SlideShare una empresa de Scribd logo

27 Nov 2013 Cyber defence CDE themed competition presentations

Defence and Security Accelerator
Defence and Security Accelerator

Centre for Defence Enterprise (CDE) Innovation Network. Themed competition launch - Cyber defence: securing against the insider threat.

TecnologíaEmpresariales
1 de 34
Descargar para leer sin conexión
Room 1 Cyber Defence: Securing Against the Insider Threat Centre for Defence Enterprise (CDE) themed competition 29 November 2013 © Crown copyright 2013 Dstl
Defence challenges in cyber security © Crown Copyright Dstl 2011
The threat, the risk • Increasing in complexity and scale • Diverse, asymmetric & symmetric • “Non-traditional” cyber threats – Electromagnetic attack • MOD’s business – Working in dangerous situations – An obvious target 29 November 2013 © Crown copyright 2013 Dstl
MOD networks • Large and varied – 70+ countries – 1200 UK sites – 800,000 IP addresses – 225,000 users – 95% is made up of 19 core systems with 1000 applications • Planned and ad hoc • Bought as a service 29 November 2013 © Crown copyright 2013 Dstl
Platforms and weapons • Increasingly cyber-enabled, connected platforms • Tighter integration with industry • Complex logistics and support • Supply-chain security 29 November 2013 © Crown copyright 2013 Dstl
“Strange and charmed” systems • Non-standard hardware, software and protocols • Legacy hardware, software and protocols • Low-bandwidth connectivity at the fringes • Outside the envelope of IA and cyber security 29 November 2013 © Crown copyright 2013 Dstl
Defence cyber S&T © Crown Copyright Dstl 2011
Defence cyber S&T programme • Part of national & MOD cyber programmes • £25m p/a and rising • Decision support • Operations • Situational awareness • Defence • Human factors 29 November 2013 © Crown copyright 2013 Dstl
The pipeline • Sponsoring research – Centre for Defence Enterprise (CDE) – Use of existing consortia – Shaping and co-sponsoring academic research – Commercial competitions • Assessing candidate technologies – Intelligent customer function • Test and evaluation – Testbed connected to MOD networks 29 November 2013 © Crown copyright 2013 Dstl
Future challenges • Scale and sophistication of threat – Situational awareness and defence – Big data • Pace of technical changes vs government – Domestic/professional co-existence, bring-your-own-device (BYOD) – Cloud – SMART • Defence-specific issues – Cyber in MOD’s mission – The “strange and charmed” © Crown Copyright Dstl 2011
Cyber Defence: Securing Against the Insider Threat CDE themed competition – launch 27 Nov 2013 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Cyber defence • Substantial efforts are focused on prevention of unauthorised access to systems or platforms • However, this does not prevent the potential abuse of legitimate credentials – Both illegitimate users of legitimate credentials and cyber insiders 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Insider threat • Employee activity (deliberate or accidental) is one of the main causes of internal IT security incidents that lead to the leakage of confidential corporate data • Potential issues for MOD – Reputational damage – Political/diplomatic fallout – National security © BBC 2013 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Aim of this CDE competition Dstl is looking for novel and innovative proofof-concept tools and techniques to detect cyber insider threats or abuse of legitimate user credentials, utilising host-based solutions 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Focus • Challenge is based on detecting anomalous behaviour – Utilising legitimate credentials Malware utilising legitimate credentials Unauthorised personnel utilising legitimate credentials • Three main aspects – Malware – Unauthorised personnel – Legitimate personnel 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED Legitimate personnel utilising legitimate credentials
Types of threat • Malware, individuals or groups Types of activities • Permanent staff, temporary staff or contractors • May be deliberate, accidental or under the influence of a third party Espionage Sabotage Fraud IP Theft Accidental damage Outcome is negative impact on confidentiality, availability and integrity of MOD data 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Anomalous behaviour • Includes that which is significantly different to the standard user behaviour for a given credential set – Especially that which increases the risk to the confidentiality, availability and integrity of MOD data • May only be obvious over time – Each individual action might be innocuous and within the users authorised scope of action • Need to consider the potential risk of actions and how this changes over time (cumulative risk) 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Insider threat • Users often go through five steps for malicious behaviour • However, later attribution is still valuable 1. Exploration 1 Detection 2. Experimentation 0.75 Likelihood 3. Exploitation 4. Execution 5. Escape/Evasion © Crown copyright 2013 Dstl Attribution 0.25 • Want to detect as early as possible 29 November 2013 0.5 0 UK UNCLASSIFIED Time
