Nothing Special   »   [go: up one dir, main page]

Skip to main content
Log in

ROI-Driven Cyber Risk Mitigation Using Host Compliance and Network Configuration

  • Published:
Journal of Network and Systems Management Aims and scope Submit manuscript

Abstract

Automated cyber security configuration synthesis is the holy grail of cyber risk management. The effectiveness of cyber security is highly dependent on the appropriate configuration hardening of heterogeneous, yet interdependent, network security devices, such as firewalls, intrusion detection systems, IPSec gateways, and proxies, to minimize cyber risk. However, determining cost-effective security configuration for risk mitigation is a complex decision-making process because it requires considering many different factors including end-hosts’ security weaknesses based on compliance checking, threat exposure due to network connectivity, potential impact/damage, service reachability requirements according to business polices, acceptable usability due to security hardness, and budgetary constraints. Although many automated techniques and tools have been proposed to scan end-host vulnerabilities and verify the policy compliance, existing approaches lack metrics and analytics to identify fine-grained network access control based on comprehensive risk analysis using both the hosts’ compliance reports and network connectivity. In this paper, we present new metrics and a formal framework for automatically assessing the global enterprise risk and determining the most cost-effective security configuration for risk mitigation considering both the end-host security compliance and network connectivity. Our proposed metrics measure the global enterprise risk based on the end-host vulnerabilities and configuration weaknesses, collected through compliance scanning reports, their inter-dependencies, and network reachability. We then use these metrics to automatically generate a set of host-based vulnerability fixes and network access control decisions that mitigates the global network risk to satisfy the desired Return on Investment of cyber security. We solve the problem of cyber risk mitigation based on advanced formal methods using Satisfiability Module Theories, which has shown scalability with large-size networks.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

References

  1. NIST. The technical specification for the security content automation protocol (SCAP). http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-126-Rev-3

  2. Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Raj Rajagopalan, S., Singhal, A.: Aggregating vulnerability metrics in enterprise networks using attack graphs. J. Comput. Secur. 21(4), 561–597 (2013)

    Article  Google Scholar 

  3. Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and communications Security, pp. 336–345. ACM (2006)

  4. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: 2002 IEEE Symposium on Security and privacy, 2002. Proceedings, pp. 273–284. IEEE (2002)

  5. Waltermire, D., Schmidt, C., Scarfone, K., Ziring, N.: Specification for the extensible configuration checklist description format (XCCDF) v1.2. http://csrc.nist.gov/publications/nistir/ir7275-rev4/NISTIR-7275r4.pdf (2012)

  6. Common vulnerability scoring system v3.0: specification document. https://www.first.org/cvss/cvss-v30-specification-v1.8.pdf (2015)

  7. Scarfone, K., Mell, P.: The common configuration scoring system (CCSS): Metrics for software security configuration vulnerabilities. NIST interagency report (2010)

  8. LeMay, E., Scarfone, K., Mell, P.: The common misuse scoring system (CMSS): Metrics for software feature misuse vulnerabilities. US Department of Commerce, National Institute of Standards and Technology (2012)

  9. De Moura, L., Bjørner, N.: Z3: an efficient smt solver. In: Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS’08/ETAPS’08, pp. 337–340. Springer, Berlin (2008)

  10. Jahoda, M., Gkioka, I., Krtk, R., Prpi, M., Apek, T., Wadeley, S., Ruseva, Y., Svoboda, M.: Red hat enterprise linux 7 security guide (2017)

  11. Common vulnerabilities and exposures (CVE). http://cve.mitre.org/ (2017)

  12. Common configuration enumeration (CCE). http://cce.mitre.org/ (2017)

  13. Al-Shaer, E., Marrero, W., El-Atawy, A., Elbadawi, K.: Network configuration in a box: towards end-to-end verification of network reachability and security. In: ICNP, pp. 123–132 (2009)

  14. Zeng, J.H., Kazemian, P.: Mini-stanford backbone. https://reproducingnetworkresearch.wordpress.com/2012/07/11/atpg/ (2012)

  15. Medina, A., Lakhina, A., Matta, I., Byers, J.: Brite: an approach to universal topology generation. In: Ninth International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, 2001. Proceedings, pp 346–353. IEEE (2001)

  16. NOPSEC. State of vulnerability risk management. http://info.nopsec.com/sov (2015)

  17. Houmb, S.H., Franqueira, V.N.L., Engum, E.A.: Quantifying security risk level from CVSS estimates of frequency and impact. J. Syst. Softw. 83(9), 1622–1634 (2010)

    Article  Google Scholar 

  18. Joh, H., Malaiya, Y.K.: Defining and assessing quantitative security risk measures using vulnerability lifecycle and cvss metrics. In: The 2011 International Conference on Security and Management (sam) (2011)

  19. Ou, X., Singhal, A.: Security risk analysis of enterprise networks using attack graphs. In: Quantitative Security Risk Assessment of Enterprise Networks, pp. 13–23. Springer (2011)

  20. Yin, X., Fang, Y., Liu, Y.: Real-time risk assessment of network security based on attack graphs. In: 2013 International Conference on Information Science and Computer Applications (ISCA 2013). Atlantis Press (2013)

  21. Barrere, M., Badonnel, R., Festor, O.: A sat-based autonomous strategy for security vulnerability management. In: Network Operations and Management Symposium (NOMS), 2014 IEEE, pp. 1–9 (2014)

  22. Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: Computer Security Applications Conference, 2006. ACSAC ’06. 22nd Annual, pp. 121–130 (2006)

  23. Albanese, M., Jajodia, S., Noel, S.: Time-efficient and cost-effective network hardening using attack graphs. In: 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2012, pp. 1–12 (2012)

  24. Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using bayesian attack graphs. IEEE Trans. Dependable Secur. Comput. 9(1), 61–74 (2012)

    Article  Google Scholar 

  25. Chung, C.J., Khatkar, P., Xing, T., Lee, J., Huang, D.: Nice: network intrusion detection and countermeasure selection in virtual network systems. IEEE Trans. Dependable Secur. Comput. 10(4), 198–211 (2013)

    Article  Google Scholar 

  26. Chung, C.J., Cui, J., Khatkar, P., Huang, D.: Non-intrusive process-based monitoring system to mitigate and prevent VM vulnerability explorations. In: 9th International Conference Conference on Collaborative Computing: Networking, Applications and Worksharing (Collaboratecom), 2013, pp. 21–30. IEEE (2013)

  27. Alsaleh, M.N., Husari, G., Al-Shaer, E. : Optimizing the roi of cyber risk mitigation. In: 12th International Conference on Network and Service Management (CNSM), 2016, pp. 223–227. IEEE (2016)

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Mohammed Noraden Alsaleh.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Alsaleh, M.N., Al-Shaer, E. & Husari, G. ROI-Driven Cyber Risk Mitigation Using Host Compliance and Network Configuration. J Netw Syst Manage 25, 759–783 (2017). https://doi.org/10.1007/s10922-017-9428-x

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10922-017-9428-x

Keywords

Navigation