Presentation on theme: " Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia."— Presentation transcript:
Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia
What is an Ecosystem? Definition Functional Units Relationships Balance Comparison with Cyber Space
Biological Ecosystems The system is closely related The balance is always maintained Relationships are well defined Monitored by nature Source: http://www.tutorvista.com/content/biology/biology-iv/ecosystem/food-web.php
Evolution of the Cyber Ecosystem
A typical Network Diagram Source: http://www.broadband.gov/plan/16-public-safety/
What is a Cyber Ecosystem? Entities in network are not merely considered in isolation Each member has a specific goal Each member is related to every other member in one way or the other Processes are important Anticipate and prevent attacks Limit the speed of attacks across devices Recover to a trusted state
What is a Cyber Ecosystem? Devices has a level of built in Security Automated responses Immunity
Malware Ecosystem Each member in the ecosystem has a specific purpose Each of the members respond to the behaviour of other members Automated upto an extent Monitoring the whole process
Building Blocks Automated Course of Actions Pro-active responses Speed of response matches the speed of attacks Being able to decide on solutions based on historical data Sharing of Information at different levels from local to global Rapid learning procedures Communications guided by policy rather than constraints High levels of collaboration and interoperability Authentication
Types of Attacks Brute force attacks Malware Hacking attempts Social Engineering Insiders Physical loss and theft
Monitoring Monitoring forms one of the foundations of the Cyber Ecosystem Informs about anomalies so that proper countermeasures can be taken Does not always happen at the system level contrary to standard device monitoring
Business Process Monitoring Holy grail of monitoring systems Highest level of abstraction Generally related to long running transactions Can serve as a ready metric for overall success of the system Can only detect problems post their occurrences Uses complex business logic Goal: To maintain business continuity
Functional Monitoring Lower level than Business Process Monitoring Granularity limited to a single application or node in a distributed architecture Goal: To assess the availability as well as performance of a system Generally done by bots running scripts on individual systems Incapable of deciding on countermeasures
Technical Monitoring Monitoring as a typical system administrator understands Lowest level of monitoring and responsible for individual pieces of software Subsystems are considered in isolation and has nothing to do with their contribution to the system Ideal place for designing incident response since the monitoring system is aware of how to modify behaviour of individual subsystems.
Intelligence and Experience Gathering Currently lacking in existing systems Could be based on statistical models and data modeling Should become more accurate based on experience Should be able to heuristically identify attacks Could put up some defence against 0 day attacks
Okay!! I got attacked… Now what??!!
Incident Response Targets for restoring the balance of the ecosystem just like its biological brother Either filter it out or sacrifice parts of the system to facilitate containment Not an isolated process. There are lots of loopbacks to the monitoring Dynamically adjusts itself to adjust response based on current monitoring data
How does everything fit together? It is a continuous process Dynamic Historical data is important Business continuity important The goal of the attacker might not be the epicenter of the attack Source: http://blogs.csoonline.com/business_continuity_event_planning_the_incident_response_team
Incident Response - Implementation Firewalls Intrusion Detection and Prevention Systems Log servers Configuration Management Servers Offline resources like Debuggers
Desired Cyber Ecosystem Capabilities Automated Defense Identification, Selection, and Assessment Authentication Interoperability Machine Learning and Evolution Security Built in Business Rules-Based Behavior Monitoring General Awareness and Education
Where we stand… The ecosystem is far from automated. We have a long way to go Triangulating automated decisions are complicated. Most of the processes are manual and will probably remain so in the near future The weakest link is generally the End Users Insiders can cause havocs It is always about the financial incentive of being able to build a proper ecosystem.
References Developing a healthy cyber ecosystem, http://www.mitre.org/news/digest/homeland_security/10_11/cyber_ecosystem.html http://www.mitre.org/news/digest/homeland_security/10_11/cyber_ecosystem.html Enabling Distributed Security in Cyberspace, http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf Cybersecurity Ecosystem – The Future? http://www.nextgov.com/cybersecurity/cybersecurity-report/2011/03/cybersecurity- ecosystem-the-future/54390/ http://www.nextgov.com/cybersecurity/cybersecurity-report/2011/03/cybersecurity- ecosystem-the-future/54390/ Enabling Distributed Security in Cyberspace, http://blogs.msstate.edu/ored/Cyber%20Ecosystem%20I3P%20Presentation%2016%2 0April%202012%20MSU%20ras.ppt http://blogs.msstate.edu/ored/Cyber%20Ecosystem%20I3P%20Presentation%2016%2 0April%202012%20MSU%20ras.ppt