SELF-DEFENDING HOSTS: LESSONS FROM STAR TREK
Brian O’Higgins
CTO, Third Brigade
Reasoning with Computers
6 © Third Brigade, Inc.
Science Fiction
“Any sufficiently advanced technology is indistinguishable from magic.” Arthur C. Clarke, "Profiles of The Future", 1961 (Clarke's third law)
October, 1945
Planning for the Future
“Prediction is very difficult, especially about the future.” Niels Bohr
Planning for the Unknown
“…because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”
Donald Rumsfeld (a man “in the know”)
Self Healing Hosts
1. Introduction
2. Trends
3. Risk
4. Conclusions and research challenge
Trends
Section 2 of 4
Recent changes in IT: a big influence on security
• Mobility
• Mass collaboration
• Cybercrime
• Virtualization
• Datacenter consolidation
• SaaS
• Today’s toys become tomorrow’s tools
• Microsoft’s push into security
It’s quiet out there, too quiet….
Malware “Firsts”
‘Big’ attacks were common a few years ago; malware is becoming more stealthy now.
Timeline, 1980 to 2007:
• 1981 – Elk Cloner, Apple II
• 1983 – Len Adleman coins ‘virus’
• 1986 – 1st PC boot-sector virus, ‘Brain’
• 1988 – 1st worm, Morris Worm
• 1990 – 1st polymorphic virus
• 1992 – 1st mass hysteria, Michelangelo
• 1995 – 1st macro virus, ‘Concept’
• 1998 – CIH virus, first version appears
• 1999 – Melissa, targets Word and Outlook
• 2001 – ‘I Love You’ virus, most costly
• 2001 – Code Red, Nimda
• 2003 – SQL Slammer, Blaster
• 2003 – Witty, Sasser
• 2004 – Santy, 1st web worm
• 2005 – WMF, 1st zero-day
• 2006 – 1st MySpace worm
Evolution of the Attacks
• Investment in network controls stops simple mass attacks
• Attacks now ‘move up the stack’, attack applications and users
• Targeted attacks work, and are often unreported. Growing faster than mass attacks. Economic damage increases. (TJX)
• Gartner says the cost of a sensitive data breach will increase 20%/yr through 2009.
Security Market Hamster Wheel
Exploits occur → Point Solutions → Consolidation → Temporary Balance → Bad guys innovate → Exploits occur again
Vulnerability Cycle (www.cert.org)
Over time: Discovery → Crude tools → Users exploit crude tools → Automated scanning tools → Widespread use (“hacking festival kicks off”) → Intruders move to new exploits
Security holes don’t die: the half-life is 19 days after a patch is issued for critical vulnerabilities (48 days for internal systems). *Qualys, Jan 2006
2005: average 6 days from discovery to exploit, average 54 days for a patch (Symantec Internet Security Threat Report, 2005)
Application Software = Achilles Heel
“75% of attacks now take place at the application layer.” Gartner, 2006
“4,375 vulnerabilities in the first 9 months of 2006. Web flaws are the 3 most common.” Mitre Corp, 09/2006
“Customization of off-the-shelf software is the weakest link in application security.” Gartner, 09/2005
“By 2009, 80% of enterprises will fall victim to an application attack.” Gartner, 2007
Vulnerabilities
Typical tiers, each behind its own firewall, each with an OS underneath:
• Web server – Microsoft, Apache, Netscape…
• App server – BEA, IBM, Oracle, Sun…
• Database – Oracle, Microsoft, Sybase, IBM…
• OS – Windows, Linux, Solaris
Attacker positions: pre-authenticated, authenticated, insider.
Many ways to exploit a vulnerability with targeted attacks.
Cross-Site Scripting (and cross-site request forgery) bypasses network defenses: the “Sleeping Giant” vulnerability
Setting: web server in the DMZ; the corporate network boundary is guarded by a firewall plus network intrusion prevention.
1. User browses (rules allow this)
2. JavaScript or other malware downloads
3. Malware probes internal servers
4. Attack succeeds because internal servers are not fully patched
Getting Harder to Defend
• Skills gap – attackers vs. internal
• Web 2.0 and futures
– Non-programmers programming in scripting languages
– Applications now cross firewall boundaries
The Good News: you don’t have to be perfect to be secure… just stay ahead of the crowd.
Quality, Function, Schedule: choose 2.
Software Security
• Write better software
– “The reason people keep breaking into your computer is because software sucks.” Richard Clarke
– Secure development lifecycle and tools
– Only for new code
• Vulnerability scanning
– Patch or re-write to repair the defect
– Deploy the application with compensating controls
Compensating controls are always an acceptable choice, whereas patching can be difficult or impossible. Host-based IPS plays a very important role here.
Defining HIPS/HIDS: Intrusion Defense?
HIPS sits where analysts, IPS vendors, firewall vendors, IDS vendors, anti-virus vendors and NAC vendors overlap: a broad combination of techniques to detect and block attacks from exploiting the host.
IPS Easier at the Host
• Modern host-based IPS is a different story
• Consider trying to spot the bad guy
– In a crowded football stadium?
– On the street in front of your house?
– Trying to get into a door or window of your house?
• Finer-grained filtering works
– It is much easier to spot the bad stuff trying to enter the host. Knowing the application context helps a lot!
De-perimeterization
• Jericho Forum
• An attack is an attack, internal or external
• Protect IT assets from every threat, identified or potential
– “it only takes one”: a single infected PC can take down an entire network
• Start thinking about the applications, and work outwards. Not from the outside in.
Risk
Section 3 of 4
Defining Risk
Risk = more things can happen than will happen
Risk = probability of occurrence × consequence

Minimizing Risk
Risk = (Threat × Vulnerability / Countermeasures) × Value
– Threat × Vulnerability: minimize this
– Countermeasures: maximize this
– Value: of the people or thing at risk
Don’t look at threat vs. countermeasures. Consider vulnerability vs. countermeasures.
Security in Balance
Chart: cost ($, low to high) against level of security (low to high). The cost of breaches falls and the cost of security rises as security increases; the total cost curve has its minimum at the optimal expenditure.
New threats increase risk (source: Bob Blakely, Burton Group)
Chart: (re)normalized residual risk, 0 to 1, against (threat, vulnerability). For “Product 1” the curve shows the risk tax before the new threat and the risk tax after it.
Compliance Balancing Act is Hard
Extended enterprise: suppliers; employees and branch offices; customers; the web
Streamlined business processes; access to services & information
Information security governance
Governance & regulation: HIPAA, GLBA, PCI, Sarbanes-Oxley, EU Data Protection Act, FISMA, MITS, CA SB1386, PIPEDA, SEC Regs, NERC, others…
Policies, procedures, operations
Compliance
• Compliant ≠ secure
• Being secure sure helps compliance
• SOX expenditures on IT deficiencies are less than 5% of compliance spend
– (accounting policies and financial processes are the big items)
Requirement for web application protection
Requirement 6.6: “Ensure that all web-facing applications are protected against known attacks by…installing an application layer firewall in front of web-facing applications.”
Must have by July, 2008

OWASP Top 10 | PCI 6.5 sub-requirements | VISA PABP
A1 Unvalidated Input | 6.5.1 Unvalidated input | 5.5.1 Unvalidated input
A2 Broken Access Control | 6.5.2 Broken access control | 5.5.2 Broken access control
A3 Broken Authentication and Session Management | 6.5.3 Broken authentication and session management | 5.5.3 Broken authentication and session management
A4 Cross Site Scripting | 6.5.4 Cross-site scripting (XSS) | 5.5.4 Cross-site scripting (XSS)
A5 Buffer Overflow | 6.5.5 Buffer overflows | 5.5.5 Buffer overflows
A6 Injection Flaws | 6.5.6 Injection flaws | 5.5.6 Injection flaws
A7 Improper Error Handling | 6.5.7 Improper error handling | 5.5.7 Improper error handling
A8 Insecure Storage | 6.5.8 Insecure storage | 5.5.8 Insecure storage
A9 Application Denial of Service | 6.5.9 Denial of service | 5.5.9 Denial of service
A10 Insecure Configuration Management | 6.5.10 Insecure configuration management | 5.5.10 Insecure configuration management
Source: Burton Group
Business Drivers for Host Security
• Shield until patching
• Shield from targeted attacks
• Shield without patching
Regulations: PCI DSS, SOX, GLBA, HIPAA, COBIT, MITS
HIPS: Network-based vs. Behavior-based Approach
Host computer, top to bottom: Applications & Services (user mode); TCP/IP (kernel mode); Hardware.
1. Network approach: Deep Packet Inspection blocks attacks at the network layer.
2. Behavior-based approach: System Execution Control blocks attacks at application calls to the OS.
Slide labels: Host Computer; Management Overhead.
Tuning
Chart: probability of error against sensitivity (0 to 1), with two curves:
False Positives (FP): appropriate system execution is halted or data traffic is dropped
False Negatives (FN): malicious system execution is allowed or data traffic accepted
• Close to the host is the best location for tuning accuracy
• Drive the curves down for a broader acceptable operating range
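The FP/FN trade-off on this slide can be made concrete with a threshold sweep. The Python below is an added example written for this page, not code from the deck or from Third Brigade: the twelve events, their anomaly scores, the ground-truth labels and the 0.4 discount applied when the application's known behaviour accounts for an event are all constructed. It shows that scoring on payload anomaly alone leaves no threshold with zero FP and zero FN, while folding in application context (the "knowing the application context helps" point) opens a zero-error operating range, which is what "driving the curves down" buys a tuner.

```python
"""Tuning sensitivity: false-positive vs. false-negative rates as a threshold sweep."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    anomaly: float      # 0..1 anomaly score from payload inspection alone
    app_expected: bool  # does the application's known behaviour account for this event?
    malicious: bool     # ground truth, constructed for this example


# Constructed sample: benign-but-unusual traffic (0.60, 0.70) overlaps with
# malicious traffic (0.35, 0.40) when only the raw anomaly score is used.
EVENTS = [
    Event(0.10, True, False), Event(0.15, True, False), Event(0.20, True, False),
    Event(0.30, True, False), Event(0.60, True, False), Event(0.70, True, False),
    Event(0.35, False, True), Event(0.40, False, True), Event(0.55, False, True),
    Event(0.65, False, True), Event(0.80, False, True), Event(0.90, False, True),
]


def network_score(e: Event) -> float:
    """Network-style scoring: payload anomaly only, no knowledge of the application."""
    return e.anomaly


def host_score(e: Event) -> float:
    """Host-style scoring: discount anomalies the application is known to produce (0.4 is assumed)."""
    return e.anomaly if not e.app_expected else e.anomaly * 0.4


def error_rates(events, scorer, threshold):
    """Return (FP rate, FN rate) when everything scoring >= threshold is blocked."""
    benign = [e for e in events if not e.malicious]
    bad = [e for e in events if e.malicious]
    fp = sum(1 for e in benign if scorer(e) >= threshold) / len(benign)
    fn = sum(1 for e in bad if scorer(e) < threshold) / len(bad)
    return fp, fn


# Sensitivity axis sampled in steps of 0.05, rounded so values compare cleanly.
THRESHOLDS = [round(i * 0.05, 2) for i in range(21)]


def sweep(events, scorer):
    """The two error curves of the slide: (threshold, FP rate, FN rate) per sensitivity step."""
    return [(t, *error_rates(events, scorer, t)) for t in THRESHOLDS]


def zero_error_range(events, scorer):
    """Thresholds where both curves touch zero: the acceptable operating range."""
    return [t for t, fp, fn in sweep(events, scorer) if fp == 0 and fn == 0]


if __name__ == "__main__":
    for name, scorer in (("network", network_score), ("host", host_score)):
        print(f"{name}: zero-error thresholds = {zero_error_range(EVENTS, scorer)}")
        for t, fp, fn in sweep(EVENTS, scorer):
            print(f"  threshold {t:.2f}  FP {fp:.2f}  FN {fn:.2f}")
```

With the network-only score the curves cross without ever both reaching zero (at 0.50, two benign and two malicious events are misjudged); with the context-aware score the whole range from 0.30 to 0.35 is error-free, so a tuner has slack instead of a single knife-edge setting.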
Blended filtering approach
Raw traffic passes through five stages of increasingly deep packet inspection to become filtered traffic:
1. Stateful Firewall – allow known good
2. Exploit Filters – stop known bad
3. Vulnerability Filters – shield known vulnerabilities
4. Smart Filters – shield unknown vulnerabilities (zero-day)
5. Custom Filters – protect specific applications
The coarse early stages carry a greater chance of false negatives; the fine-grained late stages carry a greater chance of false positives.
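The five-stage ladder can be read as an ordered pipeline in which each request is handled by the first stage with an opinion about it. The Python below is an added example written for this page, not Third Brigade's code: the open-port set, the two exploit signatures, the 256-byte parameter cap standing in for a vulnerability filter, the metacharacter-density heuristic and the per-path parameter models are all constructed assumptions, as are the sample requests. It also shows the trade-off the slide labels: stages 1 to 4 let a subtle injection attempt through (a false negative for those stages) which only the tight custom model catches, and that same model also blocks a legitimate search for "O'Brien" (a false positive).

```python
"""Blended host filtering: a five-stage inspection chain over constructed HTTP requests."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    dst_port: int
    path: str
    params: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    stage: str
    reason: str


# Stage 1, stateful firewall: only services the host is meant to expose (allow known good).
OPEN_PORTS = {80, 443}

# Stage 2, exploit filters: signatures of known attack payloads (stop known bad). Constructed patterns.
EXPLOIT_SIGNATURES = [
    (re.compile(r"(?i)<script\b"), "known XSS payload"),
    (re.compile(r"(?i)\bunion\s+select\b"), "known SQL injection payload"),
]

# Stage 3, vulnerability filters: enforce the bound the vulnerable code fails to enforce
# (shield a known vulnerability). The 256-byte cap is a hypothetical limit.
MAX_PARAM_LEN = 256


# Stage 4, smart filters: a heuristic aimed at the attack class, not one payload (zero-day shielding).
def looks_like_injection(value: str) -> bool:
    """Flag values whose metacharacter density is high regardless of exact signature (0.15 assumed)."""
    meta = sum(value.count(c) for c in "'\";<>|`$")
    return len(value) > 0 and meta / len(value) > 0.15


# Stage 5, custom filters: a positive model of one specific application (protect specific apps).
APP_MODEL = {
    "/login": {"user": re.compile(r"^[a-z0-9_.]{1,32}$"), "pwd": re.compile(r"^.{1,128}$")},
    "/search": {"q": re.compile(r"^[\w\s-]{0,64}$")},
}


def inspect(req: Request) -> Verdict:
    """Run the stages in ladder order; the first stage with an opinion decides."""
    if req.dst_port not in OPEN_PORTS:
        return Verdict(False, "1-stateful-firewall", f"port {req.dst_port} not exposed")
    for value in req.params.values():
        for pattern, label in EXPLOIT_SIGNATURES:
            if pattern.search(value):
                return Verdict(False, "2-exploit-filter", label)
    for name, value in req.params.items():
        if len(value) > MAX_PARAM_LEN:
            return Verdict(False, "3-vulnerability-filter", f"{name} exceeds {MAX_PARAM_LEN} bytes")
    for name, value in req.params.items():
        if looks_like_injection(value):
            return Verdict(False, "4-smart-filter", f"{name} has injection-like metacharacter density")
    model = APP_MODEL.get(req.path)
    if model is not None:
        for name, value in req.params.items():
            rule = model.get(name)
            if rule is None or not rule.fullmatch(value):
                return Verdict(False, "5-custom-filter", f"{name} outside the {req.path} model")
    return Verdict(True, "pass", "all stages passed")


# Constructed sample traffic, one request per behaviour worth seeing.
SAMPLES = {
    "telnet probe": Request(23, "/"),
    "scripted search": Request(80, "/search", {"q": "<script>alert(1)</script>"}),
    "oversized user": Request(443, "/login", {"user": "a" * 300, "pwd": "x"}),
    "shell-ish search": Request(80, "/search", {"q": 'x";`id`;"'}),
    "quiet tautology": Request(80, "/search", {"q": "' OR 1=1 --"}),
    "legit search": Request(80, "/search", {"q": "host intrusion prevention"}),
    "legit login": Request(443, "/login", {"user": "alice_01", "pwd": "hunter2"}),
    "irish surname": Request(80, "/search", {"q": "O'Brien"}),
}


def classify_all() -> dict:
    """Map each sample to the stage that decided it."""
    return {name: inspect(req).stage for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        v = inspect(req)
        print(f"{name:18} {'ALLOW' if v.allowed else 'BLOCK':5} {v.stage:22} {v.reason}")
```

The ordering matters: putting the cheap, low-false-positive stages first means most traffic never reaches the expensive, opinionated custom model, and the stage name in each verdict tells the operator which rule set to tune when a false positive such as the "O'Brien" search shows up.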
Protection for custom web applications
OWASP Top 10 vulnerability | # vulns, unprotected | # vulns, protected
1. Unvalidated input | 25 | 0
2. Broken access control | 0 | 0
3. Broken authentication and session mgt. | 10 | 0
4. Cross site scripting (XSS) flaws | 8 | 0
5. Buffer overflows | 3 | 0
6. Injection flaws | 13 | 0
7. Improper error handling | 23 | 0
8. Insecure storage | 0 | 0
9. Denial of service | 2 | 0
10. Insecure configuration management | 17 | 2
Tested with an industry-leading web application scanner, against 1000’s of attacks
Gartner Predicts...
• By 2010, only one new security threat out of 10 will require the deployment of a tactical point solution, compared with eight out of 10 in 2005.
• By 2011, 20% of desktops in large enterprises, and 70% of servers, will be equipped with virtual security partitions (VSPs), up from less than 1% in 2006.
Source: Gartner, publication date 30 November 2006, ID number G00144411
VM Environments
• Where does the host agent live?
Host security agent options on a server running several guest OSs over a VM layer on hardware. Slide labels for the options: guest network shim (future of network security); best app protection; most efficient.

Research Challenge
Section 4 of 4
Summary
• Disconnect growing between danger levels and management estimations
• Threats continue to evolve, need new controls
• Application attacks recognized as a priority
• Risk-based compliance arriving
• HIPS is becoming recognized (now and future)
– as a key approach to move from reactive to proactive
– as an important control for software assurance
– as a foundation for the self-defending host vision
– no silver bullet, will always need new stuff
– will continue to improve with better tuning…
DIR-604
Towards self-defending hosts in a dynamic threat environment
Extended enterprise with a porous perimeter: host security (IDS/IPS) everywhere there is IP
Components: Security Manager; Recommendation Engine; In-the-cloud collaboration; Sensor Networks; Vulnerability info
Research challenge: sense, and tune appropriately
THANK YOU
www.thirdbrigade.com