IARPA VirtUE focuses on user roles for security
- By Patrick Marshall
Kerry Long, program manager at Office of the Director of National Intelligence’s Intelligence Advanced Research Projects Activity, doesn’t pull any punches in describing the vulnerability of most government computers.
The current government user environment, he said, is basically a Windows desktop that is exceedingly difficult to defend from user-based threats, such as spearfishing, web site drive-bys, users making mistakes and malicious users.
“The current user environment "was not well designed all to deal with those sorts of threats,” he said.
So when Long joined IARPA two years ago he proposed creation of VirtUE — or a Virtuous User Environment that mitigates the exploitation of legacy and cloud-based vulnerabilities.
In Phase One of the VirtUE project -- which is projected to end in February --four teams are working to develop a more secure environment that will run in the Amazon cloud and that will change the paradigm of end-user security from one based on identity to one based on roles.
The problem with the current user environment, said Long, is that “we basically run everything out in one big memory environment, and a user has multiple tasks in that environment during the day that have different risks associated with them.” That, he said, is what the bad guys take advantage of.
“Browsing email is one of the riskier things users do,” Long said. Hackers "don't really care about your email browsing all. They're praying that you do something else and that environment is more interesting, like having access to your internal SharePoint site or administering a network router.”
Rather than focusing on the user’s identity, VirtUE developers have been instructed to build environments that focus on users’ many roles -- as an email user, as a SharePoint user, as a router administrator, etc.
In VirtUE, Long said, each role will reside in its own environment with its own set of protective measures in isolation from the user’s other roles.
When Phase One wraps up, IARPA will open VirtUE to developers who can use any of the four VirtUE environments developed in the first phase and optimize it for end-user security. The goal, Long said, is “to try to make the best sensor-analytic pair you can to detect … user-based attacks.” In short, he said, “we are viewing Phase Two probably more as a challenge sort of thing.”
Patrick Marshall is a freelance technology writer for GCN.