There are no systems that are connected to the Internet that are completely safe. Cyber-attacks are the norm. Everyone with a web presence is attacked multiple times each week. To further complicate this scenario, government entities have been found to be weakening Web security protocols and compromising business systems in the interest of national security, and hyper-competitive companies have been caught engaging in cyber-espionage. Detection of these attacks in real-time is difficult due to a number of reasons. The primary ones being the dynamism and ingenuity of the attacker and the nature of contemporary real-time attack detection systems. In this talk, I will share insights on an alternative, i.e. quickly recognizing attacks in a short period of time after the incident using audit analysis.
2. Over twenty years in computer science.
Industry, Academia, Industry
Research, Consulting, Startups.
ProfessionalActivity
Over a hundred publications.
Over forty-five patents.
Three books on either Privacy, Security orTrust.
Memberships
Fellow – British Computer Society; Fellow – Royal Society
for the Advancement of Sciences; Fellow – Healthcare
Information Management Systems Society; Distinguished
Engineer – IEEE; Senior Member, ACM.
More at http://www.tyronegrandison.org
3. Definitions andWhat-Not
The Importance of CyberSecurity
The Current State of Affairs
The Opportunities
My Research & Commercialization Focus
Case Studies
Compliance Auditing
Exception-Based Access
FutureWork
Conclusion
4. • Perspectives on CyberSecurity
• Scope of CyberSecurity
• My Definition of CyberSecurity
5. Very wide-ranging term
Everyone has a different perspective
No standard definition
A socio-technical systems problem
6. Threat and Attack analysis and
mitigation techniques
Protection and recovery
technologies, processes and procedures
for individuals, business and
government
Policies, laws and regulation relevant to
the use of computers and the Internet
7. The field that synthesizes multiple
disciplines, both technical and non-
technical, to create, maintain, and improve
a safe environment.
• The environment normally allows for other more technical or tactical
security activities to happen, particularly at an industry or national scale.
• Traditionally done in the context of government laws, policies, mandates,
and regulations.
8. • What Factors Make CyberSecurity
Important?
• Why is it so difficult?
9. Heavy Reliance on the Internet
Commerce
Internet ofThings
Impact of Attack
Risk, Harm, Reputation, Brand
Incentive to Attack
Increased Difficulty in Defense
10.
11.
12.
13. • Corporate US Landscape
• Global Situation
• Current Insight
14. Statistics from the results of an SVB survey about cybersecurity completed by 216 C-level
executives from US-based technology and life science companies in July 2013
15. 47% of companies know they have suffered a
cyber attack in the past year
70% say they are most vulnerable through
their endpoint devices
52% rate at “average-to-non-existent” their
ability to detect suspicious activity on these
devices
2013 Cyber Security Study -What is the Impact ofToday’s Advanced Cyber
Attacks? - Bit9 and iSMG
16. First-Generation Security Solutions
Cannot Protect AgainstToday’s
Sophisticated Attackers
There is No Silver Bullet in Security
There is an Endpoint and Server
Blindspot
2013 Cyber Security Study -What is the Impact ofToday’s Advanced Cyber
Attacks? - Bit9 and iSMG
17. • What are the Hard Research Problems?
• Where are companies spending their
CyberSecurity dollars?
18. 1. Global-Scale Identity Management
2. InsiderThreat
3. Availability ofTime-Critical Systems
4. Building Scalable Secure Systems
5. Situational Understanding and Attack
Attribution
6. Information Provenance
7. Security with Privacy
8. Enterprise-Level Security Metrics
INFOSEC Research Council (2005)
19. 1. Global-scale Identity Management
2. Combatting InsiderThreats
3. Survivability ofTime-critical Systems
4. ScalableTrustworthy Systems
5. Situational Understanding and Attack Attribution
6. Provenance
7. Privacy-aware security
8. Enterprise-level metrics
9. System Evaluation Life Cycle
10. Combatting Malware and Botnets
11. Usable Security
INFOSEC Research Council (2009)
20. 2013 Cyber Security Study -What is the Impact ofToday’s Advanced Cyber Attacks? - Bit9 and
iSMG
21. • Data, Data, Data
• Detection, Detection, Detection
22. The most valuable asset of the 21st century
company - Data
CyberSecurity Realities
Proactive, Real-Time Detection impossible
Mostly a Losing Game for non-attackers
My Focus (aka next realistic move):
Proactive, near Real-Time Attack
Detection using Audit Logs
23. Audit systems are normally not switched on
When on, slows down the production system and
degrades the delivery of service.
