Threats of various sorts can reduce the functionality, reliability, performance, availability, security and

Transcription

1 ISSA The Global Voice of Information Security By Joel Weise ISSA member, Silicon Valley, USA chapter Security Architecture and Adaptive Security The author discusses a new perspective on the characteristics of a security architecture that is capable of not only reducing threats accordingly but also anticipating threats before they are manifested, including the capability to address zero-day attacks. Threats of various sorts can reduce the functionality, reliability, performance, availability, security and integrity of IT systems. These characteristics are considered critical enough that they are typically instantiated formally into service level agreements (SLAs). As such, it is reasonable to state that there is a desire to reduce threats at least to a degree whereby one can satisfy the SLAs. This article discusses a new perspective on the characteristics of a security architecture that is capable of not only reducing threats accordingly but also anticipating threats before they are manifested, including the capability to address zero-day attacks. The approach is to use adaptive security, which is based in part on complex adaptive systems. Introduction Dan Geer et al summarize the problem we face: central enemy of reliability is complexity... Prevention of insecure operating modes in complex systems is difficult to do well and impossible to do cheaply: The defender has to counter all possible attacks; the attacker only has to find one unblocked means of attack. Putting aside the issue of cost effectiveness, the key element to be addressed using adaptive security is the notion that one must counter all possible attacks. A. Elkhodary et al agree that complexity is the major issue we face and note,...one possible solution to the increased complexity of IT security infrastructure is adaptive security. D. Geer, Monoculture on the back of the Envelope, Login (December 2005). M. Mitchell Waldrop, Complexity: The Emerging Science at the Edge of Order and Chaos, (Simon & Schuster, 1992). 10

2 Security Architecture and Adaptive Security Joel Weise Zero-day Exploit The overall approach taken to address the issue of complexity is two-fold: at the microscopic level utilize autonomic systems that mimic biologic auto-immune systems, and at the macroscopic level utilize the behaviors of an ecosystem of disparate entities in the way that a complex adaptive system is viewed. Note, there are multiple definitions of a complex adaptive system depending upon how one wishes to apply it. Since the focus of this article is on IT systems, the following definition is based in part on the work of John Holland: A complex adaptive system is a dynamic network of multiple dispersed and decentralized agents that constantly interact and learn from one another. Any coherent behavior in the system arises from the agent interaction. A security architecture that exhibits the characteristics of a complex adaptive system should be well-suited to addressing threats. To summarize, the common problems are the following: As complexity of systems increases, their security and integrity decrease A monoculture of systems will allow a pandemic to spread quickly Offensive viruses and adversarial attacks are developed faster than the development of defensive responses In addition to supporting SLAs, primary objectives of adaptive security are integrity and trustworthiness. Integrity is critical to the correct working of both individual systems as well as the entire enterprise or IT infrastructure. Ultimately, the goal of supporting integrity is to instill trust in data and processing resources, that they are trustworthy, reliable, available, and operating within acceptable parameters. Thus the objectives of adaptive security are realized as IT infrastructures: Reduce threat amplification limit the potential spread of a pandemic in a monoculture, i.e., reduce cascading failures Reduce attack surface make the target smaller Reduce attack velocity slow the attack Reduce remediation time respond to an attack faster Ensure the availability of data and processing resources Ensure correctness of data and reliability of processing resources Adaptive security Adaptive security will be discussed using biological and ecosystem metaphors as these provide interesting parallels to the issues, threats and countermeasures applicable to IT systems. Biological and ecological systems maintain integrity by reacting to known threats, adapting to unknown threats, or dying. Responses can be at a microscopic biological level, (e.g., molecular, cellular) or a macroscopic ecosystem level (e.g., system or species). As Darwin tells us, it is adapt or die. SQL Injection As Darwin tells us, it is adapt or die; and to draw a parallel, successful IT ecosystems must be capable of adapting or they will eventually fail for a variety of reasons such as being attacked by predators, being infected by viruses, or just not being able to survive as the environment around them changes. According to the IBM System Journal, by