
(1)

Using Security Metrics Coupled with Predictive Modeling and Simulation to Assess Security Processes

Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu

Systems Security Lab

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

(2)

Security Investment & Decision Making

15 October, 2009

How does, and how should, an enterprise form and justify its security decisions and investments?

How well are our processes protecting us? Even in the face of imperfect or patchy data.

How well will we be protected if the threat level changes? (And it’s changing all the time.)

How much difference will it make to our overall level of protection if we add extra security measures?

How do we get appropriate input and buy-in from all the stakeholders?

Let’s start with an easy example... software vulnerabilities.

(3)

Problem Statement

How do we evaluate the effectiveness of our vulnerability management processes and policies, when we have a combination of protections and processes: patch management, AV, HIPS, emergency escalation, temporary workarounds?

How do we estimate in advance the impact on overall protection of a change in policy or the addition of a new security mechanism?

(4)

The Solution: Build a Model

Stochastic model of the threat environment

Process model of the organization’s protections

Validate with experts and against known data sources

Select metric(s). For software vulnerabilities: time until “risk mitigated”

Execute the model as a discrete event simulation, with enough runs for statistically significant results (100K vulnerabilities should do the trick)

Now adjust the model to reflect proposed changes in policy and see how well they perform

(5)

Vulnerability Related Timeline

Figure (timeline; labels recovered from extraction): Discovery -> Disclosure -> Patch Available -> Patch Deployed, with the “risk reduced windows” measured against these points. Overlaid labels: “Minus zero day exploit”, “Public exploit code”, “Patching processes”.

Data availability along the timeline: before discovery: cannot be measured; between discovery and disclosure: only some groups aware, no data yet; around disclosure: some public data; from patch availability onwards: a lot of public data.

(6)

Model: BAU Patch Deployment

Threat environment (stochastic). Nodes: Vulnerability Disclosed, Exploit Available, Malware, Patch Available. The three arrows between them each carry a likelihood and a delay; as extracted from the diagram (arrow assignment lost) they read:

likelihood: 0.97, mean delay: 23 days, exponential distribution

likelihood: 0.84, mean delay: 25 days, exponential distribution

likelihood: 0.72, mean delay: 5 days, exponential distribution

Organization’s process (business as usual): Vulnerability Assessment -> Test Solution -> Patch Deployment. Step durations as extracted:

duration: 0.5–1.5 days, uniform distribution

duration: 10–20 days, uniform distribution

mean time to target: 136 days, take-up curve (curve lost in extraction)

(7)

Model: Vulnerability Management

Flowchart (labels recovered from extraction; the arrows of the diagram are lost):

Threat events, as on slide 6: Vulnerability Disclosed, Exploit Available, Malware, Patch Available.

Decision points: Exposed? (Y/N); Early Mitigation? (Y/N); Patch Available? (Y/N); Workaround Available? (Y/N); Malware Reports? (Y/N); Accelerate? (Y/N).

Activities: Vulnerability Assessment; Test Solution; Patch Deployment; Accelerated Patching; Emergency Patching; Implement Workaround; Deploy Mitigation.

(8)

Risk Reduced Window Overall

Figure (histogram; axes and annotations recovered from extraction): risk reduced window (from disclosure time) across all vulnerabilities. x-axis: timeline; y-axis: proportion of vulnerabilities, 0–0.35. Annotations: “Proportion mitigated in early days”; “Policy dictated deadline” (vertical marker); “Proportion not mitigated after the policy deadline”.
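As an added example (not the authors' simulator), the following Python program executes the BAU patch deployment model of slide 6 as a discrete-event Monte Carlo in the manner slide 4 describes, and reports the slide 8 metric: the risk reduced window from disclosure, the proportion of vulnerabilities not mitigated by a policy deadline, and the share where malware appears before mitigation (my reading of the "Exposed?" question, not something the deck quantifies). The likelihoods, delays and durations are the values printed on slide 6; which likelihood/delay pair belongs to which arrow, and the use of an exponential for the 136-day take-up curve, are assumptions because the diagram's layout did not survive extraction.

```python
"""Discrete-event Monte Carlo of the BAU patch deployment model.

Added example, not the authors' code. Threat events (exploit, malware) and
patch availability are drawn with the slide's likelihoods and exponential
delays; once a patch exists, the three process steps (assessment, test,
deployment) follow the slide's duration distributions. The metric is the
"risk reduced window": days from disclosure until mitigation is deployed.
ASSUMPTION: the arrow assignment of the three likelihood/delay pairs and the
exponential shape of the 136-day take-up curve are my choices.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    likelihood: float   # probability the event ever happens
    mean_delay: float   # days, exponential distribution


# Parameter values from slide 6; arrow assignment is an assumption.
EXPLOIT = Transition(0.97, 23.0)   # disclosure -> exploit available
MALWARE = Transition(0.84, 25.0)   # exploit available -> malware
PATCH = Transition(0.72, 5.0)      # disclosure -> patch available
ASSESS_DAYS = (0.5, 1.5)           # vulnerability assessment, uniform
TEST_DAYS = (10.0, 20.0)           # test solution, uniform
DEPLOY_MEAN_DAYS = 136.0           # patch deployment, mean time to target


def sample_delay(t: Transition, rng: random.Random):
    """Delay in days until the event, or None if it never occurs."""
    if rng.random() >= t.likelihood:
        return None
    return rng.expovariate(1.0 / t.mean_delay)


def simulate_one(rng: random.Random) -> dict:
    """One vulnerability; all times are days after disclosure (t = 0)."""
    exploit_t = sample_delay(EXPLOIT, rng)
    malware_t = None
    if exploit_t is not None:
        d = sample_delay(MALWARE, rng)
        malware_t = None if d is None else exploit_t + d
    patch_t = sample_delay(PATCH, rng)
    if patch_t is None:
        # No patch ever ships: under BAU the risk is never mitigated.
        return {"exploit": exploit_t, "malware": malware_t, "mitigated": None}
    # The organization's process starts when the patch becomes available.
    t = patch_t + rng.uniform(*ASSESS_DAYS)
    t += rng.uniform(*TEST_DAYS)
    t += rng.expovariate(1.0 / DEPLOY_MEAN_DAYS)  # take-up curve (assumed exponential)
    return {"exploit": exploit_t, "malware": malware_t, "mitigated": t}


def run(n: int, deadline_days: float, seed: int = 1) -> dict:
    """Simulate n vulnerabilities and summarise the risk-reduced-window metric."""
    rng = random.Random(seed)
    windows = []
    beyond_deadline = 0
    exposed_to_malware = 0
    for _ in range(n):
        v = simulate_one(rng)
        if v["mitigated"] is None or v["mitigated"] > deadline_days:
            beyond_deadline += 1
        if v["mitigated"] is not None:
            windows.append(v["mitigated"])
        # Malware arrives before the mitigation is deployed: real exposure.
        if v["malware"] is not None and (
                v["mitigated"] is None or v["malware"] < v["mitigated"]):
            exposed_to_malware += 1
    windows.sort()
    median = windows[len(windows) // 2] if windows else None
    return {
        "n": n,
        "proportion_not_mitigated_by_deadline": beyond_deadline / n,
        "proportion_exposed_to_malware": exposed_to_malware / n,
        "median_window_days": median,
    }


if __name__ == "__main__":
    # 100K vulnerabilities, as slide 4 suggests, against a 30-day policy deadline.
    print(run(100_000, deadline_days=30))
```

Changing a policy is a matter of editing the constants or the step sequence (for instance, inserting an accelerated-patching branch when malware is reported, as slide 7 does) and re-running; the two proportions are the numbers slide 8 annotates on its histogram.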

(9)

Exploring Investment Options

Figure (three risk reduced window charts, lost in extraction): Current situation; Investment in HIPS; Investment in patch automation. Each panel carries a “policy” marker.

(10)

Case Study: User Account Provisioning

Provisioning management deals with managing user accounts and setting and removing permissions/rights.

Poor user provisioning could: give more rights than necessary to users; prevent users from accessing legitimate resources.

Provisioning could be subject to various failures due to: user and administrators’ misbehaviours; cultural attitudes; IT and solution failures; attacks …

Provisioning of user accounts can be carried out with different levels of automation:

Ad-hoc processes

(11)

User Provisioning: Policy Decision Makers

The CIO or CISO is likely to define the policies. However, policy analysis and decisions require inputs and consent (buy-in) from several stakeholders, who have different priorities and concerns.

A set of high-level security metrics has been identified, relevant to the different stakeholders:

Stakeholder: Security/Compliance Officers. Metrics: Access Accuracy; Approval Accuracy

Stakeholder: Application Owner (Business). Metrics: Productivity Cost

Stakeholder: IT Operations (IT Budget Holder). Metrics: IAM Provisioning Costs

(12)

User Provisioning: Identifying Security Metrics

Metric: Access Accuracy
Formula: 1 - (w1*UAD + w2*UAM + w3*UAH) / UAA
Description: w1, w2, w3 are relevance weights in the [0,1] range; UAD is the number of denied user accounts, UAM the number of misconfigured user accounts, UAH the number of hanging user accounts and UAA the overall number of user accounts provisioned (for which either there has been approval or the approval process has been bypassed).

Metric: Approval Accuracy
Formula: #Approved_Provisioning / (#Approved_Provisioning + #Bypassed_Approvals)

Metric: Productivity Costs
Formula: [(join_appr_time + change_appr_time) + (join_prov_time + change_prov_time)] * Unit_cost_per_day + [(#loss_join_appr + #loss_join_prov) + (#loss_change_appr + #loss_change_prov)] * Unit_cost_lost
Description: takes into account loss of productivity due to waiting time (for the approval and deployment phases) and due to lost approval and deployment activities. The impact of these costs is weighted by constants for “unit cost per day” and “unit cost per loss”.

Metric: IAM Automation Cost
Formula: Fixed_Costs + Variable_Costs * Num_IAM_Automated_Apps
Description: estimated costs of running automated IAM provisioning processes, depending on fixed costs (e.g. a fixed yearly fee) and variable costs (e.g. additional license fees depending on the number of provisioned applications).

Metric: IAM Effort
Formula: #IAM_automated_provisioning_activities

Metric: Ad-hoc Effort
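The table's formulas, coded up as an added example (not the authors' code) so that the weights and the denominator conventions are explicit; the counts and unit costs fed to them at the bottom are constructed sample values, not figures from the deck.

```python
"""Metric formulas from the "Identifying Security Metrics" table.

Added example, not the authors' code. Each function is a direct transcription
of one row of the table; sample_report() applies them to constructed inputs.
"""


def access_accuracy(uad, uam, uah, uaa, w1=1.0, w2=1.0, w3=1.0):
    """Access Accuracy = 1 - (w1*UAD + w2*UAM + w3*UAH) / UAA.

    UAD: denied user accounts, UAM: misconfigured user accounts,
    UAH: hanging user accounts, UAA: all user accounts provisioned
    (approved or with the approval bypassed). Weights lie in [0,1].
    """
    if uaa <= 0:
        raise ValueError("UAA must be positive: no accounts were provisioned")
    for w in (w1, w2, w3):
        if not 0.0 <= w <= 1.0:
            raise ValueError("relevance weights must lie in [0,1]")
    return 1.0 - (w1 * uad + w2 * uam + w3 * uah) / uaa


def approval_accuracy(approved_provisioning, bypassed_approvals):
    """Approval Accuracy = #Approved / (#Approved + #Bypassed)."""
    total = approved_provisioning + bypassed_approvals
    if total <= 0:
        raise ValueError("no provisioning activity to assess")
    return approved_provisioning / total


def productivity_cost(join_appr_time, change_appr_time,
                      join_prov_time, change_prov_time,
                      loss_join_appr, loss_join_prov,
                      loss_change_appr, loss_change_prov,
                      unit_cost_per_day, unit_cost_lost):
    """Productivity Costs: waiting days priced per day, plus lost
    approval/deployment activities priced per loss."""
    waiting_days = (join_appr_time + change_appr_time) + (join_prov_time + change_prov_time)
    lost_activities = (loss_join_appr + loss_join_prov) + (loss_change_appr + loss_change_prov)
    return waiting_days * unit_cost_per_day + lost_activities * unit_cost_lost


def iam_automation_cost(fixed_costs, variable_costs, num_iam_automated_apps):
    """IAM Automation Cost = Fixed_Costs + Variable_Costs * Num_IAM_Automated_Apps."""
    return fixed_costs + variable_costs * num_iam_automated_apps


def sample_report():
    """Apply the four formulas to one constructed year of provisioning data."""
    return {
        # 1000 accounts provisioned; 20 denied, 50 misconfigured, 30 hanging
        "access_accuracy": access_accuracy(uad=20, uam=50, uah=30, uaa=1000),
        # 950 went through approval, 50 bypassed it
        "approval_accuracy": approval_accuracy(950, 50),
        # cumulative waiting days per phase and lost activities, priced at
        # 400 per waiting day and 1500 per lost activity (constructed)
        "productivity_cost": productivity_cost(
            join_appr_time=120, change_appr_time=40,
            join_prov_time=200, change_prov_time=60,
            loss_join_appr=10, loss_join_prov=5,
            loss_change_appr=3, loss_change_prov=2,
            unit_cost_per_day=400, unit_cost_lost=1500),
        # yearly fee 50000 plus 2000 per automated application, 12 applications
        "iam_automation_cost": iam_automation_cost(50000, 2000, 12),
    }


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name}: {value}")
```

Note that a bypassed approval still counts in UAA but lowers Approval Accuracy, so the two accuracy metrics can move in opposite directions when administrators "carry on without authorisation" to keep users productive; that tension is why the deck assigns them to the compliance stakeholder rather than the application owner.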

(13)

Provisioning Model: Details

Events: User Joins; User Changes Role; User Leaves.

For each event, the User Profile: role(s); set of required apps; location/region.

For each affected Application, the Application/Service Profile: ad-hoc or centrally managed; admin location/region; provisioning (entitlement) management team & profile; available IAM controls.

For each affected Application the model asks which type of change applies (“Joining”, “Changing”, “Leaving”) and runs the corresponding process:

User Joining: IAM Provisioning Management Process

User Changing Role: IAM Provisioning Management Process

User Leaving: IAM Provisioning Management Process

(14)

Provisioning Model: Details

User Joining: Provisioning Management Process (flowchart labels recovered from extraction)

For each affected Application, using its Application Profile (ad-hoc/centrally managed; admin location/region; provisioning mgmt team & profile; available IAM controls):

Approval request. Prob. loss approval request? YES: denied access; measure: # lost approval requests. NO: waiting time to process the approval request; measure: time to get approval (user joins).

Deployment. Prob. loss deployment activity? YES: denied access; measure: # lost deployment activities. NO: waiting time to deploy/configure; measure: time to deploy (configure account).

Misconfiguration. Prob. misconfig? YES: measure: # misconfigured accounts. NO: carry on.

A further branch on the slide reads “Carry on, without auth.”

Dependency lists attached to the steps:

regional/local attitudes; presence of automation (e.g. notification workflow)

regional/local attitudes; available resources (admin, mgmt); presence of automation (e.g. IAM provisioning solution); type of applications

regional/local attitudes; available resources; presence of IAM automation: provisioning & deployment (this list appears three times on the slide)

(15)

What-If Analysis – Experiments: Provisioning

Acting on the “Automation Lever”. Portfolio: Core Business Applications (5 Apps) and Non Core Business Applications (100 Apps).

CASE #1 – CURRENT SITUATION: core: automation 2 Apps, ad-hoc 3 Apps; non-core: automation 10 Apps, ad-hoc 90 Apps

CASE #2 (WHAT-IF CASE): core: automation 3 Apps, ad-hoc 2 Apps; non-core: automation 40 Apps, ad-hoc 60 Apps

CASE #3 (WHAT-IF CASE): core: automation 4 Apps, ad-hoc 1 App; non-core: automation 70 Apps, ad-hoc 30 Apps

CASE #4 (WHAT-IF CASE): core: automation 5 Apps, ad-hoc 0 Apps; non-core: automation 100 Apps, ad-hoc 0 Apps
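To connect the provisioning process model (slides 13 and 14) to the what-if experiment (slide 15), here is an added Python simulation, not the authors' model and not their results. It pushes joining users through the approval and deployment steps for each application their profile requires and tallies the measures the flowchart names (lost approval requests, lost deployment activities, misconfigured accounts, waiting times) together with the effort level (automated vs ad-hoc activities) for each of the four cases. The four application portfolios are those of slide 15; the per-path probabilities and waiting-time ranges, the 200 joining users and the 10 non-core applications per user are constructed assumptions.

```python
"""Provisioning process model run as the slide 15 what-if experiment.

Added example, not the authors' simulator. For every joining user and every
application the user requires, the activity follows the User Joining flow:
the approval request may be lost (denied access), otherwise it waits for
approval; the deployment activity may be lost (denied access), otherwise it
waits to be deployed and may end up misconfigured. Applications are either
IAM-automated or ad-hoc. ASSUMPTION: the deck gives the process structure and
the portfolios but not the per-path numbers; PATH and the user-profile
parameters below are constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PathParams:
    p_lost_approval: float   # Prob. loss approval request -> denied access
    appr_days: tuple         # waiting time to process approval, uniform (lo, hi)
    p_lost_deploy: float     # Prob. loss deployment activity -> denied access
    prov_days: tuple         # waiting time to deploy/configure, uniform (lo, hi)
    p_misconfig: float       # Prob. misconfig -> misconfigured account


# Constructed: automation is assumed to lose fewer requests and to be faster.
PATH = {
    "automated": PathParams(0.01, (0.5, 2.0), 0.01, (0.1, 1.0), 0.02),
    "adhoc": PathParams(0.10, (2.0, 10.0), 0.08, (1.0, 7.0), 0.10),
}

# Slide 15 portfolios: (core automated, core ad-hoc, non-core automated, non-core ad-hoc)
CASES = {
    1: (2, 3, 10, 90),    # current situation
    2: (3, 2, 40, 60),
    3: (4, 1, 70, 30),
    4: (5, 0, 100, 0),
}
N_CORE, N_NON_CORE = 5, 100

TALLY_KEYS = ("automated_activities", "adhoc_activities", "lost_approval_requests",
              "lost_deployment_activities", "accounts_provisioned",
              "misconfigured_accounts", "approval_wait_days", "deploy_wait_days")


def build_portfolio(case):
    """Return the management kind ('automated'/'adhoc') of each core and non-core app."""
    core_auto, core_adhoc, nc_auto, nc_adhoc = CASES[case]
    assert core_auto + core_adhoc == N_CORE and nc_auto + nc_adhoc == N_NON_CORE
    core = ["automated"] * core_auto + ["adhoc"] * core_adhoc
    non_core = ["automated"] * nc_auto + ["adhoc"] * nc_adhoc
    return core, non_core


def provision(kind, rng, tally):
    """One (user, application) activity on the User Joining path; updates tally."""
    p = PATH[kind]
    tally[f"{kind}_activities"] += 1
    if rng.random() < p.p_lost_approval:
        tally["lost_approval_requests"] += 1        # denied access
        return
    tally["approval_wait_days"] += rng.uniform(*p.appr_days)
    if rng.random() < p.p_lost_deploy:
        tally["lost_deployment_activities"] += 1    # denied access
        return
    tally["deploy_wait_days"] += rng.uniform(*p.prov_days)
    tally["accounts_provisioned"] += 1
    if rng.random() < p.p_misconfig:
        tally["misconfigured_accounts"] += 1


def run_case(case, n_users=200, non_core_per_user=10, seed=7):
    """Simulate n_users joining under the given portfolio case."""
    rng = random.Random(seed)
    core, non_core = build_portfolio(case)
    tally = dict.fromkeys(TALLY_KEYS, 0)
    for _ in range(n_users):
        # User profile (assumed): every core app plus a random set of non-core apps.
        required = list(core) + rng.sample(non_core, non_core_per_user)
        for kind in required:
            provision(kind, rng, tally)
    tally["case"] = case
    return tally


def what_if(cases=(1, 2, 3, 4)):
    """Effort level and flowchart measures for each case of the experiment."""
    return {c: run_case(c) for c in cases}


if __name__ == "__main__":
    for c, t in what_if().items():
        print(c, {k: round(v, 1) if isinstance(v, float) else v for k, v in t.items()})
```

The tallies are exactly the inputs the slide 12 formulas need (denied accounts from the two "lost" counters, misconfigured accounts, the waiting days for the productivity cost, and the two effort counts), so the same run produces the accuracy, cost and effort bars of the outcomes chart for each case.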

(16)

What-If Analysis: Simulation Outcomes

Figure (three charts; only labels and loose values survive extraction):

Accuracy Measures: Access Accuracy and Approval Accuracy for Case #1 to Case #4; y-axis 0.83–1.

Cost Measures: Productivity Cost and IDM Provisioning Costs for Case #1 to Case #4.

Effort Level, Case #1 (Current State) to Case #4: # Ad-Hoc Provisioning Activities and # Automated Prov. Activities; bar values as extracted, cell assignment lost: 3480, 1032, 2281, 2230, 1134, 3378, 4512.

(17)

Conclusion: In what ways do models contribute to measuring security?

Assess an organization’s security processes under current conditions

Compare alternative security solutions and policies in advance of implementing them

Estimate how well the security processes will perform in the future as conditions change

Produce consistent metrics at different levels of abstraction for different stakeholders

Assess the security metrics themselves, by

(18)

Some Future Directions

More detailed model of the threat environment: vary the organization’s strategy according to the classification of the vulnerability

Experiment with using models to evaluate and select appropriate metrics: exercise the model to see how metrics vary under different conditions; see which conditions are reflected well in the metrics

Economic techniques: utility functions and preference elicitation to discover optimal decisions
