Hardware Enabled Zero Day Protection

Similar documents
Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

Deep Security Vulnerability Protection Summary

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

FedVTE Training Catalog SUMMER advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

Analysis One Code Desc. Transaction Amount. Fiscal Period

Industrial Security for Process Automation

Session ID: Session Classification:

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Post-Access Cyber Defense

Hi and welcome to the Microsoft Virtual Academy and

AgriLife Information Technology IT General Session January 2010

Current counter-measures and responses by CERTs

Frontiers in Cyber Security: Beyond the OS

Accenture Cyber Security Transformation. October 2015

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

Security Overview of the Integrity Virtual Machines Architecture

How To Protect A Network From Attack From A Hacker (Hbss)

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

24/7 Visibility into Advanced Malware on Networks and Endpoints

Advanced Persistent Threats

Certification Programs

Choosing Between Whitelisting and Blacklisting Endpoint Security Software for Fixed Function Devices

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

Information. Product update Recovery. Asset manager. Set console address Create recovery point. Client properties

Cisco Advanced Services for Network Security

Access FedVTE online at: fedvte.usalearning.gov

Oracle Database Security Myths

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Providing a jump start to EFI application development and a uniform pre-boot environment

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

WIND RIVER SECURE ANDROID CAPABILITY

Guardian: Hypervisor as Security Foothold for Personal Computers

Enterprise Cybersecurity: Building an Effective Defense

NICE and Framework Overview

HP Compaq dc7800p Business PC with Intel vpro Processor Technology and Virtual Appliances

Virtualization for Security

A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

The Operating System Lock Down Solution for Linux

Leading by Innovation McAfee Endpoint Security The Future of Malware-Detection: Activate protection on all Layers outside the Operating System

05 June 2015 A MW TLP: GREEN

McAfee Endpoint Protection Products

Covert Operations: Kill Chain Actions using Security Analytics

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Facilitated Self-Evaluation v1.0

Locking down a Hitachi ID Suite server

DOBUS And SBL Cloud Services Brochure

13.6 PRODUCT RELEASE AND ROADMAP UPDATE ERIC HARLESS SENIOR PRODUCT MANAGER

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Protect Yourself in the Cloud Age

Case 2:08-cv ABC-E Document 1-4 Filed 04/15/2008 Page 1 of 138. Exhibit 8

Defending Against Cyber Attacks with SessionLevel Network Security

TLP: GREEN FBI. FBI Liaison Alert System # A MW

Attacking Hypervisors via Firmware and Hardware

McAfee Security Architectures for the Public Sector

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Cyber R &D Research Roundtable

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

How to Secure Infrastructure Clouds with Trusted Computing Technologies

McAfee Network Security Platform

Space Ground Services in the Joint Information Environment (JIE)

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

Perspectives on Cybersecurity in Healthcare June 2015

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

UEFI on Dell BizClient Platforms

Trustworthy Computing

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

The Value of Physical Memory for Incident Response

Hardware Backdooring is practical. Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian)

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

Alexandria Overview. Sept 4, 2015

Cost effective methods of test environment management. Prabhu Meruga Director - Solution Engineering 16 th July SCQAA Irvine, CA

What is Next Generation Endpoint Protection?

DATA CENTER IPS COMPARATIVE ANALYSIS

Solution Guide Parallels Virtualization for Linux

McAfee MOVE / VMware Collaboration Best Practices

Transcription:

Hardware Enabled Zero Day Protection Cyber Security Division 2012 Principal Investigators Meeting October 11, 2012 Paul A. Rivera President/CEO Def-Logix, Inc. Email: privera@def-logix.com Phone: 210-478-1369

Introduction Company founded in 2008 Based out of San Antonio, Texas Primary customer is USAF

Team Team Member Roles Background Paul Rivera (KEY) Program / Project Manager and Principal Investigator 16+ years of Computer and network security research and development. Specializing in development and testing of Intrusion Detection/Prevention Systems, Network Vulnerability scanners and Network Analysis tools. Jeffrey Samas (KEY) Kevin Borden Principal Engineer Project Lead of First Responder and Entrap components. Director/Principal Engineer Project Lead of Enterprise Integration (HBSS integration) 20+ years as an accomplished software developer. Extensive experience in the full SDLC, coding standards, software configuration management, and project management in the cyber security domain, and has specific experience building kernel level applications and Host Based Security System (HBSS) integration. 20+ years of experience in software engineering. Lead developer of DISA s Asset Configuration Compliance Module (ACCM). Extensive development experience with McAfee SDK and HBSS module development.

