Selling Unikernels:
The CyberChaff Story
Adam Wick
QCon SF 2016
Last year, I talked on and on, and then said:
“The trick to developing unikernels is not to
build a unikernel until you absolutely have to.”
(because complexity)
This year, I am going to say:
“The trick to selling unikernels is not to
sell a unikernel until you absolutely have to.”
© 2016 Galois, Inc.
The QConSF Unikernel Talk Trilogy
My goal with these talks is to provide answers to the questions
you might face trying to adopt unikernels in your technology
stack.
2014: What the hell are these things?
2015: How do they affect my development cycle?
2016: How do they affect my sales?
Let’s Attack a Network
Because nothing says “fun” like teaching more people the
basics of how to cause massive economic damage across a
variety of industries.
Step #1: Deploy Cat Pictures
Step #1: Deploy Cat Cute Animal Picture
Step #2: Pivot & Attack
Let’s Subdivide
Let’s subdivide these steps even further:
Deploy cute animal pictures.
Gain a foothold on a network.
Observe and Orient: Where am I? What’s around me?
Decide: What’s my best next target?
Act: Attack that system.
So What?
What is the mean time between someone
gaining access to your network and you
detecting them?
146 days
(or about 4½ months)
So You Want To Defend A Network
You want to do this. It makes you a hero!
Defending a Network
Thus, one way to defend a network is to consider this diagram and
find ways to impair the attacker’s ability to function at each of
these steps.
Deploy cute animal pictures.
Gain a foothold on a network.
Observe and Orient: Where am I? What’s around me?
Decide: What’s my best next target?
Act: Attack that system.
Diagram annotations:
• Dear users: Please stop opening cat pictures…
• Add more email and spam filters, attachment filters
• Network and Host Hardening, Least Privilege!
• Intrusion Detection
• SIEM
Step #2: Pivot & Attack
Step #2 with CyberChaff
CyberChaff in a Nutshell
CyberChaff is a network defense capability that uses
many lightweight virtual machines to generate false
nodes on a network.
Key Features:
• Can emulate a wide variety of operating systems
and services.
• Add 400+ CyberChaff nodes using few resources:
an Intel NUC or a standard 1U server.
• Each Chaff node runs minimal software in its own
virtual machine, limiting the possibility of
compromise.
What The Hell, Adam?
Why have you spent all this time talking about CyberChaff? I
thought this was supposed to be about unikernels and
“Modern CS in the Real World”?
Every CyberChaff Node Is A Unikernel
Service Implementations
Custom, Customizable Network Stack
Network and Console Card Driver
Haskell
C
HaLVM
• 16-32MB per node
• Emulates 4000+ OSes
• All The Great Services
• Credential Trapping
• Protocol Passthrough
• No OS required
• No unused code
• No unused drivers
• No buffer overruns
• Cloud-ready
The Thing About Selling Unikernels
… is that generally speaking, you don’t need to mention the fact
that you’re selling unikernels.
So You Want To Build A Unikernel
There are five steps to building a Unikernel:
1. Don’t.
2. Test & Measure.
3. Do.
4. Test (Part II)
5. Deploy.
© 2015 Galois, Inc.
Engineering Sales 101
… although the precise technology does influence these …
Flowchart (each step has yes/no branches): Problem? → Idea Solves Problem? → $? → Installs?
Selling New Technology
Idea Solves Problem?
Does your brand new technology help in solving the problem, or does it make things more difficult?
Unikernels: Provide a dramatically improved security posture by using lightweight virtual machines with a particularly difficult attack surface.
$?
Does your brand new technology cost more than existing techniques?
Unikernels: Dramatically reduced virtual machine costs through reduced memory and CPU footprints. *
Installs?
Does your new technology make it easier or harder to deploy?
Unikernels: … EC2? *
CyberChaff: Don’t really have much to do with this, since we’re mostly selling hardware. *
OK, It’s Not All Rainbows and Dance Parties
But it never is.
Does your brand new technology cost
more than existing techniques?
