Automated Cyber Risk Mitigation: Making Informed Cost-Effective Decisions

  • Chapter in: Adaptive Autonomous Secure Cyber Systems

Abstract

Automated and cost-effective security configuration for cyber risk management is a complex decision-making process because it requires considering many different factors, including hosts’ security weaknesses, potential threat actors, critical assets’ exposure to threat actors through network connectivity, service reachability requirements set by business policies, the usability impact that is acceptable from security hardening, and budgetary constraints. Although many automated techniques and tools have been proposed to scan host vulnerabilities and verify their compliance with security policies, existing approaches lack metrics and analytics to identify fine-grained network access controls based on a comprehensive risk analysis that uses the network connectivity together with both the hosts’ compliance reports and live threat activity.

In this chapter, we present metrics to assess enterprise cyber risk considering (1) the network connectivity requirements, (2) the end-host security compliance reports based on vulnerabilities and configuration weaknesses, and (3) the hosts’ dynamic threat indicators based on host intrusion detection and scoring tools. We then employ these metrics in a formal framework that automatically generates enterprise risk mitigation actions encompassing host-based vulnerability fixes and network access hardening actions. The risk mitigation plans generated by our framework minimize the residual risk under limited mitigation budgets so as to meet the expected Return On Investment (ROI). The integration of dynamic threat indicators allows our framework to automatically initiate inspection and access control hardening actions for hosts that show potentially malicious activity. We implemented our framework using advanced formal methods based on Satisfiability Modulo Theories (SMT), which has shown scalability for large networks.
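As an added illustration (not code from the chapter), the following Python models the budget-constrained mitigation selection the abstract describes on a constructed three-host network: residual risk combines each host's asset value, compliance weakness score, dynamic threat indicator and reachability from an untrusted zone; business-required reachability cannot be blocked; hosts with a high live threat indicator must be covered by some action; and the plan minimizing residual risk within the budget is found by exhaustive search in place of the chapter's SMT formulation. All host, action, cost and risk-model values are assumptions.

```python
from itertools import combinations

# Constructed sample enterprise (not from the chapter). Per host: asset value, compliance
# weakness (0..1, from scans), dynamic threat indicator (0..1, from host IDS), current
# reachability from the untrusted zone, and whether business policy requires that access.
HOSTS = {
    "web": {"value": 50,  "weakness": 0.8, "threat": 0.2, "reachable": True, "must_reach": True},
    "db":  {"value": 100, "weakness": 0.6, "threat": 0.7, "reachable": True, "must_reach": False},
    "hr":  {"value": 40,  "weakness": 0.9, "threat": 0.1, "reachable": True, "must_reach": False},
}
# Candidate mitigations (constructed): host fixes lower weakness, network blocks remove reachability.
ACTIONS = [
    {"id": "patch-web", "host": "web", "kind": "fix",   "cost": 30, "new_weakness": 0.1},
    {"id": "patch-db",  "host": "db",  "kind": "fix",   "cost": 60, "new_weakness": 0.2},
    {"id": "patch-hr",  "host": "hr",  "kind": "fix",   "cost": 20, "new_weakness": 0.3},
    {"id": "block-db",  "host": "db",  "kind": "block", "cost": 10},
    {"id": "block-hr",  "host": "hr",  "kind": "block", "cost": 10},
]
THREAT_THRESHOLD = 0.5  # hosts whose live threat indicator exceeds this must be mitigated

def residual_risk(hosts, chosen):
    """Sum of value * weakness * (1 + threat) over hosts still reachable after `chosen`."""
    state = {name: dict(attrs) for name, attrs in hosts.items()}
    for act in chosen:
        h = state[act["host"]]
        if act["kind"] == "fix":
            h["weakness"] = min(h["weakness"], act["new_weakness"])
        else:
            h["reachable"] = False
    return sum(h["value"] * h["weakness"] * (1 + h["threat"])
               for h in state.values() if h["reachable"])

def feasible(hosts, chosen, budget):
    """Budget respected, no business-required access blocked, every hot host covered."""
    if sum(a["cost"] for a in chosen) > budget:
        return False
    if any(a["kind"] == "block" and hosts[a["host"]]["must_reach"] for a in chosen):
        return False
    covered = {a["host"] for a in chosen}
    return all(h["threat"] <= THREAT_THRESHOLD or name in covered
               for name, h in hosts.items())

def plan(hosts, actions, budget):
    """Exhaustive search (the chapter uses SMT) for the feasible subset minimizing risk, then cost."""
    candidates = [s for k in range(len(actions) + 1) for s in combinations(actions, k)
                  if feasible(hosts, s, budget)]
    if not candidates:
        return None
    best = min(candidates, key=lambda s: (residual_risk(hosts, s), sum(a["cost"] for a in s)))
    return [a["id"] for a in best], residual_risk(hosts, best), sum(a["cost"] for a in best)
```

`plan(HOSTS, ACTIONS, 50)` blocks the host with live malicious activity, blocks the other non-essential host and patches the business-critical web host, which cannot be taken offline; with a budget too small to cover the hot host it returns `None`, signalling that no plan meets the policy constraints.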



Author information

Correspondence to Mohammed Noraden Alsaleh.


Copyright information

© 2020 Springer Nature Switzerland AG

Cite this chapter

Alsaleh, M.N., Al-Shaer, E. (2020). Automated Cyber Risk Mitigation: Making Informed Cost-Effective Decisions. In: Jajodia, S., Cybenko, G., Subrahmanian, V., Swarup, V., Wang, C., Wellman, M. (eds) Adaptive Autonomous Secure Cyber Systems. Springer, Cham. https://doi.org/10.1007/978-3-030-33432-1_7

  • DOI: https://doi.org/10.1007/978-3-030-33432-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-33431-4

  • Online ISBN: 978-3-030-33432-1

  • eBook Packages: Computer Science (R0)
