Cyber SPK InterHost Intrusion Prevention System IHIPS - PowerPoint PPT Presentation

1
Cyber SPK Inter-Host Intrusion Prevention System
(IHIPS)
  • Zero-day Threat Protection

2
Outline
  • Evolving Cyber Threats
  • Beyond Simple Perimeter Defenses
  • Host Defense Options
  • Zero-day Attacks: The Unknown Threat
  • Cyber SPK Inter-host Intrusion Prevention System
    (IHIPS)

3
Attacks are changing
(chart: Major Malware Trends, timeline from 1985 to 2005)
4
Motivations of hackers are changing
By 2010, financially motivated Internet-based
attacks will represent 70% of total incidents and
will represent 80% of the incident costs incurred
by enterprises. "The most dangerous security
threat of all is the love of money and how it is
driving fraud and crime in the online world.
Hacking is not about getting your 15 minutes of
fame anymore. Cyber-crime is a multi-million
dollar global business." - Ken Durham, iDefense
5
Attacks are moving up the stack
(chart; figures shown: 18 and 71)
6
Outline
  • Evolving Cyber Threats
  • Beyond Simple Perimeter Defenses
  • Host Defense Options
  • Zero-day Attacks: The Unknown Threat
  • Cyber SPK Inter-host Intrusion Prevention System
    (IHIPS)

7
Network defenses are necessary but not sufficient
(network diagram: Branch Network, Firewall, IPS, DMZ and Corporate Network, with the following paths that bypass the perimeter)
  • WLAN providing alternate paths into the network
  • Encrypted attacks over the internet
  • Mobile users leaving the safety of the perimeter
  • Insider attacks
8
Outline
  • Evolving Cyber Threats
  • Beyond Simple Perimeter Defenses
  • Host Defense Options
  • Zero-day Attacks: The Unknown Threat
  • Cyber SPK Inter-host Intrusion Prevention System
    (IHIPS)

9
Host Defense Options
(diagram: Gartner's nine protection styles of host-based intrusion prevention, arranged by approach; the numbering runs from network-level inspection (1-3) through system and application checks (4-6) to runtime behavior controls (7-9); diagram label: Malicious Code)
  • Block Known Bad: 1 Attack-Facing Network Inspection,
    4 Antivirus, 7 Resource Shielding
  • Allow Known Good: 2 Personal Firewall,
    5 System Hardening, 8 Application Hardening
  • Evaluate Unknown: 3 Vulnerability-Facing Network Inspection,
    6 Application Inspection, 9 Behavioral Containment

Source: Gartner, Understanding the Nine Protection Styles
of Host-Based Intrusion Prevention
10
Antivirus, Personal Firewall, Vulnerability Patching
The time for a more complete approach to
host-based intrusion prevention is here.
Traditional antivirus and personal firewall
solutions are no longer sufficient to protect
endpoint systems against targeted
application-level attacks,
and we can't keep our systems patched as quickly
as new vulnerabilities are announced.
- Neil MacDonald, Understanding The Nine Styles
of Host-Based Intrusion Prevention, Gartner
Research, May 2005
11
Signature-based Host Defense
  • Signature-based techniques (such as AV)
    • Require many users to be attacked before a
      signature is developed
    • Are reactive, not proactive
    • Break down when faced with targeted zero-day
      attacks
    • Break down when overloaded by variants

Cyber-criminals working to release viruses
against computer users are testing against
antivirus software. They know what works and how
to create variants. - Robin Bloor, Hurwitz
Associates, Network World, April 2007
12
Rules-based Host Defense
  • Rules-based techniques (such as firewalls)
    • Break down when cyber-criminals conform their
      attacks to operate within allowable rules
    • Create a trade-off between manageability and
      security
      • More lockdown creates more rules to maintain
      • Change becomes slow and difficult to manage
    • Right vs. wrong rules are not readily
      apparent to average users

13
Patching: A race you can't win
(timeline: Vulnerability published, 54 days, Patch)
Source: Symantec Internet Security Threat Report,
H1 2005
14
Weaknesses of non-signature Host Intrusion
Prevention
  • Reliance on users to accept or reject a
    particular behavior - most users lack the
    knowledge to make such decisions
  • Too many false positives: failure to discriminate
    adequately between genuine program activity and
    that of malware
  • Serious degradation of system performance
  • Costly and complicated installation,
    configuration and on-going management

15
Outline
  • Evolving Cyber Threats
  • Beyond Simple Perimeter Defenses
  • Host Defense Options
  • Zero-day Attacks: The Unknown Threat
  • Cyber SPK Inter-host Intrusion Prevention System
    (IHIPS)

16
Zero-day: The Unknown Threat
  • Zero-day threats are new or unknown attacks for
    which a patch or signature has not been written
  • Zero-day attacks are on the rise and are aided by
    widespread usage of professional malware toolkits
  • Financial incentives fuel the drive to discover
    and exploit zero-day vulnerabilities, and to keep
    exploits from being disclosed
  • The window of vulnerability for zero-day attacks
    is expanding as hackers emphasize stealth in
    devising their malicious exploits

17
Zero-day Attacks: Where is the last line of
defense?
(diagram: the nine protection styles again, with Behavioral Containment now labelled Automated Behavioral Containment; diagram label: Malicious Code Executing)
  • Block Known Bad: 1 Attack-Facing Network Inspection,
    4 Antivirus, 7 Resource Shielding
  • Allow Known Good: 2 Personal Firewall,
    5 System Hardening, 8 Application Hardening
  • Evaluate Unknown: 3 Vulnerability-Facing Network Inspection,
    6 Application Inspection, 9 Automated Behavioral Containment
18
Outline
  • Evolving Cyber Threats
  • Beyond Simple Perimeter Defenses
  • Host Defense Options
  • Zero-day Attacks: The Unknown Threat
  • Cyber SPK Inter-host Intrusion Prevention System
    (IHIPS)

19
Cyber SPK Inter-Host Intrusion Prevention System
(IHIPS)
  • Cyber SPK IHIPS is a multi-host behavioral
    containment solution that provides robust
    protection against zero-day host attacks by
    employing
    • Advanced behavioral analysis techniques
    • Unique inter-host data mining

Cyber SPK IHIPS detects and prevents zero-day
attacks without requiring human intervention
20
Cyber SPK Behavioral Analysis
  • Cyber SPK host agents intercept data access,
    control, permissions and network related
    activities and correlate process actions based on
    their real-time behaviors
  • When a potentially malicious process executes on
    a host it will attempt to perform a series of
    actions. These actions are monitored and
    correlated to determine if the activity is
    suspicious or malicious
  • When malicious behavior is detected, the process
    is blocked and terminated before it can carry out
    all of its actions and the malicious process is
    prevented from running again
  • Information regarding either suspicious activity
    or an actual malicious attack is forwarded to the
    Cyber SPK Central Threat Repository (CTR) for use
    in inter-host data mining
  • Cyber SPK's inter-host data mining process
    results in the identification of other hosts that
    are at risk. Cyber SPK host agents (for the
    at-risk systems) are notified and take
    appropriate defensive measures to repel the
    attack

21
Cyber SPK Inter-host Data Mining
  • Data indicating suspicious or malicious activity
    is collected from hosts across the network and
    deposited in the network's Central Threat
    Repository (CTR)
  • If available, data is collected from network
    level third party intrusion prevention systems
    (TIPS) and deposited in the network's CTR
  • The network CTR is data mined and analysis is
    performed to identify potential attacks and
    at-risk hosts
  • Attack prevention commands are issued to Cyber
    SPK host agents, enabling the host agent to
    defend against the attack
  • Cyber SPK IHIPS can be scaled beyond an
    individual network to provide a broader spectrum
    of host protection through Inter-Network Data
    Mining
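Slides 20 and 21 describe a two-stage flow: a host agent correlates a process's intercepted actions and contains the process when they add up to malicious behavior, then the Central Threat Repository (CTR) mines the resulting alerts across hosts and pushes protection commands to hosts that are at risk but have not yet seen the attack. The following Python model is an added illustration of that flow for this transcript; it is not Cyber SPK's code or design. The indicator categories, weights, threshold, host names and program names are all constructed, and the CTR's "at-risk" criterion (same program installed, no alert raised yet) is an assumption chosen for the example.

```python
"""Toy model of the two-stage flow on slides 20 and 21: a host agent
correlates a process's intercepted actions and contains it when the score
crosses a threshold; the Central Threat Repository (CTR) mines alerts from
many hosts and pushes a protection command to hosts that run the same
program but have not yet raised an alert. Indicator names, weights, hosts
and program names are all constructed; none of this is Cyber SPK's code."""
from collections import defaultdict
from dataclasses import dataclass, field

# Coarse categories of intercepted activity (data access, control,
# permissions, network). Weights and threshold are illustrative only.
INDICATOR_WEIGHTS = {
    "write_autorun_location": 3,        # persistence
    "modify_file_permissions": 2,       # permissions tampering
    "read_credential_store": 3,         # sensitive data access
    "outbound_connection_new_host": 2,  # network activity
}
CONTAIN_THRESHOLD = 6


@dataclass
class Alert:
    host: str
    program: str
    indicators: tuple  # sorted indicator names: the behavioural fingerprint
    score: int


@dataclass
class HostAgent:
    host: str
    observed: dict = field(default_factory=lambda: defaultdict(set))
    blocked: set = field(default_factory=set)

    def observe(self, program, action):
        """Record one intercepted action. Returns an Alert when the correlated
        score reaches the threshold; the program is then blocked for good."""
        if program in self.blocked:
            return None
        seen = self.observed[program]
        seen.add(action)
        score = sum(INDICATOR_WEIGHTS.get(a, 0) for a in seen)
        if score < CONTAIN_THRESHOLD:
            return None
        self.blocked.add(program)
        return Alert(self.host, program, tuple(sorted(seen)), score)

    def apply_command(self, program):
        """Protection command from the CTR: block `program` pre-emptively."""
        self.blocked.add(program)


@dataclass
class CentralThreatRepository:
    alerts: list = field(default_factory=list)

    def ingest(self, alert):
        self.alerts.append(alert)

    def mine(self, inventory):
        """inventory: host -> set of installed programs. Returns
        {program: [at-risk hosts]}, i.e. hosts that have a reported program
        installed but have not raised an alert for it themselves."""
        reporters = defaultdict(set)
        for a in self.alerts:
            reporters[(a.program, a.indicators)].add(a.host)
        commands = {}
        for (program, _fingerprint), hosts in reporters.items():
            at_risk = sorted(h for h, progs in inventory.items()
                             if program in progs and h not in hosts)
            if at_risk:
                commands[program] = at_risk
        return commands


def run_scenario():
    """Constructed scenario: 'updater.exe' is installed on three hosts and
    misbehaves on two; the third is protected before it ever runs it."""
    inventory = {"host-a": {"updater.exe", "editor.exe"},
                 "host-b": {"updater.exe"}, "host-c": {"updater.exe"}}
    agents = {h: HostAgent(h) for h in inventory}
    ctr = CentralThreatRepository()
    # One permissions change by a benign program stays below the threshold.
    benign_alert = agents["host-a"].observe("editor.exe", "modify_file_permissions")
    # The agent contains the process at the third action; the fourth never runs.
    sequence = ["write_autorun_location", "outbound_connection_new_host",
                "read_credential_store", "modify_file_permissions"]
    for host in ("host-a", "host-b"):
        for action in sequence:
            alert = agents[host].observe("updater.exe", action)
            if alert:
                ctr.ingest(alert)
    commands = ctr.mine(inventory)
    for program, hosts in commands.items():
        for host in hosts:
            agents[host].apply_command(program)
    # host-c's first attempt to run the program is refused outright.
    attempt = agents["host-c"].observe("updater.exe", "write_autorun_location")
    return {"benign_alert": benign_alert,
            "alerts": [(a.host, a.score, len(a.indicators)) for a in ctr.alerts],
            "commands": commands,
            "host_c_blocked": "updater.exe" in agents["host-c"].blocked,
            "host_c_attempt_alert": attempt}
```

Two points the model makes concrete: containment is driven by the correlation of several actions, so a single permissions change by a benign program never trips it, and the CTR keys alerts by the behavioural fingerprint rather than by a file signature, which is what lets it protect the third host before that host has observed anything. In a real deployment the weights, the threshold and the at-risk criterion would be the tuning knobs that trade false positives against coverage.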

22
Cyber SPK Inter-host Data Mining
Network CTR
SPK Host Agents send alert to CTR
CTR mines the data for risk to other hosts on the
network
23
Cyber SPK Inter-host Data Mining
Network CTR
CTR issues alert and instructs other Host Agents
how to protect from the new attack automatically
24
Cyber SPK Inter-host Data Mining
Network CTR
Host systems are protected without human
intervention
25
Cyber SPK Inter-Network Data Mining
(diagram: a Master CTR linked to three Network CTRs; label: Suspicious/Malicious activity alert)
26
Cyber SPK Inter-Network Data Mining
(diagram: a Master CTR linked to three Network CTRs; label: Suspicious/Malicious activity alert)
27
Cyber SPK Inter-Network Data Mining
(diagram: a Master CTR linked to three Network CTRs; labels: Suspicious/Malicious activity alert, Host Protection Command)
28
Conclusions
  • Signature and rules-based host defenses cannot
    protect against zero-day attacks
  • Behavioral containment solutions represent the
    last line of defense against zero-day attacks
  • Cyber SPK Inter-Host Intrusion Prevention System
    (IHIPS) provides multi-host behavioral
    containment without human intervention
  • Cyber SPK IHIPS is uniquely scalable to enable
    inter-network data mining of threat indicators,
    which provides even greater protection against
    zero-day host attacks

29
Contact Information
Dirk Smith, Cyber SPK, LLC
74 Northeastern Blvd., Suite 12, Nashua, New Hampshire 03062 USA
Tel (603) 386-6187
www.CyberSPK.com
dirk_at_CyberSPK.com