As it happens, unikernel developers
are a little thin on the ground, so
development costs can be higher.
Does your new technology make it
easier or harder to deploy?
We do have some trouble with
software installs that don’t involve Xen.
Selling CyberChaff
Let’s talk about the sales thing.
Selling CyberChaff, Phase 1
Deploy cute animal pictures.
Gain a foothold on a network.
Observe and Orient: Where am I? What’s around me?
CyberChaff™
OMG 146 DAYS ON YOUR NETWORK!1!
Decide: What’s my best next target?
Act: Attack that system.
Selling CyberChaff, Phase 1 Results
1. “That’s great! I’m in! Here’s my credit card!”
This never happens.
2. “Thank you for coming by.”
“I will never get this hour back, you jerks.”
3. “That’s really interesting. Do you have a white paper or
technical document describing this further that you could
email to me?”
“ … so my insane workload can deal with you.”
4. “Interesting. I have some questions …”
Their Questions
Are not about us, and in general not really about CyberChaff (in
some sense), but rather about how CyberChaff can work in their
environment:
• Can it emulate <our operating system of choice>? Yes.
• How about our <services of choice>? Yes.
• How do you deploy CyberChaff? Well, we have ...
• What logging systems do you support? Most.
• How does this compare to a Honey Pot? Smaller and …
• Isn’t that a lot of IP addresses? Yes.
• Doesn’t that just add a huge attack surface to my network?
Unikernels inside!
Unikernels: I’M SO GLAD YOU ASKED
Let’s just remind ourselves about what a unikernel is.
Unikernels are specialised, single address space machine images
constructed using library operating systems.
- Wikipedia
or
Unikernels : Virtual Machines :: Exokernels : Physical Machines
or
Unikernels are single-process programs compiled to run directly on
(usually virtual) hardware, rather than within a full-featured OS.
Lower operating costs
Faster response to events
Smaller attack surface
Which means!
Every CyberChaff node is in its own virtual machine.
It is running Haskell from the ground (driver level) up.
In fact, only the bits of Haskell you need to run that CyberChaff
node.
So good luck to your attackers.
Their Questions
Are not about us, and in general not really about CyberChaff (in
some sense), but rather about how CyberChaff can work in their
environment:
• Can it emulate <our operating system of choice>? Yes.
• How about our <services of choice>? Yes.
• How do you deploy CyberChaff? Well, we have ...
• What logging systems do you support? Most.
• How does this compare to a Honey Pot? Smaller and …
• Isn’t that a lot of IP addresses? Yes.
• Doesn’t that just add a huge attack surface to my network? No.
That’s Pretty Much It, Unikernel-wise
Honestly, no one really cares all that much.
The Down Sides
As it turns out, unikernels are not the magic pill that will make all
your problems go away and cause your customers and funders to
fawn all over you.
It rarely adds some complication to your explanations … and
complication is not great.
It does cause some potentially-strange shifts in your roadmap that
can be surprising to some customers.
Staffing, particularly for “senior” staff, is a challenge.
Let’s Wrap Up
Unikernels
(awesome)
CyberChaff
(also awesome)
And you’ve made how much … ?
I can’t tell you. But I will say:
• CyberChaff is installed all around the world.
• Some of those folks pay us.
• They include:
  • Reed College
  • A Fortune 50 electronics company
  • A couple Defense Department contractors
• It has been shown to be effective
• We also have some resellers working their own deals
New Technology
New technology can be a lot of fun. It can:
• Enable some really cool capabilities
• Simplify your development process
• Provide you with differentiation from your competitors
But it can also be scary:
• How is it going to affect sales?
When you go for it, go for it, and remember:
• Stifle your urge to gush about the tech
• Focus on how you solve the problem
• Accentuate the positive
Adam Wick
[email protected]
Twitter: @acwpdx
Any questions?
http://cyberchaff.com
http://unikernel.org
http://halvm.org
All trademarks, service marks, trade names, trade dress, product names and
logos appearing in these slides are the property of their respective owners,
including in some instances Galois, Inc.
All rights are reserved.