Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development

Size: px

Start display at page:

Download "Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development"

Gervase Stevenson
9 years ago
Views:

1 Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC) 3 12 February 2015 Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development Michael Siegel James Houghton

Cyber Security Using System Dynamics Simulation Modeling for

2 Mission: Resiliency of Organizations & Markets Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational ecosystem the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors Sample key questions: Behavioral: What are the attitudes and perceptions of the private sector about cyber security? Managerial: What solutions can feasibly be manipulated by the firm or sector itself, and what can be encouraged or directed by outside actors? Technological: What is effecting product security of key IT components? Modeling framework to unpack cyber dynamics and provide organizational framework 2

attitudes and perceptions of the private sector about cyber security?

3 Brief Overview of System Dynamics SDM used as modeling & simulation method over 50 years Eliminate limitations of linear logics and over-simplicity Based on system structure, behavior patterns, interconnections of positive & negative feedback loops SDM has been applied to numerous domains Software development projects Process Improvement projects Crisis and threat in the world oil market Stability and instability of countries many others SDM helps to uncover hidden dynamics in system Helps understand unfolding of situations, Helps anticipate & predict new modes Explore range of unintended consequences 3

development projects Process Improvement projects Crisis and threat in the world oil market Stability and instability of countries many others SDM helps

4 Mission: Dynamics of Threats and Resilience How did breaches (threats) occur? * 67% were aided by significant errors (of the victim) Systems Not at Risk Adverse Behaviors & Management Risk Promotion Risk Reduction Systems At Risk 64% resulted from hacking Risk Management Attack Onset Recovery Threat Management Affected Systems 38% utilized Malware How are security and threat processes (resilience) managed? * Real-World Implications Financial, Data, Integrity, Reputation Over 80% of the breaches had patches available for more than 1 year 75% of cases go undiscovered or uncontained for weeks or months * Verizon Data Breach 4 Report

resulted from hacking Risk Management Attack Onset Recovery Threat Management Affected Systems 38% utilized Malware How are security and threat processes

5 Relating Actions to Outcomes Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive? Systems Not at Risk Adverse Behaviors & Management Risk Promotion Risk Reduction Systems At Risk Risk Management Attack Onset Recovery Threat Management Affected Systems Real-World Implications Financial, Data, Integrity, Reputation 5

Systems Not at Risk Adverse Behaviors & Management Risk Promotion Risk Reduction Systems At

6 Attack Vector Identification Patching Dynamics Vendor Resilience and Responsiveness Attacker Capabilities Resources Motivation Skills Awareness Firm Performance Not Compromised Indentifying Exploits Patching Identified Attack Vectors Compromised Firm Knowledge And Awareness Visibility Technical Capabilities Process Architecture Info Sharing 6 Reverse Engineering Sector Performance

Indentifying Exploits Patching Identified Attack Vectors Compromised Firm Knowledge And

7 System Compromising Downstream Dynamics Architecture Resilience Attacker Capabilities Firm Performance Availability Data Security Public Awareness Not Compromised Identified Attack Vectors Compromising Remediating Compromised Firm Knowledge And Awareness Defensive Procedures Establishing Footholds Sector Performance 7

Compromised Identified Attack Vectors Compromising Remediating Compromised Firm

8 Simulation Modeling Overview Change in Security Effect of Investment on Application Security Test for Change in Application Security Application Security Height Time to Update Patch Delay Application Security Time Change in Patch Delay Application Security Duration Initial Application Security Patch Delay Application Software Security Software Security Normalized Software Security Function for Effect of Normalized Software Security Change in Systems System Change Patching Base Patch Delay Base Application Software Security Effect of Application Software Security on Vulnerability Identification Not Compromised <Vulnerability Identification Rate> <Action to Reduce Vulnerabilities> Indentifying Vulnerabilities Reducing Vulnerabilities Compromising Rate Height Identified Attack Vectors Fraction Vulnerable Test Input for Compromising Rate Change in Compromising Rate Compromising Rate Time Compromising Rate Duration Attacking <Compromising Rate> Compromising Recovery <Recovery Rate> Compromising Rate Fraction Compromised Implied Compromising Rate <Attack Vector Gap> Compromised Compromising Delays New Patch Delay 8 Total Systems

Effect of Normalized Software Security Change in Systems System Change Patching Base Patch Delay Base Application Software Security Effect of Application Software Security on Vulnerability

9 Making the Case Blue is base case; red case is patching with quality standards; green is current case Technical Not Compromised Week Upstream Costs Attack Vectors Week Infected Week Downstream Costs Managers Week 2,000 Total Costs Week 1,500 Senior Management (CIO) 1, Week 9

20 200 170 140 110 Infected 80 0 10 20 30 40 50 60 70 80 90 100 Week Downstream Costs Managers 7.5 5 2.

10 Summary of Results Solving problems upstream is more effective than fixing them downstream. Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions. Nonlinearities and tipping points may exist 10

Differentials in time delays in physical processes (such as patching) and behavioral

11 Summary Cybersecurity solutions require a holistic approach Systems modeling: behavior, management, policy and technology The case of patching and software quality provide insights into timing and approaches Bug bounty programs and vulnerability markets have significant effect on security and the cyber ecosystem stay tuned for James Houghton 11

provide insights into timing and approaches Bug bounty programs and vulnerability

12 BACKUP 12

13 Patching Dynamics 13

14 Downstream Dynamics 14

15 Patching Dynamics 15

16 Downstream Dynamics 16

How To Understand And Understand Cyber Security

How To Understand And Understand Cyber Security Special Sessions on Cybersecurity Research for Critical Infrastructure Thursday, February 12, 2015 In Oceans 12 Session 1, 8:30 10:00, Oceans 12 Michael Siegel Principal Research Scientist, and Associate