Maturing Cyber Security Using BioThreat Experiences and Resources
Norman Lee Johnson (njohnson@referentia.com) and Tim Williams (twilliams@referentia.com)
15 Jun 2009
Goal: Provide a new viewpoint for maturing cybersecurity
What was it like to live in London 200 years ago?
• How common was disease?
• Life expectancy?
• What changed?
• Background
• Related work: Adaptive Immunity
• Maturity of Cyber and Bio
• Similarities: Function-Process, System
• Maturing Cyber with Bio: Specific Guidelines, Specific Examples
White House’s 60-day Review of National CyberSecurity
From Pres. Obama’s introduction of the report:
• “…cyberthreat is one of the most serious economic and national security challenges we face as a nation."
• ”…not as prepared as we should be, as a government, or as a country.”
• ”… from a few keystrokes on a computer -- a weapon of mass disruption."
Led by Melissa Hathaway, Senior Advisor to the Director of National Intelligence (DNI) and Cyber Coordination Executive
• Reviewed more than 250 executive orders, policies and advisory reports
• Held 40 meetings with stakeholders
• Reviewed more than 100 papers submitted to it
• “Dealing with security piecemeal by different sectors and stakeholders, and dealing with security as a stand-alone issue, has not provided a secure infrastructure.”
A commentary made the observation:
• ”…It’s like we’re playing football and our adversaries are playing soccer”
Difference in Maturation of Bio and Cyber systems
• Frequency and types of events
• Depth and breadth of response to events
How Public Health was changed over 150 years….
150 years ago: Unstoppable waves of epidemics
100 years ago: Common epidemics stopped
• Changes: Safe water, sanitation and protection against the big killers (e.g., smallpox vaccination)
Currently: Proactive planning and response to “rare” epidemics
• Changes:
1) threat anticipation - deep understanding of threat
2) development of surveillance data streams
3) analysis-visualization of complex data
4) decision-support system-of-system models to predict consequences/benefits
The Maturation of Public Health
• 460 BCE: Birth of Hippocrates, the Father of Medicine
• 910: Rhazes suggests blood is the cause of disease
• 1300’s: Plague in Europe (rats/fleas)
• 1796: Edward Jenner develops first vaccination for smallpox
• 1832: Cholera in London and Paris (water)
• Humans began to investigate how disease spreads
• 1860’s: Introduction of antisepsis in prevention of cross-infection
• 1870’s: Louis Pasteur and Robert Koch establish the germ theory of disease
• 1928: Scottish bacteriologist Sir Alexander Fleming discovers penicillin
• 1940’s-present: Emergence of antibiotic resistance and multi-drug resistance
• 1953: James Watson and Francis Crick describe the structure of DNA
• 1970’s-80’s: Emergence of new viral diseases (Lassa, Ebola, Marburg)
• 1980: W.H.O. (World Health Organization) announces smallpox is eradicated
• 1980’s-90’s: Multi-drug resistant pathogens re-emerge (TB, Staph)
• 1983: HIV, the virus that causes AIDS, is identified
Cyber protection: Policy scale
This is what attackers do:
Attacking Nation/Organization/Individual → Decision To Attack → Threat Creation → Threat Placement → Event/Attack → Escape - Exploitation
How do we operationally respond?
Preparation: Planning, Monitoring and Prevention
Attacking Nation or Organization → Decision To attack → Threat Creation → Threat Placement → Event/Attack → Escape - Exploitation
Interdiction → Containment → Mitigation → Consequence Management → Recovery
Mitigation: Surveillance and Response
Maturity of Program = Pushing out from the event
Preparation: Planning, Monitoring and Prevention
Attacking Nation or Organization → Decision To attack → Threat Creation → Threat Placement → Event/Attack → Escape - Exploitation
• Immature Program: response concentrated at the event itself
• Mature Program: response pushed out to preparation before the event and to consequence management after it
Interdiction → Containment → Mitigation → Consequence Management → Recovery
Mitigation: Surveillance and Response
Similarities - Why Bio is relevant to Cyber
Function-Process Similarities
• The threat-host lifecycle (the infection process)
The Lifecycle of a Threat in a Host System
Threats require a host or host systems - within which they attack, enter, exist, manipulate, steal resources, and evade. The life of a threat is a “threat lifecycle”.
Layers of the environment:
• Outside organization: Systems not under any control
• “Company Network - Firewall”: routers, “Firewall”, Network admins
• Host: Host hardware and software, system isolation-protection, Users and System admins
• Internal Policy-Regulation
Threat Life-Cycle: Enter network → Evade detection → Move to host → Attack or Collect data → Spread to other hosts → Replicate → Exit or communicate outside → Repeat Cycle
Defender Detect and/or Protect Actions: Detect - stop entry → Detect - deter from entry → Detect - locate source, Stop move → Detect - stop attack → Detect - stop spread → Detect - stop replication → Detect - stop communication → Assess damage, etc …
Examples of threat lifecycles:
• Viral threat :
• Denial of service :
• DNS/BGP spoofing :
Similarities - Why Bio is relevant to Cyber
Function-Process Similarities
• The host system immune response options
• Host immune state determines susceptibility
• Host defense options are very similar - Layered defense systems:
  • Cell wall - firewall, with preferential transport
  • Innate immune response - always active
  • Adaptive immune response - takes time to work the first time
  • System isolation
  • Death of host
Similarities - Why Bio is relevant to Cyber
System Similarities
• Direct Consequences
• Secondary and indirect consequences
Maturing the Cyber domain from bio resources
Develop programs that extend out from the event
Similar challenges require similar solutions
• The inherently chaotic nature of these systems requires a data-driven approach
From an Analysis of Cyber Gaps and Bio Opportunities:
• Data stream development
• Surveillance and situational awareness
• Analysis and visualization
• Decision support resources
• Predictive/forecasting simulations
• Consequence-benefit analysis resources
• Resources to integrate all of the above
Analysis of Requirements, Gaps and Resources
Columns: Cyber Resources Required | Existing Cyber Resources | Cyber Gaps: Resources Needed | Enabling Bio-Resources

