How HP Innovates - Awt
How HP Innovates
Martin Sadler
Systems Security Lab, HP Labs
© 2008 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
A view from HP Labs
• HP Labs
• What we’re doing to drive the industry
• Web 2.0, everything as a service
• Security
5 June, 2008
HP Labs
• ~ $150M of $3.7B R&D budget
• 23 Labs
− 13 Palo Alto
− 5 UK, 1 Israel, 1 Russia
− China, India, Japan
• 5 themes
− information explosion
− dynamic cloud services
− content transformation
− intelligent infrastructure
− sustainability
Applied research: generate ‘wow’ factor, selectively lead and help shape company strategy; innovate with partners and customers
Transfer
Old model: university → research labs → product divisions
Today’s model (diagram): research labs interlinked with customers, partners, universities, product divisions, services and CTOs
What we’re doing to drive the industry
For years, the IT stack has provided control points to drive IT sales and customer loyalty
Stack (top to bottom): packaged applications, middleware, operating systems, IT infrastructure
In a world of Internet services, content and users are the new control points
Diagram: content and users sit above the stack of packaged applications, middleware, operating systems and IT infrastructure; annotations: user visibility/value, user visibility/loyalty, profit margins
Innovation is moving “above the stack,” to services that connect users and content
Diagram (top to bottom): content, users, INTERNET-BASED SERVICES, packaged applications, middleware, operating systems, IT infrastructure
New devices
… and imagine a Moore’s law for sensors and actuators
Converged clients, with multiple personalities
Diagram: one device carrying both a personal and a work personality: a Personal Environment (Win/Lx/OSX) and a Corporate Productivity OS, both hosted on Trusted Client firmware – Trusted Virtualization
Separation: virtualisation and trust
Diagram: compartments (left to right) Personal Environment (Win/Lx/OSX), Home banking, E-Govt, Remote IT Mgmt, Corporate Productivity OS, Corporate Production Environment OS, Corp. Soft Phone, grouped into Personal Client Personae and Secure Corporate Client Personas
All compartments run on Trusted Client firmware – Trusted Virtualization, forming a Trusted Personal Client Appliance and a Trusted Corporate Client Appliance
Our children will write screenplays rather than stories
A 20,000x speed up
without needing more power
allowing us to build utilities
delivering anywhere, anytime
+ picture stitching
+ video and 3D together
Image caption: orientation of liquid crystal molecules near the surface of microscopic posts
Web 2.0, everything as a service
Three core elements of Web 2.0
Web technology
Principles:
• Simplicity wins
• Globally linked
• Network-centric
• Extensible
Core philosophy “Web-as-platform”: the Web is the primary vehicle for delivering customer value
Web community
Principles:
• Participation
• Collaboration
• Social
• Transparent
Core philosophy “Provide a sandbox”: let users contribute, do marketing, and drive scale
Web business
Principles:
• Long-tail economics
• Continuous innovation
• Collaborative offerings
• Open business models
Core philosophy “Data & users are king”: those who aggregate users and their data will win
Source: HP analysis
Four primary Web 2.0 business models
Advertising
• Profitable only in search (to date)
• Dominated by Google ad network
• Strategy behind Microsoft Live
Transaction broker
• Trading fees
− eBay
• Service commissions
− Mechanical Turk from Amazon
Subscription
• Software as a service
− Salesforce.com
• Mobile operators
− Vodafone, RIM
Digital to physical / “Bits to objects”
• Creation & consumption of one-of-a-kind objects
− Snapfish, LogoWorks, Etsy
• Key: Monetize users and their data at scale
The entire value chain ― from idea to finished product ― is now delivered via the Internet
Roles shown: market researchers, engineers, industrial designers, attorneys, advertising professionals, focus group facilitators, product developers, accountants, graphic designers, media buyers
For example: logo for the 2012 London Olympics
The power of web-based services… $800,000 versus $599
Security
And cyber criminals will seek to … disrupt our world
• More dependence on ICT
• Increase in organised cybercrime
• Very limited understanding of
− how software is produced
− how systems are designed and solutions deployed
− security mechanisms and the epidemiology of attacks
− economic drivers
• New SOA and social networking tools
• A lot of out-of-date awareness
Estonia, “Titan rain” and evidence
• Recent high profile attacks on national infrastructures and government departments present different challenges
− hacktivists
− organised crime
− government sponsored
− terrorist groups
• Within HP
− machines that call “home”
− smart botnets
− login information, like bank account details, comes cheap
Changing threats
• Increased mobility
− chance of physical asset being lost or compromised
− where’s the original? is it the only copy?
• Applications: the new weakest link
• Supply chains
• Firmware
• Social networking and Web 2.0 tools make it much easier to extract information
• The pace of change
Understanding threats
Blue pill time line of attack
Events along the time axis (diagram): vulnerability found → vendor advisory released → vendor patch produced; organisations then patch while the patch is reverse engineered, proof of concept code is released and attack code circulates
Red pill time line of attack
Events along the time axis (diagram): vulnerability discovered for the 1st time → 0-day developed & used → 0-day trades/sells in the ‘underground’ → ‘VSC’ pays for vulnerability → ‘VSC’ members informed → further leaking of vulnerability info → vendor advisory released (the blue pill time line starts here) → vendor patch available
The whole period up to the advisory is labelled “Knowledge Leakage”
The influence of money on threat
Attack landscape is changing. Reinforcing cycle (diagram): increasing potential to make money illegally; more money paid for vulnerabilities; increasing impetus to find vulnerabilities & do in-depth research; more vulnerabilities found, more complex techniques developed; more reason to keep new vulnerabilities quiet
Security lifecycle
Cycle (diagram) linking policy, understand risk and deploy technology, surrounded by threats, regulation, accreditation, compliance and trusted infrastructure
Customer attention
Same cycle (diagram), with policy labelled “decision making” and deploy technology labelled “plumbing”; threats, regulation, accreditation, compliance and trusted infrastructure around it
Towards a trusted infrastructure
• Move to trusted virtualisation for both clients and servers
− Trusted Computing Group, OpenTC (FP6)
• Compartment the network
• Encrypt everything
Dealing with cybercrime
• Understand the economics
• Automate security policy
• Monitor indicators and report
• Certify software
Dealing with assurance
Reducing threats
• Understand the economics
− Trust economics
• Compartment the network
• Move to trusted virtualisation
− Trusted Computing Group
• Encrypt everything
• Automate security policy
− role-based access control
• Monitor indicators and report
• Accelerate red-teaming
• Certify software
• Understand consumers
• Share?