Audit systems contain a lot of information
Not all of it is useful
Access to real data
Shrouded in mystery due to ramifications
25. Companies are required to comply with many laws
concerning the collection, use and disclosure of
sensitive information
Health Insurance Portability and Accountability Act of
1996 (HIPAA) Privacy Rule
Compliance with 21 CFR Part 11 auditing requirements
Compliance with these laws is difficult to implement
and monitor
Auditing viewed as a nuisance, etc. etc.
Companies need a way to automate enforcement of
these laws and verify compliance
26. Data
Tables
2004-02…
2004-02…
Timestamp
publicTelemarketingJohnSelect …2
OursCurrentJaneSelect …1
RecipientPurposeUserQueryID
Query Audit Log
Database
Layer
Query with purpose, recipient
Generate audit record
for each query
Updates, inserts, deletes
Backlog
Database triggers
track updates to
base tables
Audit
Database
Layer
Audit query
IDs of log queries having
accessed data specified by
the audit query
• Audits whether particular
data has been disclosed in
violation of the specified
policies
• Audit expression specifies
what potential data
disclosures need monitoring
• Identifies logged queries
that accessed the specified
data
• Analyze circumstances of
the violation
• Make necessary corrections
to procedures, policies,
security
27. Jane complains to the department of Health and Human
Services saying that she had opted out of the doctor
sharing her medical information with pharmaceutical
companies for marketing purposes
The doctor must now review
disclosures of Jane’s
information in order to
understand the circumstances
of the disclosure, and take
appropriate action
Sometime later, Jane
receives promotional
literature from a
pharmaceutical
company, proposing over
the counter diabetes
tests
Jane has not been feeling well and decides to
consult her doctor
The doctor uncovers that Jane’s blood sugar level is
high and suspects diabetes
28. audit T.disease
from Customer C, Treatment T
where C.cid=T.pcid and C.name =„Jane‟
Who has accessed Jane’s disease information?
29. Given
A log of queries executed over a database
An audit expression specifying sensitive data
Precisely identify
Those queries that accessed the data specified by
the audit expression
30. “Candidate” query
Logged query that accesses all columns specified by the audit
expression
“Indispensable” tuple (for a query)
A tuple whose omission makes a difference to the result of a query
“Suspicious” query
A candidate query that shares an indispensable tuple with the audit
expression
Query Q: Addresses of people with diabetes
Audit A: Jane’s diagnosis
Jane’s tuple is indispensable for both;
hence query Q is“suspicious” with respect to A
31. sPA(sPQ(T ´ R´S)) ¹j
))((
))((
STA
RTQ
AOA
QOQ
PC
PC
Theorem - A candidate query Q is suspicious with respect to an audit
expression A iff:
The candidate query Q and the audit expression A are of the form:
Query Graph Modeler (QGM) rewrites Q and A into:
)))((("" SRTQAi PPQ
33. ID Timestamp Query User Purpose Recipient
1 2004-02… Select … James Current Ours
2 2004-02… Select … John Telemarketing public
Query Log
Audit expression
Filter Queries
Candidate queries
Eliminate queries that
could not possibly
have violated the
audit expression
Accomplished by
examining only the
queries themselves
(i.e., without
running the queries)
OAQ CC
34. Replace each table with it‟s backlog to restore the
version of the table to the time of each query
QGM is a graphical representation of a queryBoxes represent operators, such as select
Lines represent input/output
relationships between operators
Candidate
Query 1
Candidate
Query 2
Audit
Expression
Union
Combine individual candidate
queries and the audit expression
into a single query graph
Combine the audit expression with individual
candidate queries to identify suspicious queries
T1 T2
Boxes with no inputs are tables
35. Merge logged queries and audit expression into a single query graph
Customer
c, n, …, t
audit expression := T.p=C.c and
C.n= „Jane‟
T.s
Select := T.s=„diabetes‟ and T.p=C.c