enabling computing systems to make their decisions in consistent and reliable ways, autonomic techniques will engender an extremely adaptive and dynamic operational style. It is this adaptive and dynamic operational style that will allow us to deliver secure and robust solutions capable of ensuing the integrity of data and system resources. Considering an IT infrastructure as an ecosystem comprised of many elements (systems, storage, networks, applications, etc.) similar to a natural ecosystem composed of multiple elements (people, food, air, environmental conditions such as temperature), one can evaluate and draw similarities to how a localized outbreak of a disease or even a pandemic affects these as well as how to respond against such threats. In a natural human ecosystem when a pandemic strikes, not every human will necessarily survive. Survival depends upon a number of factors such as one s specific genetic make up and environmental conditions. Some individuals will have a genetic makeup and live in certain environmental conditions, enabling them to survive the pandemic, while others with different circumstances will not survive. In the natural ecosystem although some individuals will perish, the ecosystem as a whole will survive. When extrapolating this into an IT infrastructure, it may be possible to design it such that if and when a virus strikes (or other conditions warrant), individual components may fail or be sacrificed for the benefit of the entire ecosystem, allowing the system to survive. If an IT infrastructure that can survive and maintain its security, integrity and availability is A. Elkhodary, A Survey of Approaches to Adaptive Application Security, International Workshop on Software Engineering for Adaptive and Self-Managing Systems (IEEE, 2007). D. M. Chess et al, Security in an Autonomic computing Environment, IBM System Journal (2003). 11

3 Security Architecture and Adaptive Security Joel Weise When a virus strikes, individual components may fail or be sacrificed for the benefit of the entire system, allowing the system to survive. to be constructed, we must ask what are the properties and characteristics of a secure ecosystem? A secure ecosystem must exhibit the following characteristics: Flexible and able to adaptively respond to new and different threats Self-detecting, self regulating, self-healing, and selfprotecting Able to learn about norms related to the ecosystems and to detect unauthorized modifications to data, files, file systems, operating systems, and configurations, and then: Quarantine them so that forensics can be done and the ecosystem can learn from the breach Provision resources to take the place of the affected systems to ensure continuity of service Apply corrective measures as needed Use a standardized security model that includes enforcement mechanisms to ensure compliance to a security policy When exhibiting these characteristics, the IT infrastructure would function as an autonomic system and effectively mimic both an organic immune system and a large scale ecosystem. In other words, we want the IT infrastructure to behave like a complex adaptive system. We now look at how human immune systems have moved Sentinel from reactive to adaptive in nature. The adaptive immune response provides the vertebrate immune system with the ability to recognize and remember specific pathogens (to generate immunity) and to mount stronger attacks each time the pathogen is encountered. It is adaptive immunity because the body's immune system prepares itself for future challenges. 5 Immune response mediators (e.g., T-cells) are part of one s immune system. Implementing immune response mediators is an important component to an 5 adaptive security approach. The role that such mediators play in the IT infrastructure is almost identical to their use in the biological sense. That is, they are a form of guardian agents or sentinels that would be deployed throughout the IT infrastructure and act as sensors, identifying threats before they can manifest themselves. These sentinels would work as the threat triggers in conjunction with threat response and feedback mechanisms and moderate the immune response of the IT infrastructure as they do in a biological system. Once a threat has been detected, these sentinels would contact the appropriate threat responders (or a send a message to a response creator) to direct them to the threat. Taking the notion of the sentinels further, it can be envisioned that such functionality would be directly incorporated into various application, network and OS components so that independent IDS or firewall systems would no longer be necessary. Another major aspect of the ecosystem is autonomy. Due to the level of complexity we find in today's IT infrastructures, human intervention to detect and respond to threats will be too slow to react. For this reason IT systems must be capable of analyzing threats and responding to these according to defined security policies without human intervention. Further, such threat detection and response systems must be capable of learning from past threats and then be capable of