Annual Computer Security Applications Conference (ACSAC) 2022

Case Studies II

Thursday, 8 December 2022
13:30 - 15:00

Classroom 203

Chair: Dennis Moreau, Intel

Applying MITRE’s System of Trust to the Software Supply Chain, Robert Martin, MITRE
Abstract: The trust and trustworthiness of supply chains are at the center of many of today’s global security challenges. This presentation explores the details of System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology, for evaluating suppliers, supplies, and service offerings alike, that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices. Additionally, the framework includes a mechanism for winnowing down and tailoring the overall System of Trust to a set of concerns and investigative questions that consider the resources of your organization, the significance of the system or service to its operations, and the consequences that could result from failing to fully vet concerns. Finally, the System of Trust provides the ability to apply scoring mechanisms that can be adapted to your organization’s priorities, operational sensitivities, and experience with its type of business and partners.

Bio: Robert A. Martin, a Senior Principal Engineer at the MITRE Corporation, has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality assessment and assurance. For 23 years, Robert has applied his expertise to international cybersecurity initiatives such as CVE, CAPEC, and CWE, which host large active vendor and research communities, and is now working on standardizing the Software Bill of Materials (SBoM) and the supply chain security System of Trust™.

Shifting Left the Right Way With OSCAL (Open Security Controls Assessment Language), Chris Compton, Nikita Wootten, and Alexander Stein, NIST ITL Computer Security Division
Abstract: Top-down and bottom-up pressure to enhance security practice is increasingly acute following high-profile breaches and regulatory responses of late. Properly documenting practices and standards for a system is both human-driven and subjective. No standard medium for describing security compliance exists, adding significant complexity to these tasks. Developers practically compose heterogeneous proprietary and open-source parts to build a whole, but must clearly communicate understanding of this sloppy, messy, real-world composition as a uniform whole, and must do so with a keen eye to any and all security, privacy, and risk implications. How should developers navigate the process of documenting, assessing, and approving their increasingly complex systems in a way that lends itself to automation and leverages the benefits of good DevSecOps practices at the same time? In this case study, we explore the use of OSCAL as a means to document and facilitate the risk management of a pilot multi-party system that relies on distributed trust. The audience will be introduced to OSCAL and OSCAL tooling, as well as a pilot system designed with DevSecOps principles in mind.

Bio: Dr. Michaela Iorga is a supervisory computer scientist at the National Institute of Standards and Technology (NIST/ITL). She serves as the Strategic Outreach Director for the Open Security Controls Assessment Language (OSCAL) program, and as the senior security technical lead for cloud computing, chairing the NIST Cloud Security and Forensics Working Groups.

Dr. Iorga, a subject matter expert in cybersecurity, risk assessment, and information assurance, collaborates with industry, academia, and other government stakeholders on developing and disseminating high-level, vendor-neutral cybersecurity and forensics guidelines that meet national priorities and promote American innovation and industrial competitiveness. Dr. Iorga received her Ph.D. from the Duke University Pratt School of Engineering, in North Carolina, USA.

Automated Generation of Yara Classifiers for Malware, Arun Lakhotia, University of Louisiana at Lafayette and CTO & Co-Founder of Cythereal
Abstract: Classical methods of developing ML classifiers are not suitable for creating classifiers for polymorphic malware. Instead, the industry relies either on using the file hashes of large sets of malware, collected through global threat intelligence networks, or on manually created, expert-authored Yara rules. In contrast, this case study will present the results of applying automatically generated, robust and resilient Yara rules, using just a handful of malware variants, analyzed using novel methods.

The methods employed in this comparative case study include:
- Static and dynamic analysis to extract features from malware
- Deobfuscation of polymorphic variants and code normalization
- Extraction and leveraging of "semantic features", making detection rules resilient against many classes of code transformation and compiler optimization
- Content-based search, supporting queries for malware that employs similar constructs
- Finally, generation of Yara rules from bytecode representations of malicious functions, thus enabling detection of future malware from malware developers or their customers (subscribing malactors).

Bio: Arun has been conducting academic research in applying machine learning to malware analysis for over 15 years. The abysmal failure of traditional ML methods in accurately classifying obfuscated malware, as part of the DARPA Cyber Genome project, served as an impetus for developing what is today the commercial offering of MAGIC™ (Malware Genomic Correlation). Arun has been Professor of Computer Science and a Co-Founder and CTO of Cythereal, LLC. Over the last decade he has studied the protection mechanisms used by malware and has developed methods to peer through these protections. His research, funded in part by the US Department of Defense, has led to the development of Virus Battle, an automated malware analysis web service that draws connections between malware using the semantics of their underlying code. Dr. Lakhotia earned his PhD in Computer Science from Case Western Reserve University in 1990. His research has been supported by DARPA, AFOSR, AFRL, and ARO. He is the recipient of the 2004 Louisiana Governor's Technology Leader of the Year Award.