Baseline behaviour • To spot changes in behaviour, a baseline is needed – Requires minimum burden – Learns regular patterns (diurnal, seasonal, familiarity, aging) – Ideally can account for changes of role (resulting in changed patterns) – Flags, and ideally prioritises, different types of anomalous behaviour for investigation and mitigation – Can account for variance in background behaviour 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Pattern of life baseline M T W T F S S 1 Regular 2 Deadline 3 Remote 4 Change Host 5 Deployed 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Socio-technical indicators Including, but not limited to, aspects such as: Experiences Forensic linguistics etc Contextual Forensic authorship, structural semantic analysis etc Behavioural Aspects of the interaction between the user and the host or platform Physical Potential physical aspects of the user that can be tested and evaluated 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Socio-technical Indicators Including, but not limited to, aspects such as: Connectivity Levels of connectivity, location, bandwidth, access etc Data access Is this consistent with role, are new data sources being sought, etc Exploration Storage & offload 29 November 2013 © Crown copyright 2013 Dstl Is the user exploring new areas unrelated to them, are they trying to access different hosts, seeking new (and unrelated) data sources etc Is the user storing large quantities of data on the local host, are they trying to offload this etc UK UNCLASSIFIED
Socio-technical methods Including, but not limited to, methods such as: Heuristics Al/Bots/Neural Networks Grid Based/Vector Space/Frequency Analysis Statistical Algorithms 29 November 2013 © Crown copyright 2013 Dstl Both behavioural and technical – can we forecast what abnormal looks like for the host? Is it possible to train systems to identify anomalous behaviour? What are the signals of insider threat? Can we identify the stages of activity? Identifying weak signals within a noisy background – individual activities might be innocuous UK UNCLASSIFIED
Socio-technical indicators • No single indicator is likely to give a complete picture • Suppliers need to indentify relevant and complementary indicators that allow for detection of anomalous behaviour – Even when spread over a long time period • Indicators should allow for prioritisation of risk – Which activities are more likely to lead to serious impact to MOD digital assets? 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Host-based solution 29 November 2013 All images taken from theUK UNCLASSIFIED defence image database © Crown copyright 2013 © Crown copyright 2013 Dstl
Different types of host Analysis undertaken on an inline host Analysis directly on the host itself Inline Host Platform (eg ship’s plant) Host 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Central analysis Central analysis Host Host Host Host Potential to perform some central analysis. However, solutions must perform a level of analysis on the host – cannot merely undertake full packet capture 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Testing concept demonstrators • Suppliers are expected to be able to demonstrate the benefits of their chosen approach Data Metrics Suppliers need to have access to a suitable data source to test and refine their choice approach Suppliers need to choose appropriate metrics to demonstrate the benefits of their chosen approach Must be able to demonstrate to Dstl why their data source is applicable Must include computational burden, sensitivity and specificity 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
What we want • Novel and innovative proof-of-concept demonstrators at Technology Readiness Level (TRL) 1-4 • Success metrics for the approach • An initial test plan against relevant exemplar data • A development plan beyond the initial proof-ofconcept phase • Solutions that consider the breadth of MOD hosts 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
What we don’t want • Existing higher TRL solutions or network analysis tools • Proposals that: – Add substantial burden – Expand the threat surface – Force users to alter their behaviour – Do not include some form of demonstrator – Are proprietary black box solutions 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Levels of funding • Dstl have committed up to £1M of funding for the initial proof-of-concept demonstrators • No cap on the value of proposals – However more likely that a larger number of lower-value proposals (eg £50k - £150k) will be funded at this stage • Aiming for an initial demonstration within 3-5 months Submissions via the CDE Portal 17:00 Thursday 9 January 2014 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
Every little helps... • Problem space is broad, complex and challenging • Requires interaction between physical and social sciences • Individual suppliers may only be able to provide a solution to part of the problem space – These pieces are still potentially of value – Networking and collaborating 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED © Dstl 2013
• Technical questions cybersecurityCDE@dstl.gov.uk • CDE questions cde@dstl.gov.uk 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
In conclusion • Opportunity! • Innovation • Demonstration • Focus – Host-based solutions – Abuse of legitimate credentials – “Strange and charmed” • Closing date - Thursday 9 January 2014 at 17:00 hrs! 29 November 2013 © Crown copyright 2013 Dstl

Recomendados

Selling to The IT Department
Selling to The IT DepartmentSelling to The IT Department
Selling to The IT Department
3VR Inc.
 
