A threat-driven security protection paradigm is usually employed in commercial security products and systems. This chapter introduces a new, asset protection-driven security paradigm to overcome the limitations of the threat-driven security protection paradigm. Security policies and an asset protection-driven security architecture, which enable the new paradigm, are described.
3.1 LIMITATIONS OF A THREAT-DRIVEN SECURITY PROTECTION PARADIGM
Security protection solutions, such as firewalls and IDS, have typically been added onto an existing computer and network system to enhance its security [1]. These add-on security protection solutions, such as the commercial security products in [2–12], usually employ a threat-driven security protection paradigm. Specifically, threat-driven security protection relies on a knowledge base of known security incidents, from which the events in those security incidents are derived, and data is taken from a specific computer and network platform (e.g., a Windows, Linux, or UNIX-based operating system) to detect those events. Hence, the knowledge about incidents, events and data is derived in a top-down manner, as shown in Figure 3.1. When a new kind of security incident is identified, the events and data involved in the new security incident are derived, and the new knowledge about the incident, events and data is added to the knowledge base.
Security protection solutions using the threat-driven security paradigm protect a computer and network system against only a limited number of known threats. As discussed in Chapter 1, the set of all system vulnerabilities is expected to be much larger than the set of known vulnerabilities exploited in known threats. Hence, the threat-driven security protection paradigm has limited threat coverage.
Secure Computer and Network Systems: Modeling, Analysis and Design. Nong Ye. © 2008 John Wiley & Sons, Ltd
[Figure 3.1: three levels labelled Incidents, Events and Data, with knowledge formed top-down from incidents to events to data, and platform-specific data sources (Windows, Linux, UNIX) at the bottom level.]
Figure 3.1 The top-down formation of knowledge about incidents, events and data in a threat-driven security protection paradigm.
Moreover, data collected from existing facilities and tools on computer and network platforms may not be sufficient or efficient enough to detect specific events in known security incidents. For example, as discussed in Chapter 2, header fields of network data packets are often collected for cyber attack detection. However, header fields of network data packets were originally designed for controlling and coordinating data communication over networks, rather than for detecting security events. Not all header fields of data packets are useful in detecting security events. Since attacks can occur intermittently, skipping a data packet while monitoring network traffic data can result in missing a critical attack step. This requires continuously monitoring all data packets and thus processing massive amounts of network data packets which contain much irrelevant information and present a challenge in achieving detection efficiency. Collecting specific, relevant network data is more efficient than collecting all network data packets.
3.2 A NEW, ASSET PROTECTION-DRIVEN PARADIGM OF SECURITY PROTECTION
A new, asset protection-driven paradigm of security protection aims to protect computer and network assets and their vulnerabilities, regardless of what threats may be present to attack the assets and exploit their vulnerabilities. That is, the new paradigm focuses on assets and vulnerabilities rather than threats in the asset risk framework defined in Chapter 1. Specifically, asset protection-driven security protection takes assets and asset attributes as the data to monitor, mismatches of asset attributes as the events to detect, and cause–effect chains of mismatch events as the incidents to analyze and respond to. Data, events and incidents in the asset protection-driven paradigm of security protection are described below.
3.2.1 Data to monitor: assets and asset attributes
The asset risk framework defined in Chapter 1 provides a new structure to define the data to monitor when protecting computer and network assets. Assets and asset attributes in the asset risk framework capture a comprehensive set of activities, state changes and performance changes on a computer and network system. Assets and asset attributes record data evidence of activities, state changes and performance changes that occur on various computer and network assets in the cause–effect chain of an attack. Hence, assets and asset attributes in the asset risk framework provide data to monitor from the perspective of protecting computer and network assets.
3.2.2 Events to detect: mismatches of asset attributes
By monitoring the data of assets and asset attributes, the events to detect are defined as mismatches of asset attributes in the asset protection-driven paradigm of security protection, because mismatches of asset attributes indicate the presence of vulnerabilities. That is, detecting mismatch events of asset attributes provides security protection against vulnerabilities, rather than security protection against a limited set of known threats, as in the threat-driven security protection paradigm.
Take an example of a buffer overflow vulnerability of a web server process. An indicator of this vulnerability is a mismatch between two attributes of the process asset: PROCESS\Input, representing the input to the process, and PROCESS\Configuration\Availability\Storage\Input, representing the available capacity configuration of the storage for the input of the process. Take another example of a vulnerability due to an origin validation error, which can be exploited by the threat of a spoofing attack through email phishing. The threat involves two assets, the PROCESS of receiving an email and the PROVIDER of the email. In this threat, the process of receiving an email has an input field containing the identity of the email’s provider which does not match the true identity of the email provider—the origin of the email. Hence, an indicator of the vulnerability is a mismatch event between two asset attributes, PROCESS\Input and PROVIDER\Identity. In this example, the asset attributes which produce the mismatch come from more than one asset.
Detecting mismatches of asset attributes as indicators of vulnerabilities has advantages over detecting system design, coding and configuration faults as causes of vulnerabilities, in the generality, robustness, adaptability and consistency of security protection. Detecting system design, coding and configuration faults has to deal with specific details of the system design, coding and configuration, which vary with different computer and network systems running on specific computer and network platforms with specific applications, program implementations, etc. In contrast, detecting mismatches of asset attributes in the asset risk framework, which can be defined independently of specific system details, enables generality, robustness and adaptability of security protection. Moreover, detecting mismatch events of asset attributes can be performed at run time during computer and network operations, enabling system design, coding and configuration faults to be examined and captured all at the same time in a consistent, comprehensive manner. Hence, the run-time detection of mismatch events provides comprehensive, consistent protection against the various faults, and resulting vulnerabilities, which are introduced at different points in the system life cycle.
3.2.3 Incidents to analyze and respond: cause–effect chains of mismatch events
A security incident consists of a series of mismatch events in a cause–effect chain on a computer and network system. Hence, incidents to analyze and respond must link and correlate individual events of asset attributes which are parts of a security incident, producing an accurate picture of the incident’s cause–effect chain with information about the incident’s origin, path, impact and development. That is, a security incident is defined as a cause–effect chain of asset attribute mismatch events produced by a threat attacking the system assets through exploiting system vulnerabilities.
3.2.4 Proactive asset protection against vulnerabilities
Monitoring assets and asset attributes defines the scope of security protection in the new paradigm of asset protection-driven security protection. Detecting mismatch events of asset attributes defines the focus of security protection in the new paradigm. As soon as a mismatch event of asset attributes is detected, the pending computer/network operation producing the mismatch can be blocked from execution, which protects the system security in a proactive way. For example, before a web process in response to a web request is executed, the process is examined to determine if it presents a mismatch between PROCESS\Input and PROCESS\Configuration\Availability\Storage\Input, which is an indicator of a risk from a buffer overflow attack. If this mismatch is present, the web process can be halted and the web request can be rejected to prevent the buffer overflow attack. Correlating a series of blocked mismatch events, which might be parts of an attempted attack, can reveal the risk of a security incident, which will trigger system responses of strengthening its security and investigating and correcting the causes of the vulnerabilities leading to the mismatches.
Hence, proactive asset protection against vulnerabilities has the following components:
- monitor data of assets and asset attributes;
- detect mismatch events of asset attributes;
- block pending computer and network operations which produce mismatch events;
- analyze the risk of a security incident by correlating a series of blocked mismatch events, and call for a system response of strengthening the system security and investigating and correcting the vulnerabilities which lead to mismatch events, if necessary.
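The four components above, together with the two mismatch examples from Section 3.2.2 (PROCESS\Input against PROCESS\Configuration\Availability\Storage\Input, and PROCESS\Input against PROVIDER\Identity), can be exercised in a small program. The following is an added example and not code from the book: the attribute names follow the chapter's notation, but the snapshot format (one dictionary of observed attribute values per pending operation), the rule interface, the correlation of blocked events into a chain by shared asset, and the two-event incident threshold are assumptions made for this illustration. The sample operations in `demo()` are constructed, not captured traffic.

```python
"""Asset protection-driven monitoring in miniature: asset attributes are the data to
monitor, attribute mismatches are the events to detect, operations that produce a
mismatch are blocked, and blocked events are correlated into a cause-effect chain.
Added example, not the book's code. Attribute names follow the chapter's notation;
the snapshot format, rule interface, chain correlation and threshold are assumptions."""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Any, Callable, Optional

# Qualified attribute names in the chapter's ASSET\Path notation.
PROCESS_INPUT = r"PROCESS\Input"
PROCESS_INPUT_CAPACITY = r"PROCESS\Configuration\Availability\Storage\Input"
PROVIDER_IDENTITY = r"PROVIDER\Identity"
Snapshot = dict[str, Any]  # data to monitor: attribute values of one pending operation

@dataclass(frozen=True)
class MismatchEvent:
    rule: str
    attributes: tuple
    detail: str

    def assets(self) -> frozenset:
        """Asset names (text before the first backslash) that the event involves."""
        return frozenset(a.split("\\", 1)[0] for a in self.attributes)

@dataclass(frozen=True)
class MismatchRule:
    name: str
    attributes: tuple
    check: Callable[[Snapshot], Optional[str]]  # mismatch description, or None

def input_exceeds_storage(s: Snapshot) -> Optional[str]:
    """Buffer-overflow indicator: input larger than the configured input storage."""
    size, cap = len(s[PROCESS_INPUT]), s[PROCESS_INPUT_CAPACITY]
    return f"input of {size} bytes exceeds storage capacity {cap}" if size > cap else None

def claimed_origin_differs(s: Snapshot) -> Optional[str]:
    """Origin-validation indicator: the From: domain of the received email differs from
    the provider identity (assumed here to be the delivering provider's domain)."""
    claimed = parseaddr(message_from_string(s[PROCESS_INPUT])["From"])[1]
    domain, actual = claimed.rpartition("@")[2], s[PROVIDER_IDENTITY]
    return f"input claims origin {domain!r}, provider identity is {actual!r}" if domain != actual else None

RULES = [
    MismatchRule("input-exceeds-storage", (PROCESS_INPUT, PROCESS_INPUT_CAPACITY), input_exceeds_storage),
    MismatchRule("claimed-origin-differs", (PROCESS_INPUT, PROVIDER_IDENTITY), claimed_origin_differs),
]

class AssetProtectionGuard:
    def __init__(self, rules, incident_threshold: int = 2):
        self.rules, self.incident_threshold, self.blocked = list(rules), incident_threshold, []

    def detect(self, snapshot: Snapshot) -> list:
        """Apply every rule whose attributes are all present in the snapshot."""
        events = []
        for rule in self.rules:
            if all(a in snapshot for a in rule.attributes):
                detail = rule.check(snapshot)
                if detail is not None:
                    events.append(MismatchEvent(rule.name, rule.attributes, detail))
        return events

    def admit(self, snapshot: Snapshot):
        """Examine a pending operation before it executes; block it on any mismatch."""
        events = self.detect(snapshot)
        self.blocked.extend(events)
        return (not events), events

    def incident_chains(self) -> list:
        """Link consecutive blocked events that touch a common asset into one chain."""
        chains: list = []
        for ev in self.blocked:
            if chains and chains[-1][-1].assets() & ev.assets():
                chains[-1].append(ev)
            else:
                chains.append([ev])
        return chains

    def incident_risk(self) -> list:
        """Chains long enough to count as a security incident, with the response called for."""
        return [{"chain": [e.rule for e in chain],
                 "assets": sorted(set().union(*(e.assets() for e in chain))),
                 "response": "strengthen security; investigate and correct the causes of the mismatches"}
                for chain in self.incident_chains() if len(chain) >= self.incident_threshold]

def demo() -> dict:
    """Constructed operations (not real traffic): a spoofed email, an oversized request, a normal one."""
    guard = AssetProtectionGuard(RULES)
    operations = [
        {PROCESS_INPUT: "From: alerts@bank.example\nSubject: verify\n\nclick", PROVIDER_IDENTITY: "free-mail.example"},
        {PROCESS_INPUT: b"A" * 600, PROCESS_INPUT_CAPACITY: 512},
        {PROCESS_INPUT: b"GET /index.html", PROCESS_INPUT_CAPACITY: 512},
    ]
    admitted = [guard.admit(op)[0] for op in operations]
    return {"admitted": admitted, "incidents": guard.incident_risk()}

if __name__ == "__main__":
    print(demo())
```

A rule is applied only when every attribute it names is present in the snapshot, which is what lets rules be stated independently of the platform producing the data: the origin rule never sees a web request, and the storage rule never sees an email. Blocking happens in `admit()` before the operation runs, so the mismatch is prevented rather than reported after the fact; the chain correlation in `incident_chains()` is deliberately simple (adjacent blocked events sharing an asset) and would be replaced by the cause–effect analysis of Section 3.2.3 in a real system.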