C.n, C.a, C.z
C
C
Treatment
p, r, …, t
T
T
36. Customer
c, n, …, t
audit expression := X.n= „Jane‟
„Q1‟
Select := T.s=„diabetes‟ and C.c=T.p
C.n
View of Customer (Treatment) is a
temporal view at the time of the query
was executed
The audit expression now ranges over the
logged query. If the logged query is
suspicious, the audit query will output the
id of the logged query
Treatment
p, r, ..., t
X
C
T
37. 0
50
100
150
200
250
5 20 35 50
# of versions per tuple
Time(minutes)
Composite
Simple
No Index
No Triggers
7x if all tuples are updates
3x if a single tuple is updated
Negligible
by using
Recovery
Log to build
Backlog tables
39. SQL Rewrite Engine
JDBC and
SQL
Request Processor Result Processor
Log Retrieval
Layer
Log RetrievalAPI
AuditSpecification/Searching
Audit Result Browsing/
ReportGeneration
Audit Application
Query Logs BacklogTables
Auditing ArchitectureAccess and DisclosureTracking
• Audit trails provide detailed
information about data access,
changes, insertions and deletions.
• Facilitates investigations of data
access, use, and disclosure.
ComplianceVerification
• Determines whether a particular
disclosure or transaction was
compliant with policies (e.g., legal
requirements).
Data Recovery
• Reconstructs the exact state of any cell
in the database at a given point in
time.
Audit Flags
• Alert companies to suspicious data
access and disclosures or policy
violations.
40. The overhead on query processing is
small, involving primarily the logging of each
query string along with other minor annotations.
Database triggers are used to capture updates in
a backlog database.
At the time of audit,
a static analysis phase selects a subset of logged
queries for further analysis.
These queries are combined and transformed into an
SQL audit query, which when run against the backlog
database, identifies the suspicious queries efficiently
and precisely.
42. A lot of the information in audit logs is
misleading
Audit logs are bypassed by people legitimately
doing their jobs 70% of the time.
Thus, logs contain legal activity, unformalized
activity and security breaches.
Goals:
Reduce wasted effort on differentiating between
undocumented legal behavior and a cyber-attack.
Enable security/privacy policy to encapsulate rules.
43. 43
Formalizing Policy Refinement Process
Introduce the notion of Policy Coverage
Design the algorithm for Policy Refinement
PRIvacy Management Architecture (PRIMA)
An architecture designed to perform Policy
Refinement
Leverages data mining and Hippocratic Database
(HDB) technology
44.
45. Consider an Organization (HO):
Ideal Workflow WIdeal:
HO‟s policy embodies regulations, legislations, laws. Essentially, what
HO would ideally like to follow
Real Workflow WReal:
HO‟s policy as represented by the audit trail of system accesses over a
period of time
The real workflow of HO, primarily filled with exception-based accesses
Our Goal is to reduce of gap between real and ideal workflows
The formal model is used to represent
the privacy specification notation, which comprises the WIdeal
the artifacts that the system manipulates, which comprises the WReal
the mapping from the terms in WIdeal to the corresponding terms in WReal
46. RuleTerm:
Models the assignment of attributes in a policy rule
Rule:
Models a specific combination of attribute assignments
Two types of RuleTerms and Rules:
Ground- If comprises entirely of atomic attributes
Composite – Otherwise
A policy is ground when represented only in terms of ground rules
48. Coverage is computed by comparing PAL and PPS
PALis the policy found in the audit logs representing the real state of system
PPS is the policy found in the policy store representing ideal state of system
Informally:
Coverage is the overlap between PAL and PPS
Formally:
Given
RangeP as the set containing all the rules in a ground policy P, and # RangeP as the
cardinality of RangeP
Coverage of Px in relation to Py is given by
# (RangePx ∩ RangePy) ÷ # RangePy
Goal is to have complete coverage, i.e. RangePx ∩ RangePy = RangePy
49.