Interoperability and the Internet of Things – To standardize or not to standa...
Interoperability and the Internet of Things – To standardize or not to standa...Interoperability and the Internet of Things – To standardize or not to standa...
Interoperability and the Internet of Things – To standardize or not to standa...
Real-Time Innovations (RTI)
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Ben Rothke
 
Making sense of big data
Making sense of big dataMaking sense of big data
Making sense of big data
bis_foresight
 
Towards Privacy by Design. Key issues to unlock science.
Towards Privacy by Design. Key issues to unlock science.Towards Privacy by Design. Key issues to unlock science.
Towards Privacy by Design. Key issues to unlock science.
Marlon Domingus
 
Avila 3 b
Avila 3 bAvila 3 b
Avila 3 b
Michael Chastain
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Lecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss PreventionLecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss Prevention
Nicholas Davis
 

Recomendados

Selling to The IT Department
Selling to The IT DepartmentSelling to The IT Department
Selling to The IT Department
3VR Inc.
 
Interoperability and the Internet of Things – To standardize or not to standa...
Interoperability and the Internet of Things – To standardize or not to standa...Interoperability and the Internet of Things – To standardize or not to standa...
Interoperability and the Internet of Things – To standardize or not to standa...
Real-Time Innovations (RTI)
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Ben Rothke
 
Making sense of big data
Making sense of big dataMaking sense of big data
Making sense of big data
bis_foresight
 
Towards Privacy by Design. Key issues to unlock science.
Towards Privacy by Design. Key issues to unlock science.Towards Privacy by Design. Key issues to unlock science.
Towards Privacy by Design. Key issues to unlock science.
Marlon Domingus
 
Avila 3 b
Avila 3 bAvila 3 b
Avila 3 b
Michael Chastain
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Lecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss PreventionLecture Data Classification And Data Loss Prevention
Lecture Data Classification And Data Loss Prevention
Nicholas Davis
 
Data Classification And Loss Prevention
Data Classification And Loss PreventionData Classification And Loss Prevention
Data Classification And Loss Prevention
Nicholas Davis
 
Collaborative defence strategies for network security
Collaborative defence strategies for network securityCollaborative defence strategies for network security
Collaborative defence strategies for network security
sonukumar142
 
Network security
Network securityNetwork security
Network security
Ujjwal 'Shanu'
 
Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44
Jisc
 
The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...
The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...
The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...
Real-Time Innovations (RTI)
 
Cloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best PracticesCloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best Practices
lisaabe
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
Filip Maertens
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
Lumension
 
9 September 2014: automating cyber defence responses CDE themed competition
9 September 2014: automating cyber defence responses CDE themed competition9 September 2014: automating cyber defence responses CDE themed competition
9 September 2014: automating cyber defence responses CDE themed competition
Defence and Security Accelerator
 
18 Dec 2013 - CDE enduring challenge competition webinar
18 Dec 2013 - CDE enduring challenge competition webinar18 Dec 2013 - CDE enduring challenge competition webinar
18 Dec 2013 - CDE enduring challenge competition webinar
Defence and Security Accelerator
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
NetIQ
 
Precision Timing and Navigation - CDE themed call launch 23 April 2013
Precision Timing and Navigation - CDE themed call launch 23 April 2013Precision Timing and Navigation - CDE themed call launch 23 April 2013
Precision Timing and Navigation - CDE themed call launch 23 April 2013
Defence and Security Accelerator
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
Abhishek Kumar Sinha
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
Schneider Electric
 
Network Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.pptNetwork Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.ppt
AkfeteAssefa
 
The Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat IntelligenceThe Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat Intelligence
Imperva
 
Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)
Huntsman Security
 
9780840024220 ppt ch01
9780840024220 ppt ch019780840024220 ppt ch01
9780840024220 ppt ch01
Kristin Harrison
 
