CID-1 Kickoff 2.10 MiB application/vnd.ms-powerpoint
Download
Report
Transcript CID-1 Kickoff 2.10 MiB application/vnd.ms-powerpoint
CID #1 Kickoff
29 September 2010
Unclassified For Official Use Only
Contractual Context
• CID-1 Risk Reduction
- Current Contract
– Blackridge
– HBGary
• CID-1
Blackridge
- Starting
– Blackridge
– HBGary
– Akamai
• Cyber Accelerator
Starting
– Blackridge
– HBGary
Unclassified For Official Use Only
1
Risk Reduction
• Objectives:
– Set the stage for the actual CID activity
– Show significant progress in commercial integration by COB December
– Accelerated commercial road-map baseline
• Tasks
– Demonstration – described above
– CID / Cyber Accelerator commercial assessment
• Deliverables
CDRL
A001
Description
Monthly Progress/Cost Reports, due 5th day after end of each month
A002
A003
TIM Presentations and Meeting Minutes, due 14 calendar days following the event
Risk Reduction Report, due 31 December 2010
Unclassified For Official Use Only
2
Public Benefits
Schedule
Phase 1
Phase 2
Phase 3
CID-1
Completion
Core Component Capabilities
Blackridge
CID-1 will:
• Integrate innovative commercial capabilities of
Akamai, BlackRidge, and HBGary,
• Accelerate respective commercial product roadmaps.
• Demonstrate significantly enhanced commercial
cyber security capabilities illustrated through an ebanking use case.
• Enable government-unique use cases such as
integrated SIPRNet endpoint authentication and trust
assessment, securely communicated to an existing
content data network or web server for threat
detection and remediation.
Financials & Challenges
Endpoint Payloads; Hacker
“Toolmarks”; Trust Values
$’s provided by ASD/NII for risk reduction; projected
completion end of Calendar Year 2010
Secure TCP/IP session;
steganographic tokens in packet
header
FY10 Supplementals provided; projected completion of
demonstration end of FY2011
Internationally deployed platform
reaching 73 countries covering 20%
of world’s web traffic
If successful; Transition Partner and organization must
be quickly identified
Unclassified For Official Use Only
Use Cases
•
Demonstrated commercial use case:
–
–
–
–
Digital DNA endpoint agent detects if a protected device has been compromised by an advanced threat, based on
live memory and runtime analysis.
Endpoint TAC client communicates the compromise status, and a device authentication token, through the
protected communications path.
The content delivery network, augmented by the TAC appliance, recognizes the token and the compromise status
on the first packet of a TCP/IP session, and allows reroute, remediation, or other active response such as
geolocation or QoS management, before the endpoint interacts with a protected web server.
This has immediate commercial application for protecting hosted intranets at the enterprise level .
•
Enabled commercial use cases: e-commerce, fraud mitigation, and behavioral tracking (is the
endpoint user behaving like a person, or like a bot?).
•
Enabled governmental use cases:
–
–
The commercial use case is the government use case for protecting TIC, NIPRNet, or SIPRNet gateways and
web servers.
The ability to interface with GFE endpoint agents; the ability to use witting or unwitting host traffic; the ability to
transmit a unique tag for authenticating endpoints on the first packet, and to provide a protected communications
path; the ability to recover or redirect tagged traffic at line-rate, in real-time; and the ability to access 10-20% of
the world’s web traffic through a global content provider; all enable a range of government-unique missions.
Unclassified For Official Use Only
4
Phase Details
•
Phase 1
–
–
–
•
Phase 2 (Phase 1 Plus)
–
–
–
–
–
•
Integrate Endpoint security library with TAC client on a Microsoft XP operating system.
Demonstrate a protected endpoint is provisioned with the client, and configured to demonstrate good (and then bad)
security trust with respect to the assessment.
Demonstration differentiation between good and bad trust at the endpoint in the presence of endpoint compromises,
for a reasonable set of threat vectors.
The TAC Gateway shall be installed, configured and provisioned at the data center.
The TAC Gateway shall be provisioned to identify a multi-mode TAC identity. This allows the protected
communication of both identity and endpoint state.
The demonstration website shall be provisioned with HTTPS support at the data center.
The application will be a mock financial website, using HTTPS for the protocol to demonstrate compatibility with
encrypted traffic.
Demonstrate reception of inserted identification and security trust at the data center.
Phase 3 (Phase 2 Plus)
–
–
–
–
–
Lightweight endpoint security library at the endpoint, suitable for remote provisioning.