50. Use storage efficient, contextually rich logs
Log management and usability is better
Use logs in a pro-active process, as opposed to after-the-fact
Consolidate all logs in one place
Fix a schema for the log entries
Current schema is
(time,tj ), (op,Xj ),(user,uj ), (data,dj ), (purpose,pj ), (authorized,aj
), (status,sj) where
tj is the entry's timestamp
Xj is either 0 (disallow) or 1 (allow)
uj is the entity that requested access
dj is the data to be accessed
pj is the purpose for which the data is accessed
aj is the authorization category (e.g. role) of the entity that requested access, and sj is
either 0 (exception-based access) or 1 (regular access).
51. Leverage audit logs
Analyze all entries that are regular accesses
Define new rules based on analysis
Improve the policy coverage
Coverage is the ratio of accesses addressed by the
policy to all access recorded by the system
Gradually embed policy controls
Essentially, a feedback loop between ideal and real
policy
52. Filter
Flag exceptions to distinguish them from regular accesses
▪ Analyze only the regular accesses for possible patterns
Extract
Find informal clinical patterns from audit logs
Apply algorithm to extract candidate patterns
▪ Simple matching:
▪ Assumes pruned data, looks for term combinations, returns frequency of occurrence
▪ Richer data mining:
▪ Not only syntactic but also semantics matching
▪ Does not assume pruning, considers relationship between artifacts
▪ Reduces probability of violations being reported for analysis phase
Get usefulness ratings of patterns
Prune
Incorporate or discard patterns based on usefulness threshold
Assume a training period
▪ Set a threshold appropriate to the target environment
▪ Act when threshold is reached over a period of time
53. Time Op
(1:allow)
User Data
(Category)
Purpose Authorized
(Role)
Status
(0: Exception)
t1 1 John Prescription Treatment Nurse 1
t2 1 Tim Referral Treatment Nurse 1
t3 1 Mark Referral Registration Nurse 0
t4 1 Sarah Psychiatry Treatment Doctor 0
t5 1 Bill Address Billing Clerk 1
t6 1 Jason Prescription Billing Clerk 0
t7 1 Mark Referral Registration Nurse 0
t8 1 Tim Referral Registration Nurse 0
t9 1 Bob Referral Registration Nurse 0
t10 1 Mark Referral Registration Nurse 0
Audit trail, PAL, for a system
Policy coverage
is 30% (3/10)
54. Time Op
(1:allow)
User Data
(Category)
Purpose Authorized
(Role)
Status
(0: Exception)
t3 1 Mark Referral Registration Nurse 0
t4 1 Sarah Psychiatry Treatment Doctor 0
t6 1 Jason Prescription Billing Clerk 0
t7 1 Mark Referral Registration Nurse 0
t8 1 Tim Referral Registration Nurse 0
t9 1 Bob Referral Registration Nurse 0
t10 1 Mark Referral Registration Nurse 0
55. 55
SELECT A.Data, A.Purpose, A.Authorized
FROM PAL A
WHEREA.Status = „0’
GROUP BY A.Data, A.Purpose, A.Authorized
HAVING COUNT(*) > 5 AND
COUNT(DISTINCT(A.User)) > 1;
56. Time Op
(1:allow)
User Data
(Category)
Purpose Authorized
(Role)
Status
(0: Exception)
t3 1 Mark Referral Registration Nurse 0
t4 1 Sarah Psychiatry Treatment Doctor 0
t6 1 Jason Prescription Billing Clerk 0
t7 1 Mark Referral Registration Nurse 0
t8 1 Tim Referral Registration Nurse 0
t9 1 Bob Referral Registration Nurse 0
t10 1 Mark Referral Registration Nurse 0
Pattern found:
Referral: Registration : Nurse
occurred in the log at least 5 times
observed for at least 2 different users
57. Formally introduced the problem of Policy Coverage
to help mitigate the issues in privacy management
resulting from exception-based accesses
Defined the notion of Policy Refinement for
improving policy coverage through a
systematic, non-disruptive, approach that aims to
gradually embed privacy controls within the
workflow based on actual practices of the
organization.
