Enabling Distributed Security in Cyberspace: Strengthening the Cyber Ecosystem (April 2012)
What is a Secure Cyber Ecosystem?
• Concept that the cyber “ecosystem” of organizations, people, and devices is able to work together in near-real time to:
  • Anticipate and prevent cyber attacks
  • Limit the speed of attacks across devices
  • Minimize the consequences of attacks
  • Recover to a trusted state
What is a Secure Cyber Ecosystem? (cont.)
• Security capabilities built into cyber devices enable preventative and defensive courses of action
• Enabling automated responses by the devices to events in their environment
• Cyber equivalent of the human immune system
Cyber Ecosystem – Building Blocks
• Automation – Block 1
  • Automated Courses of Action (ACOAs): actions taken in response to a situation
  • Allows the speed of response to approach the speed of attack
  • Allows for adopting new or proven security solutions
  • Sharing of information among local, mobile, and global entities
  • Enables the ecosystem to sustain itself and its supported missions while responding to attack
  • Rapid learning by machines and humans
Cyber Ecosystem – Building Blocks
• Interoperability – Block 2
  • Allows communications to be defined by policy rather than technical constraints
  • Enables cyber participants to collaborate seamlessly and dynamically in automated community defense and response
  • Enables a common operational picture and shared situational awareness
Cyber Ecosystem – Building Blocks (Block 2 Continued)
• Three Types of Interoperability
  • Semantic: the ability of each party to understand shared data
  • Technical: the ability for different technologies to communicate and exchange data based upon widely defined and widely adopted interface standards
  • Policy: common business processes related to the transmission, receipt, and acceptance of data among participants
Cyber Ecosystem – Building Blocks (Block 2 Continued)
• Security Content Automation Protocol (SCAP) specifications:
  • Languages: provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results
  • Enumerations: define a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature. For example, CVE provides a dictionary of publicly known information security vulnerabilities and exposures
  • Measurement and Scoring Systems: evaluate specific characteristics of a vulnerability and, based on those characteristics, generate a score that reflects the vulnerability’s severity
Cyber Ecosystem – Building Blocks
• Authentication – Block 3
  • Assured means of identifying entities and authorized actions
  • Sending and receiving parties are known and accountable for their actions
  • Protects anonymity when needed
Cyber Ecosystem – Levels of Maturity
• Edge: network devices have widespread and easy access to information; sharing information and distributed decision making enable agile and adaptable defense
• Collaborative: multiple devices have a common plan of action, significant distributed decision making, resource sharing and information sharing
• Coordinated: multiple linked devices with shared security policies and some pooling of information and resources
• Deconflicted: partitioning of the problem space to avoid adverse cross-effects; limited information sharing and interaction
• Isolated: individual devices, no shared objectives, information distribution or other interaction among devices
Maturity and Agility of Collaborative Defenses (levels listed from highest to lowest maturity and agility)
• Edge
  • Rich interaction and decision-making
  • Agile, adaptable, and coordinated
  • Extensive sharing, dynamic, and tailored
• Collaborative
  • Multiple devices and groups work together
  • Autonomous action delegated appropriately
  • Coordinated policies, configurations, resources
• Coordinated
  • Groups of devices work together; some groups interact
  • Links between systems enhance collaboration
  • Some sharing of policies, configurations, and resources
• De-conflicted
  • Establish groups to minimize adverse cross effects
  • Localized reporting and information sharing
  • Responses communicated locally, but are not coordinated
• Isolated
  • Devices respond independently
  • No shared objectives; devices focus on themselves
  • No information distribution; devices have only organic information
Additional Considerations
• Scope
  • Enterprise focus needs to be expanded – mobility and cloud
  • Leverage full situation awareness (e.g., ISPs, vendors, enterprises)
• Behavior based modeling and monitoring
• Software
• Exceptions to normal behavior/patterns of an individual’s computer usage
• Organization’s data being used in a manner consistent with business rules
• Risk based data management
• Data tagging and motion
• Resilient communications for response & restoration
• Moving target
• Network Access Control and monitoring (e.g., EINSTEIN)
A future ecosystem incorporates multiple capabilities within the three functional areas of technology, process, and people.
Foundations of the Cyber Ecosystem – an integrated security operating foundation which is:
• Cost effective
• Flexible
• Interoperable
• Stable
• Enables rapid integration of new capabilities from multiple sources
• Moving target
Attributes of the Cyber Ecosystem
• Technology
  • Healthy cyber devices will incorporate standards-based authentication, interoperability, automation
  • Business rules based malicious behavior detection, and risk based data management
  • Cyber devices will provide security, affordability, ease of use and administration, scalability, and interoperability
  • Barriers to automated collaboration are based on policy, not technology limitations
• Process
  • Incentives for information sharing
  • Organize cyber defense so that machines defend against machines and people defend against people
  • Economic based decision process – risk based cybersecurity investments
• People
  • The healthy cyber participants have continuing access to a range of education, training, and awareness opportunities, such as exercises, simulations, and fully‐immersive learning environments
  • Have validated skills that have been codified for their occupations or positions and strongly proofed cyber identities
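The "behavior based modeling and monitoring" consideration (exceptions to an individual's normal usage pattern, data used consistently with business rules) and the "business rules based malicious behavior detection" attribute above describe a detection idea without showing its shape. The following is an added example, not code from the DHS deck: it builds a per-user baseline from a trusted history of access events and then tags later events that either break an explicit business rule (which roles may handle which data classes) or deviate from the user's own established pattern (unfamiliar host, hour outside the usual window, volume far above the prior maximum). Every user, role, host and event below is constructed for the example; the role policy and the volume factor are illustrative assumptions.

```python
"""Added example: a small business-rules-plus-baseline behaviour monitor."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    host: str
    hour: int          # 0-23, local time of the access
    data_class: str    # e.g. "public", "internal", "pii"
    records: int       # number of records touched


# Business rule (assumed for the example): data classes each role may handle.
ROLE_POLICY = {
    "hr": {"public", "internal", "pii"},
    "eng": {"public", "internal"},
    "contractor": {"public"},
}
VOLUME_FACTOR = 5  # flag when records touched exceed 5x the user's prior maximum


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from the history window."""
    hosts: Set[str] = field(default_factory=set)
    hour_lo: int = 23
    hour_hi: int = 0
    max_records: int = 0


def build_baselines(history: List[AccessEvent]) -> Dict[str, Baseline]:
    """Summarise each user's usual hosts, working-hour window and peak volume."""
    per_user: Dict[str, Baseline] = {}
    for ev in history:
        b = per_user.setdefault(ev.user, Baseline())
        b.hosts.add(ev.host)
        b.hour_lo = min(b.hour_lo, ev.hour)
        b.hour_hi = max(b.hour_hi, ev.hour)
        b.max_records = max(b.max_records, ev.records)
    return per_user


def evaluate(ev: AccessEvent, baselines: Dict[str, Baseline]) -> List[str]:
    """Return finding tags for one event; an empty list means nothing notable."""
    findings: List[str] = []
    # Business rule first: this is a policy violation regardless of pattern.
    if ev.data_class not in ROLE_POLICY.get(ev.role, set()):
        findings.append("policy:role-not-permitted-for-data-class")
    b = baselines.get(ev.user)
    if b is None:
        findings.append("pattern:no-baseline-for-user")
        return findings
    if ev.host not in b.hosts:
        findings.append("pattern:new-host")
    if not (b.hour_lo <= ev.hour <= b.hour_hi):
        findings.append("pattern:unusual-hour")
    if b.max_records and ev.records > VOLUME_FACTOR * b.max_records:
        findings.append("pattern:volume-spike")
    return findings


# Constructed history (assumed trustworthy) and constructed probe events.
HISTORY = [
    AccessEvent("alice", "hr", "hr-ws-01", 9, "pii", 40),
    AccessEvent("alice", "hr", "hr-ws-01", 14, "pii", 55),
    AccessEvent("alice", "hr", "hr-ws-02", 11, "internal", 10),
    AccessEvent("bob", "eng", "dev-ws-07", 10, "internal", 300),
    AccessEvent("bob", "eng", "dev-ws-07", 16, "public", 120),
]
PROBES = [
    AccessEvent("alice", "hr", "hr-ws-01", 10, "pii", 45),             # within pattern
    AccessEvent("alice", "hr", "kiosk-lobby", 3, "pii", 5000),         # new host, 3 am, bulk
    AccessEvent("bob", "eng", "dev-ws-07", 10, "pii", 20),             # role not permitted
    AccessEvent("mallory", "contractor", "vpn-gw", 12, "internal", 1),  # unknown user, policy
]


def run(history=HISTORY, probes=PROBES) -> Dict[int, List[str]]:
    """Evaluate every probe against baselines built from the history."""
    baselines = build_baselines(history)
    return {i: evaluate(ev, baselines) for i, ev in enumerate(probes)}


if __name__ == "__main__":
    for i, tags in run().items():
        print(i, PROBES[i].user, tags or ["ok"])
```

Keeping the business-rule check separate from the pattern checks matters operationally: a policy violation is actionable on its own and should not be diluted by baseline noise, while pattern deviations are only signals and are best escalated when several co-occur, as in the second probe.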
Desired Cyber Ecosystem Capabilities
• Automated Defense Identification, Selection, and Assessment
• Authentication
• Interoperability
• Machine Learning and Evolution
• Security Built in
• Business Rules-Based Behavior Monitoring
• General Awareness and Education
• Moving Target
• Privacy
• Risk-Based Data Management
• Situational Awareness
• Tailored Trustworthy Spaces
Attack Categories Addressed By Desired Cyber Ecosystem Capabilities
(Table mapping attack categories to capabilities; only the title and the "Attacks" column header survive.)
Cyber Ecosystem – Next Steps
• Develop roadmap
• Identify additional building blocks
• Joint RFI by DHS/NIST
• Verify that the capabilities address attack vectors
• Seek and organize community of interest
• Develop draft roadmap/architecture
Questions
• Can we use the Cyber Ecosystem as the basis for a To-Be Architecture?
• What are the most challenging or intractable issues or concerns?
• What are some current initiatives, projects, or capabilities that could have applicability?
  • Especially any work or research related to authentication, automation, and interoperability
• Who is doing research and development, policy work, or process work related to the Cyber Ecosystem?
Cyber Ecosystem Roadmap – Issues
• How to measure, validate and communicate the “business case”
• Commercial firms conforming to standards
• Governance model that allows owners to cede decision making to the community
• Building more secure and better quality software
• Progress in solving hard problems and fielding capabilities that implement that progress
Questions
• Please identify concerns regarding the legal, policy or technical implications of the Cyber Ecosystem.
• Please provide constructive feedback that can help shape the successful implementation of the Cyber Ecosystem.
• Are there any topics or issues that you recommend be considered by DHS, industry, or industry/government working groups?
Questions
• What pieces are missing?
• Can you recommend technologies for potential early adoption or demonstration?
• Can you recommend use cases for potential early adoption or demonstration?
• Please identify potential areas of collaboration between industry/academia and DHS to conduct research or pilots in support of the Cyber Ecosystem implementation.
Questions
• Are you aware of information that would help finalize a comprehensive definition of a cyber ecosystem?
• What is a feasible timeframe for actually implementing and operating such a definition/vision?
• What are the most important technologies, issues, or concerns associated with the cyber ecosystem?
Cyber Ecosystem – Selected Attributes
• Assured
• Usable
• Information connected across space and time
• Rapid and essentially universal learning
• Greater attribution
Cyber Ecosystem – Selected Attributes
• New defensive tactics
• Constant feedback
• Self aware/User aware
• Autonomously reacting & dynamic
• Resilient
• Greater network reach
Mapping: Analysis of intersections between the various “ecosystem” related documents
Several capabilities within the DHS Blueprint and the DHS and White House R&D strategies directly support the same efforts proposed in the Ecosystem Whitepaper.
Columns of the original table: DHS “Ecosystem Whitepaper” building block; topics included; where the DHS “Blueprint” addresses the building block; DHS R&D / EOP R&D; Other.
• Automation
  • Includes the topics: Designed-In Security; Moving Target
  • DHS “Blueprint”: Objectives 2, 4, and 16
  • DHS R&D / EOP R&D: Problems 1, 7, and 8
  • Other: No direct intersection
• Interoperability
  • DHS “Blueprint”: Objectives 15 and 17
  • DHS R&D / EOP R&D: Problems 1 and 6
• Authentication
  • Includes the topics: Tailored trustworthy spaces; National Priority – NSTIC
  • DHS “Blueprint”: Objective 14
  • DHS R&D / EOP R&D: Problems 4, 6, 10, and 11
  • Other: EOP “National Strategy for Trusted Identities in Cyberspace”
• Incentives and Adoption (where incentives and adoption are addressed)
  • Includes the topics: Cyber Economic Incentives; Adoption
  • DHS “Blueprint”: Objectives 1, 7, 12, 13, 19, and 20 (Capabilities 6, 33, 50, 57, 70-75)
  • DHS R&D / EOP R&D: Problems 1 and 4