The growing adoption of cloud technologies and the trend to virtualise applications are inexorably re-shaping the traditional security paradigms, due to the increasing usage of infrastructures outside of the enterprise perimeter and shared with other users. The need for more...
The growing adoption of cloud technologies and the trend to virtualise applications are inexorably re-shaping the traditional security paradigms, due to the increasing usage of infrastructures outside of the enterprise perimeter and shared with other users.
The need for more agility in software development and maintenance has also fostered the transition to micro-services architectures, and the wide adoption of this paradigm has led service developers to protect their virtualised applications by including virtualised instances of security appliances in their design. Unfortunately, this often results in security being managed by people without enough skills or specific expertise, it may not be able to cope with threats coming from the virtualization layer itself (e.g., hypervisor bugs), and also exposes security appliances to the same threats as the other application components. It also complicates legal interception and investigation when some applications or services are suspected of illegal activity.
To overcome the above limitations, the ASTRID project aims at shifting the detection and analysis logic outside of the service graph, by leveraging descriptive context models and their usage in ever smarter orchestration logic, hence shifting the responsibility for security, privacy, and trustworthiness from developers or end users to service providers. Overall, the main benefits from the ASTRID approach will be better visibility over cloud-based services and more automation in the detection and response processes. In this respect, specific technical objectives to achieve the overall goal are:
• Decoupling the service business logic from the (necessary) security management, by shifting the detection logic outside the service graph and deploying pervasive, capillary, and programmable security hooks in the execution environment.
• Automate security management and response to threats, security incidents, attacks, by leveraging orchestration to automatically change the behaviour of the system (monitoring, inspection, detection, reaction) according to specific strategies expressed as security policies.
• Reduce the run-time overhead of security processing, by introducing efficient technologies for local monitoring, inspection, and aggregation of security-related data and events.
The main results in the first period can by briefly summarized as follows:
1) The definition of the project concept and vision.
2) The identification of the usage scenarios and technical requirements.
3) The definition of two Use Cases, together with demonstration and validation methodology.
4) The analysis of the SoA has selected relevant technologies for the Project and identified current gaps.
5) The design of the ASTRID architecture.
6) The development of a programmable framework to collect logs, system calls, and network measurements and to collect them in a centralized repository, based on the ELK framework.
7) The design of security policies to automatically configure and install firewalling rules on a virtual service.
8) The definition of novel remote attestation procedures on the software, which inspect the sequence of system calls as detected by the monitoring framework.
9) The initial design of a web-based GUI to interact with the ASTRID framework, in order to change its run-time behaviour, define reaction and mitigation policies, notify attacks and anomalies.
Demonstration activities have been slightly anticipated with respect to the workplan to create early ASTRID demos that show discrete components designed and developed in WP2 and WP3. They have been already partially used for scientific publications and are expected to be described through technical videos on the website.
Regarding communication activities, it is worth noting the great effort in clustering with other EU projects. ASTRID co-organized its 1st SecSoft workshop with all other projects funded under the same Call (namely SPEAR, REACT, and CYBERTRUST) and two additional projects dealing with cybersecurity aspects for NFV (namely, SHIELD and 5GENESIS).
The same approach has been followed for the 2nd Project Workshop as well, by contacting additional EU Projects that are complementary with the ASTRID objectives (namely, FutureTPM, PROMETHEUS, and PAPAYA.).
The ASTRID Project explicitly addresses the shortcomings of outdated security paradigms (still largely based on the security perimeter model) to effectively protect new computing and networking paradigms, which make extensive usage of virtualization, multi-tenancy, and dynamic composition techniques. Specific advances with respect to current practice include:
1) More efficient Security-as-a-Service paradigms in virtualised environments. ASTRID goes beyond the legacy paradigm, by pursuing the creation of a large security context fabric, which collects data and measurements from the whole service, and feeds a logically centralized detection logic, also leveraging big data, machine learning, and other modern analysis techniques.
2) Orchestration to automate the response to new threats and attacks, according to specific intention and needs of users. The ambition is the development of formal approaches that, while providing final assurance levels similar to the ones of the state-of-the-art formal verification techniques, are incorporated into the secure orchestration process.
3) Flexible and dynamic monitoring and inspection. ASTRID will exploit multiple and advanced programmability features of the data plane to perform monitoring, inspection and enforcing tasks, ranging from applications running in VMs or containers (e.g., LXC), OpenFlow rules, eBPF progrmas, and/or P4-based applications.
4) Identification of software threats and vulnerabilities. In ASTRID the vision is to design a hybrid vulnerability assessment technique tool that leverages fuzzing and concolic execution in a complementary manner, to find deeper vulnerabilities.
The main potential impacts brought by the ASTRID approach include:
- Improved detection and response time to advanced cyber security threats, by providing deep visibility over whole services through a common context fabric that collects security data and events from heterogeneous sources.
- Increase society’s resilience to advanced cyber-security threats: through tight integration with the software orchestration process, ASTRID can trigger de-provisioning, re-configuration, and re-deployment of virtual services in an automated way, so to quickly and effectively recover from attacks.
- Progress in technologies and processes needed to improve organisations’ capabilities to detect and respond to advance attacks, by developing a framework which automates operations based on high-level policies.
This will ultimately improve detection and response time to advanced cyber security threats, as well as the resilience to attacks, especially for dynamic services that evolve and morph at run-time in a (at least partially) unpredictable way.
More info: https://www.astrid-project.eu/.