
Publication


Featured research publications by Douglas Lee Schales.


IEEE International Conference on Cloud Computing Technology and Science | 2009

Cloud security is not (just) virtualization security: a short paper

Mihai Christodorescu; Reiner Sailer; Douglas Lee Schales; Daniele Sgandurra; Diego Zamboni

Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider runs them, often without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution requires learning what guest OS runs in each VM and securing the guest OS without relying on guest OS functionality or on an initially secure guest VM state. We present a solution that is highly scalable in that it (i) centralizes guest protection into a security VM, (ii) supports Linux and Windows operating systems and can be easily extended to support new operating systems, (iii) does not assume any a priori semantic knowledge of the guest, and (iv) does not require any a priori trust assumptions about any state of the guest VM. While other introspection monitoring solutions exist, to our knowledge none of them monitors guests at the semantic level required to effectively support both white- and black-listing of kernel functions, or allows monitoring of VMs to start at any state during run-time, resumed from saved state, or cold-booted, without the assumption of a secure start state for monitoring.


International Conference on Data Engineering | 2015

FCCE: Highly scalable distributed Feature Collection and Correlation Engine for low latency big data analytics

Douglas Lee Schales; Xin Hu; Jiyong Jang; Reiner Sailer; Marc Ph. Stoecklin; Ting Wang

In this paper, we present the design, architecture, and implementation of a novel analysis engine, called Feature Collection and Correlation Engine (FCCE), that finds correlations across a diverse set of data types spanning over large time windows with very small latency and with minimal access to raw data. FCCE scales well to collecting, extracting, and querying features from geographically distributed large data sets. FCCE has been deployed in a large production network with over 450,000 workstations for 3 years, ingesting more than 2 billion events per day and providing low latency query responses for various analytics. We explore two security analytics use cases to demonstrate how we utilize the deployment of FCCE on large diverse data sets in the cyber security domain: 1) detecting fluxing domain names of potential botnet activity and identifying all the devices in the production network querying these names, and 2) detecting advanced persistent threat infection. Both evaluation results and our experience with real-world applications show that FCCE yields superior performance over existing approaches, and excels in the challenging cyber security domain by correlating multiple features and deriving security intelligence.


Information Reuse and Integration | 2014

Stream computing for large-scale, multi-channel cyber threat analytics

Douglas Lee Schales; Mihai Christodorescu; Xin Hu; Jiyong Jang; Josyula R. Rao; Reiner Sailer; Marc Ph. Stoecklin; Wietse Z. Venema; Ting Wang

The cyber threat landscape, controlled by organized crime and nation states, is evolving rapidly towards evasive, multi-channel attacks, as impressively shown by malicious operations such as GhostNet, Aurora, Stuxnet, Night Dragon, or APT1. As threats blend across diverse data channels, their detection requires scalable distributed monitoring and cross-correlation with a substantial amount of contextual information. With threats evolving more rapidly, the classical defense life cycle of post-mortem detection, analysis, and signature creation becomes less effective. In this paper, we present a highly-scalable, dynamic cybersecurity analytics platform extensible at runtime. It is specifically designed and implemented to deliver generic capabilities as a basis for future cybersecurity analytics that effectively detect threats across multiple data channels while recording relevant context information, and that support automated learning and mining for new and evolving malware behaviors. Our implementation is based on stream computing middleware that has proven high scalability, and that enables cross-correlation and analysis of millions of events per second with millisecond latency. We report the lessons we have learned from applying stream computing to monitoring malicious activity across multiple data channels (e.g., DNS, NetFlow, ARP, DHCP, HTTP) in a production network of about fifteen thousand nodes.


Dependable Systems and Networks | 2016

BAYWATCH: Robust Beaconing Detection to Identify Infected Hosts in Large-Scale Enterprise Networks

Xin Hu; Jiyong Jang; Marc Ph. Stoecklin; Ting Wang; Douglas Lee Schales; Dhilung Kirat; Josyula R. Rao

Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as update checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.