Team Team Member Roles Background Nicholas Navarro (KEY) Adrienne Young Software Engineer Project Lead of Shimmer and Phoenix Components Software Engineer Developer on Shimmer and Phoenix components 13+ years of experience in information security. Specializing in developing both network security applications and infrastructure solutions. Experienced developing MS Windows kernel/driver level and UEFI applications. 16+ years as a software engineer specializing in Cyber security. Designed applications for real time monitoring and device control. Experienced developing digital forensic and UEFI applications. David Clark Thomas Rognon Testing Engineer Project Lead of Quality Assurance Software Developer User Interface Development 4+ years of unit testing, integration testing, functional testing, system testing, acceptance testing and automated regression testing. 9+ years of experience developing user interfaces and automation. Paul Graves Technical Writer 5+ years of experience developing, gathering, and disseminating technical information among customers and software engineers. Specializing in developing training material, configuration requirement specifications, user and installation guides.

Technical Topic Area TTA #11 Hardware Enabled Trust Hardware can be the final sanctuary and foundation of trust in the computing environment. Hardware can provide a game changing foundation to build on future cyber infrastructure Current technology under utilize hardware capabilities to provide trust and system security. Hardware security solutions will be harder to break and increase the difficulty for an attacker to compromise systems. End to End Trust Enabling hardware to thwart attacks Hardware enabled Resilience 5

Malware is Evolving MS Windows is forcing malware authors to develop new sophisticated new tactics, reaching deep into OS internals. Bootkits like TDL4 arose from the need to circumvent Windows Patch Guard. DNS Changer infection showed the power of this technique. Worse is to come: BIOS malware will likely arise in response to Windows 8 secure boot. Proof of concept BIOS malware Rakshasa (Blackhat 2012) has the ability to infect multiple firmware, giving it the ability to survive HD format and BIOS flashing. IPV4 DNS Changer Infection Map 6

Solution Full Spectrum Protection Host Layers User Space OS libraries and executables Kernel Space system and device drivers UEFI Application Firmware, BIOS and VMM UEFI Drivers NIC, SATA and graphic cards Ring 3 0-1 -2 Def-Logix Technologies First Responder responds to compromise and interfaces with enterprise security architecture Entrap prevents malicious code from executing Shimmer detects compromise and restores the system Phoenix protects Shimmer OS UEFI Hardware

First Responder Process Injection Keyboard Logger Benign Call API/Windows RT Monitoring Windows Kernel

Entrap Applications Application Hybrid Sandbox Pass-to-Hash Anti-Virus Security Programs Kernel Structures IDT Interrupt Descriptor Table SSDT System Service Dispatch Table IRP I/O Request Packets Shadow SSDT

Shimmer Shimmer Application Security Kernel Shimmer Partition

Shimmer Con t Network McAfee epo Hard Drive FR Windows System DLLs, Executables verification verification Critical File Backup verification I m a g e s OS, User Space Shimmer Partition Firmware

UEFI Communication McAfee epo First Responder Windows UEFI Aware UEFI Applications/Hardware

Phoenix Off-CPU Validation System Firmware Integrity check Prior to OS Control Option ROM Network Interface Card 13

HEZDP in action Shimmer Phoenix Load UEFI Shell Firmware Platform Initialization EFI Driver Dispatcher Boot Manager OS Loader Windows Kernel Entrap First Responder Platform Initialization OS Boot Runtime 14

HEZDP in the Enterprise Internet Attack Thwarted Entrap First Responder Security Management Server End-to-End Trust Resilience Phoenix First Shimmer Responder 15

TTA Criteria BAA-TTA-11 Question First Responder Entrap Shimmer Phoenix Is the system secure? Is it in good standing? Is it trustworthy? Even if broken in the future, can past operations be trusted? Is the system genuine? What was its path from manufacturing to system prototype demonstration in an operational environment? N/A N/A N/A N/A Was the design of its elements compliant with the best industry and technology practices? 16

