An Interview with Arun Sood, CEO of SCIT Labs
Cyber Security Dispatch: Season 3, Episode 2

Show Notes:
Welcome back to the Cyber Security Dispatch. This is the first in the new series of interviews focused on innovative technology in cyber security where we talk about new solutions to protect our data and systems. Today on the show we welcome Arun Sood, CEO of Self Cleansing Intrusion Tolerance (SCIT) Labs. He is the co-inventor of all six SCIT technology patents that are based on the research undertaken at his research center. In this episode, we are setting the clock on why controlling time matters. Arun is an expert on moving target defense and building resilience systems. He offers a refreshing perspective on how controlling time can give security teams a key advantage in stopping attacks and limiting the impact of those attacks. It is a really fascinating perspective and one that can help you see things differently. For all this and much more be sure to tune in!

Key Points From This Episode:
- Understanding moving target defense.
- The resilience requirement: continuity of operations.
- Providing higher levels of security through diversity and redundancy.
- How redundancy can be used to achieve a dual goal.
- Understanding the concept of diversity.
- How complexities affect cost: the additional expense.
- Why you can’t change the implementation in a redundancy based approach.
- Dwell time: a measure of how the server is performing.
- Steps of a cyber-kill chain.
- Understanding the SCIT system.
- Thinking of data in three different ways.
- Recovery systems in the cyber security space.
- How to think about measuring success: what does it mean?
- Two principle things to start with as a small user.
- Choosing your throttle time.
- And much more!
Links Mentioned in Today’s Episode:
Arun Sood — http://scitlabs.com/about-us/team
Arun on LinkedIn — https://www.linkedin.com/in/arunsood/
SCIT Labs — http://scitlabs.com/
George Mason University — https://www2.gmu.edu/
Drupal — https://www.drupal.org/
WordPress — https://wordpress.com/

TRANSCRIPT

[0:01:05.5] AS: I am Arun Sood and I am a professor at George Mason University, but currently research at George Mason has led to six patents, and at one stage we decided to start a university startup. We are a group affiliated to George Mason, which has equity shares in the company, so there is a close relationship between the two things. I’m the founder of this and currently the CEO, but I see we have a chief architect, we have lots of people who are helping with us, and how this is going to evolve only time will tell.
[0:01:46.7] AA: Yeah, I think, you know, one of the things that was so interesting about what you got up to is you’re sort of focusing, you’re focused on moving target defense, so that’s a concept we’ve talked a lot about on this show, but for those who kind of aren’t familiar with moving target defense, you just want to kind of talk about what it is and how you kind of got involved in it?

[0:02:07.3] AS: Right. There are many ways to look at this, but I’m going to try something slightly different based on my experience recently at a conference in Tampa. Think of the following issue. Server security is something which everybody needs for their systems, but it is becoming more and more clear that people also need resilience. Server security means the bad guys, when they come in, you make sure they don’t stay in, so you may have to shut the system down, but that is not good enough for people who have to have continuity of operations. The resilience requirement is that you have to have continuity of operations. Now, if you design your systems to be static, now you have a problem. If the system is static and you shut it down, it loses all the continuity of operations. We potentially need a dynamic solution, and the moving target defense as we see it, as we have used it, is a mechanism which creates balance between these two things.

[0:03:16.9] AA: Yeah, I think if I understand you correctly, there’s this sort of opposition between two things, right? If you imagine, what a lot of systems are measured on is all the time, right? We are continuously, to make it simple, like deploying popper, right? We need to have the five nines, right? 99.999% of the time where the system is on, and then the classic way of thinking about cyber security is to actually shut things off because there’s a problem there. How do you sort of square that circle? Am I understanding it correctly?
[0:03:48.7] AS: That’s exactly right, and I think we have got to make sure that we understand a resilience system not only has to operate continuously but is expected to perform even in the presence of an attack. Many of our systems which are operational may have bad guys sitting in them, but they keep operating. Because of the read me generation and so on, and because of the importance of the system, their continuity of operation is critical; you’re actually right. This provides a challenge. The challenge is, if you have a static system, that system is not changing and somebody comes and sits on it; if you shut it down, you’re in trouble, you don’t get continued service.

[0:04:32.3] AA: Yeah, I’ve seen some interesting kind of models, different graphics, when you’re thinking about system design. You know, thinking about essentially redundant pathways, multiple methodologies for delivering a service or allowing whatever the information is to travel, and then essentially as you look at that design, assessing it based on how much of the system could be compromised and you can still deliver service or accomplish the mission, the task, et cetera. You know, I’m not a systems engineer, that’s not my background, but that seems like not a concept that the majority of systems, or at least many systems, are built with at the outset.

[0:05:20.0] AS: You’re right. Many systems I see don’t have security as one of their requirements; it’s sort of bolted in at the end of the process, which makes it a challenging situation. But the idea is quite straightforward: let’s design systems in such a fashion that you realize it is going to be compromised. Because it is going to be compromised, we have to do something to handle the compromise and yet maintain continuity of service.
There are, in my view, two basic ways by which people provide higher levels of security: one is through diversity and the second one is through this whole idea of redundancy. The redundancy idea enables you, maybe can help you, achieve both things, that you’re able to switch things around so it’s not static. If you make the system non-static, there’s a higher probability that you can achieve security as well as redundancy.

[0:06:31.2] AA: Yeah, I think. Walk us through, simply, how individuals are doing that? If you think about either together, diversity and redundancy, or one and then the next. When a person kind of understands that those are beneficial qualities, how can you add those two to a system?

[0:06:52.9] AS: Right. I’m going to talk a little bit about how redundancy can be used; in the case of diversity, we have a particular challenge and I’ll come to that in a second. Let’s talk about redundancy. The idea basically is, if you want to get high availability, what do you do? You use redundancy. You want high availability, you have to serve the customer, so instead of just relying on one box you may have two boxes or three boxes, or let’s say you’ll have multiple servers, or even if they are on the cloud you can have multiple servers, and if one of those servers goes down, the other one takes over the load and you are not having continuity of service all the time. That’s one paradigm. If you do redundancy now, from the viewpoint of security, you have this redundancy, you can do continuous checking and say okay, is one of these boxes busted? If it is busted, basically you can take it offline and you can have continuative service. Fair enough?

[0:08:05.5] AA: Yeah.

[0:08:06.5] AS: Okay, now let’s go to the other one, the whole idea of diversity.
Diversity you can apply at lots of levels, all the way from the application to the operating system, down to the hardware, and in my experience, talking to CSOs, if you try to do diversity at a high level they look at this as a very expensive proposition. There have been people who have tried to do this through elegant mechanisms, but this has been a constraint so far. There are ways by which, for example, is a large kind of approaches, which can provide div