
Page 1: Lessons from Star Trek: Towards Self Defending Hosts

SELF-DEFENDING HOSTS: LESSONS FROM STAR TREK

Brian O’Higgins

CTO, Third Brigade


Reasoning with Computers


6 © Third Brigade, Inc.

Science Fiction

“Any sufficiently advanced technology is indistinguishable from magic.” Arthur C. Clarke, "Profiles of The Future", 1961 (Clarke's third law)


October, 1945


Planning for the Future

“Prediction is very difficult, especially about the future.” Niels Bohr


Planning for the Unknown

“…because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”

Donald Rumsfeld (a man “in the know”)


Self Healing Hosts

1. Introduction
2. Trends
3. Risk
4. Conclusions and research challenge


Trends

Section 2 of 4


Recent changes in IT: big influence on security

• Mobility
• Mass collaboration
• Cybercrime
• Virtualization
• Datacenter consolidation
• SaaS
• Today’s toys become tomorrow’s tools
• Microsoft’s push into security


It’s quiet out there, too quiet….


Malware “Firsts”

‘Big’ attacks were common a few years ago; malware is becoming more stealthy now.

Timeline (1980 to 2007):
• 1981: Elk Cloner (Apple II)
• 1983: Len Eidelman coins ‘virus’
• 1986: 1st PC boot sector virus, ‘Brain’
• 1988: 1st worm, Morris Worm
• 1990: 1st polymorphic virus
• 1992: 1st mass hysteria, Michelangelo
• 1995: 1st macro virus, ‘Concept’
• 1998: CIH virus, first version appears
• 1999: Melissa, targets Word and Outlook
• 2001: ‘I Love You’ virus, most costly
• 2001: Code Red, Nimda
• 2003: SQL Slammer, Blaster
• 2003: Witty, Sasser
• 2004: Santy, 1st web worm
• 2005: WMF, 1st zero-day
• 2006: 1st MySpace worm


Evolution of the Attacks

• Investment in network controls stops simple mass attacks
• Attacks now ‘move up the stack’, attacking applications and users
• Targeted attacks work, and are often unreported. Growing faster than mass attacks. Economic damage increases. (TJX)
• Gartner says the cost of a sensitive data breach will increase 20%/yr through 2009.


Security Market Hamster Wheel

Diagram of a cycle with the stages: Exploits occur, Point solutions, Consolidation, Temporary balance, Bad guys innovate (and round again).


Vulnerability Cycle

Diagram (www.cert.org), exploitation over time: Discovery → Crude tools → Users exploit crude tools → Automated scanning tools → Widespread use (“hacking festival kicks off”) → Intruders move to new exploits.

Security holes don’t die: the half-life is 19 days after a patch is issued for critical vulnerabilities (48 days for internal systems). *Qualys, Jan 2006

2005: average 6 days from discovery to exploit, average 54 days for a patch (Symantec Internet Security Threat Report, 2005)


Application Software = Achilles Heel

“75% of attacks now take place at the application layer.” Gartner, 2006

“4,375 vulnerabilities in the first 9 months of 2006. Web flaws are the 3 most common.” Mitre Corp, 09/2006

“Customization of off-the-shelf software is the weakest link in application security.” Gartner, 09/2005

“By 2009, 80% of enterprises will fall victim to an application attack.” Gartner, 2007


Vulnerabilities

Diagram: a three-tier stack with a firewall in front of each tier: Web Server (Microsoft, Apache, Netscape…), App Server (BEA, IBM, Oracle, Sun…), Database (Oracle, Microsoft, Sybase, IBM…), each running on an OS (Windows, Linux, Solaris). Attacker positions shown: pre-authenticated, authenticated, insider.

Many ways to exploit a vulnerability with targeted attacks


Cross Site Scripting (cross site request forgery) bypasses network defenses

“Sleeping Giant” vulnerability

Diagram: a web server in the DMZ, the corporate network boundary protected by a firewall + network intrusion prevention, and an internal user:
1. User browses (rules allow this)
2. Javascript or other malware downloads
3. Malware probes internal servers
4. Attack succeeds because internal servers are not fully patched.


Getting Harder to Defend

• Skills gap: attackers vs. internal
• Web 2.0 and futures
  – Non-programmers programming in scripting languages
  – Applications now cross firewall boundaries

The Good News: You don’t have to be perfect to be secure… just stay ahead of the crowd

Diagram: Quality, Function, Schedule: choose 2.


Software Security

• Write better software
  – “The reason people keep breaking into your computer is because software sucks”, Richard Clarke
  – Secure development lifecycle and tools
  – Only for new code
• Vulnerability scanning
  – Patch or re-write to repair defect
  – Deploy application with compensating controls: always an acceptable choice, vs. patching which could be difficult or impossible. Host-based IPS plays a very important role.


Defining HIPS/HIDS: Intrusion Defense?

Diagram: “HIPS” as defined by analysts, IPS vendors, firewall vendors, IDS vendors, anti-virus vendors and NAC vendors.

A broad combination of techniques to detect and block attacks from exploiting the host


IPS Easier at the Host

• Modern host-based IPS is a different story
• Consider trying to spot the bad guy
  – In a crowded football stadium?
  – On the street in front of your house?
  – Trying to get into a door or window of your house?
• Finer-grained filtering works.
  – It is much easier to spot the bad stuff trying to enter the host. Knowing the application context helps a lot!


De-perimeterization

• Jericho Forum
• An attack is an attack, internal or external
• Protect IT assets from every threat, identified or potential: “it only takes one”. A single infected PC can take down an entire network
• Start thinking about the applications, and work outwards. Not from the outside in.


Risk

Section 3 of 4


Defining Risk

Risk = more things can happen than will happen

Risk = probability of occurrence X consequence


Minimizing Risk

Risk = (Threat × Vulnerability / Countermeasures) × Value

Minimize this: Threat (a person or thing) × Vulnerability. Maximize this: Countermeasures.

Don’t look at threat vs countermeasures. Consider vulnerability vs countermeasures.
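A worked illustration of this formula over time, added here and not part of the deck: it combines the risk equation on this slide with the figures quoted earlier (19-day half-life after a patch, 6 days to exploit, 54 days to patch) to compare an unshielded fleet with one behind a countermeasure; treating those three numbers as one timeline, the step-function threat and the countermeasure factor are assumptions.

```python
"""Risk = (Threat * Vulnerability / Countermeasures) * Value, played out
day by day after a vulnerability is discovered. Constructed model: the
half-life and delays are the slide's figures, the rest is assumed."""

HALF_LIFE_DAYS = 19.0   # half-life of a critical vuln once a patch exists (Qualys, Jan 2006)
DAYS_TO_EXPLOIT = 6     # discovery -> working exploit (Symantec, 2005)
DAYS_TO_PATCH = 54      # discovery -> vendor patch (Symantec, 2005)


def residual_fraction(days_since_patch: float, half_life: float = HALF_LIFE_DAYS) -> float:
    """Fraction of hosts still unpatched t days after the patch is issued."""
    if days_since_patch <= 0:
        return 1.0
    return 0.5 ** (days_since_patch / half_life)


def vulnerability(day: int) -> float:
    """Exposure on a given day after discovery: fully open until the patch
    ships, then decaying with the observed half-life."""
    return residual_fraction(day - DAYS_TO_PATCH)


def threat(day: int) -> float:
    """Assumed step function: no threat before an exploit circulates, full threat after."""
    return 1.0 if day >= DAYS_TO_EXPLOIT else 0.0


def risk(day: int, countermeasure: float, value: float = 1.0) -> float:
    """The slide's formula. countermeasure >= 1; a shield such as a host IPS
    vulnerability filter raises it and divides the exposure down."""
    return threat(day) * vulnerability(day) / countermeasure * value


def cumulative_risk(days: int, countermeasure: float) -> float:
    """Daily risk summed over a window, to compare shielded vs. unshielded."""
    return sum(risk(d, countermeasure) for d in range(days))


if __name__ == "__main__":
    for label, c in (("no shield", 1.0), ("shield (x10)", 10.0)):
        print(f"{label:13s} cumulative risk over 120 days: {cumulative_risk(120, c):.1f}")
```

Note that the unshielded curve is saturated for the whole 48-day gap between exploit and patch, which is the window the later "shield until patching" slide targets.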


Security in Balance

Chart: cost ($, low to high) against security level (low to high). The cost of breaches falls as security rises, the cost of security rises, and the total cost curve has its minimum at the optimal expenditure.


New threats increase risk

Chart (source: Bob Blakely, Burton Group): (re)normalized residual risk, 0 to 1, plotted against (threat, vulnerability) for Product 1; the “risk tax” for Product 1 is shown before and after a new threat.


Compliance Balancing Act is Hard

Diagram: the extended enterprise (suppliers; employees and branch offices; customers) needs streamlined business processes and access to services and information over the web. Information security governance sits between that and governance & regulation: HIPAA, GLBA, PCI, Sarbanes-Oxley, EU Data Protection Act, FISMA, MITS, CA SB1386, PIPEDA, SEC Regs, NERC, others… It is carried out through policies, procedures, operations.


Compliance

• Compliant ≠ secure
• Being secure sure helps compliance
• SOX expenditures on IT deficiencies are less than 5% of compliance spend
  – (accounting policies, financial processes are the big items)


PCI DSS requirement for web application protection

Requirement 6.6:

“Ensure that all web-facing applications are protected against known attacks by…installing an application layer firewall in front of web-facing applications.”

Must have by July, 2008


OWASP Top 10 vs. PCI 6.5 sub-requirements vs. VISA PABP (source: Burton Group)

OWASP Top 10                                       | PCI 6.5 Sub-requirements                              | VISA PABP
A1 Unvalidated Input                               | 6.5.1 Unvalidated input                               | 5.5.1 Unvalidated input
A2 Broken Access Control                           | 6.5.2 Broken access control                           | 5.5.2 Broken access control
A3 Broken Authentication and Session Management    | 6.5.3 Broken authentication and session management    | 5.5.3 Broken authentication and session management
A4 Cross Site Scripting                            | 6.5.4 Cross-site scripting (XSS)                      | 5.5.4 Cross-site scripting (XSS)
A5 Buffer Overflow                                 | 6.5.5 Buffer overflows                                | 5.5.5 Buffer overflows
A6 Injection Flaws                                 | 6.5.6 Injection flaws                                 | 5.5.6 Injection flaws
A7 Improper Error Handling                         | 6.5.7 Improper error handling                         | 5.5.7 Improper error handling
A8 Insecure Storage                                | 6.5.8 Insecure storage                                | 5.5.8 Insecure storage
A9 Application Denial of Service                   | 6.5.9 Denial of service                               | 5.5.9 Denial of service
A10 Insecure Configuration Management              | 6.5.10 Insecure configuration management              | 5.5.10 Insecure configuration management


Business Drivers for Host Security

• Shield until patching
• Shield from targeted attacks
• Shield without patching

Regulations behind the drivers: PCI DSS, SOX, GLBA, HIPAA, COBIT, MITS


HIPS: Network-based vs. Behavior-based Approach

Diagram of a host computer, bottom to top: Hardware; kernel-mode (the TCP/IP stack, where the network approach sits); user-mode (applications & services, where system execution control sits). The two approaches are also compared on management overhead.

1. Network Approach: Deep Packet Inspection blocks attacks at the network layer

2. Behavior-based: System Execution Control blocks attacks at application calls to the OS


Tuning

Chart: probability of error (0 to 1) against sensitivity, with one curve for false positives and one for false negatives.

False Positives (FP): Appropriate system execution is halted or data traffic is dropped

False Negatives (FN): Malicious system execution is allowed or data traffic accepted

• Close to the host is the best location for tuning accuracy
• Drive the curves down for a broader acceptable operating range


Blended filtering approach

Diagram: raw traffic passes through five stages of deep packet inspection before emerging as filtered traffic:
1. Stateful Firewall
2. Exploit Filters
3. Vulnerability Filters
4. Smart Filters
5. Custom Filters

Annotation along the chain: greater chance of false negatives toward the stateful firewall end, greater chance of false positives toward the custom filter end.


Blended approach: what each stage does

Diagram, the same five-stage deep packet inspection chain from raw traffic to filtered traffic:
1. Stateful Firewall: allow known good
2. Exploit Filters: stop known bad
3. Vulnerability Filters: shield known vulnerabilities
4. Smart Filters: shield unknown vulnerabilities (zero-day)
5. Custom Filters: protect specific applications
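A runnable sketch of the five-stage chain on the last two slides, added here as an illustration and not Third Brigade's engine: each stage answers one of the questions above (known good, known bad, known weakness, anomalous input, application profile) and the first stage to object decides. Every port, signature, request and the assumed "known vulnerability" (an over-long header) and /login profile are constructed.

```python
"""Blended host filter: allow known good, stop known bad, shield known
vulnerabilities, shield unknown ones, protect a specific application.
Constructed rules and requests; not production signatures."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    dst_port: int
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Verdict:
    action: str    # "allow" or "block"
    stage: str     # the stage that decided
    reason: str = ""


# 1. Stateful firewall: only the known-good service ports (assumed: web only).
ALLOWED_PORTS = {80, 443}
# 2. Exploit filters: signatures for known-bad payloads (constructed examples).
EXPLOIT_SIGS = [re.compile(r"/\.\./"), re.compile(r"cmd\.exe", re.I)]
# 3. Vulnerability filters: shield an assumed header-length bug whatever the exploit looks like.
MAX_HEADER_LEN = 256
# 4. Smart filters: reject what no legitimate client sends (control bytes in a URL path),
#    which also catches exploits for bugs nobody has found yet.
CONTROL_BYTES = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
# 5. Custom filters: a profile for one specific application (assumed: /login takes a numeric id).
CUSTOM_RULES = {"/login": re.compile(r"^user=\d{1,8}$")}


def inspect(req: Request) -> Verdict:
    """Run the stages in slide order; the first objection wins."""
    if req.dst_port not in ALLOWED_PORTS:
        return Verdict("block", "stateful firewall", f"port {req.dst_port} not allowed")
    for sig in EXPLOIT_SIGS:
        if sig.search(req.path) or sig.search(req.body):
            return Verdict("block", "exploit filter", sig.pattern)
    for name, value in req.headers.items():
        if len(value) > MAX_HEADER_LEN:
            return Verdict("block", "vulnerability filter", f"{name} header too long")
    if CONTROL_BYTES.search(req.path):
        return Verdict("block", "smart filter", "control bytes in path")
    rule = CUSTOM_RULES.get(req.path)
    if rule and not rule.match(req.body):
        return Verdict("block", "custom filter", "body does not match application profile")
    return Verdict("allow", "all stages passed")
```

The ordering reproduces the slide's trade-off: the coarse stages at the top never block legitimate traffic but miss a lot, while the custom profile at the bottom is the one most likely to need tuning against false positives.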


Protection for custom web applications

OWASP Top 10 Vulnerabilities                | # Vuln’s (Unprotected) | # Vuln’s (Protected)
1. Unvalidated input                        | 25                     | 0
2. Broken access control                    | 0                      | 0
3. Broken authentication and session mgt.   | 10                     | 0
4. Cross site scripting (XSS) flaws         | 8                      | 0
5. Buffer overflows                         | 3                      | 0
6. Injection flaws                          | 13                     | 0
7. Improper error handling                  | 23                     | 0
8. Insecure storage                         | 0                      | 0
9. Denial of service                        | 2                      | 0
10. Insecure configuration management       | 17                     | 2

Tested with industry-leading web application scanner, against 1000’s of attacks


Gartner Predicts...

• By 2010, only one new security threat out of 10 will require the deployment of a tactical point solution, compared with eight out of 10 in 2005.

• By 2011, 20% of desktops in large enterprises, and 70% of servers, will be equipped with virtual security partitions (VSPs), up from less than 1% in 2006.

Source: Gartner, publication date 30 November 2006, ID Number G00144411


VM Environments

• Where does the host agent live?

Diagram: a server with Hardware, a VM layer and several Guest OSes. Host security agent options shown: in the guest OS (best app protection), as a guest network shim (the future of network security), or in the VM layer (most efficient).


Research Challenge

Section 4 of 4


Summary

• Disconnect growing between danger levels and management estimations
• Threats continue to evolve, need new controls
• Application attacks recognized as a priority
• Risk-based compliance arriving
• HIPS is becoming recognized (now and future)
  – as a key approach to move from reactive to proactive
  – an important control for software assurance
  – as a foundation for self-defending host vision
  – no silver bullet, will always need new stuff
  – will continue to improve with better tuning…


DIR-604


Towards self-defending hosts in a dynamic threat environment

Diagram: an extended enterprise with a porous perimeter and host security (IDS/IPS) everywhere there is IP; a security manager fed by a recommendation engine, in-the-cloud collaboration, sensor networks and vulnerability info.

Research challenge: sense, and tune appropriately


THANK YOU

www.thirdbrigade.com