AutoBerry—a game changer in mobile device security and assurance
With more than 1.8 billion smartphones expected to be in use by 2013, the security of these and other digital devices is of critical concern to national security and global commerce. Daryle Deloatch and Mark Haney, analysts in NSA's Information Assurance Directorate, have made a significant contribution to maintaining that security with their patented Method of Tampering Detection for Digital Devices, or AutoBerry. AutoBerry rapidly scans digital devices in search of any anomaly that could indicate tampering or other malicious activity. By essentially "fingerprinting" each device, the scanning software extracts application and operating system files and compares the results to a known good baseline to reveal any changes.
The scan takes from 5 to 17 minutes depending on the device—a dramatic reduction from the 1.5 hours typically required to do a manual security check—and requires minimal technical training. As a result, security personnel, administrators, and other users can quickly identify devices that have been compromised and seek additional forensics support as necessary.
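The baseline comparison described above, as an added illustration that is not AutoBerry's or Fixmo's code: each extracted file is hashed, the hashes are diffed against a known-good fingerprint, and any added, removed or modified path flags the device. The file paths and contents are constructed for the example.

```python
import hashlib

# Constructed sample file sets, standing in for the application and OS files
# the scanner extracts from a device. Paths and contents are made up for this
# example; nothing here is taken from the product.
KNOWN_GOOD = {
    "/system/app/Phone.apk": b"phone-app-build-1",
    "/system/lib/libcrypto.so": b"libcrypto-build-1",
    "/system/etc/hosts": b"127.0.0.1 localhost\n",
    "/system/etc/security/policy.conf": b"enforce=1\n",
}

SCANNED = {
    "/system/app/Phone.apk": b"phone-app-build-1",
    "/system/lib/libcrypto.so": b"libcrypto-build-1-PATCHED",  # contents changed
    "/system/etc/hosts": b"127.0.0.1 localhost\n",
    # policy.conf is missing from the device
    "/system/app/Unknown.apk": b"package-not-in-baseline",    # unexpected file
}


def fingerprint(files):
    """Map each extracted path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline_fp, scanned_fp):
    """Diff two fingerprints: paths added, removed, or whose hash changed."""
    base, scan = set(baseline_fp), set(scanned_fp)
    return {
        "added": sorted(scan - base),
        "removed": sorted(base - scan),
        "modified": sorted(p for p in base & scan if baseline_fp[p] != scanned_fp[p]),
    }


def scan_device(known_good, extracted):
    """Run the baseline comparison and flag the device if anything differs."""
    report = compare_to_baseline(fingerprint(known_good), fingerprint(extracted))
    report["tampered"] = any(report[k] for k in ("added", "removed", "modified"))
    return report


if __name__ == "__main__":
    result = scan_device(KNOWN_GOOD, SCANNED)
    print("TAMPERED" if result["tampered"] else "CLEAN")
    for kind in ("added", "removed", "modified"):
        for path in result[kind]:
            print(f"  {kind:9s} {path}")
```

A device whose extracted files hash identically to the baseline produces an empty report and is not flagged; anything else is handed on for the additional forensics the article mentions.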
Fixmo was a small start-up developing management and security applications for BlackBerry devices and had a booth at the 2010 conference of the Cellular Telecommunications Industry Association (CTIA). When Fixmo's Chief Executive Officer Rick Segal took a wrong turn on his way back to his booth, he accidentally stumbled upon the NSA TTP booth. As luck would have it, the TTP, along with inventors Haney and Deloatch, just happened to be demonstrating the AutoBerry technology in an effort to attract potential licensees.
On seeing the demonstration and meeting the inventors, Segal immediately expressed interest in exploring a licensing agreement. The inventors recognized that Fixmo was a "black belt" in BlackBerry application development. Segal then scheduled a two-day session with the inventors. "We were building the technology on our own, but after we met the NSA team at the show and learned more about their technology, we decided to abandon what we were doing and use the great work done by the NSA inventors," said Segal.
Although several companies expressed interest after seeing AutoBerry at CTIA, Fixmo quickly stood out as the best potential partner. The company realized that as smartphones evolved into personal computers, the demand for management, monitoring, and security of mobile devices and enterprise infrastructure would skyrocket. Transfer of the AutoBerry technology occurred in just weeks.
Discussions between NSA and Fixmo began in March 2010 and an exclusive Patent License Agreement (PLA) and short-term consulting Cooperative Research and Development Agreement (CRADA) were signed in June 2010. Within 60 days, Fixmo had gathered user requirements from the existing customer base and started development of an upgraded version of the software.
Credit for this astonishing timeframe—unprecedented at NSA and unheard of in many other federal laboratories—goes in large part to the partners' shared vision of how commercialization would not only support but enhance the AutoBerry technology. The inventors and TTP realized that Fixmo had both the vision and the resources to take AutoBerry to the next level and provide enhancements, upgrades, and add-ons.
In February 2011, NSA and Fixmo entered into a second CRADA, enabling them to collaborate on the enhancement and development of a range of mobile enterprise and risk management technologies.
AutoBerry inventors receive tech transfer award
On May 3, 2012, the Federal Laboratory Consortium (FLC) presented AutoBerry inventors Daryle Deloatch and Mark Haney with an Award for Excellence in Tech Transfer. The FLC award recognizes employees of FLC member laboratories who have accomplished outstanding work in the process of transferring federally developed technology.
The NSA engineers began developing AutoBerry in 2006 after being unable to find an automated tamper detection product on the market to speed up forensic analysis. Though they started working on their invention without knowing that they could patent and commercialize the result, Deloatch and Haney became determined champions when the technology transfer process got under way. In addition to working with an NSA patent attorney on submission of a patent application in 2008, both gave several company demonstrations to interested commercial partners. Deloatch also presented the technology at a day-long government technology showcase hosted by Johns Hopkins Applied Physics Lab in 2007 as well as at the CTIA show in 2010, where it drew the interest of several companies including Fixmo.
After the Fixmo PLA was signed, Deloatch and Haney quickly realized the potential of the partnership and strongly advocated for an expanded relationship. They continue to work closely with Fixmo to implement the current CRADA, frequently visiting or hosting the team to review customer recommendations and further additional research and development.
About the FLC: It was organized in 1974 and formally chartered by the Federal Technology Transfer Act of 1986 to promote and strengthen technology transfer nationwide. In consonance with the Federal Technology Transfer Act of 1986 and related federal policy, the mission of the FLC is to promote and facilitate the rapid movement of federal laboratory research results and technologies into the mainstream of the US economy. Today, approximately 300 federal laboratories and centers and their parent departments and agencies are FLC members.
Fixmo's biggest impact on the product was the enhancement of AutoBerry from a manual communications security function that required tethering the device to a server to an "over-the-air" provisioned system providing real-time security services. This enhancement alone has resulted in huge man-hour and cost savings as well as enhanced security.
Fixmo has launched three versions of its Sentinel product line since the PLA was signed in June 2010:
Sentinel Desktop is Fixmo's no-charge product offering for government users that provides enhanced AutoBerry features for BlackBerry, Android, iOS, and Good devices. It is also available as a SteelCloud appliance.
Fixmo Sentinel™ is the flagship mobile risk management solution providing all of the advantages of Sentinel Desktop in an enterprise offering for government and industry.
Sentinel Server Compliance Check (SCC) is Fixmo's newest product and is the commercial version of AutoBES, NSA technology developed under the CRADA that automatically audits, corrects, and confirms server configuration. Under the CRADA, Sentinel SCC is available at no charge for government agencies.
Fixmo now has more than 650,000 mobile devices under management with a customer base that includes many government agencies around the world as well as commercial enterprises. Its potential is staggering given that the mobile device management component of mobile risk management is a $300 million industry with a projected growth rate of 70 percent year-over-year.
Under the CRADA, the NSA inventors continue to work closely with Fixmo's technical team to enhance the existing technology and develop new, best-in-class, commercial off-the-shelf solutions for government implementation. To date, Fixmo has applied for three additional patents for AutoBerry-related technology.
Former NSA engineer licenses NSA technology to form network analytics company
For 18 minutes on April 8, 2010, approximately 15 percent of all Internet destination traffic was routed through servers belonging to China Telecom. The reroute affected US government and military networks, including the Office of the Secretary of Defense, the Department of Commerce, NASA, and the US Senate, as well as the Army, Navy, Air Force, and Marine Corps. Commercial sites, including those belonging to Microsoft, Dell, and Yahoo, were also affected.
Former NSA engineer Greg Virgin knows all too well how vulnerable network traffic can be. As one of the lead developers of NSA's Analytic Metadata Producer (AMP) application, Greg has heard such stories many times. AMP is a high-end, large-scale, analytical application used for network assurance. When AMP is coupled with TRICKLER, a passive network analysis tool, network administrators and security personnel can monitor data traffic and produce reports that can potentially identify threats, vulnerabilities, covert channels, insider threats, denial of service attacks, and spammers.
AMP is the metadata-producing sensor software that derives data for TRICKLER. AMP generates custom records of network traffic independent of specific network hardware and delivers more accurate data records with better precision and reliability than router-generated flow systems.
TRICKLER, on the other hand, efficiently and passively collects repetitive portions of network data and leverages that data to identify network assets without using signatures. The TRICKLER architecture consists of a front-end user interface and a knowledge base stored as MySQL metadata.
The TRICKLER knowledge base combines flow data with operating system fingerprinting technology and the National Vulnerability Database, a vulnerability database maintained by the National Institute of Standards and Technology. Notable attributes of TRICKLER include the following:
Robust handling of enormous data flows,
A set of alarm files listing protocols detected on uncommon ports,
A list of server and client banner strings pulled from set regions of common protocols, and
A list of Internet protocol (IP) addresses exhibiting Internet relay chat botnet behavior.
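Two of the attributes listed above, the alarm file for protocols on uncommon ports and the inventory of server banner strings, as an added example that is not REDJACK's or NSA's code. It assumes protocols are recognised from the leading bytes of the server's first message (a simple heuristic chosen for the example, not TRICKLER's method); the flow records, addresses, banners and expected-port table are all constructed.

```python
# Constructed flow records: each carries the destination port and the first
# server-side payload bytes, the "set region" a banner is read from. All
# addresses and banners are made up for this example.
FLOWS = [
    {"dst": "10.0.0.20", "dport": 22,   "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"dst": "10.0.0.21", "dport": 8443, "payload": b"SSH-2.0-dropbear_2020.81\r\n"},
    {"dst": "10.0.0.22", "dport": 80,   "payload": b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"dst": "10.0.0.23", "dport": 25,   "payload": b"220 mail.example.test ESMTP ready\r\n"},
    {"dst": "10.0.0.24", "dport": 2525, "payload": b"220 relay.example.test ESMTP ready\r\n"},
    {"dst": "10.0.0.25", "dport": 443,  "payload": b"\x16\x03\x03\x00\x7a\x02"},
]

# Ports on which each protocol is normally expected (an assumption for the example).
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "smtp": {25, 587}, "tls": {443, 8443}}


def identify_protocol(payload):
    """Recognise the protocol from the leading bytes of the server's first message."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"HTTP/"):
        return "http"
    if payload.startswith(b"220 ") and b"SMTP" in payload.upper():
        return "smtp"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x02", b"\x16\x03\x03"):
        return "tls"  # TLS handshake record header
    return None


def banner_string(payload):
    """First line of a text banner, the string a banner inventory would record."""
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


def uncommon_port_alarms(flows):
    """Flows whose recognised protocol is speaking on a port where it is not expected."""
    alarms = []
    for f in flows:
        proto = identify_protocol(f["payload"])
        if proto is not None and f["dport"] not in EXPECTED_PORTS[proto]:
            alarms.append({"dst": f["dst"], "dport": f["dport"], "protocol": proto,
                           "banner": banner_string(f["payload"])})
    return alarms


def server_banners(flows):
    """Distinct text banners seen across the flows, for the asset inventory."""
    return sorted({banner_string(f["payload"]) for f in flows
                   if identify_protocol(f["payload"]) in ("ssh", "http", "smtp")})
```

On the constructed flows the alarm list names the SSH server answering on 8443 and the SMTP server on 2525, while the banner inventory gives the analyst the software versions each host advertises without any packet signatures having been written.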
When Virgin left NSA to form his own company, REDJACK, he licensed the AMP/TRICKLER technology from NSA. Virgin and his team continue to enhance and develop the product, for example, adding IPv6 functionality.
According to Virgin, "AMP now handles a number of new network protocols, network protocol encapsulation, as well as IPv6. Additionally, AMP now adopts a more advanced data format and postprocessing mechanism that allows for more flexible analytics and effective use of the data." REDJACK now provides the application to industry. When asked how well his product was working, Virgin replied, "Let's just say that AMP has enabled the detection of several incidents and network activities that were previously undetected." As an example, one of Virgin's customers used AMP to discover that all of its Google traffic was being rerouted.
NetTop: One technology path—many roads to success
NetTop is a cross domain solution that provides access to multiple network domains with different classification levels from a single system over a single wire. NetTop integrates commercial off-the-shelf products to create multiple secure virtual machines utilizing mandatory access controls (MAC) based on Security-Enhanced Linux (SELinux). Each virtual machine (VM) can be independently attached to a different network to provide complete isolation from other VMs running on the same system without compromising the security of any attached network. The guest operating systems may be fat or thin clients providing secure access to the cloud.
NetTop was unique from the beginning. According to inventors Bob Meushaw and Don Simard, the goal for NetTop was as much about developing new technology transfer approaches as it was about developing new technology. In order to provide potential licensees some level of protection, one of the first steps was to file a patent application to gain control of the intellectual property embodied in NetTop. (One of the original criticisms was that without intellectual property protection, there would be no competitive advantage to potential licensees.) In addition, NSA also decided to seek a trademark for the name NetTop; this would prove to be very useful in later phases of the marketing program. Having protected NetTop's intellectual property and name, the team began a search for industry partners capable of commercializing it. And to help with market development, the NetTop team used what was then a relatively new NSA program—the TTP.
Shortly after the decision to pursue a technology transfer path for NetTop through the licensing of the intellectual property, the NetTop team initiated a series of meetings with potential commercial partners. The most promising partner, initially, was the federal division of Compaq Computers. Compaq management saw potential in NetTop to help them build a market in security-related IT.
Discussions with Compaq were positive but were soon interrupted because of a possible merger with HP. After the merger in 2001, discussions resumed with the new federal division of HP. But it was not until November 2002 that a NetTop license was finally negotiated.
Today, HP continues to enhance NetTop to meet the needs of its customer base, including adding additional security enhancements into the technology. In addition, HP is using this experience to develop more advanced capabilities using newer technology to meet the requirements of an access cross domain solution.
While the NetTop team worked with HP to help them refine the technology, they continued to seek other commercial partners since the team believed that a competitive market would be even better for the government. After two more years of discussions with other potential partners, the team negotiated a second NetTop license with Trusted Computer Solutions (TCS). TCS was much smaller than HP but very well established in the government market for security products, and they were highly experienced at working with the security accreditation process. TCS' strengths seemed like an excellent complement to HP's for developing a significant market for NetTop.
NetTop depended upon having Mandatory Access Control (MAC) mechanisms available in a commercially supported operating system. According to Meushaw, early efforts to find commercial partners to adopt MAC were unsuccessful, so one option was to explore placing the technology into the open-source community. The research organization's strategy was to integrate MAC mechanisms into Linux modules—which later became known as SELinux. These modules were merged into the mainline kernel and released in August 2003. Eventually, SELinux made its way into Red Hat's Enterprise Linux product. NetTop is not only notable for its breakthrough technology, but also for the number of licenses that have been negotiated. NetTop is currently licensed by HP, Raytheon TCS, and Blue Ridge Networks.