Automated Cyber Risk Mitigation: Making Informed Cost-Effective Decisions

Automated and cost-effective security configuration for cyber risk management is a complex decision-making process because it requires considering many different factors, including hosts’ security weaknesses, potential threat actors, critical assets’ exposure to threat actors due to network connectivity, service reachability requirements according to business policies, acceptable usability given the degree of security hardening, and budgetary constraints. Although many automated techniques and tools have been proposed to scan host vulnerabilities and verify their compliance with security policies, existing approaches lack the metrics and analytics needed to identify fine-grained network access control based on a comprehensive risk analysis that uses network connectivity together with both the hosts’ compliance reports and live threat activity.
