Agile, Adaptive Cyber Security – Proactive vs. Reactive Direction

September 7, 2011
Referentia Systems Inc. – Michael Kono
© 2011 - Referentia Systems Incorporated – Confidential & Proprietary

Slide deck transcript (17 pages).

Page 2: Agenda

• Challenge
• General strategy to mitigate
  – First step is what to protect
  – Create finite avenues of approach or paths to assets
  – Create “cyber terrain” around assets – logical segregation
  – Instrument avenues of approach
  – Monitor and maintain
  – Position tools to detect and counter attacks
• Future directions

Page 3: Cyber Security Challenges

• The cyber attack threat now comes from a global attack surface
  – Current network defense is reactive and inflexible, focusing on rigid configuration management of an assumed, relatively static network architecture
  – Attack planning and staging can take place over years
• Attacks are increasingly sophisticated and focused on mapping the vulnerabilities of a relatively static target
  – Cyber security strategy must transition to a more proactive and adaptable CONOPS

Page 4: A New Way for Cyber Security

Create Certifiable Mission Assurance to Fight Through Cyber Attacks

• New Perspective – Protect the Essential Mission
• New Tools – Design, Build, Monitor, and Protect Cyber Terrain
• New Approach – Cyber Terrain to protect Mission Enclaves
• New Training – Deploying and Using New Cyber Security

Page 5: Strategy – What to Protect

• Can’t make the Internet safe – any network outside direct control, especially the Internet, is untrustworthy
• The enterprise is just a participant on the Internet via interfaces at multiple levels
  – Identify critical, high-value enterprise assets and “isolate” them from untrustworthy network enclaves
  – Create extensions of the trusted enterprise enclave to satellite or remote sites – avenue of approach #1
  – Create a bridge from the less trusted network to the trusted core; i.e. the exception to approach #1
    • Traditionally this is via a DMZ composed of IDS, firewalls, etc.
• Need to shift to a data-centric approach

Page 6: VSE Construct

• Virtual Secure Enclaves are:
  – Network enclaves logically separated from the underlying physical network transport via encrypted VPN layer(s) – approach #1
  – Controlled data flow between network enclaves via a policy-enforced Controlled Interface (CI) – approach #2
    • Policy enforcement is defined via explicitly defined ingress/egress points, both during operation and during network enclave re-configuration
  – Enclave boundaries with other enclaves are defined by CIs and VPN tunnels; i.e. small, defendable cyber terrains

Page 7: Basic Virtual Secure Enclave

A VSE is a “logically” separated network enclave with a well-defined network boundary, controlled access (VPNs), and controlled data transfer across boundaries.

Page 8: Enterprise Deployment

• Migrate to using “expert engine” tools vs. traditional approaches
• Each icon represents a VSE variant

Page 9: Enterprise Deployment

• Manual design and configuration is not practical
• A tool-based approach provides fast, cost-effective agility under configuration management (CM); the bill of materials (BOM) is auto-generated

Page 10: Deployment – CM’d Scripting

Page 11: Addition of Controlled Interface

[Diagram: Network A (“say Internet”, Low Trust Domain) holding “A” Data Objects and rules engine RE A; Network B (“say Enterprise”, VSE-Enterprise Domain) holding “B” Data Objects and rules engine RE B. The two are joined only by a Controlled Interface (CI); VSE-Enterprise Domains are joined by an encrypted VPN tunnel. CI instrumentation points are marked as the points to monitor.]

* RE = Rules Engine
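The boundary model on pages 6 and 11 (an encrypted VPN tunnel between trusted enclaves, a rules-engine-backed Controlled Interface as the only other sanctioned crossing, and instrumentation at exactly those points) amounts to a default-deny policy over cross-enclave flows. The following is an added example and not Referentia’s code or a LiveAction feature: the enclave names, the `ingress_point` labelling convention, the rule fields and the sample flows are all constructed for illustration.

```python
"""Default-deny cross-enclave flow policy modelled on the VSE construct.

Added example (not Referentia's code). Two sanctioned ways to cross an
enclave boundary, mirroring the deck:
  approach #1 - an encrypted VPN tunnel to a trusted peer enclave
  approach #2 - a Controlled Interface (CI) whose rules engine decides
                per data-object label
Anything else that crosses a boundary is non-conforming and is exactly
what boundary instrumentation should surface.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed convention: a tunnel endpoint is labelled VPN; any other
# ingress label is taken to be the name of a CI on the destination enclave.
VPN = "vpn"


@dataclass(frozen=True)
class Flow:
    src_enclave: str
    dst_enclave: str
    ingress_point: str   # VPN, a CI name, or something unexpected
    data_object: str     # label the rules engine classifies, e.g. "web-fetch"
    encrypted: bool


@dataclass
class ControlledInterface:
    name: str
    from_enclave: str            # the single lower-trust side it bridges
    allowed_objects: Set[str]    # rules-engine allow-list of object labels


@dataclass
class Enclave:
    name: str
    vpn_peers: Set[str] = field(default_factory=set)                   # approach #1
    cis: Dict[str, ControlledInterface] = field(default_factory=dict)  # approach #2

    def add_ci(self, ci: ControlledInterface) -> None:
        self.cis[ci.name] = ci


class BoundaryPolicy:
    def __init__(self, enclaves: List[Enclave]):
        self.enclaves = {e.name: e for e in enclaves}

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for one flow."""
        dst = self.enclaves.get(flow.dst_enclave)
        if dst is None:
            return "deny", "destination is not a defined enclave"
        if flow.src_enclave == flow.dst_enclave:
            return "allow", "intra-enclave traffic"
        if flow.ingress_point == VPN:
            if flow.src_enclave in dst.vpn_peers and flow.encrypted:
                return "allow", "approach #1: tunnel from trusted peer"
            return "deny", "tunnel ingress from non-peer or cleartext"
        ci = dst.cis.get(flow.ingress_point)
        if ci is None:
            return "deny", "ingress point is neither a tunnel nor a defined CI"
        if ci.from_enclave != flow.src_enclave:
            return "deny", f"CI {ci.name} does not bridge {flow.src_enclave}"
        if flow.data_object not in ci.allowed_objects:
            return "deny", f"rules engine rejected object {flow.data_object!r}"
        return "allow", f"approach #2: CI {ci.name} permitted {flow.data_object!r}"

    def non_conforming(self, flows: List[Flow]) -> List[Tuple[Flow, str]]:
        """Flows a boundary sensor should highlight, paired with the deny reason."""
        return [(f, why) for f in flows
                for verdict, why in [self.evaluate(f)] if verdict == "deny"]


def build_demo_policy() -> BoundaryPolicy:
    # Constructed topology: a core enterprise enclave, a remote site joined by
    # tunnel (approach #1), and the Internet reachable only through one CI.
    core = Enclave("enterprise-core", vpn_peers={"remote-site"})
    remote = Enclave("remote-site", vpn_peers={"enterprise-core"})
    core.add_ci(ControlledInterface("ci-internet", "internet", {"web-fetch", "mail"}))
    return BoundaryPolicy([core, remote, Enclave("internet")])


# Constructed sample flows, one per policy branch.
SAMPLE_FLOWS = [
    Flow("remote-site", "enterprise-core", VPN, "file-share", encrypted=True),
    Flow("internet", "enterprise-core", "ci-internet", "web-fetch", encrypted=False),
    Flow("internet", "enterprise-core", "ci-internet", "rdp-session", encrypted=False),
    Flow("internet", "enterprise-core", "direct-route", "web-fetch", encrypted=False),
    Flow("internet", "enterprise-core", VPN, "file-share", encrypted=True),
]

if __name__ == "__main__":
    policy = build_demo_policy()
    for flow in SAMPLE_FLOWS:
        print(policy.evaluate(flow), flow)
```

The last three sample flows are the ones the deck's instrumentation points exist to catch: an object the rules engine does not permit, a crossing that bypasses every defined CI, and a tunnel from an enclave that is not a trusted peer. Because the policy is default-deny, adding a new enclave or CI means adding an explicit entry; nothing becomes reachable by omission.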

Page 12: LiveAction nSA + Cyber Terrain

• Virtual Secure Enclave (VSE) constructs are used to create an agile, logical set of smaller networks on the physical transport layer
  – A VSE creates small networks with well-defined cyber boundaries via limited, well-defined, and controlled interfaces and encrypted access routes
• Defined boundaries and very finite access points facilitate effective instrumentation
• Example: LiveAction provides Situational Awareness and Command and Control of single or multiple VSEs

Page 13: LiveAction Near-Real-Time Display

• LiveAction is unique in its ability to provide an end-to-end network situational-awareness (SA) picture
• Allows real-time re-configuration of the network and end-to-end verification

[Screenshot: LiveAction topology display with nodes labelled Source, Destination, Signaling, Voice and Call Manager, and repeated YIELD markers on the links]

Page 14: LiveAction Applied for SA

• Observe Red team actions
• Respond to attacks
• Capabilities: real-time and forensic analysis of, and response to, attacks
  – Probing and attack visualization
  – Highlight blacklisted IP addresses
  – QoS to respond to attacks
  – Observe probing and volume attacks
  – Tunnel performance and debugging
  – Historical view (efficient lossless storage)
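The capability list above (probing visualization, blacklisted addresses, volume attacks, a historical view) describes what an analyst does with the flow records collected at the boundary instrumentation points. As an added example that is not LiveAction’s code, the routine below runs three of those checks over constructed flow records: a blacklist match against a documentation prefix standing in for a threat feed, a distinct-ports-per-host sliding-window test for probing, and a per-destination byte-volume outlier test against the destination’s own history. The thresholds, addresses and records are all assumptions chosen for the demonstration.

```python
"""Flow-record triage at an enclave boundary: blacklist, probing, volume.

Added example, not LiveAction's code. Records, addresses and thresholds
are constructed; addresses come from RFC 5737 documentation ranges and
RFC 1918 space so nothing here points at a real host.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    ts: int       # seconds since capture start
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed blacklist: one documentation prefix stands in for a threat feed.
BLACKLIST = [ip_network("203.0.113.0/24")]


def blacklisted_sources(records: List[FlowRecord]) -> List[str]:
    """Sources whose address falls inside any blacklisted prefix."""
    return sorted({r.src for r in records
                   if any(ip_address(r.src) in net for net in BLACKLIST)})


def probing_sources(records: List[FlowRecord], window: int = 60,
                    min_ports: int = 10) -> List[str]:
    """Sources touching >= min_ports distinct ports on one host within `window` seconds."""
    pairs: Dict[Tuple[str, str], List[FlowRecord]] = defaultdict(list)
    for r in records:
        pairs[(r.src, r.dst)].append(r)
    hits = set()
    for (src, _dst), recs in pairs.items():
        recs.sort(key=lambda r: r.ts)
        lo = 0
        for hi in range(len(recs)):
            while recs[hi].ts - recs[lo].ts > window:   # slide the window start forward
                lo += 1
            if len({r.dport for r in recs[lo:hi + 1]}) >= min_ports:
                hits.add(src)
                break
    return sorted(hits)


def volume_anomalies(records: List[FlowRecord], bucket: int = 60, factor: float = 5.0,
                     min_buckets: int = 3) -> List[Tuple[str, int, int]]:
    """(dst, bucket_start, bytes) for buckets exceeding factor x the median of that
    destination's other buckets. Destinations seen in fewer than min_buckets buckets
    are skipped because there is no history to compare against."""
    per_dst: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        per_dst[r.dst][r.ts // bucket] += r.nbytes
    out = []
    for dst, buckets in per_dst.items():
        if len(buckets) < min_buckets:
            continue
        for b, total in sorted(buckets.items()):
            others = [v for k, v in buckets.items() if k != b]
            if total > factor * median(others):
                out.append((dst, b * bucket, total))
    return out


def triage(records: List[FlowRecord]) -> Dict[str, list]:
    return {
        "blacklisted": blacklisted_sources(records),
        "probing": probing_sources(records),
        "volume": volume_anomalies(records),
    }


def constructed_records() -> List[FlowRecord]:
    recs: List[FlowRecord] = []
    # Baseline: two 500-byte HTTPS flows per minute to a core server for five minutes.
    for m in range(5):
        recs.append(FlowRecord(m * 60 + 5, "10.20.0.11", "10.10.0.5", 443, 500))
        recs.append(FlowRecord(m * 60 + 35, "10.20.0.11", "10.10.0.5", 443, 500))
    # Volume event: a single 60 kB flow in minute 5 from an unfamiliar source.
    recs.append(FlowRecord(305, "198.51.100.7", "10.10.0.5", 443, 60000))
    # Probe: a blacklisted host walks ports 20-35 on another server in 16 seconds.
    for i, port in enumerate(range(20, 36)):
        recs.append(FlowRecord(10 + i, "203.0.113.9", "10.10.0.6", port, 60))
    # Benign: three ports from one client stays below the probing threshold.
    for i, port in enumerate((22, 80, 443)):
        recs.append(FlowRecord(100 + i, "192.0.2.3", "10.10.0.7", port, 300))
    return recs


if __name__ == "__main__":
    for name, hits in triage(constructed_records()).items():
        print(f"{name}: {hits}")
```

The volume test compares each minute against the median of the same destination’s other minutes rather than a fixed global threshold, so a busy server and a quiet one get different baselines; the median also keeps the spike itself from inflating the baseline it is judged against. The probing test is per (source, destination) pair, so a client that legitimately talks to many services on many hosts is not flagged unless it walks many ports on one of them.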

Page 15: Secure Portal: Operational Value

Resilience: integrated cyber security, QoS and availability

• QoS within enclaves for high-priority functions
• Dynamic network setup, operation, shutdown
• All traffic segmented to create defendable cyber terrain and enable ubiquitous failover
• Non-conforming traffic can be easier to identify

Page 16: Distributed Enclave Portal Model

• Enables enterprise-class services for everyone
• Controlled access into critical networks
• Security services for Internet access
• Leverages low-cost transport for secure and open usage
• Supports local jurisdiction policy control

Page 17: Summary

• Proven, relevant innovation derived from DoD R&D and experimentation
• Way forward…
  – Virtualization of the VSE to increase agility, reduce cost and ultimately address cloud-computing security requirements
  – Development of high-density, distributed, high-query-speed network sensor data storage
  – Mitigation strategies and solutions for insider threat leveraging the “cyber terrain” construct
  – Migration from IPv4 to IPv6 and incorporation of “stealth” strategies to make targeting and mapping difficult