[IP] well worth reading djf Computer network security: "Symbiot on the Rules of Engagement"
Date: Thu, 11 Mar 2004 09:45:22 -0500 (EST)
From: Andy Oram <andyo@xxxxxxxxxxx>
Subject: Computer network security: "Symbiot on the Rules of Engagement"
To: Dave Farber <dave@xxxxxxxxxx>
http://www.onlamp.com/pub/a/security/2004/03/10/symbiot.html
by [93]Andy Oram
03/10/2004
A few days ago, [94]Symbiot Security released news of a controversial
new defensive computer security service and placed a stake in the
ground of enterprise security with a white paper titled "On The Rules
of Engagement." Essentially, the new rules would allow victims of
network-based attacks to plan and execute countermeasures--effectively
fighting back. Andy Oram from the O'Reilly Network engaged the chief
officers of the company in an interview about this innovative new
service.
Oram: What is the thrust of your new security technology? How does it
differ from conventional, defensive security?
Symbiot: Symbiot's main iSIMS offering is delivered as a subscription
service complete with on-site hardware, ongoing service, technical
support, system maintenance, and vulnerability updates. Importantly, a
subscription provides regular updates to our Symbiot.NET knowledgebase
of attacker profiles, which not only keeps tabs on the activities of
attackers worldwide, but also maintains shared-risk metrics scores.
For several years, Symbiot has been researching and developing a
system that allows corporations to measure the effectiveness of their
organization's security posture. Our system relies on a uniform,
portable, standardized measure of threat, which we call a 'risk
score'. This metric is expressed as a three-digit number and bears
considerable similarity to a credit score provided by Experian or TRW.
These risk scores are used throughout our system and provide the
accountability, consistency, and standardization that we've found
lacking with the deployment of nearly all security solutions today.
Merely erecting defensive walls around the perimeter of an enterprise
network is not an adequate deterrent in today's hostile climate.
Symbiot's technology allows companies to plan and execute the
appropriate countermeasures, and respond to hostile network attacks.
Our strategy has been developed by applying the wisdom gained from
centuries of military operations, diplomatic relations, and legal
recourse to provide practical business solutions for the enterprise.
Our technology is different from existing security solutions because,
to date, no company has delivered a system to the commercial
marketplace that has the ability to strike back against network-based
attacks. Our technology's counterstrike capacity is not constrained,
but instead follows a military model for applying a "graduated
response" against malicious attackers.
Oram: You describe the response to your "Rules of Engagement" white
paper as favorable, with many people saying, "It's about time!" To
what do you attribute that visceral, gut reaction? (I will return to
the social implications of the reaction at the end.)
Symbiot: Network-based attacks are not victimless crimes. When the
CIO/CSO of a major corporation fails to defend their network from an
attack, and that attack is successful, they are held accountable to
management, the board of directors, and the company's shareholders.
Government regulations like HIPAA and Sarbanes-Oxley have raised the
stakes for CIOs and CSOs everywhere, with accountability issues
being the subject of media and regulatory scrutiny.
When an enterprise network gets attacked, that represents an assault
on the livelihood of the people responsible for the network. They can,
and do, lose their jobs over security breaches and compromised customer
data.
The "visceral, gut reaction" probably comes from the fact that until
now, companies have had to sit back and see billions of dollars of
damage done to the infrastructures of enterprise without having the
opportunity to respond. Symbiot has effectively leveled the playing
field and is picking up the support of businesses no longer willing to
be victims in an information warfare campaign.
We think [98]Tim Mullen echoed the sentiment of much of the IT
security community when he said, "The moment that I begin to incur
costs, or the integrity of services that I pay for is reduced by any
degree, is the moment that I have the right to do something about it."
Oram: What is some major attention and press coverage you have
received from your press release and white paper?
Symbiot: Already, we've had countless visitors come to our web site
and download the white paper since we published it. Particular
interest is being shown by large enterprises, and, not surprisingly,
from the government and military sector. We've also received numerous
emails, requests for product demonstrations, and media requests, even
a few television appearances. We are ecstatic over the response and
look forward to taking advantage of these opportunities as well as
others as they arise.
Oram: Is it fair to compare your technologies to the threats by large
copyright holders that they could enter and damage computer systems
hosting unlawful copies of copyrighted material? How about the
self-help provisions of UCITA, which would allow software vendors to
disable their software while it runs on their customers' systems? Or
even the possibility (which the U.S. Department of Defense is
reportedly acting on) of carrying on cyber-war by trying to disrupt
and disable support systems within an enemy country? Are these
precedents for your system?
Symbiot: No, the copyright issues are not network-borne attacks. We
have not built a system that allows companies to point at a random
target and "pull the trigger". Our technology is a means for
justifiable self-defense of an enterprise network under attack. Our
solutions are not designed or developed to tackle the huge issues
surrounding DRM, software piracy, or general copyright abuse.
Our solutions provide enterprise customers with new means for
defending their network assets. Our process draws on Daniel Webster's
lawful military doctrine of necessity and proportionality, which, in
essence, says if someone is attacking you, you don't have time to
debate the issue. You have a need to respond in kind. Most
importantly, we weigh the response in proportion to the attack.
Oram: How do you make sure you are targeting the originator (and a
purposeful, malicious originator at that) of an attack? How do you
avoid troubling innocent users whose addresses were spoofed or who
might be part of an unknown DDoS attack? In fact, how do you defend
against abuse and the kind of escalation of information warfare
whereby attackers try to attack an innocent site by triggering a
response against it by one of your customers?
Symbiot: Although this hasn't been addressed in the enterprise, in
government this is referred to as "Attacker Attribution." We maintain
a central repository of attacker profiles, Symbiot.NET, which is based
on the cooperative surveillance and reconnaissance gathered by our
customers. This provides a historical record of attackers, their
methods, and their intent, which serves to aid in properly identifying
the source of malicious attacks. By applying "triangulation" to the
attack and looking at it from several different customer endpoints, we
can determine the appropriate countermeasures to deploy.
In regard to spoofed attacks, when there is no positive
identification of the attacker (that is, we cannot positively
attribute an attack back to its source), deploying defensive
countermeasures and reporting intelligence would be most appropriate.
However, this decision (and the power to initiate an offensive
countermeasure) ultimately resides in the hands of our customer.
Oram: Let's describe the system a little bit more, then. You
accumulate reports from your customers of suspicious behavior and
eventually identify networks that you are certain are originators of
attacks?
Symbiot: That is how the attacker profiling works within our system.
The risk scores we spoke to earlier are constantly adjusted by reports
stemming from all over the world. Our profiling techniques use a
combination of factors to achieve strong correlation; especially after
long-term surveillance has been conducted. In addition, customers not
only receive the risk score being transmitted by a company in real
time, but they can compare that score to Symbiot.NET's records for
validation prior to the authorization of any network transaction.
Oram: How can your customers marshal enough resources to deliver a
credible response to an attacker? Doesn't this mean you have to be
bigger than the attacker (by a lot!)?
Symbiot: No, you do not necessarily have to be bigger than the
attacker. Symbiot's customers are empowered with the ability to mount
multilateral responses. For example, let's look at known attackers who
target the financial services sector. They often mount organized
attacks against businesses within that sector. Those businesses are
now able to coordinate a multilateral effort against the
attackers--effectively combining their resources and working together
to address a common threat.
Companies should not be considered aggressors by merely using
Symbiot's counter-strike capabilities to respond to network-based
threats. Our graduated response determines how aggressive a
countermeasure should be. Furthermore, corporate policies will bind
the individuals using our technology to be accountable for their
actions.
Oram: So, you are combining the power of your customers and focusing
it upon an attacker, rather like how the inhabitants of a frontier
town organized a posse to go after a band of robbers?
Symbiot: Not at all, posses never had to respond to threats in real
time. They were largely reactionary forces used to track down
criminals fleeing from justice. Our system doesn't allow or support
this type of action; it simply empowers customers to mount a
supportable response at the moment they are being attacked and their
network assets are placed at risk.
Oram: Could your attack hurt innocent victims, such as ISPs or hubs
that have to carry the increased traffic along its way, or (as
mentioned earlier) unwitting perpetrators of a DDoS attack? Perhaps
the perpetrator has opened a temporary account that he can abandon at
small inconvenience to himself, and melt away while letting his host
bear the brunt of the response. Is there no such thing as an innocent
bystander any more?
Symbiot: There is always the possibility of collateral damage.
Intermediaries such as ISPs are already caught in the middle when one
of their customers is engaged in, or is the target of, a network-based
attack. Our philosophy is most certainly not one of "shoot first and
ask questions later." However, when a zombied host or an infected
computer has been clearly identified as the source of an attack, it is
our responsibility to empower customers to defend themselves. An
infected machine, one no longer under the control of its owner, is no
longer an innocent bystander.
Oram: Something's going to go wrong sometime. Who bears legal
liability? Could your company, as service provider or vendor, be
dragged into a lawsuit or a criminal proceeding over an unjust attack
carried out by a customer because of misconfiguration or poor
judgment? By coordinating customer responses, you maintain some
control over the delivery of the attack. That would seem to make you
squarely responsible for any legal questions raised by it.
Symbiot: The legal environment surrounding the use, misuse, and
operation of a system for active network self-defense has many
unexplored issues. However, the legal liability is borne by the
attacker. The determination of how to respond and what strength to
apply is controlled by the system's operator. The legal implications,
jurisdiction, and liabilities arising from the system's use are
presently very important for us all to consider. There are several
levels of decision involved in executing countermeasures, each with
its own chain of accountability.
Oram: It seems that no single customer can flag a site as an attacking
site. The identification of attackers grows from information gathered
from multiple sources. Is that protection against the possibility of
launching a counter-attack against a site that doesn't deserve it?
Symbiot: Very much so! For any well-measured and justifiable action to
be taken against another network presence, we feel that a robust
collection of evidence, with a strong chain of custody must be
collected and relied on. It is very important that the proper
procedures are being followed when planning and executing
countermeasures.
Oram: Here's the social implications question. The gusto with which
many readers greeted your paper seems to reveal a reservoir of
vindictiveness within society. It is reminiscent of the U.S. war on
Afghanistan after the September 11, 2001 attacks--a war that had clear
practical goals, but was also meant to prove that "America could still
stand tall." Do the free-floating fears over terror and crime in the
twenty-first century get wrapped up in your proposal and its positive
reception by many people?
Symbiot: There are clearly social implications here. We believe greater
corporate accountability implies a greater responsibility to society.
With the number of malicious attacks increasing exponentially, people
are no longer willing to be victimized. In that sense, the
psychological dimension to our approach and its reception by the
public has to do with accountability, which is why we are developing
and publishing new Rules of Engagement.
As a company, Symbiot is looking primarily at corporate conflicts in
transnational contexts, that is, across many jurisdictions. We have
counterstrike technology that, at the end of the day, will force both
sides to come to the table and negotiate a resolution. Most of the
time, however, situations do not escalate to force; instead the threat
of force empowers civil resolutions. Law does not exist without threat
of force.
"What causes opponents to come of their own accord is the prospect of
gain. What discourages opponents from coming is the prospect of harm."
--Sun Tzu, Art of War, first century, A.D.
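The attribution question Oram presses on above (spoofed source addresses, reflected DDoS traffic, an attacker deliberately provoking a counterstrike against an innocent third party) is the crux of any automated response. The following Python is an added illustration, not code from Symbiot, its iSIMS product or the "Rules of Engagement" white paper. It models two decision policies over constructed sensor reports: a naive one that keys on the claimed source address alone, and one that only counts flows where a full TCP handshake completed (a blind spoofer cannot finish one) and that requires corroboration from at least two independent sensors. The sensor names, thresholds, addresses (RFC 5737 documentation ranges) and sample flows are all assumptions made up for the example.

```python
"""Attribution before response: a naive policy beside a corroborated one.

Added example; not Symbiot's code. Sensor names, thresholds and every
flow below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    sensor: str      # which customer endpoint observed the flow (assumed name)
    src: str         # source address as it appeared on the wire (spoofable)
    dst: str         # address of the host under attack
    handshake: bool  # True if a full TCP three-way handshake completed
    packets: int     # packets seen from src at this sensor


def naive_targets(flows, threshold=1000):
    """Naive policy: any claimed source that sends >= threshold packets,
    counted across all sensors, becomes a counterstrike target.
    This is exactly the policy an attacker can turn against a bystander
    by forging the bystander's address as the source of a flood."""
    counts = defaultdict(int)
    for f in flows:
        counts[f.src] += f.packets
    return {src for src, n in counts.items() if n >= threshold}


def corroborated_targets(flows, threshold=1000, min_sensors=2):
    """Stricter policy. A source is actionable only if
    (a) the traffic counted against it came over completed handshakes,
        so a blind spoofer could not have produced it, and
    (b) at least min_sensors independent vantage points saw it.
    Flows without a handshake (bare SYNs, UDP floods) still matter for
    *defensive* filtering, but they never count toward attribution."""
    sensors_seen = defaultdict(set)
    counts = defaultdict(int)
    for f in flows:
        if not f.handshake:
            continue
        sensors_seen[f.src].add(f.sensor)
        counts[f.src] += f.packets
    return {
        src for src, n in counts.items()
        if n >= threshold and len(sensors_seen[src]) >= min_sensors
    }


# Constructed sample: one real attacker seen at two customers, one
# spoofed SYN flood that borrows an innocent address, one legitimately
# busy client at a single site, and one quiet host.
SAMPLE_FLOWS = [
    Flow("sensor-A", "203.0.113.7", "10.0.0.1", True, 800),    # real attacker
    Flow("sensor-B", "203.0.113.7", "10.0.1.1", True, 700),    # same attacker, 2nd site
    Flow("sensor-A", "198.51.100.5", "10.0.0.1", False, 5000),  # spoofed flood, innocent src
    Flow("sensor-A", "192.0.2.9", "10.0.0.1", True, 1500),     # heavy but single-site client
    Flow("sensor-C", "192.0.2.44", "10.0.2.1", True, 10),      # background noise
]


def compare_policies(flows=SAMPLE_FLOWS):
    """Return (naive, corroborated) target sets so the difference is visible."""
    return naive_targets(flows), corroborated_targets(flows)


if __name__ == "__main__":
    naive, strict = compare_policies()
    print("naive policy would strike:       ", sorted(naive))
    print("corroborated policy would strike:", sorted(strict))
    print("bystanders the naive policy hits:", sorted(naive - strict))
```

Run against the constructed flows, the naive policy would strike three addresses, including 198.51.100.5, which sent nothing at all: the attacker merely wrote that address into the flood. The corroborated policy keeps only 203.0.113.7. The caveat cuts the other way too: a completed handshake proves a host really sent the traffic, not that its owner is the attacker, which is the "zombied host" case the interview itself raises, so corroboration raises the bar for acting but does not settle who deserves to be hit.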
[99]Andy Oram is an editor at O'Reilly & Associates, specializing in
books on Linux and programming. Most recently, he edited
[100]Peer-to-Peer: Harnessing the Power of Disruptive Technologies.
References
93. http://www.onlamp.com/pub/au/36
94. http://symbiot.com/
98. http://securityfocus.com/columnists/203
99. http://www.onlamp.com/pub/au/36
100. http://www.oreilly.com/catalog/peertopeer/