Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User

Polymorphic Attacks on Data-in-
Motion Require a New Security
Approach From Both the Service
Provider and End User
Bill Balmer, May 11, 2016

© 2016 ADVA Optical Networking. All rights reserved. Confidential.2
Scary Slide - Municipal Attacks
• Industries
• 63% of healthcare companies breached last year (RSA 2016)
• 76% of energy utilities breached in past year (Dark Reading
2016)
• Municipal attacks
• Cyber attack NY Dam
• 2013 Bowman Avenue Dam used for flood control
• Unauthorized access to the city’s computer system
• Smart grids
• 2012 – Televent Canada (Schneider Electric)
• Breached firewall
• San Francisco
• 2015 - 40 fiber breaches
• FBI - attackers posed as service provider employees
• The purpose of the breaches has not been determined

Polymorphic Attacks
• Polymorphism means “change the appearance of”
• Mutation engines are bundled with Trojans and other types of malware
• Usually hidden in encrypted payloads
• Constantly mutates to avoid pattern recognition
• Polymorphic attacks are the new standard with DDoS attacks used to
cover the data breach. (North America and EMEA: The Continual
Threat to Digital Brands for 2015)
• Criminals are learning from government projects
like the Stuxnet worm used in Iran nuclear plant and NSA man-in-the-
middle attacks exposure through Snowden
• Rogue nations are hiring CaaS (Criminals-as-a-Service)

The Key to Getting In
• Stealing credentials is the point of most attacks
• Vendors
• Exploit
• Target through HAVAC
• Employees
• Poor password control
• Bribes
• Exploits in security
• IPSec aggressive mode
• Force changes in passwords make users simplify passwords
• Poorly configured servers
• Physical intrusion – man-in-the-middle
• Fiber bending
• Wiring closets

Basic Cryptographic Goals
Confidentiality (privacy) - "Encryption"
Man-in-the-middle cannot understand message
from Alice.
Diffie-Hellman key agreement/exchange is
arbitrated in the background.
Man-in-the-middle could try to manipulate key
exchange to Bob.
Solution: authenticity - “authentication"
Alice and Bob can be sure that they are really
connected.

Man-in-the-Middle Attacks

• Distributed networks instead of
a single entry point
• Complex setup based on
exception rules
• Susceptible to DDoS attacks
overloading the processor
• Becomes a tool for polymorphic
attacks
• Firewalls are becoming the
police tape around a crime
scene – CISO AT&T*
Firewall Limitations
*Carrier Network Security Strategies – Heavy Reading Dec 2 2015

Next Generation Firewalls Will Be Dynamic

Data Analytics
• Number of days before breach is
recognized: Verizon 288 days and
Microsoft 244 days*
• Data analytics can**
• Shorten discovery period
• Help enforce policies
• Through detection
• Reduce staff
• Through automation
*Carrier Network Security Strategies – Heavy Reading Dec 2, 2015
** TechForum Security Conference March 24, 2016

What To Do?
• Amit Yoran, RSA president, said no fancy, expensive product can
guarantee an organization’s safety: “There are no silver bullets in
security.”
• “The shift from volumetric towards application-layer attacks and
from single vector to polymorphic attacks is bound to accelerate –
and service provider defenses need to evolve in line with that.”
• Each layer of transport for data in motion has its own challenges

Encryption Options
Securing Data in Motion
Physical
PHY
Data link
MAC
Network layer
IP/MPLS
Transport layer
TCP, UDP
Application, presentation,
session layer
Bits
Frames
Packets
Segments
Data
1
2
3
4
7
6
5
OSIlayer
IPSec
TLS, SSH
In-flight Encryption
MACsec

Secure Network Infrastructure Model
Security on Every Network Layer
• FSP 3000 family
• Infrastructure encryption
• Optical point to point
• Cloud computing
• Data center connectivity
• Over 200 networks
IPLayer
Ethernet
Layer
Optical
Layer
Physical connectivity
Virtual connectivity
BSI approval
R&D & NVF activities
Solution available

Examples of Fiber Tapping
Joshe Ruppe Security Researcher
Techtarget: Optical network security: Inside a fiber-optic hack

Secure Data Center Interconnection
Innovation for high-performance cloud data center interconnect
Application
Technology
• Highest performance
• Lowest latency
• Maximum security
Benefits
Solution
FSP 3000

