Ranking of security controlling strategies driven by quantitative threat analysis
Tavolo 2 (Table 2): "Big data security evaluation"
UNIFI-CNR
Nicola Nostro, Andrea Ceccarelli, Ilaria Matteucci, Felicita Di Giandomenico
Fai della Paganella - February 12, 2014

Outline
1. General description of work
2. Basics
3. Architecture/Framework
4. Use case
5. Conclusions and future works

General description of the work
• Security analysis and design are key activities for the protection of critical systems and infrastructure.
• Traditional approaches:
  – Apply a qualitative threat assessment
  – The results are used as input for the security design, so that appropriate countermeasures are selected
• Our work: selection and ranking of security controlling strategies driven by quantitative threat analysis
  – Threat analysis that identifies attack points and paths, and ranks attacks (by cost, difficulty, ...)
  – Such enriched information is used for more elaborate controlling strategies that derive the appropriate monitoring rules and select countermeasures.

Basics – Threat Analysis
• The purpose is to create a database of threats, vulnerabilities and countermeasures:
  – start from the identification of the assets to protect;
  – identify the potential vulnerabilities and the related threats;
  – take into account the severity of the threats;
  – define countermeasure plans.
• A vulnerability is a bug, a flaw, a weakness or an exposure of an application, a system, a device or a service which could lead to issues of confidentiality, integrity or availability.
• A threat represents the occurrence of a harmful event that exploits one or more vulnerabilities.

Basics – Control strategies (1)
A control strategy is defined in order to guarantee "security" at run-time. A security policy is expressed over the traces of the system. Guaranteeing security means that the controlled system satisfies the security policies.
Basics – Control strategies (2)
• The truncation strategy recognizes bad sequences of actions and halts program execution before the security property is violated, but cannot otherwise modify program behavior.
• The suppression strategy can halt program execution and suppress individual program actions without terminating the program outright.
• The insertion strategy can insert a sequence of actions into the program's action stream as well as terminate the program.

Framework Architecture
• Threat analysis supported by security models provides information on:
  – Attackers
  – Attacks and attack points (as usual from threat analysis)
  – Attack paths
  – Relevance of the path (from a security viewpoint) / necessity of countermeasures
  – Weights: costs, probabilities
• Security control strategies
  – Use the weights and the relevance of the paths
  – Current objective: ranking of quantitative security controlling strategies
  – Final output is the definition of countermeasures based on the evaluation of the controlled paths

High-level Workflow
Stages shown in the slide's diagram:
  Requirements (the system's functional requirements, and the dependability and security requirements)
  -> Threat Analysis
  -> Controlling strategies
  -> Design of security countermeasures

Use case description
• Critical system
  – Several categories of users
  – Heterogeneous devices
• Security and privacy requirements to protect: guarantee that authorized users do not compromise, counterfeit, steal or unnecessarily query data, and do not abuse the data correlation and data search capabilities beyond what is strictly necessary for their work.

ADVISE formalism
1. Attack Execution Graph (AEG) – an attack graph with different kinds of nodes: attack steps, access domains, skills, and goals
2. Adversary Profile: the set of items initially owned, proficiency in attack skills, and policies:
   – payoff, costs, detection risk
• The algorithm evaluates the reachable states for a planning horizon, and selects the most appealing one.
E. LeMay, M.D. Ford, K. Keefe, W.H. Sanders, C. Muehrcke, "Model-based Security Metrics Using ADversary VIew Security Evaluation (ADVISE)". QEST 2011: 191-200

(Insider) Threat analysis and AEG – resulting AEG
[Figure: Data Theft Attack Execution Graph]

(Insider) Threat analysis and AEG – quantitative results
• Based on predefined metrics of interest:
  – attackers;
  – critical paths, probability to follow a path;
  – critical attack steps;
  – attack costs;
  – ...
• Adversary profile attributes used in the analysis:

  Attribute    System Administrator    System Expert
  Skill        800                     500
  Cost         0                       0
  Detection    0.1                     0.4
  Payoff       1000                    1000

Quantitative Control strategies
• We can associate with each trace manipulation a measure, e.g., a cost.
• Definition of a controller process through a Generalized Process Algebra in which each step is associated with a value.
Definition. Given a path t = (a1,k1) … (an,kn), the label of t is (a1 … an), which belongs to Act*, and its run weight is |t| = k1 * … * kn, which belongs to K, where the product * denotes the product of the considered semiring K.
The valuation of a process intuitively corresponds to the sum of the quantities of all traces belonging to the process.

Is one control strategy better than another?
To select the controller strategy that best fits a set of requirements (e.g., the minimum cost), we associate with each step a value obtained from the threat analysis. ; ; where k, k' denote these values.

Next Steps
• Identification of an appropriate case study
• Preliminary version of the paper in progress
• Iterative approach to the framework
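The run-weight definition and the cost-based comparison of the three controlling strategies (truncation, suppression, insertion) described above, as an added worked example that is not the authors' code. It assumes a (max, +) semiring so the valuation is the worst-case trace cost, a hypothetical policy forbidding a "bulk_export" action, and hypothetical step and manipulation costs standing in for threat-analysis output.

```python
# Added example, not the slides' own code: run weight and valuation of weighted
# traces over a semiring, then a cost-based ranking of the three controlling
# strategies. Costs, policy and manipulation costs are hypothetical stand-ins.
from functools import reduce
from typing import Callable, NamedTuple

class Semiring(NamedTuple):
    plus: Callable   # combines alternative traces (the semiring "sum")
    times: Callable  # accumulates weights along one trace (the "product")
    one: object      # neutral element of times (weight of the empty run)

# (max, +): run weight = total cost of a trace, valuation = worst-case cost.
MAX_PLUS = Semiring(max, lambda a, b: a + b, 0)

def run_weight(trace, K):
    """|t| = k1 * ... * kn for t = (a1,k1)...(an,kn)."""
    return reduce(K.times, (k for _, k in trace), K.one)

def valuation(process, K):
    """Semiring sum of the run weights of all traces of the process."""
    return reduce(K.plus, (run_weight(t, K) for t in process))

FORBIDDEN = {"bulk_export"}         # policy: this action must never execute
HALT_COST, DROP_COST = 10, 3        # hypothetical cost of each manipulation
INSERTED = ("require_approval", 2)  # hypothetical inserted guard action

def truncation(trace):
    # Halt before the first forbidden action; nothing after it runs.
    for i, (a, _) in enumerate(trace):
        if a in FORBIDDEN:
            return trace[:i] + [("halt", HALT_COST)]
    return list(trace)

def suppression(trace):
    # Replace each forbidden action by a charged drop; the program continues.
    return [("drop", DROP_COST) if a in FORBIDDEN else (a, k) for a, k in trace]

def insertion(trace):
    # Insert a guard action before each forbidden action, then let it run.
    out = []
    for a, k in trace:
        out += [INSERTED, (a, k)] if a in FORBIDDEN else [(a, k)]
    return out

STRATEGIES = {"truncation": truncation, "suppression": suppression, "insertion": insertion}
def rank_strategies(process, K=MAX_PLUS):
    """Rank strategies by valuation of the controlled process, cheapest first."""
    scores = {n: valuation([f(t) for t in process], K) for n, f in STRATEGIES.items()}
    return sorted(scores.items(), key=lambda kv: kv[1])

# Constructed insider traces: (action, cost) steps of the uncontrolled system.
PROCESS = [[("login", 1), ("query_records", 2), ("bulk_export", 5)],
           [("login", 1), ("browse", 1)]]
```

Swapping MAX_PLUS for a (min, +) or (+, ×) semiring changes what the valuation measures (cheapest trace, or a probability-style aggregate) without changing the strategy code.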