SCIT - Vision Series

Self-Cleaning Intrusion Tolerance (SCIT)

MSAG msag.net 703.538-0807

Copyright © 2014, Micro Systems Consultants, Inc. Permission to duplicate and distribute this document is granted provided the document is duplicated and distributed in its entirety, three pages.

November 2014 Author: Eric Jacobs, Director [email protected]

MSAG Vision Series TM

AIRCRAFT AEROSPACE


Intrusions are Inevitable

The figure at right is an excerpt from Verizon's 2014 Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2014/). The data clearly shows the significant gap that typically exists between the Compromise of a system, which in more than half of cases takes place in a matter of minutes, and the Discovery of that Compromise, which in more than half of cases takes months. In more than 90% of these instances, Exfiltration has occurred before the Compromise was Discovered.

Cyber security strategies built on Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) cannot prevent all intrusions. Self-Cleaning Intrusion Tolerance (SCIT) is an award-winning patented technology that delivers a proactive approach to cyber attack deterrence. The SCIT approach applies to virtual and physical server environments. It exploits virtualization to automatically restore the operating system and applications to a pristine state and achieves ultra-low intrusion persistence time: minutes, as opposed to days, weeks, or months for conventional systems. SCIT servers subvert attacks by robbing intruders of the time and persistent access needed to launch and sustain attacks.

The SCIT Process

SCIT-enabled servers have a six-state cycle, as illustrated below: Startup to Online Spare to Production/Exposed to Quiescent (which drains the transaction queue) to Forensics and, finally, to Stop, when the server is stopped and destroyed. SCIT-enabled servers reduce operational costs and the probability of violating Service Level Agreements and Objectives (SLA/SLO) by increasing the protection of the datasets and operational resilience.
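The six-state cycle described above, as an added simulation that is not MSAG's code: a discrete-minute model of the rotation showing that a compromise planted on the Production/Exposed server survives at most one exposure interval plus the Quiescent drain before the instance is captured for forensics and destroyed. Instant boot, a single always-ready spare, the one-minute tick and the `compromised_at` marker are assumptions of this model, not features described on the page.

```python
# Discrete-time simulation of the SCIT six-state rotation (added example, not
# MSAG's code). Assumed simplifications: boot is instant, one Online Spare is
# always ready, and the Forensics capture is a single snapshot before Stop.
CYCLE = ["Startup", "Online Spare", "Production/Exposed",
         "Quiescent", "Forensics", "Stop"]


class ScitServer:
    def __init__(self, sid):
        self.sid = sid
        self.state = 0                # index into CYCLE
        self.quiesce_until = None     # minute at which the transaction queue is drained
        self.compromised_at = None    # simulated implant time, for the model only

    def advance(self):
        """Move to the next state; an instance never moves backwards or repeats."""
        self.state += 1
        return CYCLE[self.state]


def simulate(exposure_minutes, drain_minutes, compromise_at, horizon=60):
    """Rotate a pristine server into production every `exposure_minutes`.
    Returns (persistence, captures): how many minutes a compromise planted at
    `compromise_at` survived before its host was destroyed (None if it never
    was), and the (server id, was_compromised) pairs handed to offline forensics."""
    counter = iter(range(10**6))

    def fresh():
        s = ScitServer(next(counter))
        s.advance()                               # Startup -> Online Spare
        return s

    spare, prod, retiring = fresh(), None, []
    captures, persistence = [], None
    for t in range(horizon):
        if t % exposure_minutes == 0:             # rotation boundary
            if prod is not None:
                prod.advance()                    # Production -> Quiescent
                prod.quiesce_until = t + drain_minutes
                retiring.append(prod)
            prod, spare = spare, fresh()
            prod.advance()                        # Online Spare -> Production
        if t == compromise_at:
            prod.compromised_at = t               # intruder lands on the exposed host
        for s in [r for r in retiring if t >= r.quiesce_until]:
            s.advance()                           # Quiescent -> Forensics
            captures.append((s.sid, s.compromised_at is not None))
            s.advance()                           # Forensics -> Stop (destroyed)
            retiring.remove(s)
            if s.compromised_at is not None:
                persistence = t - s.compromised_at
    return persistence, captures
```

With a ten-minute exposure and a two-minute drain, `simulate(10, 2, 13)` reports a persistence of 9 minutes, and no choice of compromise time exceeds 12, the exposure interval plus the drain.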


SCIT software and appliance-based solutions can be installed rapidly and seamlessly integrated with existing FISMA-compliant architecture. There is no requirement to alter existing security implementations or protocols, and SCIT cycle times can be adapted based on information from existing security tools. SCIT does not require changes to application code.

Benefits of a Proactive Approach

SCIT proactively deters cyber attacks by reducing the window of opportunity for adversaries to mount and execute cyber attacks. SCIT-enabled web servers become state-of-the-art agile defense systems that feature:

• Responses to newly discovered vulnerabilities. Threat vectors can often be better managed at a more measured pace, with less urgency and less chance of collateral adverse effects.
• Ultra-low Intrusion Persistence Time, configurable from hours to as low as one minute.
• Automatic restore to a pristine state at regular intervals without manual intervention.
• Automatic recovery from software deletion attacks.
• Increased visibility of intruders' repeated attempts to access your environment.
• Lower Total Cost of Ownership (TCO) by reducing false positive alerts and associated investigation and recovery costs.
• Reduction of memory leaks through SCIT's continuous clean processes.
• Increased operational resilience, faster recovery time, and better update management.

[Figure: SCIT Approach. State cycle: Start, Online Spare, Production/Exposed, Quiescent, Forensics, Stop. Pristine servers are rotated into production at appropriate time intervals; retired servers are captured for offline forensic analysis.]

Additional benefits realized after introducing SCIT-enabled servers include:

• Reduction in data exfiltration losses.
• Support for forensic and cyber intelligence activities.
• Quick and easy application of hot patches and recovery from bad patches.
• Support for disaster recovery/Continuity of Operations (COOP) architectures.

SCIT Compared to Traditional Approaches

Existing host integrity tools such as firewalls, IPS, and IDS are reactive and help with understood and known threats. These tools provide limited, if any, protection against zero-day threats. SCIT is proactive, threat independent, and contains zero-day threat losses.

Conclusion

This paper highlights a cost-effective approach to the implementation of proactive measures to protect an organization's infrastructure and assets. SCIT can quickly be operational with little impact on an organization's technical staff and existing processes.

MSAG
2785 Hartland Road
Falls Church, VA 22043
msag.net
703.538.0807