Mitigate Today's Most Pervasive
Cyber Threats with Device Identification
Steven Sprague
President & CEO
Wave Systems Corp.
© 2011 Wave Systems Corp. Confidential. All Rights Reserved.
Agenda
• Only Known Devices
• Machine Health
• Adaptive Access
• Encryption Everywhere
• Secure the Cloud
The real cost of an attack by an unknown machine is substantial
Lockheed Martin hit by unspecified cyber incident
  Lockheed shares dropped $2.14
  Market loss of $712 million
Booz Allen confirms its systems were hacked
  Booz Allen shares dropped $1.59
  Market loss of $201 million
Tokens were not enough
• Did we know there was a common key?
• The users don't have Advanced Persistent Threats
• It is time to embed strong authentication in all devices
• Here is your new token – did we fix the problem??
• Organizations need their own keys, not a central key held by a vendor
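The point behind "a common key": most hardware tokens are shared-seed OTP generators, so whoever holds the seed file can mint the same codes as the token. The following is an added example written for this page (not Wave's code and not any vendor's implementation) of the RFC 4226/6238 algorithm such tokens use, with a constructed seed file; the serial numbers and the second seed are made up, and the first seed is the RFC test-vector seed. A TPM-resident key signs a per-login challenge and never leaves the device, so there is no equivalent central file to steal.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def server_verify(seed: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current 30 s step or +/- skew_steps of clock
    drift, comparing in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(seed, unix_time + delta * 30), code):
            return True
    return False


# Constructed "seed file": serial number -> shared secret. This is the kind of
# record a token vendor and the customer's authentication server both hold.
SEED_FILE = {
    "000123456": b"12345678901234567890",            # RFC 4226/6238 test seed
    "000123457": b"constructed-seed-for-token-two",   # made-up seed
}


def leaked_seed_file_demo(serial: str = "000123456", unix_time: int = 59) -> dict:
    """The user's token and an attacker holding a copy of the seed file compute
    the same code; the server has no way to tell which party produced it."""
    seed = SEED_FILE[serial]
    token_code = totp(seed, unix_time)      # what the token displays
    attacker_code = totp(seed, unix_time)   # what the seed-file holder computes
    return {
        "token_code": token_code,
        "attacker_code": attacker_code,
        "server_accepts_attacker": server_verify(seed, attacker_code, unix_time),
    }


if __name__ == "__main__":
    print(leaked_seed_file_demo())
```

The seed file is the single point of failure: once it is copied, re-issuing tokens only helps if the replacement seeds are generated and held by the organization itself.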
Trusted Computing market is growing
• Global industry standards group
– Microsoft, Intel, IBM, Wave, Infineon, Lenovo, Fujitsu, Nokia, Dell, AMD
• Over 500 million TPMs deployed
• ARM just rejoined to support mobile TPM
• Established policy for acquisition - USA and UK
• NIST standards leverage TPM: SP 800-147 & SP 800-155
• Microsoft requires TPM on all Windows-on-ARM
– Tablets, phones…..
• Microsoft leverages TPM across Windows 8 corporate and consumer OS
• TPM on Android and Chrome
Only known devices connected to your networks and data
 Every device needs tamper-resistant identity
 TPM and MTM
 Health and state of the device are critical moving forward
 NIST SP 800-147 and NIST SP 800-155 are critical
– Signed components
– BIOS integrity
– Secure boot
– Assured anti-virus
 First standards-based security for all devices
What is on your network???
Future is not based on connections
 The users have left the building
 The apps have left the building
 New model is a network built on identity and not on connections
[Diagram: apps, the corporate network and devices; caption: the future is a subscriber-based model for service access]
Every device is not created equal
 Not a single device but many
 My personal phone, my enterprise PC and my iPad are not the same
 Services must adapt to the capabilities of the device logging on
 Not just yes/no but shades of grey
[Diagram: Known users + Known devices + Data encryption = REAL SECURITY]
Known device networks cost less
 Mobile phones, cable and satellite boxes
 Billions of devices connect directly to today's sophisticated global networks
 Cost for Apple to manage an iPad
 PwC deployed 85,000 seats and reduced token costs by 30-50%
 Security you already own and have deployed across your entire organization.
Device encryption
 Binds user to the device
 Should be embedded in the drive hardware to eliminate performance issues
 Medium-assurance key storage
 Encrypt every bit
 Built in on all new drives; TCG Opal provides interoperability between drive vendors and management software
 Need to extend to all mobile devices
Hardware encryption does not impact drive performance, but software full-disk encryption has a substantial impact, according to Trusted Strategies
[Chart: Extensive data reads/writes, MB/s, Seagate Momentus 7200 vs Seagate Momentus 7200 SED] Extensive data read/write performance was nearly the same for a self-encrypting drive versus the same drive without encryption.
[Chart: Drive throughput, heavy data reads, MB/s: Seagate (no encryption), Seagate SED, average software FDE, software encryption #1, #2, #3] Drive throughput was significantly reduced when software encryption was compared to self-encrypting drives. This can impact employee performance while waiting for data and programs to load.
Source: Trusted Strategies LLC, "FDE Performance Comparison, Hardware versus Software Full Drive Encryption", February 9, 2010
Trusted Strategies found that reimaging computers and return from hibernation are other factors that impact productivity
Considerable time savings are realized when reloading or reimaging computers using SED drives. This happens increasingly with fresh standard images or when installing a new operating system like Windows 7.
While only seconds, the time waiting to return from hibernation is impacted by software encryption. Multiple hibernations per day can accumulate to over a workday lost every year, plus increased user frustration.

Time required to encrypt the drive (initial encryption)
  Self-encrypting drive      0 minutes (data encrypted as loaded; the drive always encrypts, so enabling protection only sets the authentication key)
  Software encryption #1     3 h 16 min
  Software encryption #2     8 h 9 min
  Software encryption #3     23 h 46 min

Time to return from hibernation (seconds)
  Seagate (no encryption)         21.42
  Seagate SED / Wave Embassy      23.22
  Average software FDE            40.80
  Software encryption #1          26.37
  Software encryption #2          54.76
  Software encryption #3          41.26

Source: Trusted Strategies LLC, "FDE Performance Comparison, Hardware versus Software Full Drive Encryption", February 9, 2010
Cloud services need known computing
 Cloud services should know what devices are attached
 Consumerization of IT – adaptive access
 A billion devices – which ones can you trust?
 Subscriber management is essential
How will you secure access to the cloud?
TPM security supports multiple network access standards
 IPsec
 SAML
 DHCP NAP (Network Access Protection with DHCP enforcement)
 Microsoft DirectAccess
 802.1X
 SSL/TLS
Secure your tunnel
In each case the TPM protects the client's private key used for authentication (the EAP-TLS certificate under 802.1X, the machine certificate for IPsec or DirectAccess); the tunnel itself is only as strong as the protocol and its enforcement point, and DHCP-based NAP enforcement in particular is bypassed by a statically addressed client.
There is a plan
Three key elements of cyber security delivered by Trusted Computing:
 Device health
 Pervasive encryption
 Strong authentication
Trusted Computing is improving security today, building on the TPM:
 SED
 Machine pre-boot health
 Trusted Network Connect
 Trusted applications
 Trusted execution
Building security "from the ground up" to solve cyber security challenges
TPM Case Study: PwC
 PricewaterhouseCoopers (PwC)
 TPM-based certificates for VPN and WiFi access
 85,000 seats into their rollout
 Target: 150,000 employees across 850 locations in 142 countries
 Virtually all of PwC's computers had TPMs
 Cost analysis found that smartcards cost at least 2x the TPM approach and USB tokens 3x
 The use of TPM proved successful in mitigating "jailbreak" risk (the private key stays in the TPM, so the credential cannot be copied to an unmanaged machine)
 TCG standards can be implemented in small, manageable steps without changing the current infrastructure
TPM Case Study: PwC
“You may find your organization is in a similar
situation to PwC, which may lead you to use
TPM for strong authentication.”
- Karl Wagner, PwC
Director, Global IT
BIOS Integrity
 BIOS (Basic Input Output System) is the first code run by a PC when powered on
 The primary function of the BIOS is to configure the hardware and load and start an operating system
 The first job for the BIOS is to initialize and identify system devices such as the video display card and keyboard
 BIOS then loads software (OS) held on a peripheral device such as a hard disk
 BIOS firmware is stored on a non-volatile ROM
[Diagram: boot stack from processor code, BIOS and option ROM drivers up through the operating system (i.e. Windows) to applications 1-3, with APT attack vectors marked at each layer; the Trusted Platform Module (TPM) with a Trusted Computing Group (TCG) BIOS acts as a reference monitor]
The TPM stores important reference information about a computer's startup
Platform Configuration Register (PCR) values
 Computed by measuring platform firmware and BIOS configuration settings during the boot process (before the OS loads): each component is hashed and the hash is extended into a PCR, so the final value depends on every component extended and on the order
 PCRs 0-11 are relevant to the boot process (PCRs 0-7 hold the firmware-stage measurements: BIOS, option ROMs, MBR); a TPM 1.2 has 24 registers in total
 Stored and protected by the TPM: a PCR cannot be written directly, only extended, and is reset only by a platform reset
 Can be used to verify the integrity of the BIOS and MBR on the platform when it is powered on, by comparing the values against a known-good baseline
 A quoting key (an Attestation Identity Key, AIK) is used to verify the identity of the platform which generated the measurements
 Reporting of PCR measurements uses public-key cryptography, called "quoting", to guarantee that the measurements are not spoofed: the TPM signs the selected PCR values together with a nonce chosen by the verifier, so a quote can neither be forged off the platform nor replayed from an earlier boot
Wave Endpoint Monitor (WEM) pre-OS software stack integrity process
[Diagram: Wave client (Wave middleware, ERAS client connector) on the PC; TPM holding PCRs for BIOS, option ROM, MBR and other PCRs; Wave ERAS server with policy management, policy enforcement, TPM management and the ERAS database; Wave Endpoint Monitor with analysis, reporting, monitoring, repository, query, alerts and notifications, output to analytics]
1. Set client policy and configuration (ERAS server)
2. Measure pre-OS stack (BIOS, option ROMs, MBR, other PCRs) into the TPM during boot
3. Report measurements using the Wave client to the server
4. Automated analysis, alerts and reports
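The measure, extend, quote and compare loop behind the PCR slide and the four-step WEM process above, as an added example written for this page (it is not Wave's code and does not talk to a real TPM). The component images, the PCR assignments (BIOS to PCR 0, option ROMs to PCR 2, MBR to PCR 4, the TCG PC Client mapping) and the challenge nonces are constructed; the signing key is a textbook RSA key built from two known Mersenne primes so that the block runs stand-alone, whereas a real TPM 1.2 quote is a PKCS#1 signature by a 2048-bit AIK.

```python
import hashlib

PCR_LEN = 20                       # TPM 1.2 PCRs are SHA-1 sized
PCR_BIOS, PCR_OPROM, PCR_MBR = 0, 2, 4   # TCG PC Client assignments (assumed here)


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """PCR extend exactly as a TPM 1.2 does it: new = SHA-1(old || digest).
    One-way and order-sensitive; there is no direct write."""
    return hashlib.sha1(pcr_value + digest).digest()


def measure_boot(components):
    """Hash each (pcr_index, blob) in boot order and extend it into its PCR.
    Returns {pcr_index: value}, all PCRs starting at zero as after a reset."""
    pcrs = {}
    for index, blob in components:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_LEN)), hashlib.sha1(blob).digest())
    return pcrs


# Toy "AIK": two known Mersenne primes, unpadded signing. Illustration only.
P, Q = (1 << 107) - 1, (1 << 127) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def composite(pcrs, nonce: bytes) -> int:
    """What a quote actually signs: a digest over the selected PCR values
    concatenated in index order, plus the verifier's nonce."""
    selected = b"".join(pcrs[i] for i in sorted(pcrs))
    return int.from_bytes(hashlib.sha1(selected + nonce).digest(), "big")


def quote(pcrs, nonce: bytes) -> int:
    """TPM side: sign the composite with the private key that never leaves the TPM."""
    return pow(composite(pcrs, nonce), D, N)


def verify_quote(pcrs, nonce: bytes, signature: int) -> bool:
    """Verifier side: recompute the composite from the reported PCRs and this nonce."""
    return pow(signature, E, N) == composite(pcrs, nonce)


def mismatched(pcrs, baseline):
    """PCR indices whose reported value differs from the policy baseline."""
    return sorted(i for i in baseline if pcrs.get(i) != baseline[i])


def attest(reported_pcrs, nonce: bytes, signature: int, baseline) -> str:
    """Order matters: first prove the values are genuine and fresh, then judge them."""
    if not verify_quote(reported_pcrs, nonce, signature):
        return "reject: quote not signed over this nonce (spoofed or replayed)"
    bad = mismatched(reported_pcrs, baseline)
    return "ok" if not bad else f"alert: PCR {bad} differ from baseline"


def demo() -> dict:
    bios = b"BIOS 1.07 image (constructed)"
    oprom = b"NIC option ROM 2.3 (constructed)"
    mbr = b"standard MBR (constructed)"
    good_stack = [(PCR_BIOS, bios), (PCR_OPROM, oprom), (PCR_MBR, mbr)]
    baseline = measure_boot(good_stack)          # step 1: policy baseline on the server
    results = {}

    # Healthy machine: boot reproduces the baseline, quote is over the server's nonce.
    nonce1 = hashlib.sha1(b"challenge-1 (constructed)").digest()
    healthy = measure_boot(good_stack)           # step 2: measure pre-OS stack
    results["healthy"] = attest(healthy, nonce1, quote(healthy, nonce1), baseline)

    # Option ROM replaced (a pre-OS implant): only PCR 2 moves, everything else matches.
    tampered = measure_boot([(PCR_BIOS, bios), (PCR_OPROM, oprom + b" + implant"), (PCR_MBR, mbr)])
    results["tampered"] = attest(tampered, nonce1, quote(tampered, nonce1), baseline)

    # Replay: the implant reports the healthy PCRs with a quote captured from an
    # earlier boot; the new nonce makes the old signature fail verification.
    nonce2 = hashlib.sha1(b"challenge-2 (constructed)").digest()
    results["replayed"] = attest(healthy, nonce2, quote(healthy, nonce1), baseline)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} {verdict}")
```

Two properties carry the whole scheme: the extend operation means a modified option ROM cannot be "un-measured" later in the boot, and the nonce means a captured quote is worthless on the next challenge. Step 4 of the WEM process (analysis and alerting) reduces to running `attest` against the baseline stored per machine.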
MTM-enabled enterprise applications: interoperability with PC-based applications
[Diagram of the mobile stack, bottom to top]
 MTM: HW MTM; TEE hardware virtualization; SW MTM (for legacy platforms); HW TPM + FW; TEE software virtualization
 MTM hardware abstraction layer and drivers; early boot driver; OS kernel
 Middleware libraries and software abstraction: PKCS #11, TMSS, and GlobalPlatform TEE libraries
 Application framework: measurement, verification, secure boot
 Wave SDK: measure, report, verify, seal, crypto
 Pre-OS applications: ROM, bootloader, early OS; measured boot app (MLTM, MRTM): management, reporting, remediation, policies
 Wave services; Wave-supported 3rd-party services; other services; other apps
 Applications: management, enable, auth, permissions, settings
Something NEW – Securing Social Media
• Scrambls.com
– The first application to secure your content on the web
– Empowering privacy and control in the hands of the consumer
– TPM not required but will be supported
– Securing: Facebook, LinkedIn, Twitter, Yammer, Google+, Gmail, Yearbook……..
– Compelling revenue in enterprise and consumer markets
– Alpha since December 2011
– Launch in April 2012
Bringing real security to everyone on the web
Recommendation
Choose Trusted Computing, choose standards
 Add self-encrypting drives to all new laptop orders
 If using BitLocker, ensure TPMs are used for BitLocker key protection and that they are managed (check that each volume has a TPM or TPM+PIN key protector, not only a password or a recovery key)
 Protect your VPN and WiFi software certificates with the TPM
 Restrict network and application access to only known devices
 Add port and device control to stop data from leaking
 Consider platform integrity to defend against APTs
 Register all new devices with TPM-protected keys
Ask us how
Transforming the best technologies into the best solutions
[Diagram: EMBASSY® Trusted Suite on the client PC; EMBASSY Remote Admin Server (ERAS) on the corporate network]
877-228-WAVE
sales@wavesys.com
www.wave.com
Visit our web site for case studies and white papers.