© 2011 - Referentia Systems Incorporated – Confidential & Proprietary
Agile, Adaptive Cyber Security –
Proactive vs. Reactive Direction
September 7, 2011
Referentia Systems Inc. Michael Kono
Agenda
• Challenge
• General strategy to mitigate
  – First step is what to protect
  – Create finite avenues of approach or paths to assets
  – Create “cyber terrain” around assets – logical segregation
  – Instrument avenues of approach
  – Monitor and maintain
  – Position tools to detect and counter attacks
• Future directions
Cyber Security Challenges
• The cyber attack threat now comes from a global attack surface
  – Current network defense is reactive and inflexible, focusing on rigid configuration management of an assumed, relatively static network architecture
  – Attack planning and staging can take place over years
• Attacks are increasingly sophisticated and focused on mapping the vulnerabilities of a relatively static target
  – Cyber security strategy must transition to more proactive and adaptable CONOPS
A New Way for Cyber Security
Create Certifiable Mission Assurance to Fight Through Cyber Attacks
• New Perspective – Protect the Essential Mission
• New Tools – Design, Build, Monitor, and Protect Cyber Terrain
• New Approach – Cyber Terrain to protect Mission Enclaves
• New Training – Deploying and Using New Cyber Security
Strategy – What to Protect
• Can’t make the Internet safe – any network out of direct control, especially the Internet, is untrustworthy
• The enterprise is just a participant on the Internet via interfaces at multiple levels
  – Identify critical, high-value enterprise assets and “isolate” them from untrustworthy network enclaves
  – Create extensions of the trusted enterprise enclave to satellite or remote sites – avenue of approach #1
  – Create a bridge from the less trusted network to the trusted core; i.e. the exception to approach #1
    • Traditionally this is via a DMZ composed of IDS, firewalls, etc.
    • Need to shift to a data-centric approach
VSE Construct
• Virtual Secure Enclaves are:
  – Network enclaves logically separated from the underlying physical network transport via encrypted VPN layer(s) – approach #1
  – Controlled data flow between network enclaves via a policy-enforced Controlled Interface (CI) – approach #2
    • Policy enforcement is defined via explicitly defined ingress/egress points, both during operation and during network enclave re-configuration
  – Enclave boundaries with other enclaves are defined by CIs and VPN tunnels; i.e. small, defendable cyber terrains
Basic Virtual Secure Enclave
A VSE is a “logically” separated network enclave with a well-defined network boundary, controlled access (VPNs), and controlled data transfer across boundaries
Enterprise Deployment
• Migrate to using “expert engine” tools vs. traditional approaches
• Each icon represents a VSE variant (deployment diagram not reproduced)
Enterprise Deployment
• Manual design and configuration is not practical
• A tool-based approach provides fast, cost-effective agility with CM (BOM auto-generated)
Deployment-CM’d Scripting
Addition of Controlled Interface
(Diagram: Network A, say “Internet” (Low Trust Domain), and Network B, say “Enterprise” (VSE-Enterprise Domain), each with its own Rules Engine (RE) and its “A” / “B” Data Objects; the two are joined through a Controlled Interface (CI) over an encrypted VPN tunnel, with CI instrumentation points to monitor. RE = Rules Engine.)
LiveAction nSA + Cyber Terrain
• Virtual Secure Enclave (VSE) constructs are used to create an agile, logical set of smaller networks on the physical transport layer
  – A VSE creates small networks with well-defined cyber boundaries via limited, well-defined, and controlled interfaces and encrypted access routes
• Defined boundaries and very finite access points facilitate effective instrumentation
• Example: LiveAction provides Situational Awareness and Command and Control of single or multiple VSEs
LiveAction Near-Real-Time Display
• LiveAction is unique in its ability to provide an end-to-end network situational-awareness (SA) picture
• Allows real-time re-configuration of the network and end-to-end verification
(Screenshot of the near-real-time display; visible labels: Source, Destination, Signaling, Voice, Call Manager)
LiveAction Applied for SA
• Observe Red team actions
• Respond to attacks
• Capabilities: real-time and forensic analysis and response to attacks
  – Probing and attack visualization
  – Highlight blacklisted IP addresses
  – QoS to respond to attacks
  – Observe probing and volume attacks
  – Tunnel performance and debugging
  – Historical view (efficient lossless storage)
Secure Portal: Operational Value
Resilience: integrated cyber security, QoS and availability
• QoS within enclaves for high-priority functions
• Dynamic network setup, operation, shutdown
• All traffic segmented to create defendable cyber terrain and enable ubiquitous failover
• Non-conforming traffic can be easier to identify
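The VSE Construct slide earlier in the deck and the Secure Portal slide above make one combined claim: once every enclave boundary is a declared CI or VPN tunnel, any flow that crosses a boundary some other way is non-conforming by construction, and a CI instrumentation point can flag it. The Python below is an added illustration of that check; it is not code from the slides or from Referentia or LiveAction. The enclave address plan, the CI allow policies, the VPN tunnel, the blacklisted address and the flow records are all constructed for the example.

```python
"""Toy check of flow records against a declared cyber terrain (enclaves, CIs, VPN tunnels)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Hypothetical enclave address plan (constructed for this example, not from the slides).
ENCLAVES: Dict[str, List[IPv4Network]] = {
    "enterprise": [ip_network("10.10.0.0/16")],
    "remote-site": [ip_network("10.20.0.0/16")],  # trusted extension reached over a VPN tunnel
    "internet": [ip_network("0.0.0.0/0")],        # low-trust catch-all, matched last
}


@dataclass
class ControlledInterface:
    """A declared ingress/egress point between two enclaves with an explicit allow policy."""
    src_enclave: str
    dst_enclave: str
    allowed: Set[Tuple[str, int]]  # (protocol, destination port) pairs permitted through the CI


# Hypothetical CI policy: these are the only declared boundary crossings (approach #2).
CIS: List[ControlledInterface] = [
    ControlledInterface("internet", "enterprise", {("tcp", 443)}),
    ControlledInterface("enterprise", "internet", {("tcp", 443), ("udp", 53)}),
]

# Encrypted VPN tunnels extend the trusted enclave to a remote site (approach #1).
VPN_TUNNELS: Set[frozenset] = {frozenset({"enterprise", "remote-site"})}

# Addresses to highlight, as on the "Highlight blacklisted IP addresses" slide (constructed value).
BLACKLIST = {ip_address("203.0.113.9")}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def enclave_of(addr: str) -> str:
    """Map an address to its enclave; longest prefix wins so the /0 catch-all comes last."""
    ip = ip_address(addr)
    ordered = sorted(ENCLAVES.items(), key=lambda kv: -max(n.prefixlen for n in kv[1]))
    for name, nets in ordered:
        if any(ip in n for n in nets):
            return name
    return "unknown"


def classify(flow: Flow) -> str:
    """Return 'ok' or the reason the flow does not conform to the declared terrain."""
    if ip_address(flow.src) in BLACKLIST or ip_address(flow.dst) in BLACKLIST:
        return "blacklisted-address"
    s, d = enclave_of(flow.src), enclave_of(flow.dst)
    if s == d or frozenset({s, d}) in VPN_TUNNELS:
        return "ok"  # inside one enclave, or across an encrypted tunnel joining two
    for ci in CIS:
        if ci.src_enclave == s and ci.dst_enclave == d:
            if (flow.proto, flow.dport) in ci.allowed:
                return "ok"
            return f"ci-policy-violation:{s}->{d}:{flow.proto}/{flow.dport}"
    # A crossing with no CI at all has no declared path, so it is an anomaly by construction.
    return f"no-controlled-interface:{s}->{d}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return only the non-conforming flows, each paired with its reason."""
    findings = []
    for f in flows:
        reason = classify(f)
        if reason != "ok":
            findings.append((f, reason))
    return findings


# Constructed flow records standing in for sensor/NetFlow output at a CI instrumentation point.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.7", "tcp", 445),      # intra-enclave
    Flow("10.10.1.5", "10.20.3.3", "tcp", 22),       # over the VPN tunnel
    Flow("198.51.100.4", "10.10.5.5", "tcp", 443),   # through the CI, allowed
    Flow("198.51.100.4", "10.10.5.5", "tcp", 3389),  # through the CI, not in policy
    Flow("198.51.100.4", "10.20.3.3", "tcp", 443),   # no CI declared for this pair
    Flow("203.0.113.9", "10.10.5.5", "tcp", 443),    # blacklisted source
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The point of the design is that the allow list is small and lives at the CI, so the detection logic never needs a signature for bad traffic: anything that is neither intra-enclave, nor inside a declared tunnel, nor matched by a CI policy is reported with the boundary it tried to cross. Running the sample reports three of the six flows.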
Distributed Enclave Portal Model
• Enables enterprise-class services for everyone
• Controlled access into critical networks
• Security services for Internet access
• Leverages low-cost transport for secure and open usage
• Supports local jurisdiction policy control
Summary
• Proven, relevant innovation derived from DoD R&D and experimentation
• Way forward:
  – Virtualization of VSE to increase agility, reduce cost and ultimately address cloud-computing security requirements
  – Development of high-density, distributed, high-query-speed network sensor data storage
  – Mitigation strategies and solutions for insider threat leveraging the “cyber terrain” construct
  – Migration from IPv4 to IPv6 and incorporation of “stealth” strategies to make targeting and mapping difficult