Enabling Distributed Security in Cyberspace

Strengthening the Cyber Ecosystem
April 2012

What is a Secure Cyber Ecosystem?

• Concept that the cyber “ecosystem” of organizations, people, and devices is able to work together in near-real time to:
  – Anticipate and prevent cyber attacks
  – Limit the speed of attacks across devices
  – Minimize the consequences of attacks
  – Recover to a trusted state

2

What is a Secure Cyber Ecosystem? (cont.)

• Security capabilities which are built into cyber devices enable preventative and defensive courses of action
  – Enabling automated responses by the devices to events in their environment
• Cyber equivalent of the human immune system

3

Cyber Ecosystem – Building Blocks

• Automation – Block 1
  – Automated Courses of Action (ACOAs)
    • Actions taken in response to a situation
    • Allows the speed of response to approach the speed of attack
    • Allows for adopting new or proven security solutions
  – Sharing of information among local, mobile, and global entities
  – Enables the ecosystem to sustain itself and supported missions while responding to attack
  – Rapid learning by machines and humans

4

Cyber Ecosystem – Building Blocks

• Interoperability – Block 2
  – Allows communications to be defined by policy rather than technical constraints
  – Enables cyber participants to collaborate seamlessly and dynamically in automated community defense and response
  – Enables a common operational picture and shared situational awareness

5

Cyber Ecosystem – Building Blocks (Block 2 Continued)

– Three Types of Interoperability
  1. Semantic: the ability of each party to understand shared data
  2. Technical: the ability for different technologies to communicate and exchange data based upon widely defined and widely adopted interface standards
  3. Policy: common business processes related to the transmission, receipt, and acceptance of data among participants

6

Cyber Ecosystem – Building Blocks (Block 2 Continued)

– Security Content Automation Protocol (SCAP) specifications:
  • Languages: provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results
  • Enumerations: define a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature. For example, CVE provides a dictionary of publicly known information security vulnerabilities and exposures
  • Measurement and Scoring Systems: evaluate specific characteristics of a vulnerability and, based on those characteristics, generate a score that reflects the vulnerability’s severity

7

Cyber Ecosystem – Building Blocks

• Authentication – Block 3
  – Assured means of identifying entities and authorized actions
  – Sending and receiving parties are known and accountable for their actions
  – Protects anonymity when needed

8

Cyber Ecosystem – Levels of Maturity

• Edge: network devices have widespread and easy access to information and share it; distributed decision making enables agile and adaptable defense
• Collaborative: multiple devices have a common plan of action, significant distributed decision making, resource sharing and information sharing
• Coordinated: multiple linked devices with shared security policies and some pooling of information and resources
• Deconflicted: partitioning of the problem space to avoid adverse cross-effects; limited information sharing and interaction
• Isolated: individual devices, no shared objectives, information distribution or other interaction among devices

9

Maturity and Agility of Collaborative Defenses

10

[Figure: a ladder of maturity levels, from Isolated at the bottom through Deconflicted, Coordinated and Collaborative to Edge at the top, labelled “Increasing maturity and agility”. The characteristics shown beside each level, from most to least mature:]

Edge
• Rich interaction and decision-making
• Agile, adaptable, and coordinated
• Extensive sharing, dynamic, and tailored

Collaborative
• Multiple devices and groups work together
• Autonomous action delegated appropriately
• Coordinated policies, configurations, resources

Coordinated
• Groups of devices work together; some groups interact
• Links between systems enhance collaboration
• Some sharing of policies, configurations, and resources

Deconflicted
• Establish groups to minimize adverse cross effects
• Localized reporting and information sharing
• Responses communicated locally, but are not coordinated

Isolated
• Devices respond independently
• No shared objectives; devices focus on themselves
• No information distribution; devices have only organic information

Additional Considerations

• Scope – Enterprise focus needs to be expanded to mobility and cloud
  – Leverage full situation awareness (e.g., ISPs, vendors, enterprises)
• Behavior-based modeling and monitoring – Software
  – Exceptions to normal behavior/patterns of an individual’s computer usage
  – Organization’s data being used in a manner consistent with business rules
• Risk-based data management
  – Data tagging and motion
• Resilient communications for response & restoration
• Moving target
• Network Access Control and monitoring (e.g., EINSTEIN)

11
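The behavior-based monitoring bullets on the slide above, as an added example that is not part of the DHS deck: a small monitor that learns a per-user baseline (hosts used, hours of activity) from constructed history lines, then flags later events that deviate from that baseline or that use tagged data in a way the organization’s business rules do not allow. The log format, user roles, data classes and rules are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Added example (not from the DHS deck): a minimal business-rules-based
# behavior monitor. It builds a per-user baseline of normal usage from
# history and flags later events that fall outside it or that violate an
# organizational rule about how data may be used.

# Constructed sample logs: "<ISO timestamp> <user> <host> <action>"
BASELINE_LOG = """\
2012-04-02T09:05:00 alice ws-17 login
2012-04-02T09:40:00 alice ws-17 open:hr-records
2012-04-03T08:55:00 alice ws-17 login
2012-04-03T17:50:00 alice ws-17 logout
2012-04-02T10:00:00 bob ws-22 login
"""

NEW_EVENTS = """\
2012-04-10T09:10:00 alice ws-17 login
2012-04-10T02:30:00 alice ws-17 login
2012-04-10T09:20:00 alice ws-40 login
2012-04-10T09:30:00 alice ws-17 copy:hr-records:usb
2012-04-10T10:00:00 bob ws-22 open:hr-records
"""

# Constructed business rules: which roles may touch which data classes,
# and which actions on tagged data are never permitted.
ROLE_OF = {"alice": "hr", "bob": "engineering"}
ALLOWED_DATA = {"hr": {"hr-records"}, "engineering": {"source-code"}}
FORBIDDEN_ACTIONS = {"copy"}  # e.g. copying tagged data to removable media

def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events

def build_baseline(events):
    """Per user: the set of hosts seen and the (earliest, latest) hour of activity."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["host"])
        hours[e["user"]].add(e["ts"].hour)
    return {u: {"hosts": hosts[u], "hours": (min(hours[u]), max(hours[u]))} for u in hosts}

def evaluate(events, baseline):
    """Return (timestamp, user, reason) findings; events with no finding are considered normal."""
    findings = []
    for e in events:
        user, b = e["user"], baseline.get(e["user"])
        if b is None:
            findings.append((e["ts"], user, "no baseline for user"))
            continue
        if e["host"] not in b["hosts"]:
            findings.append((e["ts"], user, f"unseen host {e['host']}"))
        lo, hi = b["hours"]
        if not lo <= e["ts"].hour <= hi:
            findings.append((e["ts"], user, f"activity at hour {e['ts'].hour} outside {lo}-{hi}"))
        parts = e["action"].split(":")
        if len(parts) >= 2:  # the action touches a tagged data class
            verb, data = parts[0], parts[1]
            if data not in ALLOWED_DATA.get(ROLE_OF.get(user, ""), set()):
                findings.append((e["ts"], user, f"{verb} of {data} not permitted for role"))
            if verb in FORBIDDEN_ACTIONS:
                findings.append((e["ts"], user, f"forbidden action {verb} on {data}"))
    return findings

def run():
    """Evaluate the constructed new events against the constructed baseline."""
    return evaluate(parse(NEW_EVENTS), build_baseline(parse(BASELINE_LOG)))

if __name__ == "__main__":
    for ts, user, reason in run():
        print(ts.isoformat(), user, reason)
```

The two halves map onto the slide’s two sub-bullets: the host and hour checks are the “exceptions to normal behavior” of an individual, while the role and forbidden-action checks are the “data used consistently with business rules” test; in practice the baseline would be learned over a longer window and the rules would come from the data-tagging scheme the risk-based data management bullet refers to.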

Attributes of the Cyber Ecosystem

A future ecosystem incorporates multiple capabilities within the three functional areas of technology, process, and people.

An integrated security operating foundation which is:
• Cost effective
• Flexible
• Interoperable
• Stable
• Enables rapid integration of new capabilities from multiple sources
• Moving target

Technology
– Healthy cyber devices will incorporate standards-based authentication, interoperability, automation
– Business-rules-based malicious behavior detection, and risk-based data management
– Cyber devices will provide security, affordability, ease of use and administration, scalability, and interoperability
– Barriers to automated collaboration are based on policy, not technology limitations

Process
– Incentives for information sharing
– Organize cyber defense so that machines defend against machines and people defend against people
– Economic-based decision process – risk-based cybersecurity investments

People
– The healthy cyber participants have continuing access to a range of education, training, and awareness opportunities
  • Such as exercises, simulations, and fully-immersive learning environments
– Have validated skills that have been codified for their occupations or positions and strongly proofed cyber identities

12

Foundations of the Cyber Ecosystem

Categories of Cyber Attacks

Attrition – Use of brute force methods to compromise, degrade, or destroy systems, networks, or services. Includes distributed denial of service attacks intended to impair or deny access to a service or application, and resource depletion attacks.

Malware – Any malicious software, script, or code developed or used for the purpose of compromising or harming information assets without the owner’s informed consent, regardless of delivery method. Includes Web and email attacks and attacks executed from removable media or a peripheral device.

Hacking – An attempt to intentionally access or harm information assets without authorization or in excess of authorization, usually conducted remotely. Includes data leakage attacks, injection attacks and abuse of functionality, spoofing, time and state attacks, buffer and data structure attacks, resource manipulation, use of stolen credentials, backdoors, brute force and dictionary attacks on passwords, and exploitation of authentication.

Social Tactics – Use of social tactics such as deception, manipulation, and intimidation to obtain access to data, systems or controls. Includes pretexting (fake surveys), solicitation phishing, and elicitation of information through conversation.

13

Categories of Cyber Attacks

Improper Usage (Insider Threat) – Inappropriate use of privileges or inappropriate logical or physical access to data, systems, or controls by a person or persons associated with an organization. Any incident that would violate an organization’s acceptable usage policies by an authorized user. Includes installation of unauthorized software and removal of sensitive data.

Physical Action / Loss or Theft of Equipment – Human-driven attacks that employ physical actions and/or require physical proximity. Examples are: stolen identity tokens and credit cards, tampering with or replacing card readers and point of sale terminals, and tampering with sensors. The loss or theft of a computing device or media used by the organization, such as a laptop or smart phone.

Multiple Component – A single attack that encompasses the use of multiple techniques. Advanced attacks would often fall into this category, with various attack components occurring at different steps in the cyber kill chain.

Other – An attack that does not fit into any of the other categories, such as supply chain attacks and network reconnaissance.

14

Desired Cyber Ecosystem Capabilities

• Automated Defense Identification, Selection, and Assessment
• Authentication
• Interoperability
• Machine Learning and Evolution
• Security Built In
• Business Rules-Based Behavior Monitoring
• General Awareness and Education
• Moving Target
• Privacy
• Risk-Based Data Management
• Situational Awareness
• Tailored Trustworthy Spaces

15

Attack Categories Addressed By Desired Cyber Ecosystem Capabilities

Attack categories (columns): Attrition | Malware | Hacking | Social Tactics | Improper Usage (Insider) | Physical Action; Loss or Theft | Multiple Component | Other

Capability                                  Marks (x = category addressed)   Categories addressed
Automation                                  x x x x x x x x                  8 of 8
Authentication                              x x x x x x x                    7 of 8
Interoperability                            x x x x x                        5 of 8
Machine Learning and Adaptation             x x x x x x x x                  8 of 8
Build Security In                           x x x x x x x                    7 of 8
Business Rules-Based Behavior Monitoring    x x x x x x x x                  8 of 8
General Awareness and Education             x x x x x x x x                  8 of 8
Moving Target                               x x x x x x                      6 of 8
Privacy                                     x x x x x x x x                  8 of 8
Risk-Based Data Management                  x x x x x x x x                  8 of 8
Situational Awareness                       x x x x x x x x                  8 of 8
Tailored Trustworthy Spaces                 x x x x x x                      6 of 8

16

Cyber Ecosystem – Next Steps

• Develop roadmap
  – Identify additional building blocks
    • Joint RFI by DHS/NIST
  – Verify that the capabilities address attack vectors
  – Seek and organize community of interest
  – Develop draft roadmap/architecture

17

Backup Slides

Questions

• Can we use the Cyber Ecosystem as the basis for a To-Be Architecture?
• What are the most challenging or intractable issues or concerns?
• What are some current initiatives, projects, or capabilities that could have applicability?
  – Especially any work or research related to authentication, automation, and interoperability
• Who is doing research and development, policy work, or process work related to the Cyber Ecosystem?

19

Cyber Ecosystem Roadmap – Issues

– How to measure, validate and communicate the “business case”
– Commercial firms conforming to standards
– Governance model that allows owners to cede decision making to the community
– Building more secure and better quality software
– Progress in solving hard problems and fielding capabilities that implement that progress

20

Questions

• Please identify concerns regarding the legal, policy or technical implications of the Cyber Ecosystem.
• Please provide constructive feedback that can help shape the successful implementation of the Cyber Ecosystem.
• Are there any topics or issues that you recommend be considered by DHS, industry, or industry/government working groups?

21

Questions

• What pieces are missing?
• Can you recommend technologies for potential early adoption or demonstration?
• Can you recommend use cases for potential early adoption or demonstration?
• Please identify potential areas of collaboration between industry/academia and DHS to conduct research or pilots in support of the Cyber Ecosystem implementation.

22

Questions

• Are you aware of information that would help finalize a comprehensive definition of a cyber ecosystem?
  – What is a feasible timeframe for actually implementing and operating such a definition/vision?
• What are the most important technologies, issues, or concerns associated with the cyber ecosystem?

23

Cyber Ecosystem – Selected Attributes

• Assured
• Usable
• Information connected across space and time
• Rapid and essentially universal learning
• Greater attribution

24

Cyber Ecosystem – Selected Attributes

• New defensive tactics
• Constant feedback
• Self aware/User aware
• Autonomously reacting & dynamic
• Resilient
• Greater network reach

25

Mapping: Analysis of intersections between the various “ecosystem” related documents

26

Columns: DHS “Ecosystem Whitepaper” (3 Building Blocks; includes the topics Automation, Interoperability, Authentication, and Incentives and Adoption) | DHS “Blueprint” (where building blocks are addressed) | DHS R&D / EOP R&D | Other: EOP “National Strategy for Trusted Identities in Cyberspace” (where incentives and adoption are addressed)

Building block             DHS “Blueprint”                                                           DHS R&D / EOP R&D
Automation                 Objectives 1, 7, 12, 13, 19, and 20 (Capabilities 6, 33, 50, 57, 70-75)   Problems 4, 6, 10, and 11
Interoperability           Objectives 2, 4, and 16                                                   Problems 1 and 6
Authentication             Objective 14                                                              Problems 1, 7, and 8
Incentives and Adoption    Objectives 15 and 17                                                      Problems 1 and 4

Entries in the “Other” column, as listed on the slide:
• Tailored trustworthy spaces
• National Priority – NSTIC
• No direct intersection
• Designed-In Security
• Moving Target
• Cyber Economic Incentives
• Adoption

Several capabilities within the DHS Blueprint and DHS & White House R&D strategies directly support the same efforts proposed in the Ecosystem Whitepaper.