ROI-Driven Cyber Risk Mitigation Using Host Compliance and Network Configuration

Automated cyber security configuration synthesis is the holy grail of cyber risk management. The effectiveness of cyber security is highly dependent on the appropriate configuration hardening of heterogeneous, yet interdependent, network security devices, such as firewalls, intrusion detection systems, IPSec gateways, and proxies, to minimize cyber risk. However, determining a cost-effective security configuration for risk mitigation is a complex decision-making process because it requires considering many different factors, including end-hosts' security weaknesses based on compliance checking, threat exposure due to network connectivity, potential impact/damage, service reachability requirements according to business policies, acceptable usability given the degree of security hardening, and budgetary constraints. Although many automated techniques and tools have been proposed to scan end-host vulnerabilities and verify policy compliance, existing approaches lack metrics and analytics to identify fine-grained network access control based on comprehensive risk analysis using both the hosts' compliance reports and network connectivity. In this paper, we present new metrics and a formal framework for automatically assessing the global enterprise risk and determining the most cost-effective security configuration for risk mitigation, considering both end-host security compliance and network connectivity. Our proposed metrics measure the global enterprise risk based on the end-host vulnerabilities and configuration weaknesses collected through compliance scanning reports, their inter-dependencies, and network reachability. We then use these metrics to automatically generate a set of host-based vulnerability fixes and network access control decisions that mitigate the global network risk to satisfy the desired Return on Investment of cyber security. We solve the problem of cyber risk mitigation using advanced formal methods based on Satisfiability Modulo Theories, which have shown scalability for large networks.
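The decision problem the abstract describes (choose host fixes and network access-control rules that lower global risk at least cost while preserving required service reachability), as an added illustrative example that is not the paper's own metric, data or SMT encoding: the toy instance, the severity-times-exposure risk measure and the exhaustive subset search are all assumptions made here for illustration; the paper solves the real problem with an SMT solver.

```python
from itertools import combinations

# Constructed toy instance (not from the paper): per-host severity from a
# compliance scan, the untrusted entry point, directed reachability edges,
# and the reachability that business policy requires to remain open.
HOSTS = {"web": 7.0, "app": 5.0, "db": 9.0, "mgmt": 8.0}
ENTRY = "internet"
EDGES = {("internet", "web"), ("web", "app"), ("app", "db"),
         ("web", "db"), ("web", "mgmt")}
REQUIRED = {("internet", "web"), ("web", "app"), ("app", "db")}
# Candidate mitigations and their cost: ("fix", host) remediates the host's
# findings, ("block", edge) adds a network access-control rule on that edge.
COSTS = {("fix", "web"): 3.0, ("fix", "app"): 2.0, ("fix", "db"): 6.0,
         ("fix", "mgmt"): 4.0, ("block", ("web", "mgmt")): 1.0,
         ("block", ("web", "db")): 1.0, ("block", ("web", "app")): 1.0}


def reachable(edges, src):
    """Hosts reachable from src over the given directed edges."""
    seen, stack = set(), [src]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(dst for s, dst in edges if s == node)
    return seen


def global_risk(fixed, blocked):
    """Toy global risk: severity summed over unremediated hosts that the
    entry point can still reach once the blocked edges are removed."""
    exposed = reachable(EDGES - blocked, ENTRY)
    return sum(sev for h, sev in HOSTS.items() if h in exposed and h not in fixed)


def cheapest_plan(max_residual):
    """Least-cost mix of fixes and ACL rules bringing global risk to at most
    max_residual without blocking a required path (exhaustive search here)."""
    base = global_risk(set(), set())
    best = None
    for k in range(1, len(COSTS) + 1):
        for plan in combinations(COSTS, k):
            blocked = {a[1] for a in plan if a[0] == "block"}
            if blocked & REQUIRED:
                continue  # would violate a service reachability requirement
            fixed = {a[1] for a in plan if a[0] == "fix"}
            cost = sum(COSTS[a] for a in plan)
            residual = global_risk(fixed, blocked)
            if residual <= max_residual and (best is None or cost < best["cost"]):
                best = {"cost": cost, "plan": set(plan), "residual": residual,
                        "roi": (base - residual) / cost}
    return best
```

Note that blocking the web-to-db edge alone buys nothing in this instance because db stays reachable through the required app-to-db path, which is exactly why host compliance and network reachability have to be weighed together rather than in isolation.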
