Research Advancements Towards Protecting Critical Assets
Dr. Richard “Rick” Raines, Cyber Portfolio Manager
Oak Ridge National Laboratory
15 July 2013
The Cyber Defense?
The Economist May 9, 2009
The Threat Landscape
• National intellectual property is being stolen at alarming rates
• National assets are vulnerable to attack and exploitation
• Personally Identifiable Information at risk
• Competing and difficult national priorities for resources
The Landscape is continually changing
[Figure: critical infrastructure sectors: Transportation, Water, Electric Power, Oil & Gas, Communications, Financial, Emergency]
Understanding the Challenges
• Dynamic environment with a constant churn
  – A domain of operations: “within” and “through”
  – Anytime, anywhere access to data and information
  – Policy and statutory lanes emerging
• Agile adversaries
  – Cyber and cyber-physical
  – Overt and covert attacks/exploits
• Data continues to grow
  – Sensor feeds yield terabytes of raw data
  – Analyst burdens continue to grow
We Continue to Play Catch Up
Who Are the Threat Actors ?
• Unintended threat actors: can be just about anyone
  – Target-rich environment: people, processes, machines
• Personal-gain threat actors: individual and organized crime
  – Insiders?
• Ideological threat actors
  – Hacktivists, extremists and terrorists
• Nation-state threat actors
  – Intelligence gathering, military actions
The Sophistication of the Actors Continues to Increase
#OpUSA (7 May 13)
#OpNorthKorea (25 Jun 13)
Who “Really” Are the Threat Actors?
• Over 90% of threat actors are external to an organization
• 55% of the actors associated with organized crime
  – Predominantly in U.S. and Eastern Europe
• ~20% of actors associated with nation-state operations
  – Over 90% attributable to China
• Internal actors: large percentage of events tied to unintentional misconfigurations
But sophistication is not always needed…
Source: www.verizonenterprise.com/DBIR/2013
The Targets
• 37% of incidents affected financial organizations
  – Organized crime: virtual and physical methods
  – Since 9/2012, 46 U.S. institutions in over 200 separate intrusions (FBI)
• 24% targeted individuals in retail environments
  – 40% of data thefts attributed to employees in the direct payment chain
    • Waiters, cashiers, bank tellers: “skimmers” and like devices
• Organizations will always be targets for who they are and what they do
Actors will continue to look for the “low hanging fruit”
Source: www.verizonenterprise.com/DBIR/2013
Understanding Your Mission
• What does cyber Situational Awareness really mean?
  – User-defined
  – Real-time awareness of mission health
  – Highly relevant information to the decision-maker
• What are the “crown jewels” in your mission space?
  – The critical components that you can’t operate without
  – Understanding the interdependencies
• What are the capabilities needed for success?
  – Revolutionary advances rather than evolutionary progress
  – The right talent, and enough of it, to ensure success
  – Partnerships are critical
Mission Assurance = Operational Success
Long Term Grand Challenges
System of systems approach to ensure continuity of operations (COOP):
• Identify mission-critical capabilities
• Assess complex attack planning problem
• Design defense in depth
• Detect/block attacks
• Discover/mitigate attacks
• Enable graceful degradation of resilient (self-healing) systems
Operate Through An Outage/Attack
Cyber R&D Challenges
Mission-critical systems available and functional to operate through:
• Near-real-time situational awareness of the battlespace
• Automated/user-defined view
• Network mapping
• Predictive/self-healing systems
• Anticipate failure or attack and react automatically
Predictive Awareness
Cyber R&D Challenges
Visibility of data and computations without access to specific problem
Approach: wholly owned / cloud service / public internet
• Complex attack planning problem
• Variety of security structures
• Masking deception
• Continuous maneuver
• Graceful degradation of resilient (self-healing) systems
Security in the Cloud
High user confidence in data and software
• Resilient data (at rest and in motion)
• Protocols: secure, resilient, active
• Trustworthy computing
• High-user-confidence checksum
• Hardware-backed trust
• Graceful degradation of mission-critical data to “last known good”
Self-Protective Data/Software
Cyber R&D Challenges
Bring your own device (disaster?)
• Biometric security features
• Classified/UNCLAS encryption
• Power and performance issues addressed
• Hardware root of trust
• Self-healing
• Data validated; leakage/transfer contained
Security of Mobile Devices
Cyber R&D Challenges
Evidence-based action
Computational cyber security
• Observation-based generative models
• Control of false positives/negatives
• Modeling of adversaries
Science-based security
• Mathematical rigor
• Computationally intensive methods
• At scale, near real time
• Statistics vs metrics
• Repeatability and reproducibility
• Trend observation and identification
Protection and control
Nonclassical light sources
• Photon pair and continuous variable entanglement
• Comprehensive source design and simulation
Quantum simulation
• High-performance computing resources
• Putting quantum and computing together
Application-oriented research
• From first principles to real solutions
• Quantum for computing, communication, sensing, and security
Analytics
• Probabilistic modeling
• Social network analysis
• Relational learning
• Heterogeneous data analysis
Information visualization
• Geospatial and temporal display methods
• Multiple, coordinated visualizations
• User-centered design and user testing
Data management
• Online, near-real-time methods
• Graph modeling/retrieval
• Distributed storage and analysis methods
ORNL Cyber Research Strengths
Evidence-based action
Computational cyber security
• Observation-based generative models
• Control of false positives/negatives
• Modeling of adversaries
• Vulnerability assessments
• Mathematical rigor
• Computationally intensive methods
• At scale, near real time
Real-time monitoring
• Time-synchronized data
• Fault disturbance recorders, PMUs
• Voltage, frequency, phase 3, current
Detection, control and wide-area visualization
Standards development
• Industry guidelines
• Interoperability
Resilient control systems
• Physics-based protection schemes
• Cyber-physical interface
Advanced components
• Fault current limiters
• Saturable reactors
• Power electronics
Analytics
• Probabilistic modeling
• Social network analysis
• Relational learning
• Heterogeneous data analysis
Information visualization
• Geospatial and temporal display methods
• Multiple, coordinated visualizations
• User-centered design and user testing
Data management
• Online, near-real-time methods
• Graph modeling/retrieval
• Distributed storage and analysis methods
ORNL Control Systems Security Research Strengths
Wide-Area Power Grid Situational Awareness
Impact Models and Data Analysis
Distribution Outages Analysis
• Monitoring capability
  – Situational awareness of a subset of transmission lines (above 65 kV)
  – Situational awareness of distribution outages (status of approximately 100 million power customers)
  – Social-media feeds ingest
  – Real-time weather overlays
• Modeling and analysis
  – Predictive and post-event impact modeling and contingency simulation
  – Automatic forecasts of power recovery
  – Energy interdependency modeling
  – Mobile application
  – Cyber dependency
VERDE: Visualizing Energy Resources Dynamically on Earth
Validation. Software can be analyzed for intended functionality.
Readiness. Software can be analyzed for malicious content.
Instruction semantics can be mathematically combined to compute the functional effect of programs.
Function and security analysis of compiled binaries through behavior computation
HOW IT WORKS:
• Hyperion Protocol technology computes the behavior of compiled binaries.
• Structure theorem shows how to transform code into standard control structures with no arbitrary branching.
• Correctness theorem shows how to express behavior of control structures as non-procedural specifications.
• Computed behavior can be compared to semantic signatures of vulnerabilities and malicious operations.
Current technology provides no practical means to validate the full behavior of software.
Software may contain unknown vulnerabilities and sleeper code that compromise operations.
Program instructions implement functional semantics that can be precisely defined.
Determination of vulnerabilities and malicious content can be carried out at machine speeds.
System for computing behavior of binaries to identify vulnerabilities, sleeper code and malware.
[Quad-chart labels: Quantitative Impact, Goal, Status Quo, New Insights]
Mathematical foundations developed at IBM
SEI/CMU developed Function Extraction (FX)
ORNL developing 2nd Gen FX on HPC
Hyperion Protocol
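The behavior-computation idea in the HOW IT WORKS list above, as an added example that is not Hyperion or FX code: a toy two-register 8-bit machine whose programs are already in structured form (sequence and if-then-else, the shape the structure theorem produces), whose net functional effect is computed by composing the semantics of each instruction, and whose computed behavior is then compared with a "semantic signature" such as "clears r0" or "swaps r0 and r1". The instruction set, register names, programs and signatures are all constructed for this example; the comparison here is an exhaustive check over the 65,536 possible input states rather than the symbolic, non-procedural specification that FX derives.

```python
"""Toy behavior computation: compose instruction semantics over a structured
program and compare the result with a semantic signature.

Added example; not ORNL Hyperion/FX code. Machine, programs and signatures are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Union

MASK = 0xFF                          # constructed toy machine: two 8-bit registers
State = Dict[str, int]               # {"r0": value, "r1": value}
Behavior = Callable[[State], State]  # net effect of a program: input state -> output state


@dataclass
class Instr:
    """Straight-line instruction `op dst, src` (mov / add / sub / xor)."""
    op: str
    dst: str    # "r0" or "r1"
    src: str    # register name, or an immediate written "#n"


@dataclass
class IfElse:
    """Structured conditional: then_body runs if register `cond` is nonzero, else else_body."""
    cond: str
    then_body: List["Node"]
    else_body: List["Node"]


Node = Union[Instr, IfElse]

_ALU = {
    "mov": lambda d, s: s,
    "add": lambda d, s: (d + s) & MASK,
    "sub": lambda d, s: (d - s) & MASK,
    "xor": lambda d, s: d ^ s,
}


def _operand(state: State, src: str) -> int:
    return int(src[1:]) & MASK if src.startswith("#") else state[src]


def instr_behavior(ins: Instr) -> Behavior:
    """Semantics of one instruction as a state-to-state function."""
    alu = _ALU[ins.op]

    def run(state: State) -> State:
        new = dict(state)
        new[ins.dst] = alu(state[ins.dst], _operand(state, ins.src))
        return new

    return run


def compute_behavior(block: List[Node]) -> Behavior:
    """Compose semantics over the structured program: a sequence is function
    composition, an if-then-else is a case split on the condition register."""
    steps: List[Behavior] = []
    for node in block:
        if isinstance(node, Instr):
            steps.append(instr_behavior(node))
        else:
            then_b = compute_behavior(node.then_body)
            else_b = compute_behavior(node.else_body)
            steps.append(lambda s, t=then_b, e=else_b, c=node.cond: t(s) if s[c] else e(s))

    def run(state: State) -> State:
        for step in steps:
            state = step(state)
        return state

    return run


def matches_signature(block: List[Node], signature: Behavior) -> bool:
    """Compare the computed behavior with a semantic signature over every input state."""
    behavior = compute_behavior(block)
    for r0, r1 in product(range(MASK + 1), repeat=2):
        state = {"r0": r0, "r1": r1}
        if behavior(state) != signature(state):
            return False
    return True


# Constructed semantic signatures: what a program does, independent of how it is written.
CLEAR_R0: Behavior = lambda s: {"r0": 0, "r1": s["r1"]}
SWAP: Behavior = lambda s: {"r0": s["r1"], "r1": s["r0"]}

# Constructed programs: three syntactically different ways to zero r0, an xor-swap, an increment.
PROG_XOR_ZERO = [Instr("xor", "r0", "r0")]
PROG_SUB_ZERO = [Instr("mov", "r0", "r1"), Instr("sub", "r0", "r1")]
PROG_BRANCHY = [IfElse("r1", [Instr("mov", "r0", "#0")], [Instr("xor", "r0", "r0")])]
PROG_XOR_SWAP = [Instr("xor", "r0", "r1"), Instr("xor", "r1", "r0"), Instr("xor", "r0", "r1")]
PROG_INC = [Instr("add", "r0", "#1")]

if __name__ == "__main__":
    cases = [("xor-zero", PROG_XOR_ZERO, CLEAR_R0), ("sub-zero", PROG_SUB_ZERO, CLEAR_R0),
             ("branchy", PROG_BRANCHY, CLEAR_R0), ("xor-swap", PROG_XOR_SWAP, SWAP),
             ("inc", PROG_INC, CLEAR_R0)]
    for name, prog, sig in cases:
        print(f"{name:9s} matches {'CLEAR_R0' if sig is CLEAR_R0 else 'SWAP'}: {matches_signature(prog, sig)}")
```

The point the example makes is the one the slide makes: the three zeroing programs share no instruction in common, yet their computed behavior is identical, so a signature expressed over behavior rather than over byte patterns catches all of them, and rejects the increment that merely looks similar. A real analyzer would also have to handle loops (the while structure) and derive closed-form specifications instead of enumerating states, which is where the mathematical machinery on the slide comes in.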
Oak Ridge Cyber Analytics: Detecting Zero Day Attacks
Approach:
• Generalize computer communication behaviors using machine learning models.
• Classify incoming network data in real time.
• Complement signature-based sensor arrays to focus on attack variants.
Advantages:
• No signatures: trains on examples of attacks
• Detects attacks missed by the most advanced OTS intrusion detectors.
• Detects zero-day attacks that are variants of existing attack vectors.
DoD Warfighter Challenge evaluation of ORNL’s ORCA:
• Supervised learner (tweaked AdaBoost):
  – Detected 94% of attacks using machine learning methods
  – False positive rate is only 1.8%
• Semi-supervised learner (Linear Laplacian RLS):
  – Detected 60% of attacks using machine learning methods
  – No false positives
• Detecting both previously seen and never-before-seen attacks.
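How the two figures reported for each learner (detection rate and false-positive rate) are computed from a labelled evaluation set, and what they imply once the classifier sees production traffic volumes, as an added example that is not ORCA code. The evaluation records, the alert threshold, and the daily traffic volumes are constructed; the 94%/1.8% and 60%/0% pairs are the slide's own numbers, fed in as parameters.

```python
"""Detection rate, false-positive rate and their operational meaning.

Added example; not ORNL ORCA code. Evaluation set, threshold and traffic volumes are constructed.
"""
from typing import Iterable, List, Tuple

# Constructed evaluation set: (is_attack, classifier_score). In practice this is a
# held-out labelled capture, never the data the model was trained on.
EVAL_SET: List[Tuple[bool, float]] = [
    (True, 0.90), (True, 0.80), (True, 0.95), (True, 0.70), (True, 0.30),
    (False, 0.10), (False, 0.20), (False, 0.05), (False, 0.60), (False, 0.15),
    (False, 0.30), (False, 0.25), (False, 0.10), (False, 0.40), (False, 0.20),
]


def confusion(records: Iterable[Tuple[bool, float]], threshold: float) -> Tuple[int, int, int, int]:
    """Count (TP, FP, TN, FN) for the rule 'alert if score >= threshold'."""
    tp = fp = tn = fn = 0
    for is_attack, score in records:
        alert = score >= threshold
        if is_attack and alert:
            tp += 1
        elif is_attack:
            fn += 1
        elif alert:
            fp += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def detection_and_fpr(records: Iterable[Tuple[bool, float]], threshold: float) -> Tuple[float, float]:
    """Detection rate (recall over attacks) and false-positive rate (alerts over benign)."""
    tp, fp, tn, fn = confusion(records, threshold)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def precision_at_prevalence(tpr: float, fpr: float, prevalence: float) -> float:
    """Fraction of alerts that are real attacks when attacks make up `prevalence`
    of all traffic (Bayes' rule). This is the number an analyst actually lives with."""
    true_alerts = tpr * prevalence
    false_alerts = fpr * (1.0 - prevalence)
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def expected_daily_alerts(tpr: float, fpr: float, attacks_per_day: float,
                          benign_per_day: float) -> Tuple[float, float]:
    """Expected (true alerts, false alerts) per day at the given traffic mix."""
    return tpr * attacks_per_day, fpr * benign_per_day


if __name__ == "__main__":
    tpr, fpr = detection_and_fpr(EVAL_SET, threshold=0.5)
    print(f"constructed eval set: detection {tpr:.0%}, false-positive rate {fpr:.0%}")
    # The slide's two learners, at a constructed prevalence of 1 attack flow per 10,000
    # and a constructed volume of 10 million benign flows per day.
    for name, t, f in [("supervised (AdaBoost)", 0.94, 0.018), ("semi-supervised (LapRLS)", 0.60, 0.0)]:
        prec = precision_at_prevalence(t, f, prevalence=1e-4)
        hits, noise = expected_daily_alerts(t, f, attacks_per_day=100, benign_per_day=10_000_000)
        print(f"{name}: precision {prec:.2%}, ~{hits:.0f} true and ~{noise:.0f} false alerts/day")
```

Running it shows why the slide pairs the learner with signature sensors rather than replacing them: a 1.8% false-positive rate is excellent on a benchmark, but at one attack per ten thousand flows it still means only about half a percent of alerts are real, while the zero-false-positive learner trades 34 points of detection for alerts an analyst can act on without triage.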
Moving Ahead
• Increased national focus on cyber security
• Cyber law enforcement capabilities growing: “who”
• Digital forensics are improving: “how”
• Information Sharing and Analysis Centers (ISACs): “what”
• Maturing education and training for the professionals
• Better education for “the masses”
• Rapidly evolving R&D breakthroughs
The Human is still the weakest element in the cyber domain