Identity-Based Cyber Defense March 2017
Attackers Continue to Have Success
- Current security products are necessary but not sufficient
- Assumption is you are or will be breached
- Focus on monitoring, detecting and remediating
(Diagram: NextGen Firewalls, Encryption, Multi-factor Authentication, Advanced Malware Protection, Monitoring and Analytics)
Network Security is a Major Failure Point
The fundamental problem we address:
- Servers and clouds are vulnerable to network-based scans and attacks
- Network connections do not require authentication
- Network designs that expose services and accept unsolicited connections introduce significant risk
- Security leaders can reduce risks by using techniques that isolate services from the internet
What if You Could...
- Isolate and cloak your network and services from unauthorized users
- Stop known and unknown attacks from occurring
- Protect against insider and 3rd party threats while providing identity attribution
BlackRidge is like Authenticated Caller-ID for the Internet
- Authenticates identity before answering the phone
- Protects networks, servers and applications from unwanted or malicious calls (network connections)
- Provides reduced risk and addresses compliance regulations
How it Works: First Packet Authentication
- BlackRidge fixes the vulnerability in the Network Transport Layer that is exploited in 100% of cyber
- BlackRidge Transport Access Control (TAC) authenticates identity and enforces security policy on the first packet, before a network session is established
- Scans and attacks occur during TCP session setup time
(Diagram: network session packet flow over time, TCP/IP session setup followed by data transfer)
- BlackRidge First Packet Authentication stops scans and attacks at the earliest possible time. Current security products start after network sessions are established.
No Network Security Measures In Place
Anyone, bad or good, can access any port on the system.
(Diagram: host with ports 50000, 3306, 443, 80, 53, 22 and 21 all reachable)
March 28, 2017
Traditional Network Security Measures
With a firewall you can block traffic from rogue (bad) IP addresses.
(Diagram: host with ports 50000, 3306, 443, 80, 53, 22 and 21 behind a firewall)
However, what happens when a port scan comes from a trusted IP address? What does refusing a connection tell you?
BlackRidge Stops Network-based Attacks and Supports Network Compliance
Even scans from a trusted IP cannot get through without valid identity.
(Diagram: host with ports 50000, 3306, 443, 80, 53, 22 and 21 behind BlackRidge)
It appears as if the host is not even there!
Most Networks Are Flat
Networks are set up to deliver connectivity.
Without segmented routing any user can access every resource.
(Diagram: hosts 192.168.1.15, 192.168.1.16, 192.168.1.17, 192.168.1.100, 192.168.1.101 and 192.168.1.102 on one flat network)
Remove the Flatness with BlackRidge
BlackRidge policy only forwards traffic to a resource that the identity is authorized for.
An organization can keep its IP schema and physical deployment and still provide network segmentation.
(Diagram: the same hosts 192.168.1.15, 192.168.1.16, 192.168.1.17, 192.168.1.100, 192.168.1.101 and 192.168.1.102, with BlackRidge policy deciding which identity may reach which resource)
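The three ideas on the preceding slides (authenticate identity on the first packet, drop unauthenticated SYNs silently even from a trusted IP, and forward only to resources the identity is authorized for) can be modelled in a few dozen lines. The code below is an added, constructed simulation, not BlackRidge's TAC wire format or product code: the token layout, the shared keys, the freshness window and the addresses are all assumptions made for the example.

```python
# Constructed model of first-packet (SYN) identity authentication. Not BlackRidge's
# TAC protocol: token format, keys, window and policy are all assumptions for the example.
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed per-identity shared keys; a real deployment provisions these out of band.
KEYS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}
# Identity -> set of (resource IP, port) it may reach: the segmentation policy.
POLICY = {"alice": {("192.168.1.100", 22), ("192.168.1.100", 443)},
          "bob": {("192.168.1.101", 3306)}}
TRUSTED_IPS = {"10.0.0.5"}   # what an address-based firewall trusts
WINDOW = 30                  # assumed freshness window (seconds) for the token timestamp

@dataclass
class Syn:
    src_ip: str
    dst_ip: str
    dst_port: int
    token: Optional[str] = None  # identity token carried in the first packet; None = plain SYN

def make_token(identity: str, dst_ip: str, dst_port: int, ts: int) -> str:
    """Client side: bind identity, destination and time under the identity's key."""
    msg = f"{identity}|{dst_ip}|{dst_port}|{ts}".encode()
    mac = hmac.new(KEYS[identity], msg, hashlib.sha256).hexdigest()[:32]
    return f"{identity}|{ts}|{mac}"

def firewall_decision(syn: Syn) -> str:
    """Traditional rule: trust the source address and nothing else."""
    return "ACCEPT" if syn.src_ip in TRUSTED_IPS else "REJECT"

def tac_decision(syn: Syn, now: int) -> str:
    """Gateway side: authenticate the identity on the SYN, then apply policy.
    Anything that fails is silently dropped, so the host looks absent to a scanner."""
    if syn.token is None:
        return "DROP"                         # unauthenticated scan, even from a trusted IP
    try:
        identity, ts_str, mac = syn.token.split("|")
        ts = int(ts_str)
    except ValueError:
        return "DROP"                         # malformed token
    if identity not in KEYS or abs(now - ts) > WINDOW:
        return "DROP"                         # unknown identity or stale (replayed) token
    expected = make_token(identity, syn.dst_ip, syn.dst_port, ts).split("|")[2]
    if not hmac.compare_digest(mac, expected):
        return "DROP"                         # forged token, or token bound to another destination
    if (syn.dst_ip, syn.dst_port) not in POLICY[identity]:
        return "DROP"                         # authenticated, but not authorized for this resource
    return "FORWARD"
```

The contrast the slides draw is visible in the two decision functions: a port probe from the trusted 10.0.0.5 passes `firewall_decision` but never reaches a listener through `tac_decision`.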
Isolated, Protected and Compliant: You Can't Attack What You Can't See
Without BlackRidge: servers being scanned by Zenmap, 12 open ports found.
With BlackRidge installed: servers not found by Zenmap, no open ports found.
Cloaked, Protected and Compliant!
Use Case: Segment and Protect Management Network
(Diagram: trusted clients on a switch enter a TAC Gateway through a trusted ingress port, cross the Internet to a second TAC Gateway whose trusted egress port leads into the Management Network; untrusted clients sit outside)
- Installation and test: <8 hours
- Branch Gateways installation and configuration
- No operational overhead: set it and forget it
"With BlackRidge, not only are we able to stop intruders from using secured network segments, they will not be able to see the castle. No approach, no breach. The BlackRidge solution represents a new way to look at cybersecurity." Bill Thirsk, CIO at Marist College
Use Case: Cloak Assets and Networks
- The average soldier carries greater than six vulnerable points of network connectivity
- Enemy forces are able to detect troops and vehicles, leaving them vulnerable to cyber and physical attack
- With BlackRidge installed for cyber defense: BlackRidge cloaks networks and servers, blocking network scanning and reconnaissance and stopping attacks (stops the kill chain)
Case Study: DOE NREL Cybersecurity Testbed
- Distributed Grid Management lab project for cybersecurity and resilience requirements of the grid
- Function of the testbed is to emulate and demonstrate, as realistically as possible, a real-world environment
- Penetration testing performed by a 3rd party
- BlackRidge provided in-line blocking to protect the Enterprise Information System and the two Advanced Substation Platforms
Reference: "A Layered Solution to Cybersecurity", by Erfan Ibrahim, PhD, Center Director, Cyber-Physical Systems Security & Resilience, National Renewable Energy Lab, Golden, CO. Erfan.Ibrahim@NREL.gov
http://www.blackridge.us/images/site/page-content/doe_nrel_cyber_security_testbed_whitepaper.pdf
End-to-End Enterprise and Cloud Deployment: Virtual/Physical Appliances to Software Endpoints
(Diagram: Data Center (Private Cloud) and Data Center with a security stack and a 10/40/100G TAC Gateway, resources protected by the network gateway; Branch Office with customer router, security stack, switch and 1G/10G TAC Gateway; Remote Users and fixed and mobile Internet of Things running TAC Endpoints, resources protected by server endpoint or virtual appliance; all linked over the Internet through provider routers and customer routers to legacy LANs and VLANs)
Lab Demo: Honeypots & Analytics
(Diagram: BlackRidge 3110 Branch Gateway with trusted users; unmanaged switch with untrusted users; Internet; BlackRidge 3100 Enterprise Gateway; cloud/web analytics and honeypot management; protected resource; unprotected resource; Cisco RV325; Elasticsearch, Logstash, Kibana (ELK))
Summary: A New Level of Real-Time Protection for Networked Systems
- Addresses a gap in TCP network security to stop today's advanced persistent threats and attacks, and supports compliance
- BlackRidge is tested and validated by system and network vendors, commercial banks, the Department of Defense, and intelligence services
- BlackRidge products are available today as a physical or virtual solution for mainframe, cloud or any open system
Cyber Kill Chain: The Fundamental Problem We Address
(Diagram: sequence of an attack)