IBM Journal of Research and Development | 2016

Closing the loop: Network and in-host monitoring tandem for comprehensive cloud security visibility

Stefan Berger; Yangyi Chen; Xin Hu; Dimitrios Pendarakis; Josyula R. Rao; Reiner Sailer; Douglas Lee Schales; Marc Ph. Stoecklin

Cloud computing has not only become attractive for organizations and end-users but also for attackers that use cloud environments to exploit the offered economies of scale—a cloud environment consists of a large set of systems with an excellent network connectivity setup and similar configurations. In this paper, we propose a comprehensive approach towards monitoring cloud computing environments by building an awareness framework combining passive network monitoring principles with in-host monitoring. Passive network monitoring is able to detect suspicious activities from observations on the network layer but cannot provide any attribution to processes on cloud computing instances. In contrast, in-host auditing subsystem monitoring provides fine-grained information of events within a given instance but misses the higher-level perspective of events across the environment. We have devised a system using a big data approach combining analytics on both levels. The analytics complement each other to detect advanced cyber security attacks and provide contextual links to security analysts investigating these attacks. We demonstrate the utility and efficacy of the framework by means of a study of a sophisticated advanced persistent threat style internal spear-phishing attack on a large-scale productive cloud environment.


IBM Journal of Research and Development | 2016

Passive security intelligence to analyze the security risks of mobile/BYOD activities

Marc Ph. Stoecklin; Kapil Singh; Larry Koved; Xin Hu; Suresh Chari; Josyula R. Rao; Pau-Chen Cheng; Mihai Christodorescu; Reiner Sailer; Douglas Lee Schales

As enterprises embrace mobile technologies and enable their employees to bring their own devices, traditional security mechanisms are challenged by the co-location of personal and business activities on employee-owned mobile devices on the enterprise network. This presents a new risk to enterprises, as employee-owned devices can now be used as stepping stones for bypassing traditional enterprise perimeter security. Current Bring Your Own Device (BYOD) programs usually either do not manage employee-owned devices or are limited by self-enrollment and device heterogeneity challenges. In this paper, we introduce a novel, nonintrusive big data analytics methodology to obtain visibility into mobile device usage. At the heart of the methodology is an inference algorithm that uses a dynamic decision tree in near real-time to fingerprint mobile devices and their usage by analyzing passively collected network data. Information such as device type, device model, and operating systems/versions, as well as applications and their patch level, can be inferred, all without an agent installed on the devices. We correlate such information with supplemental security intelligence (e.g., vulnerability information) to discover previously unknown mobile devices on an organization's network and to establish their security posture and risk. Our evaluation on a major corporate network indicates that mobile devices can be reliably identified while mitigating their potential threats, thus demonstrating that our methodology provides valuable insights to enterprise security administrators.


Computer and Communications Security | 2018

Threat Intelligence Computing

Xiaokui Shu; Frederico Araujo; Douglas Lee Schales; Marc Ph. Stoecklin; Jiyong Jang; Heqing Huang; Josyula R. Rao

Cyber threat hunting is the process of proactively and iteratively formulating and validating threat hypotheses based on security-relevant observations and domain knowledge. To facilitate threat hunting tasks, this paper introduces threat intelligence computing as a new methodology that models threat discovery as a graph computation problem. It enables efficient programming for solving threat discovery problems, equipping threat hunters with a suite of potent new tools for agile codifications of threat hypotheses, automated evidence mining, and interactive data inspection capabilities. A concrete realization of a threat intelligence computing platform is presented through the design and implementation of a domain-specific graph language with interactive visualization support and a distributed graph database. The platform was evaluated in a two-week DARPA competition for threat detection on a test bed comprising a wide variety of systems monitored in real time. During this period, sub-billion records were produced, streamed, and analyzed, dozens of threat hunting tasks were dynamically planned and programmed, and attack campaigns with diverse malicious intent were discovered. The platform exhibited strong detection and analytics capabilities coupled with high efficiency, resulting in a leadership position in the competition. Additional evaluations on comprehensive policy reasoning are outlined to demonstrate the versatility of the platform and the expressiveness of the language.


Archive | 2010

Adaptive cyber-security analytics

Lisa Amini; Mihai Christodorescu; Mitchell A. Cohen; Srinivasan Parthasarathy; Josyula Rao; Reiner Sailer; Douglas Lee Schales; Wietse Z. Venema; Olivier Verscheure


Archive | 2007

NETWORK DATA PACKET CLASSIFICATION AND DEMULTIPLEXING

Douglas Lee Schales; Srinivasan Seshan; Miriam Zohar


Archive | 2010

OPTIMIZING PERFORMANCE OF INTEGRITY MONITORING

Najwa Aaraj; Mihai Christodorescu; Dimitrios Pendarakis; Reiner Sailer; Douglas Lee Schales