58. • Made first steps to solve:
• Create efficient auditing systems
• Pruning audit systems
• Implemented in the context of multiple client
engagement.
• Applicable to multiple fields.
59. • Fundamental technologies for critical
infrastructure protection
• Privacy-preserving and secure solutions for
enabling Cloud and Big Data Analytics
• Solutions for Securing Mobile systems
60. • Cybersecurity is about protecting, repelling and
recovering from cyberattacks
• Cyberattacks are a silent norm
• Our greatest near-term impact lies in using
efficient audit systems to detect and respond to
security incidents.
62. 2013 Cyber Security Study -What is the Impact ofToday’s Advanced Cyber
Attacks? - Bit9 and iSMG
INFOSEC Research Council (2005)
INFOSEC Research Council (2009)
ClaudioA. Ardagna, Sabrina De Capitani diVimercati, Sara
Foresti,TyroneW. Grandison, Sushil Jajodia, and Pierangela Samarati.
"Access control for smarter healthcare using policy spaces." Computers &
Security 29, no. 8 (2010): 848-858.
Christopher Johnson, Tyrone Grandison, "Compliance with Data
Protection Laws Using Hippocratic DatabaseActive Enforcement and
Auditing," IBM Systems Journal,Vol. 46, No. 2, April 2007.
RakeshAgrawal, Roberto J. Bayardo Jr., Christos Faloutsos, Jerry
Kiernan, Ralf Rantzau, Ramakrishnan Srikant:Auditing Compliance with
a Hippocratic Database.VLDB 2004: 516-527
Rafae Bhatti, Tyrone Grandison. "Towards Improved Privacy Policy
Coverage in Healthcare Using Policy Refinement".The Proceedings of the
4thVLDBWorkshop on Secure Data Management 2007.
Vienna,Austria, Sept 2007.
Notas del editor
Abstract: There are no systems that are connected to the Internet that are completely safe. Cyber-attacks are the norm. Everyone with a web presence is attacked multiple times each week. To further complicate this scenario, government entities have been found to be weakening Web security protocols and compromising business systems in the interest of national security, and hyper-competitive companies have been caught engaging in cyber-espionage. Detection of these attacks in real-time is difficult due to a number of reasons. The primary ones being the dynamism and ingenuity of the attacker and the nature of contemporary real-time attack detection systems. In this talk, I will share insights on an alternative, i.e. quickly recognizing attacks in a short period of time after the incident using audit analysis.
Normally includes all aspects of ensuring the protection of citizens, businesses and critical infrastructures from threats that arise from their use of computers and the Internet.Everyone has a different perspective:Information SecurityData SecurityComputer SecurityControl Systems SecurityNetwork SecurityInformation Risk ManagementEtc.Even debating whether there’s a “space” between cyber and securityCyberSecurity is often confused with:Computer securitySecurity engineeringEncryptionComputer crimeComputer forensicsSecurity problems almost always stem from a mix of technical, human and organizational causes (BRUCE SCHNEIER, IAN SOMMERVILLE)
Attack Models‣ The Internet Architecture‣ Attacks‣ Denial-of-service‣ Trojan horse‣ Phishing‣ Man-in-the-middle‣ Social Network attacks‣ Insiders
This is my personal definition and the one that will be assumed during the presentation.Happens at multiple levels in the stack: Network, Application, Data.Involves Monitoring, Detection, Response.
There are no systems that are connected to the Internet that are completely safe. Cyber-attacks are the norm. Everyone with a web presence is attacked multiple times each week. To further complicate this scenario, government entities have been found to be weakening Web security protocols and compromising business systems in the interest of national security, and hyper-competitive companies have been caught engaging in cyber-espionage. Detection of these attacks in real-time is difficult due to a number of reasons. The primary ones being the dynamism and ingenuity of the attacker and the nature of contemporary real-time attack detection systems. In this talk, I will share insights on an alternative, i.e. quickly recognizing attacks in a short period of time after the incident using audit analysis.
