october 17-18, 2006 l santa clara, ca runtime intelligence a new generation of application security...

October 17-18, 2006 l Santa Clara, CA

Runtime IntelligenceA new generation of application security and performance controls

Sebastian [email protected]

PreEmptive Solutions

October 17-18, 2006 l Santa Clara, CA 2

DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT DRAFT

It’s 2:45 PMDo you know where your applications are?



The telling you what I’m going to tell you slide

• Runtime Intelligence: – what it is and why you might care

• Implications & requirements– What’s possible, what’s missing and what you can expect

• Runtime Intelligence applications and their value propositions– From software suppliers to enterprise consumers; security,

compliance and business performance

• Early commercialization– Tamper notification and application usage



What is the point of work?

Process

People Information

Information Systems




The Application

Process

People Information

Information Systems



The weakest link?

Monitor

LogAudit

Applications Applications

Legally Blind toUsage context

Deployment scopeOperational materialityStakeholder orientation

Supplier interests



Process

People Information

Information Systems


ConsumersSuppliers

Channels

Field

Finance

Users

Partners Supply chain

Regulators

Investors

service

IT

Service providers

Development

Sales

Manufacturing

CRM



Pressing issues for Runtime Intelligence

• Senior software executives want insight into channel performance, product and platform usage, quality of service and adoption

• Senior enterprise executives want IT security reassurance but lack necessary understanding

• Development managers want to align resources with security risks and platform requirements

• IT Security managers want credibility

• Product managers want insight into usage and behavior

• Businesses (and BUs) want, but are reluctant to provide, comparisons or guidance.

• Customer support needs reliable environmental data to provide better individual support, benchmark across platforms and over time.

• Information security and business executives often speak different languages

• All assessments are difficult: Too much data, not enough time.



What’s required

• Usage context– Design and development coordination

• Use case, materiality, coding and data conventions

• Deployment scope– Aggregation beyond individual IT domains

• SaaS or other managed service archipelago

• Operational materiality– Near-time integration with business metrics

• Activity monitoring & trend analysis incorporating site-specific business information, thresholds and tolerances

• Stakeholder orientation– Role-specific dashboards and reports

• Security, privacy, compliance, performance, financial, sales…

• Additional requirements– Best practices, security, privacy and liability



The development process• Develop

– Embed attributes: Entry & Exit points – tamper check methods– Utilize SDK: Attack, suspicious use case, positive use case– Application is enhanced at same stage as obfuscation

• Deploy– No boundaries

• Enterprise and supply chain• ISV customer base

• Collect– Data is sent via Web Service (SOAP) to a managed service

• Collect, burst, fire and forget• Opt-in and default is that no identifiable information is sent

• Enrich– Business information is periodically uploaded and integrated into a signal

repository • Connect supplier and supply chain to individual user, their “identify” and the business

interests they serve• Analyze and test through managed dashboards

– Benchmarking, threshold monitoring, trending and visualization• Application security, usage, compliance and business performance

• Distribute– Access to Runtime Intelligence can be delegated to constituent communities

• Increase opt-in and extend the value• Act

– Detective controls can lead to faster and more effective responses• Environmental hostility, misuse, adoption best practices, etc…



Obfuscation Development Process

Compiler

Output Assemblies

DotfuscatorObfuscatesCompactsLinks

-s

Attributes

Input Assemblies

Source Code

Map file

ExternalConfiguration

ExternalDependencies

Obfuscation Attributes



Runtime Intelligence (SO-s) Development Process

Compiler

Output Assemblies ( Including SO - s runtime)

DotfuscatorWith SO-s

Attributes

Input Assemblies

Source Code

SO-s Attributes

Obfuscation Attributes

SO-sRuntime

Assembly

Via SDK

Via Attributes

Map file

ExternalConfiguration

ExternalDependencies



SO-s Deployment

Message Buffer

SSL option Identifiable information is hashed Buffer is Tunable at development and runtime Messages optimized for performance

Runtime SO-s DLL

Application Signals

Dotfuscator Instrumentation Obfuscation Pruning & Consolidation



SO-signal

• What’s in a signal?– Anything that can be logged, monitored or audited

• Events– Application/Process/Service events

• Start/stop, tamper, exception, …• Suspicious, novel, best practice

– Account access and management events• Environmental data

– Runtime stack, application family, application ID– License key, identity

• Application data– Relevant to signal to provide context

• How are signals organized?– Consistent structures and conventions are required to enable security,

performance and other aggregation and analysis

“Internally developed applications and independent software vendors should provide log data that supports centralized application security

information and event management.”Define Application Security Log Output Standards, Amrit T. Williams,

Gartner Inc. 4 May 2006



SO-s SaaS

Data Validation & insertion into staging tablesSignal

Validation

Processing for OLAP and

source-specific access

Application Signals

Internet

Dozens of servers, load balanced with fully redundant architecture and clean separation of tiers, supporting

terabytes of extensible storage and security best practices that include regular threat modeling, 3rd party evaluation,

SAS70 Type II certified facilities, etc.

Runtime Intelligence Virtual Repository

Processing for OLAP and source-specific

accessBusiness Information

Business information

sourcesInternet

Secure WebDAV Msg queue (MSMQ)

Data Validation & insertion into staging

tables

Facilities



Software vendor monitoring field adoption

and behavior

Commercial product family

Adoption, platform utilization & stability

Tamper

Relative stability of

beta

Pipeline activity and

stability



View into active evaluations

Pipeline dependencies

Most active

Having problems?



Availability

• SO-signal: first generation of SO-s family distributed as a component of the Dotfuscator family– Available now for evaluation– Q4: Tamper notification

• 35% of the packaged software installed on personal computers (PC) worldwide in 2005 was illegal and circumvention of license controls is an increasingly common practice – Source: BSA

– Amounting to $34 billion is lost revenue– Posing material security and liability risk to consumers

– Q1: Usage, stability and environmental controls• Offering usage, stability and adoption dashboards in near-time

– Runtime Intelligence is offered on a subscription basis• Software included in existing Dotfuscator license agreements



Questions?Sebastian Holst

[email protected]

PreEmptive Solutions

october 17-18, 2006 l santa clara, ca runtime intelligence a new generation of application security...

Documents

santa clara

draft slide

information security

draft whats

application usage slide

liability slide

ca runtime intelligence

security managers