Mullen Cyber TA Promia Abbott
Added: October 31, 2007

Presentation Transcript

Slide 1: Experiences in DoD Security Management
John Mullen, Steven Templeton
Promia Incorporated, 160 Spear St., Suite 320, San Francisco, CA 94105, 415.536.1600
Promia, Inc. Cyber-TA Kickoff, 28 September 2006

Slide 2: Company Overview
- Promia: Founded 1991, San Francisco; Privately Held, Profitable
- Secure CORBA OO Enterprise Networking Tools: World's First CORBA Security Product; Actively used in Corporations Worldwide
- Intelligent Agent Security Manager (IASM): SBIR Project; Deployed and Maintained Globally
- Anti-Terrorism Indications and Warnings: SBIR Project
- CRADAs: NSA R2, UC Davis

Slide 3: Our People

Slide 4: Intelligent Agent Security Manager
- Intelligent Agent Security Manager (IASM): Originated as Small Business Innovation Research Project, US Navy SPAWAR PMW-160
- Distributed Security Event Management System
- Objectives:
  - Substantially Reduce False Positive Alarms (Supports IDS, Firewall, Router, Host Event Logs)
  - Increase Attack Detection Accuracy (Signature and Anomaly for known, unknown attacks)
  - Reduce Workload to Monitor Asset Security Events
- Integrated Asset Viewer: Passive, Minimally Active Asset Discovery; Asset Monitoring; Unauthorized Asset Detection

Slide 5: Global Tiered Perspective
(Deployment map) Strike Group: Ship, Ship, Ship, Ship. PRNOC. Camps, Ports, Bases, Stations, Network Operations Centers (NOSCs), Command Control Centers (SYSCONS). Sites: Bahrain Regional Operation Center, UARNOC, Naples, Sigonella, United Kingdom, Rotab, La Maddalena, Souda Bay, Yokosuka, Guam, Sasebo, Atsugi, Misawa, Korea, Okinawa, Diego Garcia, Singapore, Naples IT Regional Operation Center, Bahrain ECRNOC. CND Centers: IORNOC, CHASNOC, SFNOC, Test NOCs. Tier-1: STRATCOM, Norfolk VA, NCDOC, NMCI CONUS; Tier-2; Tier-3.
Legend: Sites Upgraded with Promia IASM v1.2.2 (07/06); Sites Purchased and Scheduled for install

Slide 6: Physical Design and Configuration
(Hardware photos: 6U, 4U and 1U chassis)

Slide 7: IASM Features
- Designed for the DoD Global Information Grid
- Near real-time acquisition and normalization of security event logs and alerts from network and host IDS sensors, firewalls, routers, and O/S's
- Signature-based analysis of normalized events, using both standard and site-specific Analysis Agents, to detect and generate IASM alarms about known security attacks
- Anomaly-based significance assessment of normalized events to assess and generate alarms about novel security attacks
- Configurable Concept Lattice for assignment of semantic meaning to security incidents
- Open systems-based, modular architecture to accommodate custom analysis engines, sensors, etc.
- Ability to customize Sensor Agents, Analysis Agents

Slide 8: Cyber-TA Project – Promia Tasks
- Integrate SRI Anonymizer into IASM
- Operate with 2 Test NOCs inter-enclaved
- Measure Implementation Effectiveness
- Report Findings, Demonstrate Results
- Promia is on schedule with initial tasks

Slide 9: IASM
(Architecture figure)

Slide 10: IASM Data Experience
- Different collection sites: Multiple Navy NOCs; FAA sites; University sites; Small business/personal sites
- Different IDSs: Intrushield, Snort, Cisco IDS, Real Secure, Promia sensors

Slide 11: How the IASM fits in
- Back-end monitoring console
- Data archival
- Issues:
  - How will anonymized data affect alert aggregation and assessment?
  - What can be changed to mitigate problems resulting from the anonymization strategy?

Slide 12: Cyber-TA + IASM
- What have we learned about event monitoring that will have an impact on the Cyber-TA project?

Slide 13: Security Management in the Real World
- Challenge Areas: Acceptance; Data volume; Data quality; Data analysis and presentation

Slide 14: Gaining the Trust of the Customer
- More Social than Technical
- Resistance to Acceptance: When lives at stake; When $$$ at stake; Number of people affected; Attitude toward project, vendor; Personality (disorders)
- How does the system affect the security of the organization? How does it affect the mission of the organization?
- Perceived value of system; Operator focus; Voluntary vs. Mandatory
- Must convince groups that participation in Cyber-TA is in their own best interest, and that any risks regarding privacy or the operation of their site are minimal.

Slide 15: Volume of Alert Data
- Single site alert volume typically less than 1M alerts per day. After reduction and processing, <8 per hour.
- Majority of activity not significant (i.e. actionable)
- Many alerts can be aggregated w/o significant loss of information.
- Significant variation between sites. Traffic, architecture and IDS dependent. Site-specific pre-processing may be a useful solution.
- Archival: Can be a big task, but not a problem given resources.
- Processing: Not significant for stateless or minimal-state analysis. Database performance is important. Load balancing parallelism is useful.
- Bandwidth

Slide 16: Sensor Process Extension
- Integrate data summarization into Cyber-TA sensor.
- Goal: Reduce bandwidth; Increase anonymization; Mitigate some attacks on Cyber-TA system; Enhance analysis w/o compromising security of data collection site.

Slide 17: Sensor Process Extension
- Alerts are summarized at the sensor prior to anonymization.
- Degree of summarization based on:
  - Volume of data: Higher volumes tend to force higher levels of summarization
  - Similarity of data: Statistical and heuristic relations considered; More similar data will aggregate to higher levels
  - "Interestingness" of activity: Heuristic; Anomalousness; Modifiable by Cyber-TA participants.

Slide 18: Sensor Process Extension
- High volume of same/similar activity more highly aggregated. Multiple DoS alerts w/ identical attributes: Can "roll-up" those w/ same timestamp, contiguous timestamp (add count and duration), only vary in high source port (replace w/ "MHP").
- Dissimilar activity not aggregated. Lone Buffer-Overflow w/ scans; Inbound vs. outbound worms.
- Low importance features more highly aggregated. High ports, multiple IPs set by load balancer.
- Normal activity more highly aggregated. Don't need details on yet another port 80 host sweep, background traffic worm, or FP artifacts of site architecture.
- Interesting or security-significant activity less highly grouped than that identified as less interesting or not security significant. Requests for details of specific alerts honored. Activity targeting critical servers. Alerts for attacks on host w/ known vulnerability.

Slide 19: User-specified Interestingness Requests
- From Cyber-TA participant or Cyber-TA prime.
- Require negotiation w/ participants
- Heckman: May require request validation. Domain-specific language to support request validation

Slide 20: Security Management in the Real World: Time Synchronization
- Accurate time information required for accurate assessment
- Accurate time information difficult to obtain
- Clock Sync: constant: clock skew, Time Zones, network propagation; Variable: clock drift, reset, propagation
- IDS quirks: Sigs received "out of order" from IDS
- NTP not viable solution

Slide 21: Security Management in the Real World: Localization
- Not all Networks are the Same
- Network Architecture affects Detection: NATing, Firewalls, Sensor Placement, Load Balancers
- Same alert on different networks may indicate different activity.

Slide 22: Security Management in the Real World: Poor Sensors
- Sensors are far from perfect. Can be their own worst enemy…
- Extreme number of false positives. Most really just advisory. Can be DoS attack
- Signatures are rarely current. Current signatures rarely good
- Can be surprisingly effective in novel ways
- Signature-based methods limit analysis potential.

Slide 23: Security Management in the Real World: Poor Sensors (cont.)
- Medical analogy: Signatures not primary detection tool. Primary action based on signs and symptoms.
- Can we develop a new class of sensors that monitor "signs and symptoms"? When problem is detected, signatures on "rule-outs" are tried.
- Details of sensor alerts are processed for common patterns that could lead to first cut of auto-generated signature. Should be over specific (to avoid false negatives), then refined as more tagged alerts are processed.
- Network vs. Host sensors (observed vs. reported)
- Should Cyber-TA project develop and run S&S rules for wide internet health monitoring and epidemiologic analysis?
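The sensor-side roll-up described on the Sensor Process Extension slides (alerts with the same attributes and identical or contiguous timestamps merged into one record carrying a count and duration, source ports that differ only in the high range replaced with "MHP", and activity aimed at critical servers or carrying an interesting signature left unaggregated), as an added Python example. This is not code from the presentation or from Promia's IASM; the Alert record layout, the 1024 high-port threshold, the one-second contiguity gap, and the critical-host and interesting-signature lists are constructed assumptions.

```python
# Added example: sensor-side alert roll-up in the spirit of the
# "Sensor Process Extension" slides. Not Promia/IASM code; the alert
# layout, thresholds and sample data below are constructed assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

HIGH_PORT = 1024  # assumed threshold for a "high" (ephemeral) source port


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds since epoch
    sig: str     # signature name as reported by the IDS
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Summary:
    sig: str
    src: str
    dst: str
    dport: int
    sport: str   # one port as text, or "MHP" (multiple high ports)
    first_ts: int
    last_ts: int
    count: int

    @property
    def duration(self) -> int:
        return self.last_ts - self.first_ts


def summarize(alerts: List[Alert], critical_hosts: FrozenSet[str] = frozenset(),
              interesting_sigs: FrozenSet[str] = frozenset(),
              gap: int = 1) -> Tuple[List[Summary], List[Alert]]:
    """Roll up same/similar alerts; pass security-significant ones through.

    Alerts merge into one Summary when they share signature, source,
    destination and destination port, their timestamps are identical or
    contiguous (within `gap` seconds of the previous alert in the run), and
    they differ at most in a high source port. Alerts aimed at a critical
    host or carrying an interesting signature are returned individually.
    """
    passthrough: List[Alert] = []
    candidates: List[Alert] = []
    for a in alerts:
        if a.dst in critical_hosts or a.sig in interesting_sigs:
            passthrough.append(a)
        else:
            candidates.append(a)

    # Sorting by attributes then time puts each run of identical alerts together.
    candidates.sort(key=lambda a: (a.sig, a.src, a.dst, a.dport, a.ts))
    summaries: List[Summary] = []
    run: Optional[Summary] = None
    run_ports: Set[int] = set()
    for a in candidates:
        joins = (
            run is not None
            and (run.sig, run.src, run.dst, run.dport) == (a.sig, a.src, a.dst, a.dport)
            and a.ts - run.last_ts <= gap
            and (a.sport in run_ports
                 or (a.sport >= HIGH_PORT and all(p >= HIGH_PORT for p in run_ports)))
        )
        if joins:
            run.last_ts = a.ts          # extend the duration of the run
            run.count += 1
            run_ports.add(a.sport)
            run.sport = str(a.sport) if len(run_ports) == 1 else "MHP"
        else:
            run = Summary(a.sig, a.src, a.dst, a.dport, str(a.sport), a.ts, a.ts, 1)
            run_ports = {a.sport}
            summaries.append(run)
    return summaries, passthrough


# Constructed sample alerts (documentation-range addresses, not real traffic).
SAMPLE_ALERTS = [
    # a SYN-flood burst from one source, varying only in high source port
    Alert(1000, "DOS SYN flood", "203.0.113.9", 40001, "192.0.2.10", 80),
    Alert(1000, "DOS SYN flood", "203.0.113.9", 40002, "192.0.2.10", 80),
    Alert(1001, "DOS SYN flood", "203.0.113.9", 40003, "192.0.2.10", 80),
    Alert(1002, "DOS SYN flood", "203.0.113.9", 40004, "192.0.2.10", 80),
    # the same flood an hour later: not contiguous, so a separate record
    Alert(4600, "DOS SYN flood", "203.0.113.9", 40005, "192.0.2.10", 80),
    # a lone buffer-overflow attempt: interesting, never rolled up
    Alert(1001, "EXPLOIT buffer overflow attempt", "203.0.113.9", 40006, "192.0.2.10", 80),
    # a port-80 sweep; the hit on the critical server is kept in full
    Alert(1003, "SCAN port 80 sweep", "198.51.100.7", 50000, "192.0.2.20", 80),
    Alert(1003, "SCAN port 80 sweep", "198.51.100.7", 50001, "192.0.2.21", 80),
]
CRITICAL_HOSTS = frozenset({"192.0.2.20"})                     # assumed
INTERESTING_SIGS = frozenset({"EXPLOIT buffer overflow attempt"})  # assumed


def run_sample() -> Tuple[List[Summary], List[Alert]]:
    return summarize(SAMPLE_ALERTS, CRITICAL_HOSTS, INTERESTING_SIGS)


if __name__ == "__main__":
    summaries, kept = run_sample()
    for s in summaries:
        print(f"{s.sig} {s.src}:{s.sport} -> {s.dst}:{s.dport} x{s.count} over {s.duration}s")
    for a in kept:
        print(f"(detail kept) {a.sig} {a.src}:{a.sport} -> {a.dst}:{a.dport} @ {a.ts}")
```

On the sample input the eight alerts become five records: the four contiguous flood alerts collapse into one "MHP" summary with a count of 4 and a 2-second duration, the later flood alert and the sweep against the non-critical host each stay as single-count summaries, and the overflow attempt and the sweep hit on the critical server are passed through untouched. Because the merge key excludes the source port, a run that varies in a low source port is deliberately split rather than rolled up, matching the slides' "only vary in high source port" condition.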