Tagging, cloning, and redirection of live sessions at the TAC appliance, based on identity and security policy.
Quality of service tailored to identity and security policy.
Exposure to large volumes of non-participating live traffic, to assess optimum configurations for operational systems.
Full integration of client-side capabilities (all or subset) with server-side application layer.
Unclassified For Official Use Only
Technical Architecture
TCP Packet
Web
Traffic
Source
TCP Packet Options
1) Seq
2) Seq + Key + Time
3) Seq + Key + Time + LPI Data
CDN
NOC
TAC
Client
Endpoint
Payload
1.
2.
3.
4.
5.
TCP Packet
TAC
Appliance
Internet
CDN
Server
CDN Edge Network
SIEM
Monitor
TAC
Mgmt
Payload
Mgmt
Host generates web traffic destined for Content Data Network (CDN) provider
Endpoint payload generates data
TAC Client generates steganographic token, with LPI data embedded and signed with secure hash
TAC Appliance in data center recognizes token and takes action in conjunction with CDN: transport
payload data, clone or redirect session, geolocate
Reverse C3 path via store and forward acknowledgement at TAC Appliance
Unclassified For Official Use Only
Discussion Points
• Define what can be done given resources
• Define when we will target the end product
• Define where the final demonstration will occur
– Farallon’s Cupertino Office
• Giver/Receivers
– Who needs what and by when
• Discuss Working Tools
– Conference Calling
– Collaboration Tools
– Centralized storage
Unclassified For Official Use Only
7
Resources – Conference Calling
• Dial-in number:
• Conference code:
• Leader PIN
(469) 941-0740
6977859293
1550
• Get started:
1. Give your participants the date and time of the call, your dial-in number and your conference code.
2. At the specified time, dial your dial-in number, then enter your conference code, followed by #.
3. When prompted, press *, then enter your leader PIN, followed by #.
4. Your participants join the conference by dialing your number and entering the conference code.
• Helpful Keypad Commands:
00
*3
*4
*5/#5
*6/#6
*7/#7
11
*51/#51
#99
*#
**
Operator assistance - leader only
Change entry/exit method (recorded names, tones, silence) - leader only
Private roll call
Mute/unmute all participant lines - leader only
Mute/unmute your own line
Lock/unlock conference (including operator) - leader only
Third-party conference start - bypass hold music to start call as leader
Lecture mode on/off – leader only
Disconnect all lines except leader’s – leader only
Participant count
List available keypad commands
Ridge Partners, LLC and Akamai Confidential and Proprietary
Contractor Bid or Proposal Information and Source Selection Information - See FAR 2.101 and 3.104
8
Collaboration
Tools
•
•
•
•
Shared Desktop
Whiteboards
Chat
Etc.
• Shared Content
– Can be used instead
of a conference
– Encrypted at rest
Ridge Partners, LLC and Akamai Confidential and Proprietary
Contractor Bid or Proposal Information and Source Selection Information - See FAR 2.101 and 3.104
9
Project Sites
• Coming Soon
Ridge Partners, LLC and Akamai Confidential and Proprietary
Contractor Bid or Proposal Information and Source Selection Information - See FAR 2.101 and 3.104
10
Background
Unclassified For Official Use Only
11
BlackRidge Overview / Products
• StealthWorks authentication
– Designed to secure TCP/IP sessions and
make servers invisible to attacks – current
gap in end-to-end trust model
• Steganographically inserts signature +
time + sequence token into packet
header
• Runs at line rate from 1-40 Gb/sec,
very low latency
• Enhanced design includes 4-8 bit
LPI payload in token, adds payload
API, adds IP splicing feature
Unclassified For Official Use Only
Overview/ Endpoint Payloads
• Responder: live memory
and runtime analysis
• Passwords, chat, data
• Digital DNA: implant and
malware detection
• Determines behaviors, exports
Trait codes
• Trait signature identifies
compromise vectors
Unclassified For Official Use Only
Overview / Infrastructure
• EdgePlatform
– 48,000 servers in 1,000 networks
across 73 countries handle 1020% of the world's Web traffic
– Replicates and delivers news,
media, e-commerce, social
networking content from “the
edges of the Internet”
– Global traffic geolocation
• Network Operations Center in
Massachusetts
Global content
delivery and attack
monitoring
• Integrate StealthWorks into
data centers, backhaul,
network ops
Unclassified For Official Use Only
China, Columbia,
Egypt, Estonia,
Indonesia, Israel,
Latvia, Lithuania,
Malaysia, Qutar,
Turkey, Venezuela