october 17-18, 2006 l santa clara, ca runtime intelligence a new generation of application security...
TRANSCRIPT
October 17-18, 2006 l Santa Clara, CA
Runtime IntelligenceA new generation of application security and performance controls
Sebastian [email protected]
PreEmptive Solutions
October 17-18, 2006 l Santa Clara, CA 2
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
It’s 2:45 PMDo you know where your applications are?
October 17-18, 2006 l Santa Clara, CA 5
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
The telling you what I’m going to tell you slide
• Runtime Intelligence: – what it is and why you might care
• Implications & requirements– What’s possible, what’s missing and what you can expect
• Runtime Intelligence applications and their value propositions– From software suppliers to enterprise consumers; security,
compliance and business performance
• Early commercialization– Tamper notification and application usage
October 17-18, 2006 l Santa Clara, CA 6
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
What is the point of work?
Process
People Information
Information Systems
October 17-18, 2006 l Santa Clara, CA 7
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
What is the point of work?
The Application
Process
People Information
Information Systems
October 17-18, 2006 l Santa Clara, CA 8
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
The weakest link?
Monitor
LogAudit
Applications Applications
Legally Blind toUsage context
Deployment scopeOperational materialityStakeholder orientation
Supplier interests
October 17-18, 2006 l Santa Clara, CA 9
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Process
People Information
Information Systems
What is the point of work?
ConsumersSuppliers
Channels
Field
Finance
Users
Partners Supply chain
Regulators
Investors
service
IT
Service providers
Development
Sales
Manufacturing
CRM
October 17-18, 2006 l Santa Clara, CA 10
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Pressing issues for Runtime Intelligence
• Senior software executives want insight into channel performance, product and platform usage, quality of service and adoption
• Senior enterprise executives want IT security reassurance but lack necessary understanding
• Development managers want to align resources with security risks and platform requirements
• IT Security managers want credibility
• Product managers want insight into usage and behavior
• Businesses (and BUs) want, but are reluctant to provide, comparisons or guidance.
• Customer support needs reliable environmental data to provide better individual support, benchmark across platforms and over time.
• Information security and business executives often speak different languages
• All assessments are difficult: Too much data, not enough time.
October 17-18, 2006 l Santa Clara, CA 11
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
What’s required
• Usage context– Design and development coordination
• Use case, materiality, coding and data conventions
• Deployment scope– Aggregation beyond individual IT domains
• SaaS or other managed service archipelago
• Operational materiality– Near-time integration with business metrics
• Activity monitoring & trend analysis incorporating site-specific business information, thresholds and tolerances
• Stakeholder orientation– Role-specific dashboards and reports
• Security, privacy, compliance, performance, financial, sales…
• Additional requirements– Best practices, security, privacy and liability
October 17-18, 2006 l Santa Clara, CA 12
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
The development process• Develop
– Embed attributes: Entry & Exit points – tamper check methods– Utilize SDK: Attack, suspicious use case, positive use case– Application is enhanced at same stage as obfuscation
• Deploy– No boundaries
• Enterprise and supply chain• ISV customer base
• Collect– Data is sent via Web Service (SOAP) to a managed service
• Collect, burst, fire and forget• Opt-in and default is that no identifiable information is sent
• Enrich– Business information is periodically uploaded and integrated into a signal
repository • Connect supplier and supply chain to individual user, their “identify” and the business
interests they serve• Analyze and test through managed dashboards
– Benchmarking, threshold monitoring, trending and visualization• Application security, usage, compliance and business performance
• Distribute– Access to Runtime Intelligence can be delegated to constituent communities
• Increase opt-in and extend the value• Act
– Detective controls can lead to faster and more effective responses• Environmental hostility, misuse, adoption best practices, etc…
October 17-18, 2006 l Santa Clara, CA 13
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Obfuscation Development Process
Compiler
Output Assemblies
DotfuscatorObfuscatesCompactsLinks
-s
Attributes
Input Assemblies
Source Code
Map file
ExternalConfiguration
ExternalDependencies
Obfuscation Attributes
October 17-18, 2006 l Santa Clara, CA 14
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Runtime Intelligence (SO-s) Development Process
Compiler
Output Assemblies ( Including SO - s runtime)
DotfuscatorWith SO-s
Attributes
Input Assemblies
Source Code
SO-s Attributes
Obfuscation Attributes
SO-sRuntime
Assembly
Via SDK
Via Attributes
Map file
ExternalConfiguration
ExternalDependencies
October 17-18, 2006 l Santa Clara, CA 15
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
SO-s Deployment
Message Buffer
SSL option Identifiable information is hashed Buffer is Tunable at development and runtime Messages optimized for performance
Runtime SO-s DLL
Application Signals
Dotfuscator Instrumentation Obfuscation Pruning & Consolidation
October 17-18, 2006 l Santa Clara, CA 16
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
SO-signal
• What’s in a signal?– Anything that can be logged, monitored or audited
• Events– Application/Process/Service events
• Start/stop, tamper, exception, …• Suspicious, novel, best practice
– Account access and management events• Environmental data
– Runtime stack, application family, application ID– License key, identity
• Application data– Relevant to signal to provide context
• How are signals organized?– Consistent structures and conventions are required to enable security,
performance and other aggregation and analysis
“Internally developed applications and independent software vendors should provide log data that supports centralized application security
information and event management.”Define Application Security Log Output Standards, Amrit T. Williams,
Gartner Inc. 4 May 2006
October 17-18, 2006 l Santa Clara, CA 17
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
SO-s SaaS
Data Validation & insertion into staging tablesSignal
Validation
Processing for OLAP and
source-specific access
Application Signals
Internet
Dozens of servers, load balanced with fully redundant architecture and clean separation of tiers, supporting
terabytes of extensible storage and security best practices that include regular threat modeling, 3rd party evaluation,
SAS70 Type II certified facilities, etc.
Runtime Intelligence Virtual Repository
Processing for OLAP and source-specific
accessBusiness Information
Business information
sourcesInternet
Secure WebDAV Msg queue (MSMQ)
Data Validation & insertion into staging
tables
Facilities
October 17-18, 2006 l Santa Clara, CA 18
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Software vendor monitoring field adoption
and behavior
Commercial product family
Adoption, platform utilization & stability
Tamper
Relative stability of
beta
Pipeline activity and
stability
October 17-18, 2006 l Santa Clara, CA 19
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
View into active evaluations
Pipeline dependencies
Most active
Having problems?
October 17-18, 2006 l Santa Clara, CA 20
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
October 17-18, 2006 l Santa Clara, CA 21
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Availability
• SO-signal: first generation of SO-s family distributed as a component of the Dotfuscator family– Available now for evaluation– Q4: Tamper notification
• 35% of the packaged software installed on personal computers (PC) worldwide in 2005 was illegal and circumvention of license controls is an increasingly common practice – Source: BSA
– Amounting to $34 billion is lost revenue– Posing material security and liability risk to consumers
– Q1: Usage, stability and environmental controls• Offering usage, stability and adoption dashboards in near-time
– Runtime Intelligence is offered on a subscription basis• Software included in existing Dotfuscator license agreements
October 17-18, 2006 l Santa Clara, CA 22
DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT
Questions?Sebastian Holst
PreEmptive Solutions