
ROI-Driven Cyber Risk Mitigation Using Host Compliance and Network Configuration

Journal of Network and Systems Management

Abstract

Automated cyber security configuration synthesis is the holy grail of cyber risk management. The effectiveness of cyber security depends heavily on appropriate configuration hardening of heterogeneous, yet interdependent, network security devices, such as firewalls, intrusion detection systems, IPSec gateways, and proxies, to minimize cyber risk. However, determining a cost-effective security configuration for risk mitigation is a complex decision-making process, because it must consider many different factors: end-hosts' security weaknesses identified by compliance checking, threat exposure due to network connectivity, potential impact/damage, service reachability requirements dictated by business policies, the usability cost of security hardening, and budgetary constraints. Although many automated techniques and tools have been proposed to scan end-host vulnerabilities and verify policy compliance, existing approaches lack the metrics and analytics needed to derive fine-grained network access control from a comprehensive risk analysis that uses both the hosts' compliance reports and the network connectivity. In this paper, we present new metrics and a formal framework for automatically assessing the global enterprise risk and determining the most cost-effective security configuration for risk mitigation, considering both end-host security compliance and network connectivity. The proposed metrics measure the global enterprise risk based on the end-host vulnerabilities and configuration weaknesses collected through compliance scanning reports, their inter-dependencies, and network reachability. We then use these metrics to automatically generate a set of host-based vulnerability fixes and network access control decisions that mitigates the global network risk so as to satisfy the desired Return on Investment of cyber security. We solve the cyber risk mitigation problem with formal methods based on Satisfiability Modulo Theories (SMT), an approach that has been shown to scale to large networks.
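The abstract combines three ingredients: a global risk metric built from per-host compliance findings and network reachability (including pivoting between hosts), a set of candidate mitigations (fix a host weakness, or block a network flow) each with a cost, and an ROI target that the chosen mitigation set must meet without violating business-required reachability. The following Python script is an added illustration of that decision problem; it is not the paper's code and does not reproduce its SMT encoding or its actual metrics. All hosts, vulnerabilities, severity scores, costs and allowed flows are constructed, and exhaustive search over mitigation sets stands in for the SMT solver so the example runs with the standard library alone.

```python
"""Toy model of the problem in the abstract: host compliance findings plus network
reachability give a global risk score, then we pick the cheapest set of host fixes
and flow blocks that meets a residual-risk target and a minimum ROI. All hosts,
scores, costs and flows are constructed; exhaustive search stands in for SMT."""
from dataclasses import dataclass
from itertools import combinations

INTERNET = "internet"  # untrusted source zone

@dataclass(frozen=True)
class Vuln:
    host: str
    port: int        # service on which the weakness is exposed
    impact: float    # CVSS-like severity, 0..10 (constructed)
    fix_cost: float  # effort to patch or reconfigure (constructed units)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    block_cost: float       # usability/business cost of blocking (constructed)
    required: bool = False  # business policy: this flow must stay open

# Constructed compliance findings, as a SCAP-style scan would report them
VULNS = (
    Vuln("web", 443, 7.5, 3.0),  # outdated TLS stack on the public service
    Vuln("web", 22, 5.0, 1.0),   # weak SSH configuration
    Vuln("app", 8080, 8.0, 4.0),
    Vuln("db", 3306, 9.0, 6.0),
)
# Constructed current network configuration (flows the firewalls allow)
FLOWS = (
    Flow(INTERNET, "web", 443, 100.0, required=True),  # public web service
    Flow(INTERNET, "web", 22, 2.0),                    # admin SSH from anywhere
    Flow("web", "app", 8080, 10.0, required=True),
    Flow("app", "db", 3306, 10.0, required=True),
    Flow("web", "db", 3306, 1.0),                      # lateral path nobody needs
)

def exploitable_vulns(vulns, flows):
    """Attack-graph style fixpoint: a vulnerability is exploitable if an allowed flow
    reaches its host/port from INTERNET or an already exploited host (pivoting)."""
    owned, exploitable, changed = {INTERNET}, set(), True
    while changed:
        changed = False
        for f in (f for f in flows if f.src in owned):
            for v in vulns:
                if v.host == f.dst and v.port == f.port and v not in exploitable:
                    exploitable.add(v)
                    owned.add(v.host)
                    changed = True
    return exploitable

def global_risk(vulns, flows):
    """Global enterprise risk: summed impact of every exploitable vulnerability."""
    return sum(v.impact for v in exploitable_vulns(vulns, flows))

@dataclass(frozen=True)
class Plan:
    actions: tuple  # ("fix", Vuln) and ("block", Flow) entries
    baseline_risk: float
    residual_risk: float
    cost: float

    @property
    def roi(self):  # risk reduction bought per unit of mitigation cost
        return (self.baseline_risk - self.residual_risk) / self.cost if self.cost else float("inf")

def evaluate(actions, vulns, flows):
    """Residual risk and total cost after fixing/blocking the chosen targets."""
    fixed = {t for kind, t in actions if kind == "fix"}
    blocked = {t for kind, t in actions if kind == "block"}
    residual = global_risk(tuple(v for v in vulns if v not in fixed),
                           tuple(f for f in flows if f not in blocked))
    cost = sum(t.fix_cost if kind == "fix" else t.block_cost for kind, t in actions)
    return residual, cost

def plan_mitigation(vulns, flows, max_residual_risk, min_roi):
    """Cheapest action set with residual risk <= target and ROI >= min_roi that never
    blocks a business-required flow; None if no such set exists."""
    baseline = global_risk(vulns, flows)
    if baseline <= max_residual_risk:
        return Plan((), baseline, baseline, 0.0)
    candidates = [("fix", v) for v in vulns] + [("block", f) for f in flows if not f.required]
    best = None
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            residual, cost = evaluate(combo, vulns, flows)
            plan = Plan(combo, baseline, residual, cost)
            if residual <= max_residual_risk and plan.roi >= min_roi:
                if best is None or (cost, residual) < (best.cost, best.residual_risk):
                    best = plan
    return best

if __name__ == "__main__":
    plan = plan_mitigation(VULNS, FLOWS, max_residual_risk=10.0, min_roi=2.0)
    print(plan.residual_risk, plan.cost, plan.roi, plan.actions)
```

With the constructed data the baseline risk is 29.5, and the cheapest plan that brings it under 10 is to fix both weaknesses on the internet-facing web host (cost 4, residual 0, ROI 7.375): once the only host reachable from the untrusted zone has no exploitable service, the internal app and database hosts are no longer reachable by pivoting, so their unpatched weaknesses stop contributing to global risk. Blocking the unneeded web-to-db flow alone is cheap but buys nothing, because the database stays reachable through the required app-to-db path; this is the kind of interaction between host compliance and network configuration that a per-host score cannot capture.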


Correspondence to Mohammed Noraden Alsaleh.


Cite this article

Alsaleh, M.N., Al-Shaer, E. & Husari, G. ROI-Driven Cyber Risk Mitigation Using Host Compliance and Network Configuration. J Netw Syst Manage 25, 759–783 (2017). https://doi.org/10.1007/s10922-017-9428-x