The National Archives cloud storage and digital preservation
The National Archives cloud storage and digital preservationThe National Archives cloud storage and digital preservation
The National Archives cloud storage and digital preservation
The-National-Archives
 
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdprIsaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Ulf Mattsson
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Emulex Corporation
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
Peter Wood
 

Más contenido relacionado

La actualidad más candente

Data Classification And Loss Prevention
Data Classification And Loss PreventionData Classification And Loss Prevention
Data Classification And Loss Prevention
Nicholas Davis
 

La actualidad más candente (7)

Data Classification And Loss Prevention
Data Classification And Loss PreventionData Classification And Loss Prevention
Data Classification And Loss Prevention
 
Collaborative defence strategies for network security
Collaborative defence strategies for network securityCollaborative defence strategies for network security
Collaborative defence strategies for network security
 
Network security
Network securityNetwork security
Network security
 
Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44
 
The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...
The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...
The Inside Story: GE Healthcare's Industrial Internet of Things (IoT) Archite...
 
Cloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best PracticesCloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best Practices
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 

Similar a 27 Nov 2013 Cyber defence CDE themed competition presentations

Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
Schneider Electric
 
The Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat IntelligenceThe Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat Intelligence
Imperva
 
The National Archives cloud storage and digital preservation
The National Archives cloud storage and digital preservationThe National Archives cloud storage and digital preservation
The National Archives cloud storage and digital preservation
The-National-Archives
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Emulex Corporation
 

Similar a 27 Nov 2013 Cyber defence CDE themed competition presentations (20)

The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
 
9 September 2014: automating cyber defence responses CDE themed competition
9 September 2014: automating cyber defence responses CDE themed competition9 September 2014: automating cyber defence responses CDE themed competition
9 September 2014: automating cyber defence responses CDE themed competition
 
18 Dec 2013 - CDE enduring challenge competition webinar
18 Dec 2013 - CDE enduring challenge competition webinar18 Dec 2013 - CDE enduring challenge competition webinar
18 Dec 2013 - CDE enduring challenge competition webinar
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
Precision Timing and Navigation - CDE themed call launch 23 April 2013
Precision Timing and Navigation - CDE themed call launch 23 April 2013Precision Timing and Navigation - CDE themed call launch 23 April 2013
Precision Timing and Navigation - CDE themed call launch 23 April 2013
 
Security in cloud computing
Security in cloud computingSecurity in cloud computing
Security in cloud computing
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
 
Network Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.pptNetwork Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.ppt
 
The Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat IntelligenceThe Value of Crowd-Sourced Threat Intelligence
The Value of Crowd-Sourced Threat Intelligence
 
Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)
 
9780840024220 ppt ch01
9780840024220 ppt ch019780840024220 ppt ch01
9780840024220 ppt ch01
 
The National Archives cloud storage and digital preservation
The National Archives cloud storage and digital preservationThe National Archives cloud storage and digital preservation
The National Archives cloud storage and digital preservation
 
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdprIsaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
 
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber ThreatsUsing NetFlow to Streamline Security Analysis and Response to Cyber Threats
Using NetFlow to Streamline Security Analysis and Response to Cyber Threats
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Security challenges in 2017
Security challenges in 2017Security challenges in 2017
Security challenges in 2017
 
27 Nov 2013 CDE enduring challenge competition briefings
27 Nov 2013 CDE enduring challenge competition briefings27 Nov 2013 CDE enduring challenge competition briefings
27 Nov 2013 CDE enduring challenge competition briefings
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
 
chapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptxchapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptx
 
The Cloud Security Landscape
The Cloud Security LandscapeThe Cloud Security Landscape
The Cloud Security Landscape
 

Más de Defence and Security Accelerator

Más de Defence and Security Accelerator (20)

DASA Security Showcase - Department for International Trade Presentation
DASA Security Showcase - Department for International Trade PresentationDASA Security Showcase - Department for International Trade Presentation
DASA Security Showcase - Department for International Trade Presentation
 
DASA Security Showcase - UK Fire Service Presentation
DASA Security Showcase - UK Fire Service Presentation DASA Security Showcase - UK Fire Service Presentation
DASA Security Showcase - UK Fire Service Presentation
 
