MACE Cyber Study Kickoff

CID #1 Risk Reduction
Final Report
6 January 2011
Agenda
• Technical/Management
– Introductions and overview
– Technical Architecture Discussion
• Lessons Learned/Management Approach
• Schedule discussion
• Use Case Discussion
• Action Items/Wrap-up
• Lunch - Working
Public Benefits
[Schedule graphic: Phase 1, Phase 2, Phase 3, CID-1 Completion]
CID-1 will:
• Integrate innovative commercial capabilities of Akamai, BlackRidge, and HBGary.
• Accelerate respective commercial product roadmaps.
• Demonstrate significantly enhanced commercial cyber security capabilities, illustrated through an e-banking use case.
• Enable government-unique use cases such as integrated SIPRNet endpoint authentication and trust assessment, securely communicated to an existing content data network or web server for threat detection and remediation.
Core Component Capabilities
• Endpoint Payloads; Hacker “Toolmarks”; Trust Values
• Secure TCP/IP session; steganographic tokens in packet header
• Internationally deployed platform reaching 73 countries, covering 20% of the world’s web traffic
Financials & Challenges
• CID-1 Project is fully funded (incremental)
• Channel partnerships are going to take work by all involved.
• If successful, a transition partner and organization must be identified – Use case discussion
• Both technical and business meetings will be scheduled.
CID-1 Target Use Cases
• Target Capability
– Software endpoint agent: Provide real-time characterization of the trust level of a protected endpoint, for multiple instances of trust assessment.
– Transport access control (TAC) client and Gateway: The TAC client and the TAC Gateway are provisioned with a multi-mode identity which conveys the identity and security posture assessment of the protected endpoint. The TAC Gateway recovers the identity and security posture assessment.
– Data center: Provide hosted web services, with the TAC gateway in-line to the data center portal, enabling a risk-based response.
• Enabled governmental use cases:
– The commercial use case is the government use case for protecting TIC, NIPRNet, or SIPRNet gateways and network resources.
– The ability to interface with GFE endpoint agents; the ability to use witting or unwitting host traffic; the ability to transmit a unique tag for authenticating endpoints on the first packet, and to provide a protected communications path; the ability to recover or redirect tagged traffic at line-rate, in real-time; and the ability to access 10-20% of the world’s web traffic through a global content provider; all enable a range of government-unique missions.
• Enabled commercial use cases: e-commerce, fraud mitigation, unauthorized and fraudulent use detection and tracking (is the protected endpoint in a known and trusted state or has it been compromised?)
Goals for CID-1
[Diagram: Endpoint → Cloud Services. The first packet carries a steganographic hash of endpoint identity and trust level (Endpoint Identity, Protected User Data). Risk Reduction Focus: establish identity and trust prior to the TCP/IP session. Networks: Internet, NIPRNet, SIPRNet. Endpoint Trust Policy Engine; Situational Awareness: compromises and unknown endpoints across the enterprise. Outcomes: Protected Web Services (known endpoint, high trust); Validation & Remediation (known endpoint, low trust). Continuous assessment of endpoint compromise and trust level.]
Technical Architecture
• Discuss the specifics of implementation
– end-to-end
– “Whiteboard”: dataflows, transactions, processing
• Use BlackRidge’s initial technical architecture.
• Define issues, actions and schedule items
• Breakdown of what can be and should be done at each of the demonstration points. We would like to also entertain:
– What additional items we can/should demonstrate
– Where demonstrations would help you in your business marketing plan.
Technical Architecture
[Diagram labels: Client (Microsoft XP O/S, HB Gary Security Assessment, BlackRidge TAC Client Driver); Ethernet Switch; BlackRidge Gateway; Ethernet Switch; Primary Server; Alternate Server; Trust Traffic; No-Trust Traffic. TAC Gateway: verifies authenticity of sender; extracts security posture indication.]
1. Content provider generates web traffic distributed by a Content Delivery Network (CDN) provider
2. Endpoint client generates resource request
3. TAC Client generates TAC modal identity token with security posture assessment and inserts it into the first packet of the session establishment request for the desired network resource.
4. TAC Gateway in data center recognizes token and takes action in conjunction with CDN: transport resource session request, clone or redirect session.
5. Reverse C3 path via store and forward acknowledgement at TAC Gateway
Technical Architecture
• Transaction Monitor
• TAC Gateway
– Verifies authenticity of sender
– Extracts security posture indication
– Stops/Routes/Re-routes traffic
• For each type of traffic…
– can be measured
– can be blocked
– can be routed either way
– can be routed both ways?
• Do no harm…
– Policy engine off but in-line
[Diagram labels: Compromised Client; Trusted Client; Unknown Client; HB Gary Trust Assessment; BlackRidge TAC Client Driver; TAC Gateway; Application Server; Remediation Server; Demonstration Clone; HBGary Customer Support Site (HTTPS); Web Accelerator Services.]
Whiteboard Exercise
Questions
• What does the architecture look like for a commercial use case?
– It is different for a SIPRNET/NIPRNET application
• How is traffic routed through Akamai?
– Can we do a global demonstration?
• Where is the development?
– Who needs what?
– Who are the resource constraints?
– What are the risks?
Unclassified For Official Use Only
Approach and Lessons Learned
• Discuss the team interaction plan
• Discussion of what we learned in the CID risk reduction to incorporate it into the plan.
Implementation Approach
• Initial Kick-off meeting – this meeting
– Face-to-face discussion
• Weekly Tag-ups – More?
– Quick team discussion to determine issues that need to be worked
• Engineer-to-Engineer working discussions
– The real work, to include informal deliveries / integration drops
– BlackRidge provided integration infrastructure
• Tools
– Teleconference – used for tag-ups
– Collaboration
– File share
Observations & Lessons Learned
• Project Management
– Confusion on team common goal versus external company managing a standard project with deliverables separable from commercial product roadmap
– Terminology – Program management versus systems engineering
– LL: Re-emphasize common channel partnership versus standard prime/sub government contract
• Channel Partnerships
– Kick-off was well attended – could have been longer and should have included technical discussion since all players were in the same place
– Great initial interaction - technical “riff” of what partnerships could include
– Follow-ups have been difficult to schedule and mature
– Confusion on how all parties are to interact – channel partnerships to provide integration.
– Re-affirmation needed to focus outcomes to be commercially beneficial as opposed to just completing the deliverables
– LL: Channel partnerships take work and priority over other activities. Schedule specific channel partnership discussions in addition to technical dialogs.
Observations & Lessons Learned
• Implementation/Integration
– Good use of Interface Control Documents
• LL: API specifications should include operational assumptions, including interrupt operating levels, call restrictions, and timing and latency requirements.
• LL: Topological assumptions should include operational assumptions, including LAN, Network, Transport and Application addressing, with examples and walkthroughs.
– Engineering teams worked well together to troubleshoot and bugfix through integration testing
• LL: Differences existed in product drop maturity (prototype versus production) that need to be part of project kick-off
Observations & Lessons Learned
• Implementation/Integration
– Strategy for integration platform was not initially identified – this will be an issue for all CIDs
• Recommendation: Establish a live integration test environment which teammates can access securely (VPN, VMware, etc.)
• LL: A demonstration that includes malware or any security compromise will be a CM concern within an engineering testbed.
– Integration schedule between individuals was difficult to work at times – people are busy
• Recommendation: Establish online project calendar with availability of key personnel and project milestones
Schedule
• Discuss schedule of activities for us to generate an integrated schedule.
[Schedule graphic: Phase 1, Phase 2, Phase 3, CID-1 Completion]
• These demonstrations should help you sell!
Schedule – Demo 1
• Demonstrate identification and security trust insertion at the protected endpoint:
– Endpoint security library shall be integrated with TAC client
– A protected endpoint shall be provisioned with the client, and configured to demonstrate good security trust with respect to the assessment.
– A protected endpoint shall be provisioned with the client, and configured to demonstrate bad security trust with respect to the assessment.
– The demonstration shall differentiate between good and bad trust at the endpoint in the presence of endpoint compromises, for a reasonable set of threat vectors.
• What needs to be completed to really demonstrate this capability?
– BlackRidge TAC product baseline
– HBGary client update / client product
– What additional functionality would you like to see integrated?
• IP Blacklisting?
Whiteboard Exercise
This briefing includes Blackridge and HBGary proprietary information – use of this information for
other purposes requires permission from the respective parties
Schedule – Demo 2
• Identification and security trust response at the protected data center
– The TAC Gateway shall be installed, configured and provisioned at the data center.
– The TAC Gateway shall be provisioned to identify a multi-mode TAC identity. This allows the protected communication of both identity and endpoint state.
– The demonstration website shall be provisioned with HTTPS support at the data center.
– The application will be a mock financial website, using HTTPS for the protocol to demonstrate compatibility with encrypted traffic.
– Demonstrate reception of inserted identification and security trust at the data center.
– Differentiate between identities and trust states of the endpoint in the presence of attempted attacks, for a reasonable set of threat vectors.
Whiteboard Exercise
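The flow that the Technical Architecture steps describe (the TAC client inserts an identity and security-posture token into the first packet of session establishment; the TAC gateway verifies the sender, extracts the posture, and transports, redirects or stops the session), and that Demo 1 and Demo 2 require the endpoint and the data center to show, can be modelled end to end. The block below is an added Python illustration written for this page; it is not BlackRidge, HBGary or Akamai code. Everything in it is a constructed assumption: the token layout (16-bit identity, 8-bit trust level, 32-bit nonce, truncated HMAC-SHA256 tag), the shared key, the identity numbers, the dict that stands in for a SYN, and the action names. The real product's steganographic header encoding is not modelled. The model goes slightly beyond the slides in two places, both labelled in the code: it adds a nonce replay check, and it implements the "policy engine off but in-line" mode from the second architecture slide as an observe-only gateway that still classifies and counts traffic ("can be measured") but never changes its path ("do no harm").

```python
# Added illustration (not BlackRidge/HBGary/Akamai code): a first-packet
# identity+trust token inserted by an endpoint client and checked by an
# in-line gateway. Token format, key, identities, packet model and action
# names are all constructed for this example.
import hashlib
import hmac
import os
import struct
from collections import Counter
from typing import Optional, Tuple

TAG_LEN = 8                    # truncated MAC length (constructed choice)
TRUST_LOW, TRUST_HIGH = 1, 2   # constructed trust-level encoding
BODY_LEN = 2 + 1 + 4           # identity (16 bit) + trust (8 bit) + nonce (32 bit)


def make_token(key: bytes, identity_id: int, trust: int,
               nonce: Optional[bytes] = None) -> bytes:
    """Endpoint side: bind identity and assessed trust level to a fresh nonce with an HMAC."""
    nonce = nonce if nonce is not None else os.urandom(4)
    body = struct.pack("!HB", identity_id, trust) + nonce
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def first_packet(token: Optional[bytes], dst: str = "bank.example") -> dict:
    """Constructed stand-in for the session-establishment packet; the token rides in an opaque option field."""
    pkt = {"syn": True, "dst": dst}
    if token is not None:
        pkt["opt"] = token
    return pkt


class TacGateway:
    """In-line gateway model: verify the sender, extract trust, choose an action."""

    def __init__(self, key: bytes, known_identities, enforce: bool = True):
        self.key = key
        self.known = set(known_identities)
        self.enforce = enforce        # False models "policy engine off but in-line"
        self.seen_nonces = set()      # replay cache (unbounded here; window it in practice)
        self.counters = Counter()     # "can be measured": verdict counts per traffic class

    def verify(self, pkt: dict) -> Tuple[str, Optional[int], Optional[int]]:
        """Classify one first packet: (verdict, identity, trust)."""
        token = pkt.get("opt")
        if token is None:
            return "untagged", None, None                  # non-participating host
        if len(token) != BODY_LEN + TAG_LEN:
            return "invalid", None, None
        body, tag = token[:BODY_LEN], token[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):         # sender authenticity
            return "invalid", None, None
        identity_id, trust = struct.unpack("!HB", body[:3])
        nonce = body[3:]
        if nonce in self.seen_nonces:                      # replay check (added, not on the slides)
            return "replay", identity_id, trust
        self.seen_nonces.add(nonce)
        if identity_id not in self.known:
            return "unknown", identity_id, trust
        return ("known-high" if trust >= TRUST_HIGH else "known-low"), identity_id, trust

    def decide(self, pkt: dict) -> dict:
        """Map the verdict to a path; in observe-only mode everything is transported unchanged."""
        verdict, identity_id, trust = self.verify(pkt)
        self.counters[verdict] += 1
        policy = {
            "known-high": "transport",   # on to the protected web services
            "known-low": "redirect",     # to the validation/remediation server
            "untagged": "alternate",     # no-trust path
            "unknown": "alternate",
            "invalid": "block",
            "replay": "block",
        }
        action = policy[verdict] if self.enforce else "transport"
        return {"verdict": verdict, "identity": identity_id, "trust": trust, "action": action}


def run_demo() -> list:
    """Drive the gateway with constructed packets; returns the decisions in order."""
    key = b"constructed-demo-key"
    gw = TacGateway(key, known_identities={0x0101, 0x0202})
    good = make_token(key, 0x0101, TRUST_HIGH)
    bad = make_token(key, 0x0202, TRUST_LOW)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one bit of the MAC
    packets = [first_packet(good), first_packet(bad), first_packet(None),
               first_packet(tampered), first_packet(good)]   # last one replays the first
    return [gw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Running it shows the five cases the demos call for: a known high-trust endpoint is transported, a known low-trust endpoint is redirected to remediation, an untagged host takes the no-trust path, a tampered token and a replayed token are blocked. Constructing a second `TacGateway` with `enforce=False` yields the same verdicts and counters but always returns `transport`, which is the safe first deployment posture the "do no harm" slide asks for.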
Schedule – Demo 3
• …based on sponsor feedback, use case and business model considerations for the commercial partners, and lessons learned from the initial six month effort, additional features will be demonstrated... notional requirements of the demonstration:
– Lightweight endpoint security library at the endpoint, suitable for remote provisioning.
– Tagging and redirection of live sessions at the TAC appliance, based on identity and security policy.
– Quality of service tailored to identity and security policy.
– Exposure to large volumes of non-participating live traffic, to assess optimum configurations for operational systems.
– Integration of additional client-side security capabilities (all or subset) with additional server-side application layer security capabilities.
Whiteboard Exercise
Use Case Discussion
• Talk about additional scenarios, to include what would be required for the capabilities to truly be meaningful to the NIPRNET/SIPRNET and/or other commercial thrusts.
Whiteboard Exercise
Actions
Channel Partner Discussion
• Here is the notional order for breakout sessions
1. Akamai/BlackRidge
2. Akamai/HB Gary
3. BlackRidge/HB Gary
• Discuss areas (commercial and government) in which cooperation would yield value to each company