The Future of Security from the NSA Trusted Computing Conference
I am just flying back from attending my first NSA Trusted Computing Conference in Orlando, Florida. While this is not an ICS or SCADA security conference, if you want to get a glimpse of what security technologies to expect in the next decade, this is a good show to attend.
With all the talk in the past year about Stuxnet and USB keys, one exhibit that caught my attention was the General Dynamics booth. General Dynamics is developing a management system (initially for government or military applications) that allows a security operation center (SOC) to collect and correlate network information from an amazing variety of sources.
General Dynamics’ Security Operation Center
The demonstration begins with a small applet that runs on the operator’s laptop. This applet checks if any removable drives (i.e. USB drives) are connected to the laptop and passes that information to a central data exchange server.
At the same time, a different applet (from a endpoint security company called Triumfant) monitors a smart identity card to determine who is logged into the laptop. It also sends this information to the central server along with details on the person’s role in the organization. At this point, a security manager can see who is logged in to what computers, their role and level in the company and what they have been doing with USB keys. Nice, but not amazing.
But then it gets interesting. Yet another vendor’s firewall has subscribed to the server. It has asked to be immediately informed if a USB key is inserted in any computer by people below a certain role and privilege level. The moment it is, the firewall changes its rules so that access to a key web server is cut off and alarms are raised.
Using proprietary interfaces, integrating this information to drive firewall policy would be a challenge, but using IF-MAP, it is straight-forward. It sure beats filling USB ports with silicon.
Eric Byres at the Tofino Security / Juniper
demo in the Trusted Computing Booth at NSA.
The IF-MAP Standard Makes it Possible
What make this all possible is an emerging standard called IF-MAP (Interface for Metadata Access Protocol). Scott discussed IF-MAP in some detail in a blog article last spring but what is important to know is that IF-MAP acts like a clearing house for real-time event data from any device that cares to publish to it. It is open and fully documented, so equipment from multiple vendors can be combined to create sophisticated and highly flexible systems.
The number of IF-MAP compatible devices at the NSA conference was exciting. In a booth across the aisle, an open source Snort intrusion detection system (IDS) was monitoring for network scans and password cracking attempts and reporting that to the MAP server.
A VPN client in an Android phone used that information to allow or block the phone from connecting to the corporate network. In yet another booth (run by Infoblox), an employee badge scanner was reporting physical security information to a MAP server.
In the same Infoblox booth, a Tofino Security Appliance was using MAP event information to decide whether to allow an HMI to connect over an encrypted tunnel to a PLC (for more on the Tofino PLC application see our Application Note: Securing Critical Industrial Processes in Real Time).
The Tofino Security demo in the Infoblox booth at NSA.
We see a lot of hope for IF-MAP as a truly open and unified standard for security information management. Currently there are just too many different protocols (public and proprietary) to make true security integration across different systems viable. If the industry can settle on IF-MAP as the standard, security, both in the office and on the plant floor, has a chance to make a major leap forward.
Related Content to Download
Note: you need to be a member of tofinosecurity.com and logged in to have access to the documents below. Register here to become a member.
Application Note - "Securing Critical Industrial Processes in Real Time"
Notes about IF-MAP and MAP
• In general, MAP refers to a server and IF-MAP refers to the communication protocol that other devices use to talk to the MAP server
• IF-MAP is generally pronounced: “I” “F” “MAP”
• IF-MAP: A New Standard for SCADA Security that You Should Know About. Scott Howard’s blog article provides an introduction and overview of MAP.
• PDF iLabs IF MAP white paper April 28 08. This is an old but clear third party White Paper. It is a good summary if you only have a few minutes to get a grasp of IF-MAP basics.
• Infoblox web information on IF-MAP. This is a great vendor website on IF-MAP. It does a good job of explaining the concepts, and the animation is particularly helpful.
• Trusted Computing Group information on IF-MAP. This page includes approved public documents on IF-MAP, and a NDA is not required.
• IF-MAP Website. A website featuring a collection of IT professionals and vendors who believe deeply in the power of IF-MAP.
© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand