Chair: Ewan Quibell, management systems and service leader, Jisc.
09:15-09:55 - Experiences with vulnerability management as part of an overall security architecture
Speaker: Dirk Schrader, CISSP/CISM at Greenbone Networks, Khipu.
Integrating vulnerability management into your security architecture, into your workflows.
What are some of the best practices for this? What are the advantages, what are possible caveats?
09:55-10:35 - On the airwaves – trends in Wi-Fi and wireless
Speaker: Peter Thornycroft, Aruba, HPE.
This talk will give a brief overview of forthcoming developments in Wi-Fi networking, including the next Wi-Fi PHY: 802.11ax, some applications of machine learning and the implications for WLAN architectures.
2. Please switch your mobile phones to silent
No fire alarms are scheduled. In the event of an alarm, please follow the directions of NCC staff.
15:20-16:00 Lightning talks
16:30-17:30 Birds of a feather sessions
19:30 Dinner (now full), entrance via Goldsmith Street
5. Content & About
» Experiences with vulnerability management as part of an overall security architecture
» Integrating vulnerability management into your security architecture, into your workflows.
» What are some of the best practices for this? What are the advantages, what are possible caveats?
» Dirk Schrader, CISSP, CISM
» Khipu and Greenbone provide the technology behind the Jisc Vulnerability assessment and information service
www.jisc.ac.uk/vulnerability-assessment-and-information-service www.khipu-networks.com www.greenbone.net
6. Vulnerability Management is required
» the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
» a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
ISO 27001 control A.12.6.1 asks for the timely identification of vulnerabilities and the assessment of the organization's exposure to each vulnerability.
ISO 27002 lists actions like
» Make an asset inventory
» Deal with vulnerabilities through defined procedures
9. VM in a Security Architecture
Cycle: prepare → identify → classify → prioritize → assign → mitigate & remediate → store & repeat → improve
10. 'prepare' <-> Policies
» Install policies and standards that enforce Vulnerability Management
» Make sure that responsibilities & actions are defined
› asset owner
› service owner
› system owner
› ownership ≠ responsibility…?
» Define secure configurations, whitelist systems and applications
» Map to security controls, relate controls to responsibilities
» Start simple, enhance stepwise
11. 'identify, classify, prioritize' <-> Workflows & Tools
» Import and/or discover assets
» Scan assets, scan them authenticated
» use CVSS, CVE, CPE
» enhance with additional SecInfo
» tag with Asset Criticality info
» use Score, Quality of Detection, and available SolutionType
» use Asset Information
» Attack status confirms
15. 'assign, mitigate & remediate' <-> Workflows & Tools
» use Reports, Alerts
» based on Knowledge, Experience, and Role
» track and trace assignment
» patch and/or upgrade
» block and/or isolate
» work around
» override is also a temporary option
18. 'store & repeat' <-> Workflows & Tools
» predict and trend assets
» handle changes in infrastructure
» time-stamped data supports Forensics
» average of 40 high severity flaws published per week
› 2017: 1,007 high severity flaws so far in 15 weeks
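The identify/classify/prioritize, assign and store & repeat steps above, as one added example that is not code from the talk or from Greenbone/Khipu: findings carry a CVSS score, a Greenbone-style Quality of Detection (QoD) percentage and a solution type, assets carry a hand-kept criticality tag, and two stored scans are compared to trend what is new, still open or fixed. Hosts, CVE ids, weights and dates are constructed placeholders.

```python
"""Classify, prioritise and trend vulnerability-scan findings.

Added example, not code from the talk or from Greenbone/Khipu. It assumes a
simplified finding record (host, CVE id, CVSS base score, a Greenbone-style
Quality of Detection percentage, solution type) and a hand-kept asset
criticality table; CVE ids, hosts and weights are constructed placeholders.
"""
from datetime import date

# Constructed: two stored scans of the same estate, a week apart ('store & repeat')
SCAN_DATES = (date(2017, 4, 3), date(2017, 4, 10))
SCAN_1 = {  # (host, CVE) -> finding
    ("web01", "CVE-XXXX-0001"): {"cvss": 9.8, "qod": 97, "solution": "VendorFix"},
    ("web01", "CVE-XXXX-0002"): {"cvss": 7.5, "qod": 30, "solution": "VendorFix"},
    ("hr-db", "CVE-XXXX-0003"): {"cvss": 6.5, "qod": 80, "solution": "Workaround"},
}
SCAN_2 = {
    ("web01", "CVE-XXXX-0002"): {"cvss": 7.5, "qod": 30, "solution": "VendorFix"},
    ("hr-db", "CVE-XXXX-0003"): {"cvss": 6.5, "qod": 80, "solution": "Workaround"},
    ("kiosk7", "CVE-XXXX-0004"): {"cvss": 9.1, "qod": 80, "solution": "NoneAvailable"},
}
CRITICALITY = {"web01": 1.0, "hr-db": 1.5, "kiosk7": 0.5}  # constructed asset tags
MIN_QOD = 70  # below this the detection is too uncertain to assign work on

def priority(host, finding, criticality=CRITICALITY):
    """CVSS weighted by asset criticality and detection confidence, with a
    lower factor when no fix exists (the owner must block, isolate or work around)."""
    fix = {"VendorFix": 1.0, "Workaround": 0.9, "Mitigation": 0.9}.get(finding["solution"], 0.7)
    return round(finding["cvss"] * criticality.get(host, 1.0) * finding["qod"] / 100 * fix, 2)

def ranked(scan):
    """Findings in assignment order, after dropping low-QoD detections."""
    rows = [(priority(h, f), h, cve) for (h, cve), f in scan.items() if f["qod"] >= MIN_QOD]
    return sorted(rows, reverse=True)

def trend(old, new, old_date, new_date):
    """Compare two stored scans: what is new, what is still open, and what was
    fixed within how many days of the last scan that saw it (the time-stamped
    data the talk says supports forensics and the 'window of vulnerability')."""
    days = (new_date - old_date).days
    return {
        "new": sorted(set(new) - set(old)),
        "still_open": sorted(set(old) & set(new)),
        "fixed": sorted((h, cve, days) for (h, cve) in set(old) - set(new)),
    }
```

Note that the low-QoD finding on web01 never reaches the assignment list, while the unpatchable kiosk finding ranks low despite its CVSS score because the asset itself was tagged as low criticality.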
30. 802.11ax: Issues Facing Wi-Fi Networks
• Many short data frames, many users (>80% of frames under 256B)
• Overlapping BSSs in dense deployments block each other from transmitting
• Improving performance in outdoor hotspots
[Figure: dense deployment map with four channels reused across neighbouring BSSs]
31. 802.11ax: Goals
• Enhance operation in 2.4 & 5 GHz bands (11ac was only 5 GHz)
• Increase average throughput per station by at least 4x in dense deployments
• Improvements both indoor and outdoor
• Scenarios include wireless corporate office, outdoor hotspot, dense
residential apartments and stadiums
• Maintain or improve power efficiency of the stations
32. 802.11ax: Timeline (guess products late 2018 / early 2019)
[Timeline chart in months from task-group kick-off, 2014-2019; the 802.11ac history is shown for comparison and dates after mid-2017 are predicted]
IEEE 802.11ax: TG kick off May '14; D0.1 Jan '16; D1.0 Dec '16; D2.0 May '17; Sponsor Ballot Mar '18 (predicted); Final Approval Dec '18 (predicted)
WFA AX: SIG kick off Feb '14; MTG kick off Apr '16; Cert Launch Dec '18 (predicted)
IEEE 802.11ac: TG kick off Nov '08; D0.1 Jan '11; D1.0 Jun '11; D2.0 Feb '12; D3.0 Jun '12; Sponsor Ballot May '13; Final Approval Oct '13; Publish Dec '13
WFA AC: SIG kick off Aug '09; MTG kick off Jun '10; TTG kick off Aug '11; Plugfest #1 Aug '12; PF #5 Jan '13; Launch Jun '13
33. 802.11ax: features
[Figure: four feature groups, reconstructed from the slide layout]
Spectral Efficiency & Area Throughput: 8x8 AP; 1024 QAM (25% increase in data rate); DL/UL MU-MIMO w/ 8 clients; Long OFDM Symbol (up to 20% increase in data rate)
High Density: OFDMA (DL/UL MU transmissions serving 80 MHz capable and 20 MHz-only clients together: 2x increase in throughput, ac vs. ax); Spatial Reuse; 20 MHz-only clients
Outdoor / Longer range: Enhanced delay spread protection - long guard interval (0.8us in 11ac; 1.6us and 3.2us in 11ax); Extended range packet structure: L-STF (8µs) | L-LTF (8µs) | L-SIG (4µs) | RL-SIG (4µs) | HE-SIG-A (16µs) | HE-STF (4µs) | HE-LTF | HE-LTF ... (variable durations per HE-LTF symbol) | Data... | PE
Power Saving: Scheduled sleep and wake times; TWT element: Implicit TWT, Next TWT, TWT Wake Interval (Beacon, TF ... Next TWT, Beacon, TF, TF, TF across the TWT Wake Interval)
35. 802.11ax: MU-MIMO, UL MU transmissions
• New Trigger control frame
• UL MU transmission may be OFDMA or MU-MIMO
• Trigger frame can be used as a Beamforming Report Poll, MU-BAR, MU-RTS, Buffer Status Report Poll, Bandwidth Query Report Poll…
[Diagram: the AP sends a Trigger frame; STA1-STA4 answer with UL MU PPDUs separated in the frequency/spatial domain; the AP replies with an Acknowledge frame]
36. 802.11ax: BSS colouring
• To increase capacity in dense environments, we need to increase frequency reuse between BSSs
• BSS Colouring was a mechanism introduced in 802.11ah to assign a different "colour" per BSS, which will be extended to 11ax
• New channel access behavior will be assigned based on the colour detected
[Figure: three channel maps. "Low Frequency Reuse (w/ 20 MHz channels)": 19 distinct channels, so few neighbours share one. "Increased Frequency Reuse (w/ 80 MHz channels) - All same-channel BSS blocking": only four channels, and every same-channel neighbour blocks the others. "Same-channel BSS only blocked on Colour Match": the same four channels, but a BSS defers only to same-channel neighbours with the same colour]
37. 802.11ax: outdoor and longer-range features
• One of the goals of 802.11ax is improved performance outdoors
- Longer delay spreads than the 11a/n/ac guard interval of 0.8 usec. 802.11ax modifies the guard interval options to 0.8, 1.6, and 3.2 usec
- Possible multipath bounces off high speed vehicles. A Doppler bit indicates Doppler mode of transmission
• To expand the coverage and robustness of an outdoor hotspot
- New extended range packet format with more robust preamble
- Dual Carrier Modulation (DCM) – replicate the same information on different subcarriers for diversity gain and narrow band interference protection, ~3.5 dB gain
- Narrower transmission bandwidth for Data field – 106 tones (~8 MHz) can be used to reduce noise bandwidth
HE extended range SU PPDU format: L-STF (8µs) | L-LTF (8µs) | L-SIG (4µs) | RL-SIG (4µs) | HE-SIG-A (16µs) | HE-STF (4µs) | HE-LTF | HE-LTF ... (variable durations per HE-LTF symbol) | Data... | PE
38. 802.11ax: new PHY data rates
| | 11ax data rate (Mbps) | 11ax mode | gain | 11ac data rate (Mbps) | 11ac mode |
|---|---|---|---|---|---|
| Min | 0.375 | 1SS, MCS0, DCM, 26-tone | | 6.5 | 1SS, MCS0, 20 MHz |
| Max, 20 MHz | 143.4*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 65% | 86.7*NSS | 256-QAM, r=3/4 (256-QAM, r=5/6 only valid for NSS=3,6), 3.6 usec symbol |
| Max, 40 MHz | 286.8*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 43% | 200*NSS | 256-QAM, r=5/6, 3.6 usec symbol |
| Max, 80 MHz | 600.4*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 39% | 433.3*NSS | 256-QAM, r=5/6, 3.6 usec symbol |
| Max, 160 MHz | 600.4*2*NSS | 1024-QAM, r=5/6, 13.6 usec symbol | 39% | 433.3*2*NSS | 256-QAM, r=5/6, 3.6 usec symbol |
NSS = 1…8 for both 11ac and 11ax
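The per-stream figures in the table follow from data subcarriers × bits per subcarrier × code rate ÷ OFDM symbol duration (including the guard interval). The following added example, not from the talk, rebuilds the table from those parameters; the subcarrier counts per channel width and RU, the DCM halving and the 4 us long-GI symbol used for the 11ac Min row are taken from the standards and are assumptions of this example (its 80 MHz result rounds to 600.5 where the slide prints 600.4).

```python
# Added example: rebuild the 11ac/11ax per-stream data-rate table from PHY
# parameters. Subcarrier counts, DCM behaviour and symbol durations are
# assumptions taken from the standards, not values from the slide.
AC_DATA_SC = {20: 52, 40: 108, 80: 234, 160: 468}                   # 802.11ac data subcarriers
AX_DATA_SC = {20: 234, 40: 468, 80: 980, 160: 1960, "26-tone": 24}  # 802.11ax RUs / channels
BITS = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6, "256-QAM": 8, "1024-QAM": 10}

def rate_mbps(data_sc, mod, code_rate, symbol_us, nss=1, dcm=False):
    """Mbps = data subcarriers * bits/subcarrier * code rate * streams / symbol time.
    DCM sends each bit on two subcarriers, halving throughput for robustness."""
    bits = data_sc * BITS[mod] * code_rate * nss
    if dcm:
        bits /= 2
    return round(bits / symbol_us, 3)

def rate_table():
    """Rows of (label, 11ax Mbps, 11ac Mbps, gain %) for one spatial stream."""
    # Min: 11ax MCS0 with DCM on a 26-tone RU, 3.2 us GI (12.8 + 3.2 = 16 us symbol);
    # 11ac MCS0 at 20 MHz with the 0.8 us long GI (3.2 + 0.8 = 4 us symbol)
    rows = [("Min", rate_mbps(AX_DATA_SC["26-tone"], "BPSK", 1 / 2, 16.0, dcm=True),
             rate_mbps(AC_DATA_SC[20], "BPSK", 1 / 2, 4.0))]
    for bw in (20, 40, 80, 160):
        ax = rate_mbps(AX_DATA_SC[bw], "1024-QAM", 5 / 6, 13.6)  # 12.8 us + 0.8 us GI
        ac_r = 3 / 4 if bw == 20 else 5 / 6  # r=5/6 at 20 MHz is only valid for NSS=3,6
        ac = rate_mbps(AC_DATA_SC[bw], "256-QAM", ac_r, 3.6)     # 3.2 us + 0.4 us short GI
        rows.append((f"Max, {bw} MHz", ax, ac))
    return [(label, ax, ac, round(100 * (ax / ac - 1))) for label, ax, ac in rows]

if __name__ == "__main__":
    for label, ax, ac, gain in rate_table():
        print(f"{label:13} 11ax {ax:9.3f}  11ac {ac:8.3f}  gain {gain:+d}%")
```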
39. 802.11ax: Target Wake Time for power save
• Target Wake Time (TWT) is a power saving mechanism in 802.11ah which allows the STA to sleep for periods of time, and wake up at pre-scheduled times to exchange information with its AP
[Figure reproduced from IEEE doc. 802.11-12/0823r0, "Power Consumption Profiles", Matthew Fischer et al., July 2012, slide 14: radio-state timelines for baseline PS-POLL, beacon-based access and TWT-based access, showing the lookup, access and slot delays spent awake around the UL frame and DL BA exchange]
SM: Sleep Mode; LM: Listen Mode; RM: Receive Mode; TM: Transmit Mode
40. 802.11ax: 20 MHz-only clients
• Provide support for low power, low complexity devices (IoT): wearable devices, sensors and automation, medical equipment, etc.
42. Artificial Intelligence and Machine Learning
• Drawing inferences from large amounts of data
− First obtain a large amount of training data (labelled for supervised learning)
− Then train the ML model to get the ‘right’ result from the training data
− Now let the model loose on new data
• Can be applied to different problems
− Network Management
− Misbehaving devices or users
− Device discovery & classification (e.g. IoT)
• Can close the loop with suggested changes or automated actions
43. Architecture for Machine Learning
[Pipeline diagram: an on-premise data collector gathers network data sources (span ports, firewalls, WLAN, network management, authentication, DHCP, …) and sends them to the cloud, where the stages are: identify anomalies → cluster anomalies → root cause & fixes → alerts and actions]
44. Network management: Benefits
Better network operations: real-time insights with root cause analysis and remedy recommendation
– "A large fraction of Lync calls fail in building A, because of non-WiFi interference"
– "On July 7th, 38 users in building B suffered slow Wi-Fi speed due to suboptimal channel allocation"
– "45 users failed to connect to Wi-Fi, because of Radius server overload"
Better network planning: macro insights with long-term recommendations
– "Compared to similar buildings, users in building A achieve 20% lower data rate"
– "In building B, peak hour traffic grows by 2.3% month-to-month. This will become a network bottleneck in 14 months"
45. Network Management: Environment type detection
[Scatter plot of user density against connection life time, with three clusters]
Cluster 1: low user density, high connection life time. Example: office space
Cluster 2: high user density, high connection life time. Example: lecture hall
Cluster 3: high user density, low connection life time. Example: cafeteria area
Automatic granularity: subdivide buildings based on Wi-Fi characteristics
− Example: library entrance area vs. library archive stacks
46. Network management: Data-driven anomaly detection
• Detect anomalous values of network metrics, while accounting for the circumstances
− AP experiences high air utilization (uplink + downlink + ambient), given time of day and band
− Client station has uplink/downlink rate imbalance, given its device type and band
− Client station is using low downlink rate, given its RSSI, band and device type
− No manual thresholds are needed; separate models for each environment type maintain a low false alarm rate
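An added example (not the speaker's or Aruba's code) of the "given time of day and band" idea: one robust baseline per (environment type, band, hour) context, so the same air-utilisation reading is normal in a lecture hall at 10:00 and anomalous in an office at the same hour, without any hand-set threshold. The sample readings, environment names and the median/MAD model are constructed assumptions.

```python
# Added example (not from the talk): context-aware anomaly detection for one
# Wi-Fi metric. Each (environment type, band, hour) context gets its own robust
# baseline (median and MAD) learnt from history, so no manual threshold exists.
# The readings below are constructed sample data.
from collections import defaultdict
from statistics import median

# (environment, band, hour, AP air utilisation in %)
HISTORY = []
for _hour in (9, 10, 11):  # daytime readings
    HISTORY += [("lecture_hall", "5GHz", _hour, u) for u in (70, 74, 68, 72, 75, 71)]
    HISTORY += [("office", "5GHz", _hour, u) for u in (20, 24, 22, 19, 23, 21)]
for _hour in (0, 1, 2):  # night-time readings
    HISTORY += [("lecture_hall", "5GHz", _hour, u) for u in (3, 5, 4, 6, 4, 5)]
    HISTORY += [("office", "5GHz", _hour, u) for u in (2, 3, 2, 4, 3, 2)]

def build_baselines(samples):
    """Return {(environment, band, hour): (median, MAD)} from historical samples."""
    groups = defaultdict(list)
    for env, band, hour, value in samples:
        groups[(env, band, hour)].append(value)
    baselines = {}
    for ctx, values in groups.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # guard against zero spread
        baselines[ctx] = (med, mad)
    return baselines

def is_anomalous(baselines, env, band, hour, value, k=3.5):
    """Flag a reading whose robust z-score |value - median| / (1.4826 * MAD)
    exceeds k within its own context; unknown contexts are never flagged."""
    if (env, band, hour) not in baselines:
        return False
    med, mad = baselines[(env, band, hour)]
    return abs(value - med) / (1.4826 * mad) > k

if __name__ == "__main__":
    model = build_baselines(HISTORY)
    for ctx in (("lecture_hall", "5GHz", 10), ("office", "5GHz", 10), ("lecture_hall", "5GHz", 1)):
        print(ctx, "72% air utilisation anomalous:", is_anomalous(model, *ctx, 72))
```

A reading from a context with no history returns False rather than an alert, which is the behaviour you want while a new building or band is still being learnt.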
50. Security: finding the malicious in the anomalous
[Diagram: Behavioral Analytics (supervised machine learning) fed by third-party alerts from DLP, Sandbox, Firewalls, STIX, Rules, etc.]
51. IoT: Security Starts with Identifying Devices
1. Seeing totals and mix of devices helps understand risk. CCTV cameras from XiongMai Technologies can be an issue.
2. Visibility needed to make accurate planning decisions - bandwidth usage, firewall rules, etc.
3. Having information useful during internal and external audits.
52. IoT: Comprehensive Profiler Methods
• DHCP Fingerprinting (support for IP-Helper and use of SPAN/RSPAN mirroring)
• SNMP/Network Discovery (MIB reads to identify static IP addressed devices)
• WMI (useful for Windows)
• SSH (useful for Linux)
• CDP, LLDP (useful in Cisco networks)
• HTTP User-Agent (useful for Apple)
• MAC OUI (useful for Android)
• ARP Reads, Subnet Scans
• Active Sync Plugin
• Nmap Port scans
• TCP
56. Network architecture
• The network hollows out
• The edge is used for sensing and reporting
• Policy definitions allow the network to dynamically reconfigure in response to traffic & external events
• APIs allow the network to dynamically reconfigure in response to external requirements
• Big Data is accumulated locally or in the cloud
• Machine Learning is applied to many networking problems
Virtualization makes definition of responsibilities kind of difficult
Actions & Consequences
[Diagram, built up over four slides: NAC, CMDB, Threat Intel / SIEM, Ticket System / IT Service Management, Update Server (e.g. WSUS, SCCM)]
OK, rather a rare case.
VM of course provides data for analysis and timeline review, identifying the 'window of vulnerability' of an affected system for the actual attack.
Ever changing landscape of vulnerabilities (new ones and updates to known ones): a known vulnerability sometimes changes its characteristics.
Half-life value of facts gathered about your security posture.
Improve the questions to ask: where do people try to circumvent security policies and why?
One contributing factor to non-compliance by users is an extensive workload caused by security mechanisms. That is:
1) There is no clear reason to comply
2) The cost of compliance is too high
3) There is an inability to comply (encrypted USB drives too small to carry the needed files)
Recommended reading: 'The psychology of Information Security'