Technical Challenges Legacy BIOS and Option ROM device support. The Compatibility Support Module (CSM) is provided to address the two key technical issues. Instability and Recovery Shimmer recovery toolset Existing Infrastructures and Legacy OS support Securing the UEFI Partition Disable mountvol command. Control access to UEFI partition Encryption Firmware password Enterprise Level Deployment 17

Schedule Phase 1 - Elicitation and Elaboration Phase 2 - Developm Configuration Requirements Specification 13 Nov First Responder 11 Jan 9 Oct Presentation Materials Rqrments Definition 11 Oct Kickoff Meeting Design Shimmer 12 Oct Financial Report Master Test Plan 27 Nov Technical 14 Report Dec Develop Environment Oct Nov Dec Jan 2012 2013

Milestones Milestone Date Comment Prototypes First Responder 11 Jan 2013 Entrap 11 Feb 2013 Shimmer 11 Mar 2013 Phoenix 11 Apr 2013 HBSS Integration epo Integration Fieldable Prototype 1 May 2013 Infrastructure Support 4 Jun 2013 GUI, Deployment, Console Management 2 Jul 2013 Begin Final Field Regression Testing

Deliverables Item Deliverable Date Comment A001 Financial Report Technical Report 12 Oct 2012 Initial Report, followed by Monthlies 14 Dec 2012 Initial Report, followed by Quarterlies A002 Presentation Materials 9 Oct 2012 A003 CRS 13 Nov 2012 Configuration Requirements Specification A004 Master Test Plan 27 Nov 2012 A005 User Guide 12 Apr 2013 Installation Guide 12 Apr 2013 Release Notes 12 Apr 2013 A006 Initial Release 11 Oct 2013 Binaries, Source, Packaging Information A007 Final Release 11 Feb 2014

Deliverables Deliverable Date Comment Kickoff Meeting 11OCT12 Status Review Meetings Quarterly Dates to be set by AFRL PM Interim Meetings TBD Schedule/Medium to be set by AFRL PM Interim Deliverables Quarterly Dates to be set by AFRL PM

Technology Transition DETER Lab PREDICT and SWAMP Government Pilot in DISA, DoD and/or USAF Colleges and Universities Build relationships with local universities and colleges Commercial Leverage existing relationship with McAfee Software Innovation Alliance (SIA) 22

Quad Chart BAA Number: Cyber Security BAA 11-02 Title: Hardware Enabled Zero-Day Protection (HEZDP) Offeror Name: Def-Logix, Inc Date: July 7, 2011 Operational Capability: 1. Performance targets: Prevention of exploits, defense against pass-the-hash and AV Bypass techniques. 2. Quantify performance for key parameters: Prevent 90% of exploits. Stop lateral movement via Pass The Hash (PTH). Secure integrity of AV and other host based defense systems. 3. Cost of ownership: Leverages existing deployed technology reducing overall costs. HEZDP technology adheres to multi-tiered license model to maximize adoption across organizations. 4. Addresses BAA goals: Fulfills TTA 11 goals providing a holistic approach in combating malicious activity. Proposed Technical Approach: 1. Provides layered defense from Ring -2 to Ring 3. Protects against exploits. Protect against Pass-the-Hash and AV Bypass Techniques. Existing commercial solutions are easily bypassed as they lack appropriate Ring -1 and Ring -2 defenses. 2. Extend Entrap to prevent of exploits. Develop Shimmer to ensure integrity of Entrap and AV structures as well as provide protection against Pass-the-Hash. Develop Phoenix to provide out-of-band integrity checks. Integrate into enterprise management frameworks such as McAfee epo. 3. Protects against 70% of exploits Entrap near completion. First Responder, Phoenix and Shimmer are in initial R&D stages 4. & 5. Internal R&D. Schedule, Cost, Deliverables, & Contact Info: Type II Proposal. 21 month effort, first operational prototype after nine months. v1.0 deliverable 18 months after award. v1.1 delivered upon completion. Deliverables: Includes software binaries and executable; Complete user and administrative documentation, Final Technical Report. Corporate Information: Def-Logix, Inc. 10010 San Pedro, Suite 510 San Antonio, TX 78216 Technical POC: Paul A. Rivera Technical POC email: privera@def-logix.com Technical POC Phone: 210-478-1369 23

Questions? 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information