
Cyber Ecosystem & Data Security

Subhro Kar, CSCE 824, Spring 2013

University of South Carolina, Columbia

What is an Ecosystem?

Definition

Functional Units

Relationships

Balance

Comparison with Cyber Space

Biological Ecosystems

The components of the system are closely related

The balance is always maintained

Relationships are well defined

Monitored by nature

Source: http://www.tutorvista.com/content/biology/biology-iv/ecosystem/food-web.php


Evolution of the Cyber Ecosystem

A typical Network Diagram

Source: http://www.broadband.gov/plan/16-public-safety/

What is a Cyber Ecosystem?

Entities in the network are not considered merely in isolation

Each member has a specific goal

Each member is related to every other member in one way or the other

Processes are important

Anticipate and prevent attacks

Limit the speed of attacks across devices

Recover to a trusted state

What is a Cyber Ecosystem?

Devices have a level of built-in security

Automated responses

Immunity

Malware Ecosystem

Each member in the ecosystem has a specific purpose

Each member responds to the behaviour of the other members

Automated up to an extent

Monitoring the whole process

Building Blocks

Automated Course of Actions

Pro-active responses

Speed of response matches the speed of attacks

Being able to decide on solutions based on historical data

Sharing of Information at different levels from local to global

Rapid learning procedures

Communications guided by policy rather than constraints

High levels of collaboration and interoperability

Authentication

Types of Attacks

Brute force attacks

Malware

Hacking attempts

Social Engineering

Insiders

Physical loss and theft

Monitoring

Monitoring forms one of the foundations of the Cyber Ecosystem

Informs about anomalies so that proper countermeasures can be taken

Does not always happen at the system level, unlike standard device monitoring

Business Process Monitoring

Holy grail of monitoring systems

Highest level of abstraction

Generally related to long running transactions

Can serve as a ready metric for overall success of the system

Can only detect problems after they have occurred

Uses complex business logic

Goal: To maintain business continuity

Functional Monitoring

Lower level than Business Process Monitoring

Granularity limited to a single application or node in a distributed architecture

Goal: To assess the availability as well as performance of a system

Generally done by bots running scripts on individual systems

Incapable of deciding on countermeasures

Technical Monitoring

Monitoring as a typical system administrator understands

Lowest level of monitoring and responsible for individual pieces of software

Subsystems are considered in isolation, without regard to their contribution to the system as a whole

Ideal place for designing incident response since the monitoring system is aware of how to modify behaviour of individual subsystems.

Intelligence and Experience Gathering

Currently lacking in existing systems

Could be based on statistical models and data modeling

Should become more accurate based on experience

Should be able to heuristically identify attacks

Could put up some defence against zero-day attacks

Okay!! I got attacked… Now what??!!

Incident Response

Aims to restore the balance of the ecosystem, just like its biological counterpart

Either filter the attack out or sacrifice parts of the system to facilitate containment

Not an isolated process: there are many loopbacks to monitoring

Dynamically adjusts its response based on current monitoring data
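The "Intelligence and Experience Gathering" and "Incident Response" slides describe a loop: technical monitoring produces counts, a statistical baseline learnt from history flags anomalies, an automated course of action is chosen, and the outcome feeds back into monitoring. The following is an added example, not code from the slides or from any of the referenced papers; the log format, host names, thresholds (three standard deviations above the mean, a floor of five events per minute, escalation after three consecutive anomalous windows) and the `Baseline`/`Responder` classes are all assumptions made for illustration, and the log lines are constructed.

```python
"""Toy monitoring-to-response loop (added example; all data constructed)."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed sample log, one event per line: "<minute> <host> <event>".
# Minutes 1-5 are quiet (web01: 1 failure/min, web02: 2 failures/min);
# from minute 6 web01 sees a burst of 40 failures/min while web02 stays flat.
SAMPLE_LOG = "\n".join(
    [f"{m} web01 auth_fail" for m in range(1, 6)]
    + [f"{m} web02 auth_fail" for m in range(1, 6) for _ in range(2)]
    + [f"{m} web01 auth_fail" for m in range(6, 9) for _ in range(40)]
    + [f"{m} web02 auth_fail" for m in range(6, 9) for _ in range(2)]
)


def parse_counts(log_text):
    """Technical monitoring: count auth_fail events per minute and host."""
    per_minute = defaultdict(lambda: defaultdict(int))
    hosts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        minute, host, event = line.split()
        hosts.add(host)
        if event == "auth_fail":
            per_minute[int(minute)][host] += 1
    return per_minute, sorted(hosts)


class Baseline:
    """Per-host baseline learnt from history (the 'experience' layer)."""

    def __init__(self, window=5, min_history=3, sigmas=3.0, floor=5):
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.min_history = min_history  # how much experience before judging
        self.sigmas = sigmas            # assumed: mean + 3 sigma is anomalous
        self.floor = floor              # assumed: never alert below 5/min

    def is_anomalous(self, host, count):
        hist = self.history[host]
        if len(hist) < self.min_history:
            return False  # not enough experience yet, stay quiet
        threshold = max(self.floor, mean(hist) + self.sigmas * pstdev(hist))
        return count > threshold

    def learn(self, host, count):
        self.history[host].append(count)


class Responder:
    """Incident response: picks a course of action, escalates if it persists."""

    def __init__(self, escalate_after=3):
        self.strikes = defaultdict(int)
        self.escalate_after = escalate_after
        self.actions = []  # (minute, host, action): the audit trail

    def respond(self, minute, host, anomalous):
        if not anomalous:
            self.strikes[host] = 0  # back to balance, reset escalation
            return None
        self.strikes[host] += 1
        # Containment first (rate limit), sacrifice the node only if it persists.
        action = "rate_limit" if self.strikes[host] < self.escalate_after else "isolate"
        self.actions.append((minute, host, action))
        return action


def run_loop(log_text, baseline=None, responder=None):
    """Monitor -> detect -> respond -> feed back, one minute at a time."""
    baseline = baseline or Baseline()
    responder = responder or Responder()
    per_minute, hosts = parse_counts(log_text)
    for minute in sorted(per_minute):
        for host in hosts:
            count = per_minute[minute].get(host, 0)
            anomalous = baseline.is_anomalous(host, count)
            responder.respond(minute, host, anomalous)
            # Loopback: only windows judged normal train the baseline, so an
            # ongoing attack cannot teach the system that 40/min is normal.
            if not anomalous:
                baseline.learn(host, count)
    return responder.actions


if __name__ == "__main__":
    for minute, host, action in run_loop(SAMPLE_LOG):
        print(f"minute {minute}: {host} -> {action}")
```

Running it shows web01 being rate limited at minutes 6 and 7 and isolated at minute 8, while web02's steady two failures per minute never trip the baseline. The design choice worth noting is the feedback rule: anomalous windows are reported but not learnt, which is what keeps "becoming more accurate based on experience" from degrading into being trained by the attacker.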

How does everything fit together?

It is a continuous process

Dynamic

Historical data is important

Business continuity important

The goal of the attacker might not be the epicenter of the attack

Source: http://blogs.csoonline.com/business_continuity_event_planning_the_incident_response_team

Incident Response - Implementation

Firewalls

Intrusion Detection and Prevention Systems

Log servers

Configuration Management Servers

Offline resources like Debuggers

Desired Cyber Ecosystem Capabilities

Automated Defense Identification, Selection, and Assessment

Authentication

Interoperability

Machine Learning and Evolution

Security Built in

Business Rules-Based Behavior Monitoring

General Awareness and Education

Desired Cyber Ecosystem Capabilities

Moving Target

Privacy

Risk Based Data Management

Situation Awareness

Tailored Trustworthy spaces

Where we stand…

The ecosystem is far from automated. We have a long way to go

Triangulating automated decisions is complicated. Most of the processes are manual and will probably remain so in the near future

The weakest link is generally the End Users

Insiders can cause havoc

It always comes down to the financial incentive to build a proper ecosystem.

References

Developing a healthy cyber ecosystem, http://www.mitre.org/news/digest/homeland_security/10_11/cyber_ecosystem.html

Enabling Distributed Security in Cyberspace, http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf

Cybersecurity Ecosystem – The Future?, http://www.nextgov.com/cybersecurity/cybersecurity-report/2011/03/cybersecurity-ecosystem-the-future/54390/

Enabling Distributed Security in Cyberspace, http://blogs.msstate.edu/ored/Cyber%20Ecosystem%20I3P%20Presentation%2016%20April%202012%20MSU%20ras.ppt

Questions??

Source: http://what-if.xkcd.com