1. Diverse cyber data
• Required: providing historical and real-time data of current network topology and flow traffic; enclave, component and user activity, access, status
• Existing: Rich and more in development - Network traffic types/volume; current threats, current news
• Gaps: Status of components: susceptibility, symptoms of attack, readiness, activity, component types & programs used
• Bio-Resources: “Genome” threat data bases, “virulence” databases, threat level

2. Analysis and visualization of complex data streams
• Required: past and situational health, attacks, losses; global-to-local drill down, weak-signal precursors, threat ID and responsiveness status, attribution, visualization resources
• Existing: In development - Large data set analysis identifying trends and precursors, anomalous behavior, ideally intuitive analysis of large data sets
• Gaps: Health of network and components, direct and inferred attack status, syndromic precursors to attack ID, forensics, automated threat attribution, …
• Bio-Resources: Threat phylogeny, syndromic surveillance, health metrics, virulence change ID, forensic tools

3. Predictive models of future state/losses from an attack
• Required: given historical and current state, coupled with transparency of outcome-to-cause and uncertainty quantification
• Existing: Scarce - mostly academic simulations of network activity for limited threats; no exhaustive studies of tipping points
• Gaps: Databases of threats, standard threat models, emerging threat theory, effectiveness of response options
• Bio-Resources: Epidemiological simulation resources, studies of mitigation options, infrastructure sims, cost estimates

4. Consequence-benefit resources
• Required: including risk assessment, management and communication, expert-stakeholder conflict resolution
• Existing: Very limited for real-time response; limited for planning; limited fundamental understanding
• Gaps: Metrics for mission readiness, threat-vulnerability mapping, integration of simulations, mission continuity
• Bio-Resources: Standard threat scenarios for uniform preparedness, advanced risk assessment, adversary models

5. Decision-support integration of the above for planning and response
• Required: quantitative and transparent assessment of options, local-to-global cost-readiness tradeoffs, acquisition tools
• Existing: Very limited - currently wet-ware (human) based, no policy-level guidance on infrastructure acquisition, no operations support
• Gaps: Cost-benefit analysis of “what if” scenarios and response options; Risk management and communication tools
• Bio-Resources: Threat anticipation-prediction, risk-based training, multi-stakeholder net-assessment studies, acquisition guidance, etc.
Recommend
More recommend