Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development




Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3
12 February 2015
Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development
Michael Siegel, James Houghton

Mission: Resiliency of Organizations & Markets
Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational ecosystem: the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors.
Sample key questions:
- Behavioral: What are the attitudes and perceptions of the private sector about cyber security?
- Managerial: What solutions can feasibly be manipulated by the firm or sector itself, and what can be encouraged or directed by outside actors?
- Technological: What is affecting product security of key IT components?
Modeling framework to unpack cyber dynamics and provide organizational framework

Brief Overview of System Dynamics
- SDM used as modeling & simulation method over 50 years
- Eliminate limitations of linear logics and over-simplicity
- Based on system structure, behavior patterns, interconnections of positive & negative feedback loops
- SDM has been applied to numerous domains:
  - Software development projects
  - Process improvement projects
  - Crisis and threat in the world oil market
  - Stability and instability of countries
  - many others
- SDM helps to uncover hidden dynamics in system:
  - Helps understand unfolding of situations
  - Helps anticipate & predict new modes
  - Explore range of unintended consequences

Mission: Dynamics of Threats and Resilience
How did breaches (threats) occur? *
- 67% were aided by significant errors (of the victim)
- 64% resulted from hacking
- 38% utilized malware
How are security and threat processes (resilience) managed? *
- Over 80% of the breaches had patches available for more than 1 year
- 75% of cases go undiscovered or uncontained for weeks or months
[Diagram labels: Systems Not at Risk; Systems At Risk; Affected Systems; Adverse Behaviors & Management; Risk Promotion; Risk Reduction; Risk Management; Attack Onset; Recovery; Threat Management; Real-World Implications: Financial, Data, Integrity, Reputation]
* Verizon Data Breach Report

Relating Actions to Outcomes
Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive?
[Diagram labels: Systems Not at Risk; Systems At Risk; Affected Systems; Adverse Behaviors & Management; Risk Promotion; Risk Reduction; Risk Management; Attack Onset; Recovery; Threat Management; Real-World Implications: Financial, Data, Integrity, Reputation]

Attack Vector Identification Patching Dynamics
[Diagram labels: Vendor Resilience and Responsiveness; Attacker Capabilities; Resources; Motivation; Skills; Awareness; Firm Performance; Not Compromised; Identifying Exploits; Patching; Identified Attack Vectors; Compromised; Firm Knowledge And Awareness; Visibility; Technical Capabilities; Process Architecture; Info Sharing; Reverse Engineering; Sector Performance]

System Compromising Downstream Dynamics
[Diagram labels: Architecture Resilience; Attacker Capabilities; Firm Performance; Availability; Data Security; Public Awareness; Not Compromised; Identified Attack Vectors; Compromising; Remediating; Compromised; Firm Knowledge And Awareness; Defensive Procedures; Establishing Footholds; Sector Performance]

Simulation Modeling Overview
[Diagram: simulation model. Variable labels include: Not Compromised; Identified Attack Vectors; Compromised; Identifying Vulnerabilities; Reducing Vulnerabilities; Patching; Attacking; Compromising; Recovery; Patch Delay; Base Patch Delay; New Patch Delay; Time to Update Patch Delay; Change in Patch Delay; Application Software Security; Base Application Software Security; Initial Application Security; Normalized Software Security; Effect of Investment on Application Security; Effect of Application Software Security on Vulnerability Identification; Vulnerability Identification Rate; Action to Reduce Vulnerabilities; Compromising Rate; Implied Compromising Rate; Recovery Rate; Attack Vector Gap; Fraction Vulnerable; Fraction Compromised; Compromising Delays; Total Systems]

Making the Case
Blue is base case; red case is patching with quality standards; green is current case
[Plots. Group labels: Technical; Managers; Senior Management (CIO). Panel titles: Not Compromised; Attack Vectors; Infected; Upstream Costs; Downstream Costs; Total Costs. X-axis: Week, 0 to 100.]

Summary of Results
- Solving problems upstream is more effective than fixing them downstream.
- Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions.
- Nonlinearities and tipping points may exist
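The role of the patching delay can be tried in a small stock-and-flow simulation. This is an added example, not the presenters' model: the three stocks take their names from the slides, while the flow equations and every parameter value (rates, delays, 200 systems) are assumptions constructed for illustration.

```python
"""Three-stock patching model. Added illustration; all numbers are constructed."""


def simulate(patch_delay, weeks=100, dt=0.25, total=200.0,
             ident_rate=0.05, comp_rate=0.05, recovery_delay=10.0):
    """Euler-integrate the stocks and return one (N, V, C) sample per week.

    N = Not Compromised, V = Identified Attack Vectors, C = Compromised.
    patch_delay and recovery_delay are in weeks; rates are per week.
    """
    n, v, c = total, 0.0, 0.0            # every system starts in N
    steps_per_week = round(1 / dt)
    history = [(n, v, c)]
    for step in range(1, weeks * steps_per_week + 1):
        identifying = ident_rate * n      # N -> V: attack vector identified
        patching = v / patch_delay        # V -> N: first-order delay
        compromising = comp_rate * v      # V -> C: unpatched system is hit
        recovering = c / recovery_delay   # C -> N: remediation
        n += dt * (patching + recovering - identifying)
        v += dt * (identifying - patching - compromising)
        c += dt * (compromising - recovering)
        if step % steps_per_week == 0:
            history.append((n, v, c))
    return history


def compromised_system_weeks(history):
    """Approximate the area under the Compromised curve (system-weeks)."""
    return sum(c for _, _, c in history[1:])


def compare(patch_delays=(52.0, 12.0, 4.0)):
    """Return {patch_delay: (compromised at final week, system-weeks)}."""
    out = {}
    for delay in patch_delays:
        hist = simulate(delay)
        out[delay] = (hist[-1][2], compromised_system_weeks(hist))
    return out


if __name__ == "__main__":
    for delay, (final_c, area) in compare().items():
        print(f"patch delay {delay:5.1f} wk: "
              f"compromised at week 100 = {final_c:6.2f}, "
              f"system-weeks = {area:8.1f}")
```

With these constructed parameters a 52-week patch delay settles near 35 compromised systems out of 200, and a 4-week delay near 13.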

Summary
- Cybersecurity solutions require a holistic approach
- Systems modeling: behavior, management, policy and technology
- The case of patching and software quality provides insights into timing and approaches
- Bug bounty programs and vulnerability markets have a significant effect on security and the cyber ecosystem (stay tuned for James Houghton)

BACKUP

Patching Dynamics

Downstream Dynamics

Patching Dynamics

Downstream Dynamics