How to start a company: the NetSift story
CSE 91 Goals
- Essence: to convince you that Computer Science is not just programming but creatively solving the world's problems using computers
- Careers: to show there are exciting career options that can change the world
- UCSD CSE: to show you that UCSD CSE has a number of cool professors doing cool work
- Startups: to give you a glimpse of how CSE ideas can convert to business opportunities
- Students: to showcase students like you
You may be an entrepreneur in disguise
- I loved teaching and research. Disorganized, naïve about business. But: passionate about ideas.
- Circumstances swept me into starting a company: you may too.
The Problem: Large Scale Attacks
Our definition of a Large Scale Attack
- Definition: a large scale attack is one that involves several attackers and attacked machines, or a significant traffic footprint.
- Examples: worms (Code Red, Blaster), viruses (Lovebug), DDOS (Yahoo attack), SPAM, application level DoS
- Costs to customers: worms (billions in themselves); adding viruses, spam, and DDOS makes the total costs astronomical
- State of products today: small scale attacks are solved; the threat and consequence of large scale attacks were not (2004).
Worms as example of Large Scale Attack
- Worm, virus: exploit (that takes over a single machine) plus propagation code
- Response today: humans notice (hours), analyze (days) to create signatures.
- Missing: automatic signature extraction of new large scale attacks (e.g., worms, viruses) will be a disruptive technology.
[Figure: an infected machine inside the enterprise sends the exploit plus propagation code to a new victim.]
Our definition of a Large Scale Attack (revisited)
- Definition: a large scale attack is one that involves several attackers and attacked machines, or a significant traffic footprint.
- Examples: worms (Code Red, Blaster), viruses (Lovebug), DDOS (Yahoo attack), SPAM, blended attacks (SoBig, MyDoom)
- Costs to customers: worms (billions in themselves); adding viruses, spam, and DDOS makes the total costs astronomical
- State of products in 2004: small scale attacks are solved; the threat of large scale attacks is growing exponentially.
Attack Trends
[Figure, source CERT: from 1980 to 2000, attack sophistication rises from LOW to HIGH while the intruder knowledge needed falls; milestones include password cracking, session hijacking, DOS/DDOS, worms and DDOS toolkits.]
Trends:
1. Increased virulence: 1 in 12 emails for MyDoom vs 1 in 28 for Lovebug (2000)
2. Increased ease of use: script kiddies, toolkits; fewer barriers to entry
3. Increased scale: the canonical attack moves from 1 computer to many (e.g., worms)
Response time is crucial
- Ultimate metric: how fast from the onset of a new attack to clean up. Today response time is in days.
- Our schemes:
  - Basic: seconds to obtain signatures.
  - Fast blocking, known exploits: reduce the time to zero seconds (prevention) for known exploits via a subscription service.
  - Fast blocking, unknown exploits: the first infected sites relay to a central site, which relays to the others via the service. Seconds for the first infection, but zero for the other customers.
- Reducing response time to zero keeps enterprises free of attack.
The Technology: Content Sifting
How it started
- A student like you (barely finished BS), Sumeet Singh, realized the problem
- Came to my office and said that worms repeat, watch content signatures
- We helped add other ideas (checking for sources, fast implementation)
- In 2 weeks, he had a prototype. He caught Blaster when it happened.
- Here's the technology in more detail
Extracting Worm Signatures by Content Sifting
- Unsupervised learning: monitor the network for strings with worm-like behavior
- Signatures can then be used for detection.

Example: Kibvu.B signature captured by EarlyBird on May 14th, 2004

PACKET HEADER
SRC: 11.12.13.14.3920 DST: 132.239.13.24.5000 PROT: TCP

PACKET PAYLOAD (CONTENT)
00F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0100 90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77 ............M?.w
0110 90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90 .....cd.........
0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0130 90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9 ..........ZJ3.f.
0140 66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 f..4...........p
. . .
Worm Characteristics for Learning
- Content prevalence: the payload of a worm is seen frequently
- Address dispersion: the payload of a worm is seen traversing between many distinct hosts
- Can we do this learning at Gigabit speeds?
[Figure: a Prevalence Table next to an Address Dispersion Table with Sources and Destinations columns.]
The Basic Algorithm
[Figure, built up over four slides: a detector at a vantage point watches hosts A, B, C, D, E and the web site cnn.com, and maintains a Prevalence Table and an Address Dispersion Table (Sources, Destinations). Each slide adds one packet and updates the tables.]
- After the first worm packet (B -> A): prevalence 1; sources (B), destinations (A).
- After an ordinary cnn.com fetch (A -> C): its row reads prevalence 1; sources (A), destinations (C), and stays there.
- After the second worm packet (D -> B): worm row prevalence 2; sources (B,D), destinations (A,B).
- After the third worm packet (E -> D): worm row prevalence 3; sources (B,D,E), destinations (A,B,D).
The worm content is both prevalent and dispersed across many sources and destinations; the ordinary content is neither.
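The four-slide walk-through above, carried out in code. This is an added example written for this page, not NetSift's or EarlyBird's code: it indexes every contiguous S-byte window of each payload (S = 8 and the thresholds of three sightings, three sources and three destinations are assumptions chosen for the example), keeps an exact prevalence table and address dispersion table per window, and replays constructed packets between hosts A to E in the order the slides show.

```python
from collections import defaultdict

# Assumptions for this example (not values from the deck):
WINDOW = 8                 # S: length of the fixed-size substrings indexed
PREVALENCE_THRESHOLD = 3   # packets a window must be seen in
DISPERSION_THRESHOLD = 3   # distinct sources and distinct destinations needed


class ContentSifter:
    """Exact prevalence and address dispersion tables, keyed by window."""

    def __init__(self, window=WINDOW, prevalence=PREVALENCE_THRESHOLD,
                 dispersion=DISPERSION_THRESHOLD):
        self.window = window
        self.prevalence_threshold = prevalence
        self.dispersion_threshold = dispersion
        self.prevalence = defaultdict(int)    # window -> packets carrying it
        self.sources = defaultdict(set)       # window -> distinct source hosts
        self.destinations = defaultdict(set)  # window -> distinct destination hosts

    def windows(self, payload: bytes) -> set:
        """Every contiguous S-byte substring of the payload, deduplicated per
        packet so a long NOP sled counts once per packet, not once per offset."""
        return {payload[i:i + self.window]
                for i in range(len(payload) - self.window + 1)}

    def is_suspicious(self, w: bytes) -> bool:
        """Both tests must pass: content prevalence and address dispersion."""
        return (self.prevalence[w] >= self.prevalence_threshold
                and len(self.sources[w]) >= self.dispersion_threshold
                and len(self.destinations[w]) >= self.dispersion_threshold)

    def observe(self, src: str, dst: str, payload: bytes) -> list:
        """Update the tables for one packet; return windows that now pass."""
        flagged = []
        for w in self.windows(payload):
            self.prevalence[w] += 1
            self.sources[w].add(src)
            self.destinations[w].add(dst)
            if self.is_suspicious(w):
                flagged.append(w)
        return flagged


def constructed_traffic():
    """Constructed packets (src, dst, payload) in the slide order: a worm hop
    B->A, an ordinary web fetch A->C, then worm hops D->B and E->D."""
    web = b"GET /index.html HTTP/1.1\r\nHost: cnn.com\r\n\r\n"
    worm = b"\x90" * 12 + b"CONSTRUCTED-WORM-PAYLOAD"   # synthetic, not real worm bytes
    return [("B", "A", worm), ("A", "C", web), ("D", "B", worm), ("E", "D", worm)]


def run(traffic=None):
    """Feed traffic through the sifter; return the sifter and a map of
    flagged window -> number of the packet at which it was first flagged."""
    sifter = ContentSifter()
    first_alert = {}
    for n, (src, dst, payload) in enumerate(traffic or constructed_traffic(), 1):
        for w in sifter.observe(src, dst, payload):
            first_alert.setdefault(w, n)
    return sifter, first_alert


if __name__ == "__main__":
    sifter, alerts = run()
    for w, n in sorted(alerts.items(), key=lambda kv: kv[1]):
        print(f"packet {n}: {w!r} prevalence={sifter.prevalence[w]} "
              f"sources={sorted(sifter.sources[w])} "
              f"destinations={sorted(sifter.destinations[w])}")
```

The worm's windows trip both tests on the fourth packet, when the third distinct source and destination appear, while the web fetch's windows stay at prevalence 1 with one source and one destination. Note that these tables grow with every distinct window ever seen, which is the state problem the challenges slide describes.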
What are the challenges?
- Computation
  - We have a total of 12 microseconds of processing time for a packet at 1 Gbps line rate
  - Not just talking about processing packet headers, but learning frequent strings.
- State
  - On a fully loaded 1 Gbps link the basic algorithm could generate a 1 GByte table in less than 10 seconds
- We used some sophisticated algorithms: multistage filters and bitmap counters. Google "Earlybird" for the details in the paper.
Idea 1: Index fixed length substrings
- Approach 1: index all substrings
  - Problem: too many substrings; too much computation, too much state
- Approach 2: index the packet as a single string
  - Problem: easily evadable (e.g., Witty, email viruses)
- Approach 3: index all contiguous substrings of a fixed length 'S'
  - Will track everything that is of length 'S' and larger
[Figure: the byte string A B C D E F G H I J K with a sliding window of length S marked over it.]
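The two state-reduction techniques named on the challenges slide, multistage filters for prevalence and bitmap counters for address dispersion, applied to the fixed-length windows of Approach 3. This is an added example for this page, not NetSift or EarlyBird code: the window length, the number of stages and counters, the bitmap width and the thresholds are assumptions, and the address hash is a deliberately simple one so that the constructed sample hosts land on distinct bits.

```python
import hashlib
import math

# Assumptions for this example (not values from the deck):
WINDOW = 8                 # S: fixed substring length
STAGES = 4                 # independent hashed counter arrays
COUNTERS = 4096            # counters per stage
BITMAP_BITS = 256          # bits in each dispersion bitmap
PREVALENCE_THRESHOLD = 3
DISPERSION_THRESHOLD = 3


def fingerprint(window: bytes) -> int:
    """64-bit fingerprint of one window (a line-rate sifter would use an
    incremental Rabin fingerprint so each new byte costs O(1))."""
    return int.from_bytes(hashlib.blake2b(window, digest_size=8).digest(), "big")


def stage_slot(fp: int, stage: int) -> int:
    """Independent hash per stage: re-hash the fingerprint with the stage number."""
    h = hashlib.blake2b(fp.to_bytes(8, "big") + bytes([stage]), digest_size=4)
    return int.from_bytes(h.digest(), "big") % COUNTERS


def address_bit(addr: str) -> int:
    """Bit position for an address. A simple multiplicative hash, chosen so the
    one-letter sample hosts below map to distinct bits (example simplification)."""
    h = 0
    for c in addr.encode():
        h = (h * 131 + c) & 0xFFFFFFFF
    return h % BITMAP_BITS


def linear_count(bitmap: int) -> float:
    """Linear-counting estimate of distinct addresses: n = -B * ln(Z / B),
    where Z is the number of zero bits in the B-bit bitmap."""
    zeros = BITMAP_BITS - bin(bitmap).count("1")
    if zeros == 0:
        return float("inf")
    return -BITMAP_BITS * math.log(zeros / BITMAP_BITS)


class ScalableSifter:
    """Fixed-size prevalence state; dispersion state only for prevalent content."""

    def __init__(self):
        self.counters = [[0] * COUNTERS for _ in range(STAGES)]
        self.src_bits = {}     # fingerprint -> bitmap of sources
        self.dst_bits = {}     # fingerprint -> bitmap of destinations
        self.content = {}      # fingerprint -> window bytes, kept for reporting

    def windows(self, payload: bytes) -> set:
        return {payload[i:i + WINDOW] for i in range(len(payload) - WINDOW + 1)}

    def prevalent(self, fp: int) -> bool:
        """Increment every stage; pass only if all stages reach the threshold.
        Collisions can only inflate a counter, so prevalent content is never
        missed; several stages make a spurious pass unlikely."""
        passed = True
        for stage in range(STAGES):
            row = self.counters[stage]
            slot = stage_slot(fp, stage)
            row[slot] += 1
            if row[slot] < PREVALENCE_THRESHOLD:
                passed = False
        return passed

    def observe(self, src: str, dst: str, payload: bytes) -> list:
        """Process one packet; return windows that now meet both tests."""
        flagged = []
        for w in self.windows(payload):
            fp = fingerprint(w)
            if not self.prevalent(fp):
                continue
            # Bitmaps exist only for prevalent content, so their number is
            # bounded by how much prevalent content there is, not by traffic.
            self.content.setdefault(fp, w)
            self.src_bits[fp] = self.src_bits.get(fp, 0) | (1 << address_bit(src))
            self.dst_bits[fp] = self.dst_bits.get(fp, 0) | (1 << address_bit(dst))
            if (round(linear_count(self.src_bits[fp])) >= DISPERSION_THRESHOLD
                    and round(linear_count(self.dst_bits[fp])) >= DISPERSION_THRESHOLD):
                flagged.append(w)
        return flagged


def constructed_traffic():
    """Constructed sample: one web fetch and a worm hopping between hosts."""
    web = b"GET /index.html HTTP/1.1\r\nHost: cnn.com\r\n\r\n"
    worm = b"\x90" * 12 + b"CONSTRUCTED-WORM-PAYLOAD"   # synthetic bytes
    return [("B", "A", worm), ("A", "C", web), ("D", "B", worm),
            ("E", "D", worm), ("A", "E", worm), ("B", "C", worm)]


def run(traffic=None):
    """Return the sifter and a map of flagged window -> first packet number."""
    sifter = ScalableSifter()
    first_alert = {}
    for n, (src, dst, payload) in enumerate(traffic or constructed_traffic(), 1):
        for w in sifter.observe(src, dst, payload):
            first_alert.setdefault(w, n)
    return sifter, first_alert


if __name__ == "__main__":
    sifter, alerts = run()
    for w, n in sorted(alerts.items(), key=lambda kv: kv[1]):
        print(f"packet {n}: worm-like window {w!r}")
```

Memory is now STAGES x COUNTERS small integers plus one pair of short bitmaps per prevalent window, whatever the traffic mix. The price is approximation: because a dispersion bitmap is only created once the content has passed the prevalence filter, the sources and destinations seen before that point are not counted, so in this sample the worm is flagged on the sixth packet rather than the fourth that the exact tables would give.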
NetSift IDS: Initial Validation
- Deployment (UCSD network vantage point)
  - Tap on Cisco Catalyst switch
  - Software on Dell server
  - 1 Gbps line rate, no packet drops
- Attack signatures found (with no prior knowledge!):
  - NetBios attack, Code Red, Linux Slapper, Blaster, MyDoom, Sasser, backdoor probing
  - Application level DDOS from UCSD outwards, etc.
- Minimal false positives, no false negatives in 8 months of testing.
[Screenshot of the NetSift manager console, VIEW: Anomaly Sasser-A, TYPE: Details, INFORMATION: Characterization. Copyright NetSift, Inc. 2004. Callouts:]
- Manager selects the day-old Sasser-A anomaly to see the current state of the attack
- The time at which the system classified the Sasser anomaly as a WORM
- Summary of the anomaly and the actions the user can take for this anomaly
- First packet payload of Sasser from which a signature (not shown) is constructed; the bytes in red represent one of the content fragments of Sasser that the system is tracking
- List of infected sources associated with Sasser-A
- Output of dispersion test: cumulative count of infected sources and destinations over various time periods (this plot is in days, but plots can be in hours or minutes as well)
- Output of traffic test: cumulative count of packets containing the infection over various time periods
- Ability to download a "FLOW" associated with this anomaly in tcpdump format
- Button to download Sasser signatures for various blocking devices
- Manager obtained a signature of Sasser-A and used it to begin blocking the worm
Business Model: How to generate revenue
Mission (Elevator Pitch)
- Preventing known and unknown large-scale attacks on enterprises without human intervention, using behavioral analysis of packets (including payload content) seen at network vantage points.
- (Less formal) What Norton Antivirus does in a day using humans, we do automatically in minutes
A Value Hierarchy
- Give away your work to maximize impact (DRR): zero dollars, intangibles
- File a patent and market to companies (IP Lookups): 100K to 1 Million
- Create a technology you can find a buyer for: 1 to 5 million
- Create a product and find some initial customers (NetSift): 10 to 100 million
- Create a product and market: 500M-1B
- Standalone company, and IPO: > 1 B
- Venture capitalists will require the last few steps
The Venture Process
- VCs are like a high-risk mutual fund. Generally manage 100M to 1 Billion
- Only a few partners: so can do only a few gigs. Must put money to work
- Given that 1 in 10 companies fail, they look for TAMs of 1 Billion and possible exits only as a line of defense
- If a VC values you at 3 million (pre-money) and gives you 3 million: post money = 6M, VC owns 50% (3/6)
Our Business Model (Tom Clancy)
- TAM upper limit for worms: tens of billions ($300-1000 per host, Code Red itself > 2 billion) in worm costs alone. Pain.
- TAM lower limit: Global 2000 companies, each spending at least 250K on IDS = 1 Billion. Failure of IDS.
- Exits: IDS companies (NetScreen, Cisco, Intruvert). Typical acquisitions: 50 Mill
The Pitch: Presenting the Idea
Elements of a Pitch
- Problem: show it's important, 2-3 slides (see the start on Large Scale Attacks)
- The Technology: cool, different, defensible. Content Sifting. 2-3 slides
- The Business opportunity (see earlier)
- The Competitive Landscape: why you are better than others (2-3 slides)
- The Team: why you can deliver, 1 slide
Competitive Landscape (NetSift example)
- Firewalls: screening based on headers ~ fails, worms masquerade using headers of legitimate traffic
- Signature based end-point detection: Norton, Symantec (screening based on content strings in packets) ~ expensive, install at every end-node, not a few network devices.
- Signature based network detection: Snort, Cisco NBAR, Tipping Point ~ blocking is fast, signature extraction by humans too slow. Detection in more than 30 mins implies the infection spreads to the entire enterprise.
- Behavioral based end-point detection: Okena (zero-day attack detection), analogous to detecting suspicious behavior ~ expensive at every host, can only detect attacks against itself!
- Behavioral based network detection: NetSift
- Differentiator: sophisticated behavioral tests to automatically extract signatures that can be blocked by existing signature based blocking devices
NetSift Positioning
[Figure: a 2x2 chart, signature based vs behavioral on one axis and endpoint based vs network based on the other.]
- Signature based, endpoint based: Symantec, McAfee etc
- Signature based, network based: SourceFire, TippingPoint; Cisco, NetScreen, IntruShield
- Behavioral, endpoint based: Okena, WholeNetwork Entercept, Harris, Sana
- Behavioral, network based: NetSift
We use new behavioral tests to extract signatures that can be blocked using signature-based hardware
Key Differentiators
Summary: all existing network security products have trouble with one or more of the following:
1) False positives: too many alerts
2) Performance: too slow, unscalable
3) Lack of agility: cannot handle new or polymorphic attacks.
We claim to address all three issues.
Team
- George Varghese (Founder and CTO): inventions used in real products (timing wheels, Linux; DRR, Cisco GSR; IP Lookups, Windows), designed the 40 Gbps Procket lookup engine. Packet processing algorithms.
- Sumeet Singh (Founder & Chief Scientist): UCSD Ph.D student, co-founded NetVisions (75 persons at peak) for e-business. Invented and coded the fastest software packet classification algorithm. Software prototyping.
- Stefan Savage (Consultant): co-founder of Asta Networks for DDOS detection, invented IP Traceback, DOS detection via backscatter; seminal paper on worm spreading rates. Domain expertise and innovation in attack detection.
- Growing engineering team: Bashir Eghbali (ex Cisco IOS), Mike Semanko (ex Entropia), John Huber (ex Yunni Networks), Clifton Mclellan (ex Enosys), Sri Narayan (ex Hughes)
Overall Summary
- Importance of large-scale attacks: growing, billions in damage due to each of worms, viruses, spam, DDOS
- Unique approach: first behavioral based network approach that automatically extracts attack signatures for signature blockers.
- New algorithms: scalable (can run at 10 Gbps) algorithms to identify abstract characteristics of new, blended, and polymorphic attacks. Found Blaster, MyDoom signatures within 5 seconds despite polymorphism. No false positives in 8 months of testing.
- Team track record: world-class team with a track record of inventing fast scalable network algorithms (George Varghese) and innovative solutions to security problems (Stefan Savage).
- New products: LIDS box that can detect standard intrusions as well as automatically identify large scale attacks; LIPS box that can prevent attacks; host software to block detected attacks.
Mechanics: Starting and Proceeding
Starting and Proceeding
- Need to make a pitch to VCs till a deal is reached (like buying a house, get comps)
- Need a lawyer to help draw up a Term Sheet (legal document w/ Cap Table).
- VCs help you outsource: finding space, paying salary, taxes, insurances.
- You need to hire employees, buy equipment, build the first product.
- Everyone has to do everything: e.g., write the manual, though you can hire part-timers
- Money must last till the next value-creating inflection point (e.g., build product or exit)
Capital Table
- VCs: 40-60%
- Founders: 20-30%
- Employees: 20-30%. CEO (8-12%), VPs (3%), Engineers: senior 1, mid 0.3, start 0.1
Timelines
- Feb 2004: Conception, prototype, results
- Sep 2004: Decision to make a company
- Sep – March 2004: Pitch SD, SJ
- April 2004: First round (3M), 1 room
- Aug 2004: Real space, 10 employees
- Sept 2004: Prototype running at 1 ISP
- Oct 2004: VP Eng, VP Marketing (no CEO)
- Dec 2004: Cisco, first talks, break down
- Feb 2005: Cisco re-engages
- March 2005: First term sheet, many-way negotiation
Motivations
- While our employees all did well (including recent UCSD grads), there is no guarantee of financial success.
- Need to be excited about the mission (automatically identifying attacks), the technology, and learning.
- A good atmosphere of joy in the journey is crucial. Have fun!
Some things we did right
- Pitched widely: Von Liebig, KP, NEA. Pitches matter! Good books exist.
- Hired UCSD grads: they were the best in SD
- Used friends who had done it before: review term sheet, hires, options, board member
- Did not hire a CEO at an early stage
- Hired a very good VP Eng (Hunt) and Marketing (Mehta). Cachet helped the sale
- Had high quality VCs (Stensrud, board of Juniper, Clancy, Conn)
- Sold at the right time: the next step in value had much more risk, hard for VCs though
- Did the right thing by employees: all did well
Some things I wished we had done
- Assumed experts knew it all: instead, common sense and diligence go a long way
  - Negotiation with VPs
  - Negotiation with University
  - Negotiation with Cisco
- Hired without sufficient diligence. Too eager to believe good things.
  - Firing can be traumatic. Better to hire with care
- Should have trusted more and opened up more of the technology early.
Students like you . . . Sumeet Singh, UCSD 02