anticipating new threats and taking appropriate defensive measures. Systems must also be capable of sharing their knowledge of threats and countermeasures with other systems they are federated with and trust. Biologic and ecosystem properties and information systems The following provides a mapping of the different properties of biological and ecological systems that are applicable to information systems. De Castro et al have likewise identified these as beneficial characteristics that would be useful in IT systems. Pattern recognition In the biological world cells recognize various proteins via pattern matching on their surface. Likewise, it is desired that IT systems be capable of matching patterns of both normal and abnormal behavior of code, command and response dialogs, different protocols, etc. Uniqueness Biological organisms possess their own unique immune system that varies from individual to individual and this uniqueness is then associated with different strengths and weaknesses of those individuals. Such uniqueness expressed in IT systems ensures that a monoculture does not exist that could be susceptible to a common computer virus and likewise allows an ecosystem of different and unique L. de Castro, Artificial Immune Systems: A New Computational Intelligence Approach, (Springer-Verlag, 2002). 12

4 Security Architecture and Adaptive Security Joel Weise organisms and IT systems the robustness necessary to survive different threats. Self identity The notion of self and not-self allows an organism to comprehend what is native and what is not, and triggers an elimination process of those not-self things that are considered a threat. In the IT world this concept would be replicated so that that which does not belong according to a specified security policy would likewise be isolated and eliminated. Part of manifesting self- and not-self includes supporting intra/intersystem communication and the sharing of information on threats, countermeasures, security policies and trust relationships between different systems and IT infrastructures. Diversity In the biological world diversity refers to the different types of elements (proteins, cells, etc.) that together embody a wide range of defenses against different threats, including innate and adaptive immunity. In IT systems diversity would manifest itself by architecting different control mechanisms such as compartmentalization via operating system virtualization or TPM-based hardware trust anchors. Disposability Disposability is the notion that no single cell or molecule in an organism is essential for the functioning of the entire immune system. Disposability in an IT infrastructure is represented by the concept of a sacrificial system. This contributes to the overall robustness of an IT infrastructure. Autonomy Autonomy in biological systems means that there is no single element controlling the immune system. The different elements of the immunity system can function autonomously to counter threats. It is likewise desired that such an ability for IT systems exists so that different security and integrity control mechanisms can function in an autonomous fashion to address threats. Multilayered Biological entities support molecular, cellular and other elements that act cooperatively to provide a comprehensive threat response capability. This is the identical notion of defense-in-depth that a well-designed security architecture maintains. No secure layer Any and all cells in an organism are at risk of being attacked at any point in time. This is simply the reality of things and has an exact parallel in the IT world and as such is the underlying assumption within any security policy. This is instantiated via a deny all security policy whereby access is only granted on a need-to-know basis. Anomaly detection In biological immune systems the notion of not-self enables that immune system to recognize and respond to those things that are not part of its known self. Likewise, an IT system should support the capability to automatically recognize and respond to things that are not considered normal behavior or are known explicitly as threats. The intention of using the above-described design approach is to further this characteristic such that one can anticipate threats before they can be manifested. Dynamically changing coverage Biological immune systems have limitations on the number and type of cells and molecules that can detect and respond to pathogens. As such, they maintain a dynamically changing set of these cells and molecules in the hope that the correct mix exists to respond to whatever threats arise. In an IT infrastructure one likewise cannot maintain an unlimited number of threat signatures and threat response mechanisms. Thus one must develop a means to intelligently predict and anticipate what threat response mechanisms should be deployed and utilized at any point in time. Distributivity The different elements of biological immune systems are widely distributed throughout an organism and not under the control of any central mechanisms. In IT terms this distributivity reduces the attack surface. Noise