Abstract
Automated and cost-effective security configuration for cyber risk management is a complex decision-making process because it requires weighing many different factors: hosts' security weaknesses, potential threat actors, critical assets' exposure to those threat actors through network connectivity, service reachability requirements dictated by business policies, the usability cost of security hardening, and budgetary constraints. Although many automated techniques and tools have been proposed to scan hosts for vulnerabilities and verify their compliance with security policies, existing approaches lack metrics and analytics to derive fine-grained network access control from a comprehensive risk analysis that combines network connectivity with both the hosts' compliance reports and live threat activity.
In this chapter, we present metrics to assess enterprise cyber risk considering (1) the network connectivity requirements, (2) the end-host security compliance reports, based on vulnerabilities and configuration weaknesses, and (3) the hosts' dynamic threat indicators, based on host intrusion detection and scoring tools. We then employ these metrics in a formal framework that automatically generates enterprise risk mitigation actions encompassing host-based vulnerability fixes and network access hardening actions. The risk mitigation plans generated by our framework minimize the residual risk under a limited mitigation budget so as to meet the expected Return On Investment (ROI). Integrating dynamic threat indicators allows the framework to automatically initiate inspection and access control hardening actions for hosts that show potential malicious activity. We implemented our framework using formal methods based on Satisfiability Modulo Theories (SMT), which has shown scalability for large networks.
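As an added illustration of the kind of decision problem described above (it is not the chapter's own model, metrics or code), the following Python script encodes a small, constructed enterprise: hosts with scanned weaknesses, HIDS threat scores and asset values, plus access rules, some of which business policy marks as required. Candidate actions are fixing a weakness or blocking a non-required rule, each with a cost; a host whose threat score reaches a hypothetical alert threshold must have every non-required inbound path cut; and the plan with the lowest residual risk under the budget is selected. The risk formula, scores, costs and threshold are assumptions chosen for the example. The same model is handed to the Z3 optimizer when the z3-solver package is installed and solved by exhaustive search otherwise, so the result does not depend on the back end.

```python
"""Budget-constrained risk mitigation over host fixes and network access hardening.

Added illustration, not the chapter's model or code. Inventory, scores, costs and the
threat threshold are constructed and hypothetical. Uses Z3's optimizer if z3-solver is
installed (pip install z3-solver), otherwise exhaustive search over the same model.
"""
from dataclasses import dataclass
from itertools import product

try:
    import z3  # optional dependency
except ImportError:
    z3 = None

UNTRUSTED = "internet"
THREAT_ALERT = 70  # assumed HIDS score at/above which a host's inbound access is hardened


@dataclass(frozen=True)
class Host:
    name: str
    asset_value: int      # criticality, 1..10
    threat: int           # dynamic threat indicator from the HIDS, 0..100
    weaknesses: tuple     # (id, severity 0..100, fix cost) from the compliance scan


@dataclass(frozen=True)
class Rule:
    src: str              # host or zone allowed to reach dst
    dst: str
    block_cost: int       # usability penalty of denying this path
    required: bool = False  # business policy: the path may not be blocked


# Constructed inventory: a three-tier service, a legacy VPN box, one path that is policy.
HOSTS = (
    Host("web", 3, 10, (("CVE-A", 80, 4), ("CCE-tls", 40, 1))),
    Host("app", 5, 20, (("CVE-B", 60, 3),)),
    Host("db", 10, 5, (("CVE-C", 90, 6), ("CCE-auth", 50, 2))),
    Host("vpn", 2, 80, (("CVE-D", 70, 5),)),   # the HIDS is alerting on this host
)
RULES = (
    Rule(UNTRUSTED, "web", 10, required=True),
    Rule("web", "app", 4),
    Rule("app", "db", 3),
    Rule(UNTRUSTED, "vpn", 2),
    Rule("vpn", "db", 1),
)
PY_OPS = (lambda *a: all(a), lambda *a: any(a), lambda a: not a,
          lambda c, t, e: t if c else e)


def build(fix, block, And, Or, Not, Ite):
    """Return (residual_risk, total_cost, hard_constraints) for decision variables
    fix[(host, weakness)] and block[rule index]. The connectives are injected so one
    model serves both Python bools (search) and z3 Bools (SMT encoding)."""
    memo = {}

    def exposed(name):
        # Reachable from the untrusted zone over still-allowed rules (topology is acyclic).
        if name == UNTRUSTED:
            return True
        if name not in memo:
            paths = [And(True if r.required else Not(block[i]), exposed(r.src))
                     for i, r in enumerate(RULES) if r.dst == name]
            memo[name] = Or(*paths) if paths else False
        return memo[name]

    risk, cost, hard = 0, 0, []
    for h in HOSTS:
        unfixed = sum(Ite(fix[(h.name, w)], 0, sev) for w, sev, _ in h.weaknesses)
        # Assumed risk formula: exposure gates the unfixed weakness score, the live threat
        # indicator scales it, asset value weights it.
        risk += Ite(exposed(h.name), h.asset_value * (100 + h.threat) * unfixed, 0)
        cost += sum(Ite(fix[(h.name, w)], c, 0) for w, _, c in h.weaknesses)
        if h.threat >= THREAT_ALERT:
            # Suspicious host: every non-required path into it must be cut.
            hard += [block[i] for i, r in enumerate(RULES) if r.dst == h.name and not r.required]
    cost += sum(Ite(block[i], r.block_cost, 0) for i, r in enumerate(RULES) if not r.required)
    return risk, cost, hard


def _keys():
    fix_keys = [(h.name, w) for h in HOSTS for w, _, _ in h.weaknesses]
    block_keys = [i for i, r in enumerate(RULES) if not r.required]
    return fix_keys, block_keys


def _plan(risk, cost, fix, block, truth):
    return {"risk": risk, "cost": cost,
            "fixes": [k for k in fix if truth(fix[k])],
            "blocks": [(RULES[i].src, RULES[i].dst) for i in block if truth(block[i])]}


def solve_search(budget):
    """Exhaustive search: fine for a toy inventory, exponential in the number of actions."""
    fix_keys, block_keys = _keys()
    best = None
    for bits in product((False, True), repeat=len(fix_keys) + len(block_keys)):
        fix = dict(zip(fix_keys, bits))
        block = dict(zip(block_keys, bits[len(fix_keys):]))
        risk, cost, hard = build(fix, block, *PY_OPS)
        if cost <= budget and all(hard) and (best is None or (risk, cost) < best[:2]):
            best = (risk, cost, fix, block)
    return None if best is None else _plan(*best, truth=bool)


def solve_smt(budget):
    """Same model as an SMT optimization problem: lexicographic minimize risk, then cost."""
    fix_keys, block_keys = _keys()
    fix = {k: z3.Bool(f"fix_{k[0]}_{k[1]}") for k in fix_keys}
    block = {i: z3.Bool(f"block_{RULES[i].src}_{RULES[i].dst}") for i in block_keys}
    risk, cost, hard = build(fix, block, z3.And, z3.Or, z3.Not, z3.If)
    opt = z3.Optimize()
    opt.add(cost <= budget, *hard)
    opt.minimize(risk)
    opt.minimize(cost)
    if opt.check() != z3.sat:
        return None
    m = opt.model()
    val = lambda e: m.evaluate(e, model_completion=True)
    return _plan(val(risk).as_long(), val(cost).as_long(), fix, block,
                 truth=lambda v: z3.is_true(val(v)))


def solve(budget):
    return (solve_smt if z3 else solve_search)(budget)


def baseline_risk():
    """Risk with no mitigation applied (hard constraints ignored)."""
    fix_keys, block_keys = _keys()
    risk, _, _ = build(dict.fromkeys(fix_keys, False), dict.fromkeys(block_keys, False), *PY_OPS)
    return risk


def mitigation_roi(budget):
    """Risk reduction bought per unit of mitigation cost, or None if the budget is infeasible."""
    plan = solve(budget)
    return None if plan is None else (baseline_risk() - plan["risk"]) / max(plan["cost"], 1)


if __name__ == "__main__":
    for b in (1, 5, 10, 11):
        print(b, solve(b), mitigation_roi(b))
```

Two things worth noticing in the output: a budget below the cost of the mandatory hardening (here, cutting the internet path into the alerting VPN host) is reported as infeasible rather than silently ignored, and the optimizer prefers blocking the single web-to-app rule over patching the database, because the connectivity model makes one firewall change remove the exposure of every host behind it.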
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Alsaleh, M.N., Al-Shaer, E. (2020). Automated Cyber Risk Mitigation: Making Informed Cost-Effective Decisions. In: Jajodia, S., Cybenko, G., Subrahmanian, V., Swarup, V., Wang, C., Wellman, M. (eds) Adaptive Autonomous Secure Cyber Systems. Springer, Cham. https://doi.org/10.1007/978-3-030-33432-1_7
DOI: https://doi.org/10.1007/978-3-030-33432-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-33431-4
Online ISBN: 978-3-030-33432-1
eBook Packages: Computer Science, Computer Science (R0)