Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)³
12 February 2015
Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development
Michael Siegel
James Houghton

Mission: Resiliency of Organizations & Markets
Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational ecosystem: the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors.
Sample key questions:
- Behavioral: What are the attitudes and perceptions of the private sector about cyber security?
- Managerial: What solutions can feasibly be manipulated by the firm or sector itself, and what can be encouraged or directed by outside actors?
- Technological: What is affecting product security of key IT components?
Modeling framework to unpack cyber dynamics and provide organizational framework

Brief Overview of System Dynamics
- SDM used as modeling & simulation method for over 50 years
- Eliminates limitations of linear logics and over-simplicity
- Based on system structure, behavior patterns, interconnections of positive & negative feedback loops
- SDM has been applied to numerous domains:
  - Software development projects
  - Process improvement projects
  - Crisis and threat in the world oil market
  - Stability and instability of countries
  - many others
- SDM helps to uncover hidden dynamics in system:
  - Helps understand unfolding of situations
  - Helps anticipate & predict new modes
  - Explore range of unintended consequences

Mission: Dynamics of Threats and Resilience
How did breaches (threats) occur? *
- 67% were aided by significant errors (of the victim)
- 64% resulted from hacking
- 38% utilized malware
How are security and threat processes (resilience) managed? *
- Over 80% of the breaches had patches available for more than 1 year
- 75% of cases go undiscovered or uncontained for weeks or months
[Diagram labels: Systems Not at Risk; Adverse Behaviors & Management; Risk Promotion; Risk Reduction; Systems At Risk; Risk Management; Attack Onset; Recovery; Threat Management; Affected Systems; Real-World Implications: Financial, Data, Integrity, Reputation]
* Verizon Data Breach Report

Relating Actions to Outcomes
Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive?
[Diagram labels: Systems Not at Risk; Adverse Behaviors & Management; Risk Promotion; Risk Reduction; Systems At Risk; Risk Management; Attack Onset; Recovery; Threat Management; Affected Systems; Real-World Implications: Financial, Data, Integrity, Reputation]

Attack Vector Identification
Patching Dynamics
[Diagram labels: Vendor Resilience and Responsiveness; Attacker Capabilities; Resources; Motivation; Skills; Awareness; Firm Performance; Not Compromised; Identifying Exploits; Patching; Identified Attack Vectors; Compromised; Firm Knowledge And Awareness; Visibility; Technical Capabilities; Process; Architecture; Info Sharing; Reverse Engineering; Sector Performance]

System Compromising
Downstream Dynamics
[Diagram labels: Architecture Resilience; Attacker Capabilities; Firm Performance; Availability; Data Security; Public Awareness; Not Compromised; Identified Attack Vectors; Compromising; Remediating; Compromised; Firm Knowledge And Awareness; Defensive Procedures; Establishing Footholds; Sector Performance]

Simulation Modeling Overview
[Stock-and-flow model diagram. Labels include: Not Compromised; Identified Attack Vectors; Compromised; Total Systems; Patch Delay; Base Patch Delay; New Patch Delay; Change in Patch Delay; Application Software Security; Base Application Software Security; Normalized Software Security; Effect of Investment on Application Security; Effect of Application Software Security on Vulnerability Identification; Identifying Vulnerabilities; Reducing Vulnerabilities; Compromising Rate; Implied Compromising Rate; Fraction Vulnerable; Fraction Compromised; Attacking; Recovery; <Vulnerability Identification Rate>; <Action to Reduce Vulnerabilities>; <Compromising Rate>; <Recovery Rate>; <Attack Vector Gap>]

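A small stock-and-flow simulation of the three stocks named in the diagrams (Not Compromised, Identified Attack Vectors, Compromised), added here as an illustration and not the presenters' model. It treats all three stocks as counts of systems; the names Params, simulate, summarize, BASE and FAST_PATCH, the fleet size and every rate or delay value are assumptions.

```python
# Added illustration (not the presenters' model): Euler integration of a
# three-stock system. All parameter values below are assumed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Params:
    total_systems: float = 200.0   # assumed fleet size
    identify_rate: float = 0.05    # share of clean systems exposed per week
    patch_delay: float = 20.0      # weeks from identified vector to patch
    compromise_rate: float = 0.10  # share of exposed systems compromised per week
    recovery_delay: float = 8.0    # weeks to remediate a compromised system

def simulate(p, weeks=100.0, dt=0.25):
    """Return [(week, not_compromised, attack_vectors, compromised), ...]."""
    n, v, c = p.total_systems, 0.0, 0.0
    rows = [(0.0, n, v, c)]
    for step in range(1, round(weeks / dt) + 1):
        identifying = n * p.identify_rate      # Not Compromised -> Attack Vectors
        patching = v / p.patch_delay           # Attack Vectors -> Not Compromised
        compromising = v * p.compromise_rate   # Attack Vectors -> Compromised
        remediating = c / p.recovery_delay     # Compromised -> Not Compromised
        n += dt * (patching + remediating - identifying)
        v += dt * (identifying - patching - compromising)
        c += dt * (compromising - remediating)
        rows.append((step * dt, n, v, c))
    return rows

def summarize(rows, dt=0.25):
    """Final stocks plus compromised system-weeks accumulated over the run."""
    _, n, v, c = rows[-1]
    exposure = sum(r[3] for r in rows[:-1]) * dt
    return {"not_compromised": n, "attack_vectors": v,
            "compromised": c, "compromised_system_weeks": exposure}

BASE = Params()
FAST_PATCH = replace(BASE, patch_delay=10.0)  # assumed intervention: halve patch delay

if __name__ == "__main__":
    for name, p in (("base", BASE), ("fast patch", FAST_PATCH)):
        s = summarize(simulate(p))
        print(name, {k: round(x, 1) for k, x in s.items()})
```

With these assumed values the stocks settle well before week 100, so the final row approximates the equilibrium each patch delay produces.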
Making the Case
Blue is base case; red case is patching with quality standards; green is current case
[Plots over Weeks 0 to 100. Technical: Not Compromised, Attack Vectors, Infected. Managers: Upstream Costs, Downstream Costs. Senior Management (CIO): Total Costs.]

Summary of Results
- Solving problems upstream is more effective than fixing them downstream.
- Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions.
- Nonlinearities and tipping points may exist.

Summary
- Cybersecurity solutions require a holistic approach
- Systems modeling: behavior, management, policy and technology
- The case of patching and software quality provides insights into timing and approaches
- Bug bounty programs and vulnerability markets have significant effect on security and the cyber ecosystem (stay tuned for James Houghton)