tolerance Biological immune systems do not require an absolute match to recognize pathogens. In the IT world one should likewise desire to have the ability to recognize threats without an absolute match of a virus or similar threat signature. Resilience Although various conditions can reduce the effectiveness of a biological immune system, it maintains a level of resilience that allows it to continue recognizing and countering pathogens. An IT system must similarly have such resilience so that it continues to function in spite of a reduced capacity. Fault tolerance Biological immune systems are composed of redundant elements that function in a complementary fashion. In addition, different elements can be modified to respond to pathogens that they normally would not respond to. In an IT infrastructure one should likewise desire fault tolerance such that different threat response mechanisms can be retooled or their behavior modified to respond to threats they normally would not respond to. Robustness In the biological world robustness is really the aggregate benefit of diversity and distributivity. In the IT world, it obviously makes sense that IT systems also exhibit robustness. Immune learning and memory In the biological world the immune system is by definition adaptive in nature. This adaptiveness allows for faster and more effective responses to pathogens and improves over time as the immune system learns and retains memory of pathogens. It is this adaptiveness that is desired to be mimicked, in particular, the ability to learn and remember threats over time. Predator-prey pattern of response Biological immune systems respond to pathogens via a mediated response mechanism. This allows them to scale up a response as the number of pathogens increases. Such a mediated response mechanism is likewise necessary in our IT environment so that the appropriate level of threat-response controls can be 14

5 Security Architecture and Adaptive Security Joel Weise brought to bear. The triggering and feedback mechanisms described above are used to provide such mediation. Self organization A biological system does not predetermine how it will respond to a challenge but remembers how it responded and determines the most effective response necessary. It then keeps the elements that provided that response, while other elements may be shed. In the design approach noted here, all threat response controls must be capable of adapting their behavior in a similar fashion so that they utilize the most effective countermeasures. Integration with other systems Biological organisms are made of many systems that can be used independently or in concert in a larger ecosystem. It is the intention here that IT systems exhibit the same behavior using a defense-indepth strategy. Conclusion The study of biologic and ecologic systems enables computer scientists to consider new and different means for designing, developing and managing security controls. This is especially critical as IT systems become increasingly complex. Given the rich threat environment that most organizations now operate in, we must consider new methods and mechanisms to proactively address those threats. Adaptive security is one such approach and has the advantage of not only addressing existing threats but also anticipating new threats and enabling security control mechanisms to modify their behavior before the new threats are able to manifest themselves to a critical level. Acknowledgments The author wishes to acknowledge the contributions to the original concepts discussed in this article by Rafat Alvi, Glenn Brunette and Steven Nelson. References Chao, D., (2002) Information Immune Systems. Proceedings of the First International Conference on Artificial Immune Systems. Geer, D., et al, (2003) CyberInsecurity: The cost of Monopoly. How the Dominance of Microsoft s Products Poses a Risk to Security. Liang, G., (2006) An Immunity-Based Dynamic Multilayer Intrusion Detection System, Lecture Notes In Computer Science. Springer-Verlag. Mazhar, N., (2007) BeeAIS: Artificial Immune Systems Security for Nature Inspired, MANET Routing Protocol, Bee- AdHoc, Lecture Notes In Computer Science. Springer-Verlag Santa Fe Institute, Saxena, A., et al, (2007) A Software Framework for Autonomic Security in Pervasive Environments, Lecture Notes In Computer Science. Springer-Verlag. Stevens, M. et al, (2007) Use of Trust Vectors for Cyber- Craft and the Limits of Usable Data History for Trust Vectors, Proceedings of the 2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications IEEE. Ulieru, M., (2006) Autonomic Risk Management for Critical Infrastructure Protection, Integrated Computer Aided Engineering. Wiley-Interscience. About the Author Joel Weise has worked in the field of information security for over 25 years. As the principal engineer and chief technologist for the Sun Client Services Security Program Office, he designs system and application security solutions for a range of different enterprises. Joel is a charter member of the ISSA and the chairman of the ISSA Journal editorial board. He may be reached at Joel.Weise@Sun.com. 15