Cyber Security Institute

Monday, May 12, 2008

New Intrusion Tolerance Technology Treats Attacks as Inevitable

First there was intrusion detection, then intrusion prevention, and now, intrusion tolerance.  A professor and researcher at George Mason University is readying the commercial rollout of a new, patent-pending technology that basically assumes an attack or infection on a server is inevitable, so it instead minimizes the impact of an intrusion.  Called self-cleansing intrusion tolerance (SCIT), the new security method doesn’t replace IDS, IPS, firewalls, or other traditional security tools, but rather adds another layer that minimizes the damage of an attack, says Arun Sood, professor of computer science and director of the Laboratory of Interdisciplinary Computer Science at GMU in Fairfax, Va.

“It’s about how you contain” an intrusion, Sood says.  “Intrusion tolerance is different than intrusion detection and intrusion prevention—it doesn’t do any detection and prevention,” he says.  “… we try to contain the losses by reducing the exposure time of the server to the Internet.”

Sood, who will outline his SCIT technology this week at IntrusionWorld in Baltimore, says the basic idea is to regularly rotate Web, DNS, or other servers on- and offline to “cleanse” the exposed machine to a previously unblemished state that’s never been online—and automatically have another clean (virtual) machine take its place.

It’s a fatalistic approach to Internet-borne attacks: “Because servers are online for such a long time, if someone wants to deliberately intrude, he has a sitting duck on which he can work,” Sood says.  The goal is to keep servers exposed to the Internet at sub-minute intervals, but without disrupting the application.  “This seems like yet another scheme that forgets that attacks take milliseconds, not days.”
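A toy model of the rotation the article describes, added here as an example and not code from SCIT Labs or GMU: it assumes a fixed exposure window and cleanse time (constructed values, in seconds) and shows two things the text implies, the bound on how long a compromised server stays in service and the pool size the rotation needs so that a pristine replacement is always available.

```python
import math
from dataclasses import dataclass
@dataclass
class Vm:                       # one server in the rotation pool (constructed model)
    state: str = "ready"        # ready -> online -> cleansing -> ready
    timer: int = 0              # seconds left in the current state
    compromised: bool = False   # set by the simulated attack, cleared by cleansing
def min_pool_size(exposure_s: int, cleanse_s: int) -> int:
    # Each VM spends exposure_s + cleanse_s per cycle and one goes online every exposure_s.
    return math.ceil((exposure_s + cleanse_s) / exposure_s)

class ScitController:
    def __init__(self, exposure_s: int, cleanse_s: int, pool_size: int):
        self.exposure_s, self.cleanse_s = exposure_s, cleanse_s
        self.vms = [Vm() for _ in range(pool_size)]
        self.online = None
        self.rotate()

    def rotate(self) -> None:
        # Send the exposed VM to cleansing and bring a pristine one online.
        ready = next((v for v in self.vms if v.state == "ready"), None)
        if ready is None:
            raise RuntimeError("no pristine VM ready: pool too small for this window")
        if self.online is not None:
            self.online.state, self.online.timer = "cleansing", self.cleanse_s
        ready.state, ready.timer = "online", self.exposure_s
        self.online = ready

    def tick(self) -> None:
        # Advance the clock one second; a finished cleanse restores the golden image.
        for v in self.vms:
            if v.state in ("online", "cleansing"):
                v.timer -= 1
            if v.state == "cleansing" and v.timer == 0:
                v.state, v.compromised = "ready", False
        if self.online.timer == 0:
            self.rotate()

def simulate(exposure_s=30, cleanse_s=45, attack_at=10, total_s=200, pool_size=None):
    # Compromise the exposed VM at attack_at; return (seconds it then stayed in
    # service, whether any VM in the pool is still compromised at the end).
    ctrl = ScitController(exposure_s, cleanse_s, pool_size or min_pool_size(exposure_s, cleanse_s))
    victim, dwell = None, 0
    for t in range(total_s):
        if t == attack_at:
            victim = ctrl.online
            victim.compromised = True
        if victim is not None and victim.state == "online" and victim.compromised:
            dwell += 1
        ctrl.tick()
    return dwell, any(v.compromised for v in ctrl.vms)
```

The model bounds how long a foothold persists on the server; it says nothing about what happens inside the window, which is exactly the objection the closing quote raises.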

Meanwhile, Sood is licensing SCIT from GMU for his new startup, SCIT Labs.  The GMU professor and his colleagues first came up with the SCIT concept over five years ago, but virtualization was new then, and its performance overhead made SCIT impractical.
