CyberDEW Een Distributed Early Warning Systeem ten behoeve van Cyber Security

Transcription

1 THALES NEDERLAND B.V. AND/OR ITS SUPPLIERS. THIS INFORMATION CARRIER CONTAINS PROPRIETARY INFORMATION WHICH SHALL NOT BE USED, REPRODUCED OR DISCLOSED TO THIRD PARTIES WITHOUT PRIOR WRITTEN AUTHORIZATION BY THALES NEDERLAND B.V. AND/OR ITS SUPPLIERS, AS APPLICABLE. CyberDEW Een Distributed Early Warning Systeem ten behoeve van Cyber Security NCSRA-II Workshop Critical Infrastructures Frans Jansen

2 2 / Inhoud CyberDEW? Team Ervaringen met SBIR fase1 Intrusion Detection Wat is het, context, het probleem CyberDEW, haalbaarheids studie Onderzoeks vragen Oplossing (Technisch & businesswise) Waarde van de haalbaarheids studie

3 3 / CyberDEW?

4 4 / CyberDEW, a SBIR CyberSecurity project M. Bargh, R. Bakker ICT Security, Information Fusion, Sensors S. Choeni, D. Moolenaar, S. Verwer DataAnalysis, training, testsets THALES Research BL Security S. Iacob, T. Quillinan, P. de Oude InformationSecurity, Fusion, Distributed Datasharing W. Navest, F. Jansen BusinessPlan, System Architecture, Project leading

5 5 / Ervaringen met SBIR, fase1 Consortium tot stand gekomen netwerk Samenwerking 4 partijen, upfront taakverdeling, regelmatige meetings Strak geleid Goed bevallen. Smaakt naar meer Motivatie bedrijfsleven Kleinschalig project.. extern betaald gering risico Relatief gemakkelijk te starten Uitbreiden kennis & netwerk in nieuw domein

6 6 / Intrusion Detection

7 7 / Intrusion Prevention vs. Intrusion Detection Something s wrong Keep em out

8 8 / Intrusion Detection, taxonomy Intrusion Detection Systems, types Network based (NIDS) Based on network traffic promiscuous mode Host based (HIDS) application level Based on logs, O/S audit trails Login attempts, non-normal file access, abnormal sequence of sys calls Detection Methods Signature-based Search for patterns of known attacks. Compare with signatures Few false-positives, not suited for zero-day attacks Anomaly-based Look for out-of-norm behaviour Can detect new types, requires training/yields false positives

9 9 / Intrusion Detection, anomaly based Classical (statistical) Approach 1 st stage: build clean profile 2 nd stage: distinguish normal-anomalous using statistics Artificial Immune System Fingerprints (bit sequences) indicate allowed applications How to (best) represent behaviour in general Data Mining and Machine Learning Other methods Genetic algorithms/particle swarm search Clustering/fuzzy set theory Hierarchical neural networks Signal analysis (wavelet) Hidden Markov Models

10 10 / Intrusion Detection, the current situation Observations Rule based approach leads to False Positives & False Negatives Configuration is complex & environment specific Anomaly based Is hard, much time required to train the system Attacks have become more advanced Carried out in phases: reconnaissance/establishment/exploitation/2 nd spread Distributed out over time & place Attacks remain under the radar Statistical analysis averages out useful information No real false positives/negatives Weak Signals we have a problem

11 11 / CyberDEW, haalbaarheidsstudie

12 12 / CyberDEW, initial principles Mechanism (Clever) Attacks are carried out in phases Reconnaissance, intrusion, exploitation, secondary infection The principle Correlation & Fusion of (in themselves weak) signals can lead to detection Assumptions Causal relation between attack and observable events Change of traffic patterns in themselves too subtle to detect Users detect slowdown/different behaviour CERT alerts in general indicate attacks are going on Attack attempts are correlated in time & place Reconnaissance, carried out in batches temporal relation between scans Attacks simultaneously carried out (hide correlation, increase efficiency)

13 13 / CyberDEW, probleemstelling Causale modellen kunnen worden afgeleid van expert kennis? uitgebreid en getest worden met patronen uit verkeersdata? hoe partiële causale modellen combineren? Informatie van IDS en SIEM Zinvol & hoe efficient verzamelen & delen Wat nodig CyberDEW systeem veilig te maken? Hoe organisaties ertoe bewegen relevante info te delen? Wat is het meest realistische business model? Wat is marktgrootte en ROI? Verantwoordelijkheden van CyberDEW uitgever en gebruiker, hoe handhaven?

14 14 / An innovative solution. CyberDEW Value is found in the combination A solution based on Correlation & fusion using Dynamic Bayesian Networks Framework supports adding/adjusting parallel types of correlators Secure & Scalable Information sharing between nodes Combining information beyond the own domain Usage of heterogeneous information sources Attractive value-proposition for participants

15 15 / CyberDEW, Complex event detection... Alert CyberDEW Node Fuser Temporal correlator... Alert CyberDEW Node Fuser Temporal correlator Alert CyberDEW Node Alert CyberDEW Node Fuser Temporal correlator... Fuser Temporal correlator IDS IDS... IDS IDS IDS... IDS Correlator finds temporal and spatial correlations Fuser uses knowledge of local domain (probability thresholds) to decide if an alert needs to be fired

16 16 / Innovation, worked out further Informatie fusion collecting and combining of weak signals yields more than the sum of all parts IDS alerts Expert reports Intelligence reports (national entities NCSC/GOVCERT) User reports (social media, other organisations) Scalability and ease of configuration Data driven architecture (publish / subscribe) Modular fusion (partial fusion, hierarchically) Secure collaboration in information sharing Already proven in other projects (Martello) Contributor: has a say over contributed information System resilience (detect and counter sabotage)

17 17 / CyberDEW, Architecture ProcessingNode LeafNode

18 18 / CyberDEW, Expert & Analysis Process Integration Weak signals originate from physically distributed sources, e.g. IDS s running on different servers Information sources of physically distributed correlated events must be first collected in order to fuse them Dynamic Process Integration Framework (DPIF) supports integration of heterogeneous information sources and analysis processes (fusion algorithms) DPIF supports easy integration with 3 rd party tools Domain specific algorithms can be created with 3 rd party domain experts and could enrich the solution

19 19 / Example: Banking Domain

20 20 / Business perspectief Markt, daar naar toe & risico s Markt Dreigingen nemen toe 100% bescherming is niet mogelijk Behoefte aan monitoring & vroegtijdige alarmering stijgend Centrale overheid Go-to-market Initiële verkoop aan CyberDEW partners voor verdere ontwikkeling Thales verkooporganisatie (60 landen) + lokaal aanwezig (NL) Schaalbare & flexibele oplossing, competitief met IDS/IPS SOC Continue doorontwikkeling Risico s Ontwikkeling IDS/IPS, SOC

21 21 / Waarde Intrusion detectie door geavanceerde fusie Op basis van informatie sharing & processing framework Early warning met hogere betrouwbaarheid mogelijk Sterk afhankelijk van nauwkeurigheid van modellen Ontwikkelingstijd, 3 rd parties? Fuseert informatie uit veel/diverse bronnen Schaalbaar & toepasbaar op bestaande systemen Sterker naarmate breder