DASA Security Showcase - Department for Transport and Home Office Presentation
DASA Security Showcase - Department for Transport and Home Office PresentationDASA Security Showcase - Department for Transport and Home Office Presentation
DASA Security Showcase - Department for Transport and Home Office Presentation
 
DASA Security Showcase - DASA Presentation
DASA Security Showcase - DASA PresentationDASA Security Showcase - DASA Presentation
DASA Security Showcase - DASA Presentation
 
DASA Security Showcase - Bank of England Presentation
DASA Security Showcase - Bank of England PresentationDASA Security Showcase - Bank of England Presentation
DASA Security Showcase - Bank of England Presentation
 
Finding, funding and exploiting innovation for the benefit of UK Defence and ...
Finding, funding and exploiting innovation for the benefit of UK Defence and ...Finding, funding and exploiting innovation for the benefit of UK Defence and ...
Finding, funding and exploiting innovation for the benefit of UK Defence and ...
 
DASA Jim Pennycook - challenge and opportunity - DSEI 2017
DASA Jim Pennycook - challenge and opportunity - DSEI 2017DASA Jim Pennycook - challenge and opportunity - DSEI 2017
DASA Jim Pennycook - challenge and opportunity - DSEI 2017
 
27 July 2017 Innovation nework event: how to create a great proposal
27 July 2017 Innovation nework event: how to create a great proposal27 July 2017 Innovation nework event: how to create a great proposal
27 July 2017 Innovation nework event: how to create a great proposal
 
27 July 2017 Innovation nework event: Working with the Accelerator
27 July 2017 Innovation nework event: Working with the Accelerator 27 July 2017 Innovation nework event: Working with the Accelerator
27 July 2017 Innovation nework event: Working with the Accelerator
 
Improving crowd resilience themed competition slides
Improving crowd resilience themed competition slidesImproving crowd resilience themed competition slides
Improving crowd resilience themed competition slides
 
Accelerator First Innovation Fund network event Session 1
Accelerator First Innovation Fund network event Session 1Accelerator First Innovation Fund network event Session 1
Accelerator First Innovation Fund network event Session 1
 
CDE themed comp -syn-bio part 2
CDE themed comp -syn-bio part 2CDE themed comp -syn-bio part 2
CDE themed comp -syn-bio part 2
 
CDE themed comp - synbio part 1
CDE themed comp - synbio part 1CDE themed comp - synbio part 1
CDE themed comp - synbio part 1
 
Beyond battery power: future autonomy
Beyond battery power: future autonomy Beyond battery power: future autonomy
Beyond battery power: future autonomy
 
CDE themed challenge - Beyond battery power: the technical challenge and futu...
CDE themed challenge - Beyond battery power: the technical challenge and futu...CDE themed challenge - Beyond battery power: the technical challenge and futu...
CDE themed challenge - Beyond battery power: the technical challenge and futu...
 
Beyond battery power - CDE themed competition part 2
Beyond battery power - CDE themed competition part 2Beyond battery power - CDE themed competition part 2
Beyond battery power - CDE themed competition part 2
 
Beyond battery power - CDE themed competition part 1
Beyond battery power - CDE themed competition part 1Beyond battery power - CDE themed competition part 1
Beyond battery power - CDE themed competition part 1
 
Beyond battery power - how the competition will work
Beyond battery power - how the competition will workBeyond battery power - how the competition will work
Beyond battery power - how the competition will work
 
Introduction to the Centre for Defence Enterprise and introducing the Defence...
Introduction to the Centre for Defence Enterprise and introducing the Defence...Introduction to the Centre for Defence Enterprise and introducing the Defence...
Introduction to the Centre for Defence Enterprise and introducing the Defence...
 
