Mr. Todd Heberlein

Environment-Aware Security
Sp-231 on 13 Nov, 1500-1550.

When intrusion detection systems were first being developed in the 1980s and early 1990s, (1) actual attacks were extremely rare, (2) only a small number of vulnerabilities were typically known at any given time, (3) few important systems were connected to open networks, (4) the variety of interactions and interdependencies between processes and systems was limited, and (5) the largest open network, the Internet, was relatively small. Today, all this has changed, and because of that change, we should reconsider the role of monitoring in our information systems. This talk examines the past and present of security monitoring and paints a relatively utopian vision of our information systems in which everything that should happen can happen and everything that shouldn't happen cannot happen. It then describes a path for security monitoring that will help bring us closer to that vision.

About Todd Heberlein
Todd Heberlein designed and developed the original UC Davis Network Security Monitor (NSM), the first widely deployed network-based intrusion detection system. The sensor served as the foundation for the United States Air Force's Automated Security Incident Measurement (ASIM) global sensor grid. Lawrence Livermore National Laboratory deployed the sensor under the name Network Intruder Detector (NID), and the Defense Information Systems Agency (DISA) deployed it under the name Joint Intrusion Detection System (JIDS).

More recently, Mr. Heberlein worked on an Air Force project called TrendCenter, which represented an early effort to reposition sensors from an operational model of "detect and respond" to a model of "predict and prepare". Currently Mr. Heberlein is working on a Navy STTR and ARDA effort called Environment-Aware Security, which builds a detailed understanding of our own environment, the threat environment in which we operate, and the interaction between the two in order to recommend an optimal path to securing our systems.