The variety and complexity of cyber attacks is increasing. Attackers have strong economic and political motivations, which leads to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through an attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses that result from an intrusion. This additional layer of defense is justified because current reactive approaches cannot keep up with the rapid growth in new threats.
1. Moving Target Proactive Cyber Defense –
Keeping Bad Guys Out of Servers
Arun Sood, Ph.D.
SCIT Labs, Inc
Clifton, VA
asood@scitlabs.com
SCIT Labs Confidential and Proprietary 1
2. I. Intrusions Are Inevitable
New Proactive Approaches are Required
3. May 2011 Security Incidents Worldwide
Sunday Monday Tuesday Wednesday Thursday Friday Saturday
1 2 3 4 5 6 7
Gmail X-Factor TV Sony SEC Bestbuy Central OR
Sony Show Woman Netflix Comm College
to Woman Sony
Healthcare
8 9 10 11 12 13 14
Huntington Assurant Fox Michaels
National Bank
15 16 17 18 19 20 21
Mass Anthem Blue PBS Sony Lockheed Martin
Government Cross of NASA Sony X2
Regions Bank California
22 23 24 25 26 27 28
Sony Sony Sony Northrop L-3
Grumman Communications
29 30 31
Honda Nintendo Citibank
Source: Confab 2011
6. II. Cyber Attacks Persist
• Intruders need access and time to orchestrate their attacks
• Intrusions persist for days, weeks, months
• Malware is hard to detect
• Highly customized malicious code blends into the information landscape
7. Intruder Residence Time in Months
(Chart; reported values: 3 months, 2 months, 5 months)
11. The SCIT Approach
Reduce server exposure time
Restore to pristine state
Threat Independent
Must maintain uninterrupted service
12. Zero Days – Fixing Vulnerabilities
• Detecting a vulnerability
• Reporting vulnerability
• Developing a patch to fix vulnerability
• Patch distribution
• Testing in staging area
• Patch application
Use Moving Target Defense
Make it Difficult to Exploit the Vulnerability
13. How SCIT Works
Servers:
- Virtual
- Physical
Example: 5 online and 3 offline servers
- Online servers: potentially compromised
- Offline servers: in self-cleansing
15. The SCIT Approach
• Patented, Proven, Award Winning Self Cleansing Intrusion Tolerance Technology
• Uses Virtualization Technology
• Ultra Low Intruder Residence Time
• Subverts attacks by robbing intruders of the time and persistent access needed to launch attacks
16. IDS/IPS vs Intrusion Tolerance
(Each row: criterion; Firewall, IDS, IPS; Intrusion tolerance)
- Risk management: Reactive; Proactive.
- A priori information required: Attack models, software vulnerabilities; Exposure time, length of longest transaction.
- Protection approach: Prevent all intrusions; Limit losses.
- System Administrator workload: High (manage reaction rules, manage false alarms); Less (no false alarms generated).
- Design metric: Unspecified; Exposure time.
- Packet/Data stream monitoring: Required; Not required.
- Higher traffic volume requires: More computations; Computation volume unchanged.
- Applying patches: Must be applied immediately; Can be planned.
17. Results of Simulation: NIDS, SCIT, NIDS+SCIT
Parameters used:
- Number of queries used: 5000 (records)
- Intruder Residence Time (IRT): 0 minutes to 2 months
- Mean IRT (Pareto distribution): 48 hours
- Exposure Time (ET), 2 cases: 1. 4 hrs; 2. 4 mins
- Mean of records stolen per day: 675 records/breach
Results of the simulation (Simulation case; Total damage in records; No. of breaches; Mean damage in records/breach):
- NIDS: 245,962 (100%); 192; 1,281
- SCIT, ET 4 hrs: 55,364 (23%); 508; 109
- SCIT, ET 4 mins: 1,015 (0.4%); 508; 2
- NIDS + HIDS: 210,578 (86%); 164; 1,284
- NIDS + SCIT (ET 4 hrs): 20,931 (9%); 191; 110
- NIDS + SCIT (ET 4 mins): 383 (0.16%); 191; 2
(Chart groups: IDS Only; SCIT+IDS)
18. SCIT Server State Transitions
1. Start New VM
2. Online Spare
3. Active – Exposed to Internet
4. Grace Period
5. Kill VM
6. Archive VM for Future Analysis
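A Monte Carlo sketch of the slide 17 simulation combined with the slide 18 lifecycle, added here as an example; it is not SCIT Labs' simulator and does not reproduce the slide's numbers. Assumed: breach start times are uniform over a VM's exposure window, the intruder's foothold lasts until the VM is killed (end of exposure plus grace period), a Pareto shape of 1.5, and damage proportional to residence time at 675 records/day.

```python
import random

# Slide 18 lifecycle of one virtual server, in order.
SCIT_STATES = ("Start New VM", "Online Spare", "Active - Exposed to Internet",
               "Grace Period", "Kill VM", "Archive VM for Future Analysis")

MINUTES_PER_DAY = 24 * 60
RECORDS_PER_DAY = 675                 # slide 17: mean records stolen per day
MAX_IRT_MIN = 60 * MINUTES_PER_DAY    # slide 17: IRT ranges up to ~2 months


def intended_residence_min(rng, mean_min=48 * 60, alpha=1.5):
    """Pareto-distributed residence the intruder would keep if never evicted (assumed shape)."""
    scale = mean_min * (alpha - 1) / alpha   # paretovariate() has mean alpha/(alpha-1)
    return min(scale * rng.paretovariate(alpha), MAX_IRT_MIN)


def residence_under_scit(start_in_window_min, intended_min, exposure_min, grace_min):
    """Foothold ends when the VM is killed: end of the exposure window plus grace period."""
    time_to_kill = exposure_min + grace_min - start_in_window_min
    return min(intended_min, time_to_kill)


def simulate(n_breaches, exposure_min=None, grace_min=0.0, seed=1):
    """Records lost over n_breaches; exposure_min=None means no rotation (IDS only)."""
    rng = random.Random(seed)
    total_min = 0.0
    for _ in range(n_breaches):
        intended = intended_residence_min(rng)
        if exposure_min is None:
            total_min += intended
        else:
            start = rng.uniform(0, exposure_min)   # breach begins somewhere in the window
            total_min += residence_under_scit(start, intended, exposure_min, grace_min)
    return total_min / MINUTES_PER_DAY * RECORDS_PER_DAY


def compare(n_breaches=508, seed=1):
    """Damage for the three slide-17 configurations: no SCIT, ET 4 hrs, ET 4 mins."""
    return {
        "no rotation": simulate(n_breaches, None, seed=seed),
        "SCIT ET 4 hrs": simulate(n_breaches, 4 * 60, seed=seed),
        "SCIT ET 4 mins": simulate(n_breaches, 4, seed=seed),
    }


if __name__ == "__main__":
    for name, records in compare().items():
        print(f"{name:>15}: {records:,.0f} records")
```

Because the Pareto scale here is 16 hours, every intruder would outlast a 4-hour window, so the loss reduction comes entirely from the exposure-time cap, which is the slide's design metric.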
19. SCIT – Applications
Tiers (each with its own pool of SCIT servers):
- Web Tier: Web, DNS, SSO… (servers 1 to N)
- App Tier: Biz logic, Content Mgr, CRM… (servers 1 to M)
- Data Tier: DB Mgr; File Mgr (servers 1 to L)
- Storage Tier: Transactions (ms); Large File transfer (high speed, seconds) (servers 1 to K)
SCIT Implementations:
1. One application (function) per server
2. Five applications per server
3. 1000 applications, 100 servers
4. Cloud
20. Collaboration and Recognition
• Lockheed Martin and Northrop Grumman
– Testing and validation of SCIT servers.
– Funded and collaborated with SCIT research
– Integrated in LM cloud offering; NGC evaluating use cases for cloud app
– LM and Landis Gyr are sub – SCIT application to Electricity Smart Grid
• Raytheon
– Collaborated on SBIR proposal
• Awards
– Winner Security Technology of Tomorrow Challenge, CNI Expo + GSC Jun 10
– Runners up Cyber Security Challenge GSC Nov 09
– Army SBIR: SCIT DNS
• Patents: 3 issued + 3 more applied.
21. Target Market and Applications
• Cloud and Hosting Services
– Web sites: LAMP & Windows IIS
– DNS
– Ecommerce
– Single Sign On
– Email and comm
– LDAP server
– Streaming media
• Government
– Civil
– DOD
– Intelligence Community
• Financial services
• Health care
22. Risk = Threat X Vulnerabilities X Consequences
23. Cyber Security Approaches
Columns: Technology Approach; Threat; Vulnerabilities; Consequences; Work Factor (A, D)
- Intrusion Detection / Prevention: X +
- Firewall: X +
- Malware detection: X +
- Incoming Packet Monitoring: X +
- Packet Analysis: X +
- SSL Proxy: X +
- SIEM: X +
- Forensics: X +
- SCIT – Recovery + Intrusion Tolerance + Forensic Support: X +
- Outgoing Packet Monitoring (DLP): X +
A=Adversary Work Factor; D=Defender Work Factor
24. Pilot Project
• Data Storage servers
• Implement on one or two platforms using remote access
• Support & training
• Develop evaluation measures
• Demonstrate achievement of measures in 3 months
• Roll out commitment and plan
25. Benefits of SCIT
• SCIT removes malware without needing to detect it
• SCIT reduces data exfiltration
• SCIT does not rely on signatures and is threat independent
• SCIT is mission resilient: automatic recovery
• SCIT reduces intrusion response (alerts) management cost