BlackRidge Technology - WECC

Posted on 31-May-2020

TRANSCRIPT

Page 1

www.BlackRidge.us

BlackRidge Technology

Enforcing End-to-End Trust for the Energy Sector

Robert Hubbard, Director OEM

Jeff Long, Sales Engineer

www.blackridge.us

Page 2

BlackRidge technology originated from a Department of Defense contract to “cloak” IP infrastructure in the Afghanistan war.

The ability to “cloak” IP infrastructure protected troop Stryker vehicles and prevented DDoS attacks on video signals from drones.

BlackRidge Confidential – July 2018

Page 3

BLACKRIDGE PRODUCT AND PARTNER DEVELOPMENT

Development in motion (timeline, 2010 to 2018; milestones as extracted from the slide, not in chronological order):

• Development Acceleration Program, Army

• DoD $5M funding

• Core product development

• IP and patent development

• Technology Demonstration Program, OSD

• Enterprise product development

• Market tests, 100G demo

• Network overlay solution

• 100G TAC Gateway demos to Army PEO-EIS

• DoD UC APL approval

• DISA and Army contacts

• Sales & marketing buildout

• Government/DoD expansion

• Software endpoint products

• Blockchain, IIoT, public clouds

• Cloud and enterprise product enhancements

• IBM partnership

• Ciena, Red Hat, Splunk, and Marist partnerships

Periods marked on the timeline: 2010-2012, 2011-2012, 2013-2014, 2015-2016, 2016-2017, 2017-2018

Page 4

Business Segments

• Finance

• Healthcare

• Industrial Internet of Things

• Industrial Operational Technology

• Blockchain Transactions

• Defense

• Cloud Services


Page 5

Core Capabilities

BlackRidge Adaptive Trust Platform

• Enforce End-to-End Trust

• Isolate Apps and Cloud Services

• Segment Networks and Data Centers

Platform elements: Identity; Policy and Trust Models; Segmentation; Compliance; Real Time Protection; Isolation/Cloaking; Centralized Management

Page 6

BlackRidge Product Capability Overview

Protect Critical Servers and Management Systems

• Protect high value servers and data (PII, algorithms, research, IP, ….)

• Protect the management plane of IT networks and systems

• Data centers, IaaS cloud services, and IoT

Isolate and Protect Cloud Services

• Control access to IaaS cloud servers by all parties

• All access attempts logged for audit history with attribution

• No unauthorized awareness of public cloud services

Micro-segmentation / software-based segmentation

• Infrastructure independent and supports heterogeneous environments

• Separates security policy from network topology

• Addresses compliance, risk and regulatory requirements

Page 7

A New, Adaptive Cyber Defense Model to Support Today’s Global Business

• Enforce End-to-End Trust Across the Business

• Dynamically Segment Networks and Data Centers

• Proactively Isolate Applications and Cloud Services

Page 8

The How-to: “Caller ID for the Internet”

1. Authenticates identity before “answering the call” to stop port scanning and cyber attacks

2. Isolates and protects servers and clouds from unwanted or malicious network connections

3. Provides ROI, reduces risk, provides segmentation for compliance

Secure Caller-ID: Who wants to connect to you?

Page 9

BlackRidge’s “Secret Sauce”

• Identities & Groups

• Insertion & Distribution

• Tokens & Keys

• Trusted Hosts & Protected Resources

• Trust Levels

• Rules & Actions

• Adaptive Nulling (Blacklisting) & Whitelisting

• Logging & Integration

First Packet Authentication

BlackRidge First Packet Authentication™ stops attacks at the earliest possible time. Current security products start after network sessions are established.

[Diagram: TCP/IP packet flows over time, with the network session divided into Session Setup and Data Transfer. Port scans and attacks occur during TCP/IP session setup.]

BlackRidge closes the TCP/IP vulnerability exploited in 100% of cyber attacks

Page 10

www.BlackRidge.us

BlackRidge Use Cases and Benefits

Enforcing End-to-End Trust in the Energy Sector

www.blackridge.us

Page 11

Dynamically Segment Critical Resources

1. Blocks unauthorized users or devices from seeing and accessing systems or critical network resources

2. Controls which identities or groups can access and traverse the network

3. Enforces security policy across network boundaries to support legacy and new cloud-based environments

[Diagram: Group A, Group B, Group C and Group D on a flat data center network with integrated legacy systems]

Logical separation by functional group: Manufacturing, Finance, Vendors, IP/Data

Page 12

Software Defined Perimeter

Problem

Protection of legacy systems from external unauthorized access without costly network re-engineering

The network perimeter has dissolved, and traditional protection tools allow a connection before authentication

Solution

• Access to critical systems based on user identity

• Cloaking of critical assets

Benefits

• Access based on context-sensitive identity

• Secure connection between user and approved system

• Makes the entire network completely invisible

• Eliminates lateral movement on internal networks

• Automated policies reduce operational costs, while capital expenditures on less efficient and less secure technologies are reduced

Page 13

Identity Based Network Segmentation

Problem

Protection of legacy systems from internal unauthorized access without costly network re-engineering – Segmentation

Solution

• Access to critical systems based on user identity

• Cloaking of critical assets

Benefits

• Proactively enables full control over which identities can access legacy systems across the network

• Blocks identities from seeing and accessing unauthorized systems or network segments

• Enforces consistent segmentation policies across enterprise and cloud networks

• Simple, easy to manage access controls, while eliminating dependency on complex VPNs, NACs and firewalls

• Automated policies reduce operational costs, while capital expenditures on less efficient and less secure technologies are reduced

• 70% reduction in software/hardware and operating costs

Page 14

A real substation can be fairly complex.

[Diagram: substation network with Identity Insertion on the operator side, Identity Insertion and Resolution in the middle, and Identity Resolution in front of the field devices]

Page 15

Use Case: Logically Segmenting Resources In The Field

Workflow

1. Show Operator 1 accessing Field Device

2. Show External Operator X accessing Field Device X

3. Show External Operator Y accessing Field Device Y

4. Show External Operator X not able to access Field Device Y

5. Show integration to SIEM via custom dashboard

Cloaking Resources in Plain Sight!!!

[Diagram: Operators X and Y, Identity Insertion on the operator side, Identity Insertion and Resolution, and Identity Resolution in front of Field Devices X and Y]

Setup

• Unique identities for internal operators

• Unique identities for external operators

• Policies to allow only internal operators to access Field Devices

• Policies to allow external operators to access only their relevant Field Devices

• BlackRidge to Elastic Stack configured

Page 16

www.BlackRidge.us

BlackRidge Detect and Defend Models

Enforcing End-to-End Trust in the Energy Sector

www.blackridge.us

Page 17

Two Strategy Models

Detect Model

• Detect and (maybe) Mitigate

Defend Model

• Block

Page 18

Metrics – Evaluating Capabilities

• False Positive – A False Alarm

  • This is the measurement of events that have caused false alarms

  • This is a measurement of deployability

• False Negative – An Undetected Attack

  • This is the measurement of bad traffic allowed through an enforcement device, sometimes called leakage

  • This is a measurement of effectiveness

• Deployability and Effectiveness are inversely correlated to false positives and false negatives respectively

  • Low false positives means high deployability

  • Low false negatives means high effectiveness

[Chart: Deployability (low to high) against Effectiveness (low to high); the axes correspond to False Positives and False Negatives, with the Ideal Solution marked]

Page 19

The Detect Model

Goal: Detect and (maybe) Mitigate

• Uses flow (network) and content (application) information

  • Content only available after session establishment

  • Encryption makes content unavailable

• Compares against a database (blacklist) or algorithm

  • Spoofed information can produce false alarms (false positives)

  • Blacklisting only works against known attacks, fails against zero-day attacks (false negatives)

• Strategy – Detect, then mitigate

  • Notification of incident

  • Mitigation not real time, if at all

  • Tolerant of high levels of false positives

[Chart: Deployability (low to high) against Effectiveness (low to high), with the Detect Model plotted]

Page 20

The Defend Model

Goal: Block an Attack or Threat

• Builds on the Detect Model

  • Inherits the characteristics of the Detect Model

• Strategy – Block threats immediately

  • Blocking in real-time

• False positives are now a critical factor

  • A false positive blocks a person or device from performing its work

  • Adversary’s creation of a false positive is an attack vector

[Chart: Deployability (low to high) against Effectiveness (low to high), with the Detect Model and the Defend Model plotted]

Page 21

Metrics Depend on Evaluation Criteria

For any network security technology, the effectiveness of that technology depends on the network threat it is being evaluated against

[Three charts of Deployability (low to high) against Effectiveness (low to high): Firewall vs Static IP, Firewall vs Scanning, Firewall vs Zero-Day]

Page 22

Detection Decision Making

• Available information

  • Network addresses (IP, MAC), protocol

  • Content

• Addresses cannot be authenticated

  • Addresses can be spoofed

• Content

  • Application specific

  • Content information is not authenticated, can be spoofed

  • Content is unavailable when encrypted

Page 23

Detection Difficulty

• Easy: Static Stuff

  • To non-existent services (ports)

  • To non-existent devices, networks (IP addresses)

  • From prohibited networks (IP addresses)

• Hard: Everything Else

  • Encrypted content

  • Mutating content

  • Stuff that can be spoofed

  • Stuff that cannot be authenticated

• Increases in difficulty result in increases in both false positives and false negatives

  • And corresponding decreases in deployability and effectiveness

Page 24

False Positives Break the Defend Model

• Network addresses cannot be authenticated

  • Adversary can spoof addresses

• Encrypted content eliminates application information

• Limited response automation

  • Blocking IP or MAC addresses is a broadly targeted response

  • May require a person to review an address block before activation

  • Adversary can use a false positive as an attack vector

The Defend Model cannot be reliably implemented without Authentication

[Chart: Deployability (low to high) against Effectiveness (low to high); the Defend Model plotted against False Positives]

Page 25

How Do Firewalls Work?

• Today’s firewalls reduce false positives at the expense of security

  • Threats that generate false positives are not blocked

• Today’s firewalls cannot block

  • Network scanning, mapping and discovery

  • Zero-day attacks

  • Encrypted traffic

  • Adversary traffic with spoofed (valid) addresses

  • Adversary traffic with spoofed (valid) content

• Some heuristics improve effectiveness

  • Often at the expense of deployability

[Chart: Deployability (low to high) against Effectiveness (low to high); Firewall vs Scanning, Zero-Day, Encrypted, Spoofed Addr and Spoofed Content, plus Advanced Heuristics, plotted]

Page 26

Introducing Identity

• Identity is an authenticatable element

  • Enables cryptographic authentication

  • Cannot be spoofed

• Available at the network

  • Independent of content

  • Available when content is encrypted

• Authenticated non-interactively

  • Operates within existing network transactions

  • Does not reveal presence of network elements before authentication has completed successfully

Page 27

Whitelisting

• Whitelisting requires Authentication

  • Without authentication, whitelisting can be attacked by spoofing, producing high levels of false positives that result in denial of service to valid users and devices

• Whitelisting blocks all unidentified and unauthorized traffic

• Whitelisting blocks zero day attacks from unidentified and unauthorized traffic

[Chart: Deployability (low to high) against Effectiveness (low to high); Identity, Authentication and Whitelisting plotted]

Page 28

Identity Eliminates False Positives

• Authentication of Identity enables whitelisted network flows

• Eliminates reliance on content for decision information

  • Much more computationally efficient than content inspection

• Enables defense automation

  • Block or redirect on a per-flow basis based on the presence or absence of a specific identity

The Defend Model can be reliably implemented with Authentication
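The Whitelisting and Identity slides above argue that a whitelist keyed on an unauthenticated address can be turned into a denial of service by spoofing, while an authenticated identity carried in the first packet cannot. The Python simulation below is an added illustration of that argument, not BlackRidge code and not a description of how TAC implements First Packet Authentication: it scores an address whitelist with adaptive nulling against an HMAC-token whitelist on constructed traffic, counting false positives (the deployability metric) and false negatives (the effectiveness metric). The identity names, keys, ports, token format and sequence-number replay check are all assumptions.

```python
import hashlib, hmac
from collections import namedtuple

# Constructed per-identity secrets and service ports (illustration only, not BlackRidge material).
IDENTITY_KEYS = {"operator-1": b"k1-secret", "operator-x": b"kx-secret"}
OPEN_PORTS = {502, 22}
# First packet of a connection: source address, destination port, ground truth (scoring only), token.
FirstPacket = namedtuple("FirstPacket", "src_ip dst_port malicious token", defaults=[b""])

def make_token(identity, seq):
    """Token = identity:seq plus a truncated HMAC over it (constructed format)."""
    body = f"{identity}:{seq}".encode()
    return body + b"|" + hmac.new(IDENTITY_KEYS[identity], body, hashlib.sha256).digest()[:16]

def verify_token(token, last_seq):
    """Return the identity if the HMAC verifies and seq is fresh (no replay), else None."""
    body, _, mac = token.rpartition(b"|")
    identity, _, seq = body.decode(errors="replace").partition(":")
    key = IDENTITY_KEYS.get(identity)
    if key is None or not seq.isdigit() or int(seq) <= last_seq.get(identity, 0):
        return None
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()[:16]):
        return None
    last_seq[identity] = int(seq)
    return identity

def address_policy(allowed_ips):
    """Address whitelist with adaptive nulling of addresses that probe closed ports."""
    nulled = set()
    def decide(pkt):
        if pkt.src_ip in nulled or pkt.src_ip not in allowed_ips:
            return "block"
        if pkt.dst_port not in OPEN_PORTS:   # looks like a scan: null the address
            nulled.add(pkt.src_ip)
            return "block"
        return "allow"
    return decide

def identity_policy():
    """Whitelist keyed on the authenticated identity; the source address is never consulted."""
    nulled, last_seq = set(), {}
    def decide(pkt):
        ident = verify_token(pkt.token, last_seq)
        if ident is None or ident in nulled:
            return "block"               # silent drop: nothing for a scanner to see
        if pkt.dst_port not in OPEN_PORTS:
            nulled.add(ident)            # nulling hits the identity, not an address
            return "block"
        return "allow"
    return decide

def score(decide, packets):
    """Return (false positives, false negatives): legit blocked, malicious allowed."""
    results = [(p.malicious, decide(p)) for p in packets]
    return (sum(not m and d == "block" for m, d in results),
            sum(m and d == "allow" for m, d in results))

# Constructed sample: operator-1 at 10.0.0.5, an adversary spoofing that address, and a replay.
SAMPLE = [
    FirstPacket("10.0.0.5", 502, False, make_token("operator-1", 1)),   # legitimate
    FirstPacket("10.0.0.5", 22, True),       # spoofed valid address, open port
    FirstPacket("10.0.0.5", 9999, True),     # spoofed valid address, closed port
    FirstPacket("10.0.0.5", 502, False, make_token("operator-1", 2)),   # legitimate again
    FirstPacket("203.0.113.9", 502, True, make_token("operator-1", 1)),  # replayed token
]
```

score(address_policy({"10.0.0.5"}), SAMPLE) returns (1, 1) and score(identity_policy(), SAMPLE) returns (0, 0): the spoofed probe nulls the legitimate operator's address, whereas the identity policy neither blocks the operator nor admits the spoofed or replayed packets.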

Page 29

Enabling Defense Automation

• Behavioral analytics integration is required to address insider threat and stolen identity credential threats

• Identity enables automation with feedback from analytics for a closed loop system

[Chart: Deployability (low to high) against Effectiveness (low to high); Defense Automation w/ Authenticated Identity and Defense Automation, No Identity plotted]

Page 30

Identity Enables the Defend Model

• Blocks zero day attacks from unidentified and unauthorized traffic

• Enables defense automation

• Enables analytics integration for a closed loop system, addressing insider threats

These are achievable only by using Authenticated Identity

[Chart: Deployability (low to high) against Effectiveness (low to high); Identity and Authentication plotted]

Page 31

Identity and TAC

• TAC delivers

  • End-to-End Identity at the network

  • Per Session Authentication

• Consumes external Identity sources

• Provides attribution information to external SIEM and analytics

• Provides automated cyber defense for external analytics and AI systems

[Chart: Deployability (low to high) against Effectiveness (low to high)]

Page 32

BlackRidge TAC Delivers

Security without the False Positive Compromise

• Blocks Unidentified Traffic

• Blocks Unauthorized Traffic

• Blocks Unauthorized Network Scanning and Discovery

• Blocks Unauthorized Zero-day Attacks

• Blocks Unauthorized Encrypted Traffic

• Blocks Unauthorized Adversary Traffic with spoofed addresses

• Blocks Unauthorized Adversary Traffic with spoofed content

• Enables Responsive Analytics Integration

• Enables Cyber Defense Automation

[Chart: Deployability (low to high) against Effectiveness (low to high); Firewall vs Scanning, Zero-Day, Encrypted, Spoofed Addr and Spoofed Content, plus Advanced Heuristics, plotted]


Page 34

www.BlackRidge.us

Thank You