Cyber Security Division’s TTP Program Hosts Tech Showcase Series
14-Jul-2016 4:05 PM EDT
A recently completed series of Transition to Practice (TTP) Technology Demonstration events successfully brought together government-developed, transition-ready cybersecurity technologies with cybersecurity professionals and stakeholders from the financial, energy, and other critical infrastructure sectors that need the technologies to boost their cyber posture.
The demo events—hosted by the Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Cyber Security Division (CSD)—showcased technologies developed by Department of Energy national laboratories, Department of Defense-affiliated labs, and National Science Foundation-funded university projects. They also featured researchers demonstrating their work to cyber experts from the energy and finance sectors, the government, and cybersecurity companies.
Each event was staged in cities largely synonymous with those industries: Houston for energy, New York City for finance, and Washington, D.C. for the federal government and commercial cybersecurity developers.
“These TTP events are a great way for mature technologies developed in federal government facilities by incredibly talented researchers to be introduced to cybersecurity experts from various relevant industries,” said Michael Pozmantier, CSD TTP program manager. “The purpose of the events is to show off outstanding cyber technologies for constituencies that are in a position to help transition the technology into the cybersecurity marketplace by piloting the technologies or licensing them for commercial development.”
Established in 2012, the TTP program supports DHS’s mission of improving the nation’s government and private-sector cybersecurity capabilities. It dovetails with CSD’s mission of enhancing the security and resilience of critical national infrastructure by transitioning cybersecurity research into the marketplace where it can have the greatest impact.
TTP seeks to improve the long-term ability for federal government research labs to transition technology more efficiently by creating lasting relationships between government labs, end users, and the private sector.
Each year, TTP selects an average of eight technologies with a high probability of successful transition to use within a three-year timeframe. Through demonstrations and other TTP activities, S&T generates awareness of these government-developed technologies and facilitates the connection between cybersecurity researchers and interested parties.
The federally supported research technologies presented during the three most recent showcase events included:
• REnigma: A Tool to Reverse Engineer Malware—REnigma helps malware analysts regain the upper hand against advanced malware techniques by transparently and precisely recording the execution of malware.
• Socrates: Graph Analytics for Discovering Patterns and Relationships in Large Data Sets—SOCRATES is a flexible, easy-to-use graph analytics tool that discovers patterns and relationships in large-scale and complex data sets, including cyber and cybersecurity data.
• PcapDB: Optimized Full Network Packet Capture for Fast and Efficient Retrieval—PcapDB gives cyber analysts and incident responders fast search and retrieval capabilities while limiting disk access.
• REDUCE: Collaborative, Statistically Guided Exploration of Malware Similarities—REDUCE enables cybersecurity analysts to rapidly discover relationships between malware samples, extract temporal threat intelligence and develop actionable signatures for known and emerging threats.
• Dynamic Flow Isolation (DFI)—DFI improves network security by dynamically changing access control in response to the current operational state or business need.
• Timely Randomization Applied to Commodity Executables at Runtime (TRACER)—TRACER protects closed-source Windows applications against sophisticated attacks by automatically and transparently re-randomizing sensitive internal data and layout.
• FLOWER: Network FLOW AnalyzER—FLOWER performs real-time deep IPv4/IPv6 packet header inspection to collect bi-directional network conversations between computers and automatically combines unidirectional Internet Protocol (IP) packets into bi-directional network flows.
• SilentAlarm—SilentAlarm enables the detection of zero-day attacks and polymorphic malware without needing prior knowledge of their specific characteristics.
• Autonomic Intelligent Cyber Sensor (AICS)—AICS provides autonomous cybersecurity and state awareness for Ethernet-based industrial control networks.
• Situ: Discovering and Explaining Suspicious Behavior—Situ is a scalable, real-time platform for discovering and explaining suspicious behavior undetectable by current technologies.
• Scalable Reasoning System (SRS)—SRS automates data collection from various sources, analyzes the data to identify trends and hot topics and provides a visual interface to explore the information.
• Dynamic Defense: Proactively Defending Control Systems against Emerging Threats—Using dynamic defense techniques, machine-learning algorithms detect system patterns that deviate from normal operation and respond in an appropriate manner depending on the scenario.
• Moving Target Defense for Computer Systems—This solution efficiently randomizes IP addresses, application port numbers, and network communication paths while maintaining network connectivity, functionality, and performance.
• Sandia Cyber Omni Tracker (SCOT)—SCOT is a cybersecurity incident response management system and knowledgebase that manages security alerts, analyzes data for deeper patterns, coordinates team efforts, and captures team knowledge.
• AMICO: Accurate Behavior-Based Detection of Malware Downloads—AMICO is an open-source software system for accurate behavior-based detection of malware downloads in live web traffic.
• ZeroPoint: Advanced Weaponized Document Detection and Analytics—ZeroPoint provides highly effective, high-throughput, next-generation detection and diagnostics of exploit payloads embedded in documents distributed via email and the web—content used in so-called drive-by downloads and attacks on network servers.