Cyber Ecosystem & Data Security
Subhro Kar
CSCE 824, Spring 2013
University of South Carolina, Columbia
Biological Ecosystems
The members of the system are closely related
The balance is always maintained
Relationships are well defined
Monitored by nature
Source: http://www.tutorvista.com/content/biology/biology-iv/ecosystem/food-web.php
What is a Cyber Ecosystem?
Entities in network are not merely considered in isolation
Each member has a specific goal
Each member is related to every other member in one way or another
Processes are important
Anticipate and prevent attacks
Limit the speed of attacks across devices
Recover to a trusted state
Malware Ecosystem
Each member in the ecosystem has a specific purpose
Each member responds to the behaviour of the other members
Automated up to an extent
Monitoring the whole process
Building Blocks
Automated Course of Actions
Pro-active responses
Speed of response matches the speed of attacks
Being able to decide on solutions based on historical data
Sharing of Information at different levels from local to global
Rapid learning procedures
Communications guided by policy rather than constraints
High levels of collaboration and interoperability
Authentication
Types of Attacks
Brute force attacks
Malware
Hacking attempts
Social Engineering
Insiders
Physical loss and theft
Monitoring
Monitoring forms one of the foundations of the Cyber Ecosystem
Informs about anomalies so that proper countermeasures can be taken
Does not always happen at the system level, unlike standard device monitoring
Business Process Monitoring
Holy grail of monitoring systems
Highest level of abstraction
Generally related to long running transactions
Can serve as a ready metric for overall success of the system
Can only detect problems after they have occurred
Uses complex business logic
Goal: To maintain business continuity
Functional Monitoring
Lower level than Business Process Monitoring
Granularity limited to a single application or node in a distributed architecture
Goal: To assess the availability as well as performance of a system
Generally done by bots running scripts on individual systems
Incapable of deciding on countermeasures
Technical Monitoring
Monitoring as a typical system administrator understands
Lowest level of monitoring and responsible for individual pieces of software
Subsystems are considered in isolation, without regard to their contribution to the overall system
Ideal place for designing incident response since the monitoring system is aware of how to modify behaviour of individual subsystems.
Intelligence and Experience Gathering
Currently lacking in existing systems
Could be based on statistical models and data modeling
Should become more accurate based on experience
Should be able to heuristically identify attacks
Could put up some defence against zero-day attacks
Incident Response
Aims to restore the balance of the ecosystem, just like its biological counterpart
Either filter the attack out or sacrifice parts of the system to facilitate containment
Not an isolated process: there are many feedback loops back into monitoring
Dynamically adjusts the response based on current monitoring data
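The monitoring levels and the monitoring-to-response feedback loop from the preceding slides, as an added example that is not part of the original deck: technical monitoring correlates failed logins per source across hosts, the automated course of action blocks the source and escalates the block duration from that source's incident history, and a functional check confirms that legitimate logins stayed available. Hosts, addresses and events are constructed, and the threshold, window and block durations are illustrative assumptions.

```python
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed (time_s, host, src_ip, user, outcome); not real data
    (0, "web1", "198.51.100.7", "alice", "ok"),
    (1, "web1", "203.0.113.9", "root", "fail"),
    (2, "web1", "203.0.113.9", "admin", "fail"),
    (3, "web2", "203.0.113.9", "guest", "fail"),   # 3rd failure within 60 s -> block
    (4, "web2", "203.0.113.9", "root", "fail"),    # dropped while blocked
    (30, "web1", "198.51.100.7", "alice", "ok"),   # legitimate user is unaffected
    (70, "web1", "203.0.113.9", "root", "fail"),   # first 60 s block has expired
    (71, "web2", "203.0.113.9", "root", "fail"),
    (72, "web2", "203.0.113.9", "root", "fail"),   # 2nd incident -> 120 s block
    (100, "web1", "203.0.113.9", "root", "fail"),  # dropped
]

class Ecosystem:
    def __init__(self, threshold=3, base_block_s=60, window_s=60):
        self.threshold, self.base_block_s, self.window_s = threshold, base_block_s, window_s
        self.recent_fail = defaultdict(list)  # technical monitoring: failure times per source
        self.blocked_until = {}               # active course of action per source
        self.incidents = defaultdict(int)     # historical data: incidents per source
        self.log = []                         # (t, host, src, outcome, decision)
    def respond(self, t, src):
        """Incident response: block the source, doubling the duration per prior incident."""
        self.incidents[src] += 1
        duration = self.base_block_s * 2 ** (self.incidents[src] - 1)
        self.blocked_until[src] = t + duration
        self.recent_fail[src].clear()  # feedback into monitoring: start counting afresh
        return duration
    def observe(self, t, host, src, user, outcome):
        """Technical monitoring of one event; sources are correlated across hosts."""
        decision = "allowed"
        if self.blocked_until.get(src, -1) > t:
            decision = "dropped"
        elif outcome == "fail":
            self.recent_fail[src] = [x for x in self.recent_fail[src] if t - x < self.window_s] + [t]
            if len(self.recent_fail[src]) >= self.threshold:
                decision = f"blocked {self.respond(t, src)}s"
        self.log.append((t, host, src, outcome, decision))
        return decision

def run(events, **kw):
    eco = Ecosystem(**kw)
    for ev in sorted(events):
        eco.observe(*ev)
    return eco

def functional_check(eco):
    """Functional monitoring: no legitimate successful login may have been dropped."""
    return not any(o == "ok" and d == "dropped" for _, _, _, o, d in eco.log)
```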
How does everything fit together?
It is a continuous process
Dynamic
Historical data is important
Business continuity important
The goal of the attacker might not be the epicenter of the attack
Source: http://blogs.csoonline.com/business_continuity_event_planning_the_incident_response_team
Incident Response - Implementation
Firewalls
Intrusion Detection and Prevention Systems
Log servers
Configuration Management Servers
Offline resources like Debuggers
Desired Cyber Ecosystem Capabilities
Automated Defense Identification, Selection, and Assessment
Authentication
Interoperability
Machine Learning and Evolution
Security Built in
Business Rules-Based Behavior Monitoring
General Awareness and Education
Desired Cyber Ecosystem Capabilities (continued)
Moving Target
Privacy
Risk Based Data Management
Situation Awareness
Tailored Trustworthy Spaces
Where we stand…
The ecosystem is far from automated. We have a long way to go
Triangulating automated decisions is complicated. Most of the processes are manual and will probably remain so in the near future
The weakest link is generally the End Users
Insiders can cause havoc
It always comes down to the financial incentive for building a proper ecosystem.
References
Developing a healthy cyber ecosystem, http://www.mitre.org/news/digest/homeland_security/10_11/cyber_ecosystem.html
Enabling Distributed Security in Cyberspace, http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Cybersecurity Ecosystem – The Future?, http://www.nextgov.com/cybersecurity/cybersecurity-report/2011/03/cybersecurity-ecosystem-the-future/54390/
Enabling Distributed Security in Cyberspace, http://blogs.msstate.edu/ored/Cyber%20Ecosystem%20I3P%20Presentation%2016%20April%202012%20MSU%20ras.ppt