Encryption using G.709 / OTH Link Protocol
1 …….…. 14 15 ….… 16 17 ………………………………. 3824 3825 .… 4080
1
2
3
4
Column number
OTU/ODU
overhead
ROW
OPU
overhead
Encryption
FEC
areaEncrypted Payload
OCH Overhead Och payload FEC data
Optical channel frame structure
5TCE link protocol
• Supports
• OTU-2
• OTU-2e
• OTU-2f
AES 256
encrypted
OPU2 payload
Automatic
key exchange
using DH
Key Exchange

Media Transport Network - Solution
Metro
Core
Event site
Event site
Event site
TV studio A TV studio B
Metro

Optical Security Suite
Encryption
Security-hardened software
Physical layer monitoring
Power tracking and intrusion detection
Time-domain reflectometer (OTDR/cable integrity)
Access line monitoring (ALM)
Continuity check messages (CCM)
RADIUS
Secure shell
SNMPv3
AES-256
Authentication
Diffie-Hellman
A complete and integrated solution leveraging advanced technology
122842636

• FSP 150 family
• 1.75 million deployed
• Infrastructure encryption
• ProNID™
• ProVM™
• Enterprise encryption
• MacSec Plus
• Certes CryptoFlow™ NFV
• Who?
• Service providers
• Local government
• Branch offices – small count
• Cloud providers
IPlayer
Ethernet
layer
Optical
layer
BSI approval
R&D & NFV activities
Solution available

• Highest flexibility
• Minimum overhead
• Maximum security
Secure Access in Virtual Networks
Innovation for flexible cloud access in fixed and mobile applications
Application
Technology
Benefits
Solution
FSP 150

IPsec Challenges – Technical Aspects
• Delay is measured
in msec instead of
µsec
Latency
• Up to 50% addi-
tional bandwidth
overhead
Efficiency
• No wire-speed
performance up to
100Gbit/s
Scalability
• Exposed
sender/reciever
Confidentiality
• Only works for
IP traffic
Compatibility
• Issues scale
linearly with links
and endpoints
Complexity

Flexible MACsec Data Encryption and Integrity
• L2 secure connectivity using standard MACsec format with VLAN bypass
• Works with MEF E-Line (EPL and EVPL)
• Supports point-to-point and hub-and-spoke secure connectivity
• Encryption directly at the Ethernet layer – line rate
• State of the art symmetric encryption algorithms: AES 128, AES 256
• Low latency, bandwidth efficiency
• Dynamic and secure key exchange
• Password-authenticated Diffie-Hellman algorithm
• Intrusion proof key storage
ConnectGuardTM Ethernet – flexibility and data security altogether

MACsec+ No Need for SP Switch Decrypt
Site A
LAN
LAN
Site B

XG210C
XG210C
XG210C
Clinic
Regional hospital
Satellite hospital
Regional hospital
Regional hospital
ProVM-C
ProNID-C
Case Study – WellSpan Healthcare

• Enterprise encryption
• ProVM™
• FSP 150 vSE
• Certes CryptoFlow™
• Layer 3 and 7
• Cloud applications
• Key management
• Who?
• Big box companies
• Branch offices
• Universities
• Local government
IPlayer
Ethernet
layer
Optical
layer
BSI approval
R&D & NFV activities
Solution available

Future Proofing Security through Virtualization
• Firewalls – future
• Interactive updates from security centers
• Matching patterns of attacks
• Updates to combat new threats
• Data analytics
• Remote probes
• Live monitoring
• Filters / traps
• Application security
• Micro-segmentation to limit damage
• Policy management

VNF Versus Assured VNF
Example: Encryption








Encryption as VNF
OVS
Storage NetworkCompute
IPsec
Encryption as an assured VNF
OVS
Storage NetworkCompute
Latency
Cost @ 1Gbit/s
Cost @ 10Mbit/s
Resource consumption

A1
A2
Physical test, monitoring, enforcement
L2/L3 low latency, sync, MACSEC
Hardware data plane
The Assured Model
Multicore x86 server
Flexible
L3/4/7
service
creation
Network interface
Compute host
infrastructure
VM-1 VM-2
VNF VNF
VM-2 VM-2
VNF VNF
N1
Hardware
equivalent
OVS
ovs

IP Layer ProVM/Security NFV

• How we travel
• Get ticket online or at the airport
• Prove who you are
• Go through security checkpoint
• Get into terminal
• Boarding checks
• Do you belong on the flight?
Security Is a Fact of Life
How data should travel

Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this
presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or
implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental,
consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.

Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User

More Related Content

What's hot (20)

Similar to Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User (20)

More from ADVA (20)

Recently uploaded (20)

Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User

Editor's Notes