Runtime Intelligence: A new generation of application security and performance controls
Sebastian Holst, PreEmptive Solutions
October 17-18, 2006, Santa Clara, CA
Presentation transcript (slides are marked DRAFT)
Slide 2: It's 2:45 PM. Do you know where your applications are?
Slide 5: The "telling you what I'm going to tell you" slide
– Runtime Intelligence: what it is and why you might care
– Implications and requirements: what's possible, what's missing and what you can expect
– Runtime Intelligence applications and their value propositions: from software suppliers to enterprise consumers; security, compliance and business performance
– Early commercialization: tamper notification and application usage
Slide 6: What is the point of work? (diagram labels: Process, People, Information, Information Systems)
Slide 7: What is the point of work? (same diagram, with The Application added)
Slide 8: The weakest link? (diagram labels: Monitor, Log, Audit)
Applications are legally blind to:
– Usage context
– Deployment scope
– Operational materiality
– Stakeholder orientation
– Supplier interests
Slide 9: What is the point of work? (diagram labels: Process, People, Information, Information Systems; stakeholders: Consumers, Suppliers, Channels, Field service, Finance, Users, Partners, Supply chain, Regulators, Investors, IT service providers, Development, Sales, Manufacturing, CRM)
Slide 10: Pressing issues for Runtime Intelligence
– Senior software executives want insight into channel performance, product and platform usage, quality of service and adoption
– Senior enterprise executives want IT security reassurance but lack the necessary understanding
– Development managers want to align resources with security risks and platform requirements
– IT security managers want credibility
– Product managers want insight into usage and behavior
– Businesses (and business units) want, but are reluctant to provide, comparisons or guidance
– Customer support needs reliable environmental data to provide better individual support and to benchmark across platforms and over time
– Information security and business executives often speak different languages
– All assessments are difficult: too much data, not enough time
Slide 11: What's required
– Usage context: design and development coordination
  – Use case, materiality, coding and data conventions
– Deployment scope: aggregation beyond individual IT domains
  – SaaS or other managed-service archipelago
– Operational materiality: near-time integration with business metrics
  – Activity monitoring and trend analysis incorporating site-specific business information, thresholds and tolerances
– Stakeholder orientation: role-specific dashboards and reports
  – Security, privacy, compliance, performance, financial, sales...
– Additional requirements: best practices, security, privacy and liability
Slide 12: The development process
– Develop
  – Embed attributes: entry and exit points, tamper check methods
  – Utilize the SDK: attack, suspicious use case, positive use case
  – The application is enhanced at the same stage as obfuscation
– Deploy
  – No boundaries: enterprise and supply chain, ISV customer base
– Collect
  – Data is sent via web service (SOAP) to a managed service: collect, burst, fire and forget
  – Opt-in; the default is that no identifiable information is sent
– Enrich
  – Business information is periodically uploaded and integrated into a signal repository
  – Connects supplier and supply chain to the individual user, their "identity" and the business interests they serve
– Analyze and test through managed dashboards
  – Benchmarking, threshold monitoring, trending and visualization
  – Application security, usage, compliance and business performance
– Distribute
  – Access to Runtime Intelligence can be delegated to constituent communities, increasing opt-in and extending the value
– Act
  – Detective controls can lead to faster and more effective responses: environmental hostility, misuse, adoption best practices, etc.
Slide 13: Obfuscation development process (diagram labels: Source Code, Obfuscation Attributes, Compiler, Input Assemblies, External Configuration, External Dependencies, Dotfuscator (Obfuscates, Compacts, Links), Output Assemblies, Map file)
Slide 14: Runtime Intelligence (SO-s) development process (diagram labels: Source Code, Obfuscation Attributes, SO-s Attributes, Compiler, Input Assemblies, SO-s Runtime Assembly (via SDK, via attributes), External Configuration, External Dependencies, Dotfuscator with SO-s Attributes, Output Assemblies (including SO-s runtime), Map file)
Slide 15: SO-s deployment (diagram labels: Application; Dotfuscator: Instrumentation, Obfuscation, Pruning and Consolidation; Runtime SO-s DLL; Signals; Message Buffer)
– SSL option
– Identifiable information is hashed
– Buffer is tunable at development and runtime
– Messages optimized for performance
Slide 16: SO-signal
What's in a signal?
– Anything that can be logged, monitored or audited
– Events
  – Application/process/service events: start/stop, tamper, exception, ...; suspicious, novel, best practice
  – Account access and management events
– Environmental data
  – Runtime stack, application family, application ID
  – License key, identity
– Application data
  – Relevant to the signal, to provide context
How are signals organized?
– Consistent structures and conventions are required to enable security, performance and other aggregation and analysis
"Internally developed applications and independent software vendors should provide log data that supports centralized application security information and event management." Define Application Security Log Output Standards, Amrit T. Williams, Gartner Inc., 4 May 2006
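The signal structure on this slide and the deployment notes on the previous one (hashed identifiers, opt-in by default, a tunable burst buffer, tamper check methods at entry points) can be sketched as a small instrumentation runtime. The following Python block is an added example; it is not PreEmptive's code and does not use the SO-s SDK, Dotfuscator attributes or SOAP. The field names, the HMAC-based pseudonymisation of identifiers, the buffer capacity, the in-memory transport and the constructed "assembly" bytes are all assumptions of this example.

```python
import hashlib
import hmac
import json
import time

# Hypothetical deployment-specific key for pseudonymising identifiers. In a real
# build it would come from configuration, not a source constant (constructed here).
SALT_KEY = b"example-deployment-salt"

# Constructed stand-in for the deployed assembly bytes, with a build-time digest
# recorded for the tamper check. A real build would store the digest apart from
# the image it protects; this example keeps both in one place for brevity.
APP_IMAGE = b"MZ\x90\x00constructed-assembly-bytes-v1.0"
EXPECTED_DIGEST = hashlib.sha256(APP_IMAGE).hexdigest()


def hash_identifier(value):
    """Keyed hash of an identifiable value (license key, user identity) so the
    signal carries a stable pseudonym rather than the value itself."""
    return hmac.new(SALT_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def make_signal(event, app_family, app_id, runtime, data=None,
                license_key=None, identity=None, opt_in=False):
    """Build one signal with a fixed structure (event, environment, context
    data) so a central collector can aggregate across applications."""
    signal = {
        "event": event,          # start, stop, tamper, exception, ...
        "ts": int(time.time()),
        "env": {"runtime": runtime, "family": app_family, "app_id": app_id},
        "data": dict(data or {}),
    }
    # Default: no identifiable information leaves the process. With opt-in,
    # only the keyed hash of the identifier is attached.
    if opt_in and license_key is not None:
        signal["env"]["license"] = hash_identifier(license_key)
    if opt_in and identity is not None:
        signal["env"]["identity"] = hash_identifier(identity)
    return signal


def is_tampered(image, expected_digest):
    """Entry-point tamper check: compare the running image's digest with the
    build-time value. True means the image no longer matches."""
    actual = hashlib.sha256(image).hexdigest()
    return not hmac.compare_digest(actual, expected_digest)


class SignalBuffer:
    """Collects signals and ships them in bursts (fire and forget). `capacity`
    is the tunable buffer size; `send` is the transport callback, which here
    defaults to appending the serialized batch to an in-memory list."""

    def __init__(self, capacity=3, send=None):
        self.capacity = capacity
        self.pending = []
        self.batches = []          # serialized batches handed to the transport
        self.send = send or self.batches.append

    def emit(self, signal):
        self.pending.append(signal)
        if len(self.pending) >= self.capacity:
            self.flush()

    def flush(self):
        """Serialize pending signals as one message; returns 1 if a batch was
        sent, 0 if there was nothing to send."""
        if not self.pending:
            return 0
        batch = json.dumps(self.pending)   # one message per burst
        self.pending = []
        self.send(batch)
        return 1


def run_demo():
    """Start-up sequence: tamper check at the entry point, then start, a
    feature event and stop. Returns the serialized batches that were sent."""
    buf = SignalBuffer(capacity=3)
    env = dict(app_family="DemoSuite", app_id="demo-1.0", runtime="CLR 2.0")
    if is_tampered(APP_IMAGE, EXPECTED_DIGEST):
        buf.emit(make_signal("tamper", **env))
    buf.emit(make_signal("start", **env, license_key="KEY-1234",
                         identity="alice", opt_in=True))
    buf.emit(make_signal("feature", **env, data={"feature": "export"}))
    buf.emit(make_signal("stop", **env))
    buf.flush()
    return buf.batches
```

Calling `run_demo()` sends exactly one batch of three signals; the batch contains the HMAC of the license key and identity but never the raw values, and an image whose bytes differ from the build-time digest produces an extra `tamper` signal ahead of `start`.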
Slide 17: SO-s SaaS (diagram labels: Application Signals, Internet, Msg queue (MSMQ), Secure WebDAV, Signal Validation, Data Validation and insertion into staging tables, Processing for OLAP and source-specific access, Business Information, Business information sources, Runtime Intelligence Virtual Repository, Facilities)
Facilities: dozens of servers, load balanced with a fully redundant architecture and clean separation of tiers, supporting terabytes of extensible storage and security best practices that include regular threat modeling, 3rd-party evaluation, SAS 70 Type II certified facilities, etc.
Slide 18: Software vendor monitoring field adoption and behavior (dashboard screenshot labels: commercial product family; adoption, platform utilization and stability; tamper; relative stability of beta; pipeline activity and stability)
Slide 19: View into active evaluations (dashboard screenshot labels: pipeline dependencies; most active; having problems?)
Slide 21: Availability
– SO-signal: first generation of the SO-s family, distributed as a component of the Dotfuscator family
  – Available now for evaluation
  – Q4: Tamper notification
    – 35% of the packaged software installed on personal computers (PCs) worldwide in 2005 was illegal, and circumvention of license controls is an increasingly common practice (source: BSA)
    – Amounting to $34 billion in lost revenue
    – Posing material security and liability risk to consumers
  – Q1: Usage, stability and environmental controls, offering usage, stability and adoption dashboards in near-time
– Runtime Intelligence is offered on a subscription basis; the software is included in existing Dotfuscator license agreements
Slide 22: Questions? Sebastian Holst, PreEmptive Solutions