Securi CAD by Foreseeti: A CAD Tool for Enterprise Cyber Security Management

This paper presents a CAD tool for enterprise cyber security management called securi CAD. It is a software developed during ten years of research at KTH Royal Institute of Technology, and it is now being commercialized by foreseeti (a KTH spin-off company). The idea of the tool is similar to CAD tools used when engineers design and test cars, buildings, etc. Specifically, the securi CAD user first models the IT environment, an existing one or one under development, and then securi CAD, using attack graphs, calculates and highlights potential weaknesses and avenues of attacks. The main benefits with securi CAD are, 1) built in security expertise, 2) visualization, 3) holistic security assessments, and 4) scenario comparison (decision-making) capabilities.

[1]  Atul Prakash,et al.  Distilling critical attack graph surface iteratively through minimum-cost SAT solving , 2011, ACSAC '11.

[2]  Mathias Ekstedt,et al.  A Metamodel for Web Application Injection Attacks and Countermeasures , 2012, TEAR/PRET.

[3]  Markus Buschle,et al.  Tool Support for Enterprise Architecture Analysis : with application in cyber security , 2014 .

[4]  Ruth Breu,et al.  Quantitative Assessment of Enterprise Security System , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[5]  Florian Matthes,et al.  Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation , 2012, Lecture Notes in Business Information Processing.

[6]  Xinming Ou,et al.  A scalable approach to attack graph generation , 2006, CCS '06.

[7]  Mathias Ekstedt,et al.  CySeMoL: A tool for cyber security analysis of enterprises , 2013 .

[8]  Robert Lagerström,et al.  Architecture analysis of enterprise systems modifiability - Models, analysis, and validation , 2010, J. Syst. Softw..

[9]  Teodor Sommestad,et al.  A framework and theory for cyber security assessments , 2012 .

[10]  Hannes Holm,et al.  A Framework and Calculation Engine for Modeling and Predicting the Cyber Security of Enterprise Architectures , 2014 .

[11]  David Hylender,et al.  Data Breach Investigations Report , 2011 .

[12]  Robert Lagerström,et al.  Enterprise architecture analysis with extended influence diagrams , 2007, Inf. Syst. Frontiers.

[13]  I. Hogganvik,et al.  Model-based security analysis in seven steps — a guided tour to the CORAS method , 2007 .

[14]  Khurram Shahzad,et al.  Integrated Metamodel for Security Analysis , 2015, 2015 48th Hawaii International Conference on System Sciences.

[15]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[16]  Mathias Ekstedt,et al.  Enterprise Architecture Meta Models for IT/Business Alignment Situations , 2010, 2010 14th IEEE International Enterprise Distributed Object Computing Conference.

[17]  Alan MacCormack,et al.  Visualizing and Measuring Enterprise Application Architecture: An Exploratory Telecom Case , 2014, 2014 47th Hawaii International Conference on System Sciences.

[18]  Khurram Shahzad,et al.  A Tool for Automatic Enterprise Architecture Modeling , 2011, CAiSE Forum.

[19]  Richard Lippmann,et al.  Modeling Modern Network Attacks and Countermeasures Using Attack Graphs , 2009, 2009 Annual Computer Security Applications Conference.

[20]  Carol Woody,et al.  Introduction to the OCTAVE ® Approach , 2003 .

[21]  Teodor Sommestad,et al.  A quantitative evaluation of vulnerability scanning , 2011, Inf. Manag. Comput. Secur..

[22]  Khurram Shahzad,et al.  P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language , 2015, IEEE Trans. Dependable Secur. Comput..

[23]  Andy Ju An Wang Information security models and metrics , 2005, ACM-SE 43.

[24]  Robert Lagerström,et al.  A Framework for Service Interoperability Analysis using Enterprise Architecture Models , 2008, 2008 IEEE International Conference on Services Computing.

[25]  Mathias Ekstedt,et al.  The Cyber Security Modeling Language: A Tool for Assessing the Vulnerability of Enterprise System Architectures , 2013, IEEE Systems Journal.

[26]  Robert Lagerström,et al.  A Bayesian network for IT governance performance prediction , 2008, ICEC.

[27]  Mathias Ekstedt,et al.  A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits , 2015, Inf. Softw. Technol..