CDE Competition on FASS - technology challenge 1
CDE Competition on FASS - technology challenge 1CDE Competition on FASS - technology challenge 1
CDE Competition on FASS - technology challenge 1
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

27 Nov 2013 Cyber defence CDE themed competition presentations

  • 1. Room 1 Cyber Defence: Securing Against the Insider Threat Centre for Defence Enterprise (CDE) themed competition 29 November 2013 © Crown copyright 2013 Dstl
  • 2. Defence challenges in cyber security © Crown Copyright Dstl 2011
  • 3. The threat, the risk • Increasing in complexity and scale • Diverse, asymmetric & symmetric • “Non-traditional” cyber threats – Electromagnetic attack • MOD’s business – Working in dangerous situations – An obvious target 29 November 2013 © Crown copyright 2013 Dstl
  • 4. MOD networks • Large and varied – 70+ countries – 1200 UK sites – 800,000 IP addresses – 225,000 users – 95% is made up of 19 core systems with 1000 applications • Planned and ad hoc • Bought as a service 29 November 2013 © Crown copyright 2013 Dstl
  • 5. Platforms and weapons • Increasingly cyber-enabled, connected platforms • Tighter integration with industry • Complex logistics and support • Supply-chain security 29 November 2013 © Crown copyright 2013 Dstl
  • 6. “Strange and charmed” systems • Non-standard hardware, software and protocols • Legacy hardware, software and protocols • Low-bandwidth connectivity at the fringes • Outside the envelope of IA and cyber security 29 November 2013 © Crown copyright 2013 Dstl
  • 7. Defence cyber S&T © Crown Copyright Dstl 2011
  • 8. Defence cyber S&T programme • Part of national & MOD cyber programmes • £25m p/a and rising • Decision support • Operations • Situational awareness • Defence • Human factors 29 November 2013 © Crown copyright 2013 Dstl
  • 9. The pipeline • Sponsoring research – Centre for Defence Enterprise (CDE) – Use of existing consortia – Shaping and co-sponsoring academic research – Commercial competitions • Assessing candidate technologies – Intelligent customer function • Test and evaluation – Testbed connected to MOD networks 29 November 2013 © Crown copyright 2013 Dstl
  • 10. Future challenges • Scale and sophistication of threat – Situational awareness and defence – Big data • Pace of technical changes vs government – Domestic/professional co-existence, bring-your-own-device (BYOD) – Cloud – SMART • Defence-specific issues – Cyber in MOD’s mission – The “strange and charmed” © Crown Copyright Dstl 2011
  • 11. Cyber Defence: Securing Against the Insider Threat CDE themed competition – launch 27 Nov 2013 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 12. Cyber defence • Substantial efforts are focused on prevention of unauthorised access to systems or platforms • However, this does not prevent the potential abuse of legitimate credentials – Both illegitimate users of legitimate credentials and cyber insiders 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 13. Insider threat • Employee activity (deliberate or accidental) is one of the main causes of internal IT security incidents that lead to the leakage of confidential corporate data • Potential issues for MOD – Reputational damage – Political/diplomatic fallout – National security © BBC 2013 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 14. Aim of this CDE competition Dstl is looking for novel and innovative proofof-concept tools and techniques to detect cyber insider threats or abuse of legitimate user credentials, utilising host-based solutions 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 15. Focus • Challenge is based on detecting anomalous behaviour – Utilising legitimate credentials Malware utilising legitimate credentials Unauthorised personnel utilising legitimate credentials • Three main aspects – Malware – Unauthorised personnel – Legitimate personnel 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED Legitimate personnel utilising legitimate credentials
  • 16. Types of threat • Malware, individuals or groups Types of activities • Permanent staff, temporary staff or contractors • May be deliberate, accidental or under the influence of a third party Espionage Sabotage Fraud IP Theft Accidental damage Outcome is negative impact on confidentiality, availability and integrity of MOD data 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 17. Anomalous behaviour • Includes that which is significantly different to the standard user behaviour for a given credential set – Especially that which increases the risk to the confidentiality, availability and integrity of MOD data • May only be obvious over time – Each individual action might be innocuous and within the users authorised scope of action • Need to consider the potential risk of actions and how this changes over time (cumulative risk) 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 18. Insider threat • Users often go through five steps for malicious behaviour • However, later attribution is still valuable 1. Exploration 1 Detection 2. Experimentation 0.75 Likelihood 3. Exploitation 4. Execution 5. Escape/Evasion © Crown copyright 2013 Dstl Attribution 0.25 • Want to detect as early as possible 29 November 2013 0.5 0 UK UNCLASSIFIED Time
