity & privacy will be assured
• Consider segregating Government domains in the cloud
The Bottom Line…
• Today’s Networks are Different
– Voice & Data -> Converged, Multimedia, All IP
– Enterprise -> Web 2.0+ & Cloud Computing
– Standard Content -> Consumer Generated Content
– Fixed Users -> Mobile Users
• Today’s Adversaries are More Sophisticated
– Threats extended to all networks connected to the Global Information System
• Security Paradigm Shifts are Needed
– Perimeter Security -> Holistic Security
– Threat Intolerance -> Threat Tolerance
– Signature Based -> Behavior Based
[Diagram: four quadrants labelled 1. Network, 2. People, 3. Process, 4. Knowledge]
Thank You… Any Questions?
Adrian R Hartman
Senior Manager and Architect
Solution Engineering
LGS, Bell Labs Innovations
15 Vreeland Road
Florham Park, NJ 07932
mobile: 908-578-3679
phone: 973-437-9868
www.lgsinnovations.com
[email protected]
Backup
Alcatel-Lucent Security Solutions
A Comprehensive Enterprise Portfolio
Security Innovations for Next Generation Networks
• Bell Labs Security Framework (X.805, ISO 18028)
• Security Consulting
• Secure ALU COTS Networking Products
• Security Assessments
• Third Party Partner Relationships
• ALU VPN/Firewall (aka The Brick)
• Vital ISA for Security Event Management
• Software Diversity
• Bot Detection
• Laptop Guardian
Network Reconnaissance for Penetration Testing
• Internet Probing, Mapping and Analysis
– Remotely probe Internet connected networks
– Low probability of network disruption
– Determine target network exposure, vulnerabilities and weaknesses
– Produce detailed analyses, network maps and collected data
– Propose Remediation
• Identify machines with vulnerabilities in the target network
– Web Servers, DNS Servers, Vulnerable Hosts
• Network Reconnaissance Process
– Provided as Output: Potential Targets, Paths to Target Machines, Server Types, Vulnerabilities i.e. Open Ports
Kiviat Diagram X.805 Example: High Risk Zones / Plans for Remediation
[Kiviat (radar) chart: X.805 Dimension vs % of Risk to Remediate on a 0.00 to 1.00 scale, one axis per dimension: Access control, Authentication, Non-repudiation, Data confidentiality, Communication Security, Data Integrity, Availability, Privacy; the individual plotted values are not recoverable from the extracted text]
Legend: Current Levels - High; High priority; Medium priority; Low priority; Area of high risk gaps
The red areas show high risk gaps for X.805 dimensions.
Purple indicates the implementation status of high priority security capabilities.
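As an added example covering both the X.805 model slide earlier in the deck and this Kiviat diagram (it is not the deck's own tooling or data), the Python below builds the 3 layer x 3 plane x 8 dimension grid, scores each cell's implementation level, derives the per-dimension “% of Risk to Remediate” as 1 minus the mean cell score, bands it into low/medium/high priority, and lists the weakest cells for a dimension so remediation can be targeted to specific layer/plane intersections. The scores and the 0.3/0.6 priority cut-offs are constructed assumptions.

```python
LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control/Signaling", "End User")
DIMENSIONS = ("Access control", "Authentication", "Non-repudiation",
              "Data confidentiality", "Communication security",
              "Data integrity", "Availability", "Privacy")


def empty_assessment(default=0.0):
    """One score cell per (layer, plane, dimension): 0.0 = no control, 1.0 = fully in place."""
    return {(l, p, d): default for l in LAYERS for p in PLANES for d in DIMENSIONS}


def risk_to_remediate(scores):
    """Per dimension, the share of risk still open: 1 - mean implementation level over its 9 cells."""
    risk = {}
    for d in DIMENSIONS:
        cells = [scores[(l, p, d)] for l in LAYERS for p in PLANES]
        risk[d] = round(1 - sum(cells) / len(cells), 2)
    return risk


def prioritize(risk, high=0.6, medium=0.3):
    """Priority band per dimension; the cut-offs are assumptions, not from the slide."""
    return {d: ("high" if r >= high else "medium" if r >= medium else "low")
            for d, r in risk.items()}


def weakest_cells(scores, dimension, n=3):
    """The n lowest-scoring (layer, plane) cells for a dimension: where remediation starts."""
    cells = [(scores[(l, p, dimension)], l, p) for l in LAYERS for p in PLANES]
    return [(l, p, s) for s, l, p in sorted(cells)[:n]]


def sample_assessment():
    """Constructed scores (not the slide's data): mostly adequate, with deliberate gaps."""
    scores = empty_assessment(default=0.8)
    for layer in LAYERS:  # no non-repudiation controls on the management plane
        scores[(layer, "Management", "Non-repudiation")] = 0.0
    for layer in LAYERS:  # privacy weak across every layer and plane
        for plane in PLANES:
            scores[(layer, plane, "Privacy")] = 0.2
    scores[("Infrastructure", "End User", "Availability")] = 0.1  # single weak cell
    return scores


if __name__ == "__main__":
    scores = sample_assessment()
    risk = risk_to_remediate(scores)
    bands = prioritize(risk)
    for d in DIMENSIONS:
        print(f"{d:24s} risk={risk[d]:.2f} priority={bands[d]}")
    print("weakest non-repudiation cells:", weakest_cells(scores, "Non-repudiation"))
```

Reading the output the way the Kiviat chart is read: Privacy (risk 0.80) is the high-priority axis, Non-repudiation (0.47) is medium because only one plane is missing controls, and Availability (0.28) stays low even though one cell is badly scored, which is exactly the case where the per-cell listing matters more than the aggregated axis.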