Statistics from the results of an SVB survey about cybersecurity completed by 216 C-level executives from US-based technology and life science companies in July 2013
2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? by Bit9 and iSMGThis survey was conducted online during the summer of 2013. Nearly 250 respondents participated in this international study.Key characteristics of the respondent base:»» 62 percent are from the U.S., with 10 percent from the UK and Europe;»» Top responding industries are:• Banking/financial services – 36 percent• Technology – 12 percent• Healthcare – 10 percent»» 47 percent of respondent organizations employ 500 or fewer employees, while 22 percent employ more than 10,000.»» 59 percent of respondents deploy only Windows-based endpoints in their organizations, while 1 percent are all-Mac shops. The remainder offer a mix of endpoint devices, with 31 percent saying more PCs than Macs.
First-Generation Security Solutions Cannot Protect Against Today’s Sophisticated Attackers.It seems like each day there is a new attack reported in the news: advanced attacks such as Flame, Gauss and the Flashback Trojan that attacked 600,000 Macs. These “public” cyber attacks are, unfortunately, just the tip of the iceberg. The number and variety of attackers and their differing goals and motivations are overwhelming. The 2013 Cyber Security Survey shows proof that traditional, signature-based security defenses cannot keep up with today’s advanced threats and malware:»» 66 percent of survey respondents say their organizations’ ability to protect endpoints and servers from emerging threats for which no signature is known is “average” to “nonexistent.”»» 40 percent of respondents state that malware that landed on their endpoints and servers got there because it bypassed antivirus.First-generation security solutions, such as signature-based antivirus, can’t keep up with the tidal wave of widely targeted malware (400+ million variants), let alone advanced attacks that target specific organizations.There is No Silver Bullet in Security.Organizations increasingly rely on new-generation network security solutions as a primary defense against cyberthreats. This is a step in the right direction, but not a silver bullet. According to the survey:»» 27 percent of respondents say malware was able to land on their endpoints and servers because it bypassed network security.»» 30 percent responded that they don’t know how it got there. The digital assets that you need to protect reside on your endpoints and servers, or are at least accessible from your endpoints and servers, and it is inevitable that some malware is going to make it to this critical infrastructure. How does it happen? It could be that a user fell victim to social engineering, a laptop was disconnected from your network and network security, a user plugged in an infected USB device or mobile phone to his or her PC, or anadvanced threat slipped past your AV.To combat the APT, you need to fortify your endpoints and servers with security solutions that work together to give you a unified, holistic approach. A defense-in-depth strategy is necessary, where you are not counting on just one security control to stop an attack.There is an Endpoint and Server Blind SpotThe survey results indicate that there is also an “endpoint and server blind spot.”»» 59 percent say that when it comes to real-time monitoring of files that attempt to execute on servers and endpoints, their organizations’ abilities rate from “average” to “non-existent.”»» 61 percent say that once a file is determined to be malicious, the organization’s ability to determine how many endpoints and servers are infected rates from “average” to “nonexistent.”
Global-Scale Identity Management: Global-scale identification, authentication, access control, authorization, and management of identities and identity information Insider Threat: Mitigation of insider threats in cyber space to an extent comparable to that of mitigation in physical space Availability of Time-Critical Systems: Guaranteed availability of information and information services, even in resource-limited, geospatially distributed, on demand (ad hoc) environments Building Scalable Secure Systems: Design, construction, verification, and validation of system components and systems ranging from crucial embedded devices to systems composing millions of lines of code Situational Understanding and Attack Attribution: Reliable understanding of the status of information systems, including information concerning possible attacks, who or what is responsible for the attack, the extent of the attack, and recommended responses Information Provenance: Ability to track the pedigree of information in very large systems that process petabytes of information Security with Privacy: Technical means for improving information security without sacrificing privacy Enterprise-Level Security Metrics: Ability to effectively measure the security of large systems with hundreds to millions of users
If you expect a budget increase, where do you believe your organization will prioritize your spending?
Purpose of this work is to demonstrate that it is possible to create a low-footprint audit system, where you can still perform quick auditing offline.