  • 19. Baseline behaviour • To spot changes in behaviour, a baseline is needed – Requires minimum burden – Learns regular patterns (diurnal, seasonal, familiarity, aging) – Ideally can account for changes of role (resulting in changed patterns) – Flags, and ideally prioritises, different types of anomalous behaviour for investigation and mitigation – Can account for variance in background behaviour 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 20. Pattern of life baseline M T W T F S S 1 Regular 2 Deadline 3 Remote 4 Change Host 5 Deployed 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 21. Socio-technical indicators Including, but not limited to, aspects such as: Experiences Forensic linguistics etc Contextual Forensic authorship, structural semantic analysis etc Behavioural Aspects of the interaction between the user and the host or platform Physical Potential physical aspects of the user that can be tested and evaluated 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 22. Socio-technical Indicators Including, but not limited to, aspects such as: Connectivity Levels of connectivity, location, bandwidth, access etc Data access Is this consistent with role, are new data sources being sought, etc Exploration Storage & offload 29 November 2013 © Crown copyright 2013 Dstl Is the user exploring new areas unrelated to them, are they trying to access different hosts, seeking new (and unrelated) data sources etc Is the user storing large quantities of data on the local host, are they trying to offload this etc UK UNCLASSIFIED
  • 23. Socio-technical methods Including, but not limited to, methods such as: Heuristics Al/Bots/Neural Networks Grid Based/Vector Space/Frequency Analysis Statistical Algorithms 29 November 2013 © Crown copyright 2013 Dstl Both behavioural and technical – can we forecast what abnormal looks like for the host? Is it possible to train systems to identify anomalous behaviour? What are the signals of insider threat? Can we identify the stages of activity? Identifying weak signals within a noisy background – individual activities might be innocuous UK UNCLASSIFIED
  • 24. Socio-technical indicators • No single indicator is likely to give a complete picture • Suppliers need to indentify relevant and complementary indicators that allow for detection of anomalous behaviour – Even when spread over a long time period • Indicators should allow for prioritisation of risk – Which activities are more likely to lead to serious impact to MOD digital assets? 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 25. Host-based solution 29 November 2013 All images taken from theUK UNCLASSIFIED defence image database © Crown copyright 2013 © Crown copyright 2013 Dstl
  • 26. Different types of host Analysis undertaken on an inline host Analysis directly on the host itself Inline Host Platform (eg ship’s plant) Host 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 27. Central analysis Central analysis Host Host Host Host Potential to perform some central analysis. However, solutions must perform a level of analysis on the host – cannot merely undertake full packet capture 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 28. Testing concept demonstrators • Suppliers are expected to be able to demonstrate the benefits of their chosen approach Data Metrics Suppliers need to have access to a suitable data source to test and refine their choice approach Suppliers need to choose appropriate metrics to demonstrate the benefits of their chosen approach Must be able to demonstrate to Dstl why their data source is applicable Must include computational burden, sensitivity and specificity 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 29. What we want • Novel and innovative proof-of-concept demonstrators at Technology Readiness Level (TRL) 1-4 • Success metrics for the approach • An initial test plan against relevant exemplar data • A development plan beyond the initial proof-ofconcept phase • Solutions that consider the breadth of MOD hosts 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 30. What we don’t want • Existing higher TRL solutions or network analysis tools • Proposals that: – Add substantial burden – Expand the threat surface – Force users to alter their behaviour – Do not include some form of demonstrator – Are proprietary black box solutions 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 31. Levels of funding • Dstl have committed up to £1M of funding for the initial proof-of-concept demonstrators • No cap on the value of proposals – However more likely that a larger number of lower-value proposals (eg £50k - £150k) will be funded at this stage • Aiming for an initial demonstration within 3-5 months Submissions via the CDE Portal 17:00 Thursday 9 January 2014 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 32. Every little helps... • Problem space is broad, complex and challenging • Requires interaction between physical and social sciences • Individual suppliers may only be able to provide a solution to part of the problem space – These pieces are still potentially of value – Networking and collaborating 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED © Dstl 2013
  • 33. • Technical questions cybersecurityCDE@dstl.gov.uk • CDE questions cde@dstl.gov.uk 29 November 2013 © Crown copyright 2013 Dstl UK UNCLASSIFIED
  • 34. In conclusion • Opportunity! • Innovation • Demonstration • Focus – Host-based solutions – Abuse of legitimate credentials – “Strange and charmed” • Closing date - Thursday 9 January 2014 at 17:00 hrs! 29 November 2013 © Crown copyright 2013 Dstl