In complex and generally large-scale systems and organizations, such as corporate Information Technology (IT) infrastructures for example, there exist potential threats to the security of the system. Such security vulnerabilities, even when they can be discovered and defined in a meaningful way, are typically difficult and costly to assess. This can be because of the number and nature of the vulnerabilities, for example, as well as the number of assets present in such large systems, all of which affect the potential solutions, which can vary greatly.
Typically, methodologies for examining an organization's security posture and for identifying potential gaps in security investments proceed by decomposing the overall security issue into a set of potential risks, and then using these to estimate the likelihood and impact of each risk on the organization. Accordingly, it is then typically possible to identify some form of controls for the potential risks and to define the costs associated with these controls. A residual risk once a control is deployed can then be calculated and appropriate investments in security can thus be determined.
Various features and advantages of the present disclosure will be apparent from the detailed description which follows, taken in conjunction with the accompanying drawings, which together illustrate, by way of example only, features of the present disclosure, and wherein:
In block 101, the dynamics of the outcomes determined in the identification phase are explored by constructing an executable system security model of the environment in which the security risk exists or may potentially exist, in the context of its dynamic threat and economic environments. Accordingly, in this stage architectural, policy, business process, and behavioral constraints which are inherent in the security risk are captured and formalized. According to an example, threat environment characteristics such as potential attacker behavior, threat vectors and probabilities, and other externalities that may influence an internal business process or human behavior in the organization are identified and captured as events. The stage can include observations of stages and decision points of the system involved. According to an example, the modeling cycle can be repeated until a model is determined to sufficiently capture the decision-making situation. In the example of access control, a model can define the way in which the organization in question will be affected if (and how) certain access control systems are implemented. Accordingly, the model can be used to demonstrate a security risk for the environment in the absence of a particular implementation, or with an implementation which is not aligned with operational characteristics of the organization or which does not appropriately address the risk.
According to an example, defining a model 101 or representation includes using a set of internal and external components to represent aspects of the environment and security risk under consideration, which aspects may influence the environment and security risk, and influence the way in which the risk affects an organization embodied by the representation of the environment. External components may correspond to a threat environment and can include the rate of discovery of vulnerabilities, a speed to develop exploits, a speed to develop patches and signatures, attacker behavior etc. Internal components can include specific tasks undertaken in security operations, a speed with which these tasks are undertaken, a length of time to undertake the tasks and specific security solutions and mechanisms and their properties. This might also include behavioral aspects that affect security, such as personnel movements and habits (such as writing a password down for example). Components can be static or dynamic—that is to say, a component can have a behavior in a model which is dependent on previous decision points, or can be a component which generates a value from an associated probability distribution such that the value can change dynamically in response to repeated runs of a model and in response to an input value received by the component (which affects the output).
In deriving a model or representation, considerations which include the investment choices which can be made, and a set of measures representing a search domain for those choices, can be taken into account. For example, a particular investment choice could include installing biometric sensors at various locations and with varying complexity at certain positions within an organization. Accordingly, a search domain for the choices can include ranges associated with the number, location and complexity of sensors. Variation of these parameters within the defined ranges will typically result in multiple outcomes which affect the way in which an associated security risk may (or may not) be mitigated—in this context a risk may include denying access to authorized personnel, or a failure to install a sensor in a location, thereby allowing access where it should actually be more strictly controlled. According to an example, a search domain or range for a parameter can be derived in an identification phase based on characteristics of the environment to be modeled, and based on how the risk is managed in the organization embodied by the representation of the environment. It can be modified in response to an indication that the range is not suitable. For example, for a given search range, a set of outcomes can lead to a conclusion that the range needs to be altered in order to encompass a different space of results which may be more suitable for determining how to mitigate a certain risk. According to an example, a model or representation can be a graphical model or representation, or a representation provided in another form, such as a textual representation for example, in which aspects of a model are represented by respective portions of marked-up text.
In block 102, the model of block 101 is used in order to generate data in the form of results clusters 103 which can be used for analyzing (block 104) the environment (or portion thereof) in view of the risk or solution. That is to say, using the model, behavior is simulated using the representation of a dynamic threat and economic environment by exploring the search domains in order to provide results clusters 103 which can be in the form of multiple output configurations for the environment. The output configurations can represent outcomes associated with choices which can be made to mitigate the effects of a security risk. Results and conclusions can be validated against the preferences of the decision-maker, such as the CISO for example. In case they do not match the preferences, further refinement of the risk or components can take place. Alternatively, if a search domain is determined to be unsuitable it can be widened or narrowed in scope.
Accordingly, a system according to an example uses a model corresponding to a characterization of a risk or issue in a dynamic threat environment determined in an identification phase to provide a set of output calculations which are used to determine a solution, perhaps including refinement of the initial risk identification and/or model. As indicated by dotted lines in
According to an example, the model engine 200 can be functionally linked to a processor 205 (CPU) for performing calculations for the engine. Other connections to the model engine 200 have been omitted in
Typically, an investment 203 will be a financial investment, either direct or indirect—for example, implementing a new process, tool, product or workflow to mitigate the effects of an identified security risk, and/or releasing some proportion of a workforce to perform tasks aimed at mitigating the risk, and/or engaging additional workforce. Some investments may be less straightforward to quantify. For example, an investment in a behavioral change such as a change in a process or workflow which is performed by some proportion of a workforce, can be parameterized in various different ways. One possible way to parameterize such an investment could be by determining a temporal range as a result of possible delays to some portion of a workflow as a result of a change intended to make the workflow more robust, such as by a person interposing on certain actions to verify consistency and/or accuracy for example.
According to an example, engine 200 is therefore used to generate a model 207 for a system or environment in which there may be a security risk using multiple ones of the internal 201 and external 202 components, which components define adjustable elements of the model 207. The components and the relationships and functional links between the components define the model (relationships can be causal, communication of data, links to shared resources or queues, etc.). The generated model is used to perform a set of calculations to explore a space of outcomes using different intervals for multiple parameters 204, such as under different investment choices or under specific conditions in the threat environment for example. According to an example, a risk analyzer is used to perform calculations in a consistent manner. It supports the process of defining discrete combinations of parameter variations (experimental cases) and can generate/manage structures to hold simulation data, perform repeated randomized runs within each experimental case, and gather basic statistics for each experimental case, including confidence intervals (standard error) for example.
Accordingly, a set of parameters 204 of a model 207 are varied in a set of repeated randomized simulation runs 301 according to an experiment plan 305 which includes data representing which of parameters 204 to vary, a range for the variation, and an associated granularity for the variation (such that variations are performed in integer multiples of units of the parameter in question, or some other multiple for example). An experiment plan 305 and a results plan 307 can be provided in terms of a simple text format or in another marked up format such as XML for example. In order to cause randomization in the runs, each run within each case is provided with a random seed that is used to prime a pseudo-random number generator that provides for the randomized choices made during a simulation. These initial ‘seed’ values are provided in terms of an independently generated list of random integers (a seed file). For example, if a model of an environment E in which there exists a security risk S1 comprises multiple components {C}=[C1, C2, . . . Cn], with an associated set of parameters {P}=[P1, P2, . . . Pm] representing adjustable measures for the components (wherein each component in {C} may have multiple parameters associated with it), an experiment plan 305 can define which of the {P} are adjusted and a range for adjustment. So for example, if experiment plan 305 describes that a subset of {P} be used, an initial seed can be used to generate random numbers which are used to determine values for these parameters (within their respective ranges). Each set of values for parameters forms a ‘run’, so that multiple runs are performed within the search scope of parameters, thereby providing results clusters 103, 302 (i.e. multiple output configurations calculated using the risk analyzer 300). In this way, the search space for parameters can be explored. 
That is to say, repeated runs of model simulations 301 are performed according to the experiment plan within the search intervals defined and using the list of random numbers. The output from a set of repeated runs forms a results cluster 103, 302 representing the set of possible outcomes according to the randomized runs using the model in view of the experiment plan. An analysis module 303 can take the clusters 103, 302 as input and can aggregate the results 304 according to the results plan 307. In this connection, aggregating results in block 304 of analyzer 300 allows data from multiple experiments (multiple results clusters 103, 302) to be presented in a manner that is comprehensible to the stakeholders and that usefully shows outcomes in terms of risk exposure. Representation can be done in the form of charts and tables and to support this, a charting and report generation component 306 can be used. Component 306 can calculate statistical results/information gathered over runs. For example, histograms can be calculated to show frequency plots of how many values fall within particular ranges (bins). These can be useful descriptions of probability information and indicate where the most frequent range of values arises. Also, time series charts can be provided to show how selected quantities vary over time.
A different experiment plan can specify that a different subset of {P} is used—for example, to explore the way in which different investment choices can affect a situation or risk. Accordingly, corresponding clusters of results can be obtained which may be different even though the same model is used. According to an example, a specific investment choice can be explored using outputs from risk analyzer 300 operating under different experiment plans 305.
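The experiment plan, seed file, repeated randomized runs per experimental case, and per-case statistics described above, as an added example that is not part of the original disclosure or of any product it describes. The model is an assumed toy: an external component (speed to develop exploits) and an internal component (speed to deploy patches) produce a yearly count of exposure days, and the two parameters are varied over ranges with a fixed granularity; passing a different plan to run_experiment yields a different results cluster from the same model.

```python
import random
import statistics
from itertools import product

# Constructed seed file: an independently generated list of random integers, one per run.
SEED_FILE = [101, 202, 303, 404, 505, 606, 707, 808]

# Experiment plan: which parameters to vary, the range, and the granularity (step).
EXPERIMENT_PLAN = {
    "patch_days": {"range": (2, 10), "step": 4},    # internal: speed to develop/deploy patches
    "exploit_days": {"range": (1, 5), "step": 2},   # external: speed to develop exploits
}
# Components held fixed in this plan (assumed values).
FIXED = {"horizon_days": 365, "discovery_rate": 0.05}  # vulnerabilities discovered per day

def experimental_cases(plan):
    """Discrete combinations of parameter variations: one dict per experimental case."""
    names = list(plan)
    grids = [range(p["range"][0], p["range"][1] + 1, p["step"]) for p in plan.values()]
    return [dict(zip(names, values)) for values in product(*grids)]

def simulate_run(params, seed):
    """One randomized run primed with its seed: days on which an exploit exists but no patch is applied."""
    rng = random.Random(seed)
    exposure = 0
    for day in range(FIXED["horizon_days"]):
        if rng.random() < FIXED["discovery_rate"]:           # a vulnerability is discovered
            exploit_at = day + rng.randint(1, params["exploit_days"])
            patched_at = day + rng.randint(1, params["patch_days"])
            exposure += max(0, patched_at - exploit_at)      # only the window after the exploit counts
    return exposure

def run_case(params, seeds):
    """Repeated randomized runs within one experimental case, one seed per run."""
    return [simulate_run(params, s) for s in seeds]

def case_statistics(values):
    """Basic statistics per case, including the standard error used for confidence intervals."""
    n = len(values)
    stderr = statistics.stdev(values) / n ** 0.5 if n > 1 else 0.0
    return {"n": n, "mean": statistics.fmean(values), "stderr": stderr}

def histogram(values, bins):
    """Frequency counts of run outcomes falling into equal-width bins."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1
    counts = [0] * bins
    for v in values:
        counts[min(int((v - lo) / width), bins - 1)] += 1
    return counts

def run_experiment(plan=EXPERIMENT_PLAN, seeds=SEED_FILE):
    """Results cluster: runs, statistics and a histogram for every case in the plan."""
    cluster = []
    for case in experimental_cases(plan):
        runs = run_case(case, seeds)
        cluster.append({"case": case, "runs": runs,
                        "stats": case_statistics(runs), "hist": histogram(runs, 4)})
    return cluster
```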
According to an example, each model component can have a unique shape type associated with it which has a corresponding class which contains machine readable instructions for communicating with the model engine 200. The shape type can be used as part of an interface for a system as described below. According to an example, the shape type for a component can be provided as a graphical representation for the component which is distinct from other components thereby allowing a user of the system to distinguish between components, such as when altering or creating a model for example. A link between graphical representations provides a logical flow for a model. The model 207 as compiled by the model engine 200 is used by the risk analyzer 300 in order to generate a set of output configurations as described above.
In block 306, chart and report generation uses the results from risk analyzer 300. An interface 401 can be used according to an example to allow users to explore and conduct investigations quickly by using the output from a modeled situation, or by allowing a user some degree of control over the way in which a situation is investigated. More specifically, interface 401 can use parameters 204 from the model engine 200 to provide multiple user adjustable options which can be used to modify parameters and/or ranges in response to output configurations. The adjustments made can cause the risk analyzer to calculate multiple new output configurations on the basis of the adjustments made without the need for a model to be regenerated in model engine 200. Accordingly, interface 401 provides an easy to understand and efficient way of allowing multiple parties to see in real time the effects that changes may have to a risk or environment. For example, for a given security risk relating to the provision of access control, an interface can allow a user to modify parameters or ranges relating to the number of points in an infrastructure adapted to increase access control. An interface 401 can also be provided which gives a user control over a model or template as will be described below.
Similarly, a results plan library 508 includes a set of multiple files of machine readable instructions defining multiple different ways in which results which have been calculated can be processed and displayed. For example, for a given model and experiment plan, results clusters 103, 302 can be generated. A results plan can use the clusters to extract certain data of interest, which can then be used in chart and report generation 306. For a given model/experiment plan combination, multiple results plans can be used to extract different data from multiple corresponding results clusters 103, 302.
According to an example, a package can be provided including a model template with an associated experiment and results plan which is defined to be applicable to a particular type of system. For example, in the field of access control, a generic and adjustable model template can be provided to model a system, and an experiments plan can be included which is predefined for generating multiple configurations for the system in response to changes in access controls. Similarly, a packaged results plan can provide access to results geared for a determination and analysis of data relating to access control.
The system of
Results interface engine 503 drives a results view interface 504. The results view interface allows a user to make queries of the system using results which have already been generated in risk analyzer 300. For example, a given model from model library 400, in combination with an experiment plan from experiment plan library 507 and a results plan from results plan library 508, is used in order to calculate clusters of results for a specific security risk. The results plan used specifies that certain data is extracted and used in chart and report generation 306 in order to provide a user with some predefined (according to the results plan) results, such as a set of graphs for example. The results view interface allows a user with appropriate permissions to initiate chart and report generation using calculated data in order to provide results outside of the scope of the results plan. According to an example, the results used for such chart and report generation are pre-existing—that is, the use of the results view interface does not cause new data to be calculated; it allows a user to query data already present which may not have been displayed to the user (such as data not displayed because it is outside of the results plan scope, for example). A results interface engine 503 is therefore able to use data in existing results clusters 103, 302.
Experiments interface engine 505 drives an experiments view interface 506 to provide a mode of operation of the system of
Model interface engine 501 drives a model view interface 502 to provide a mode of operation of the system of
According to an example, database 601 can store data representing packages as described above. In addition to unified packages/projects, database 601 can include information about people who have rights to access a package or project and a description of the package or project. The information can be stored as metadata for example.
A user may interact (e.g., enter commands or data) with system 700 using input devices 709 (e.g., a keyboard, a computer mouse, a microphone, joystick, and touch pad or touch sensitive display screen). Information may be presented through a user interface that is displayed to a user on the display 711 (implemented by, e.g., a display monitor which can be touch sensitive, including a capacitive, resistive or inductive touch sensitive surface for example), and which is controlled by a display controller 713 (implemented by, e.g., a video graphics card). Accordingly, any one of the interfaces 502, 504, 506 can be presented to a user using display 711. A user can then interact with the interface using input devices 709 in order to cause CPU 205 and memory 701 to effect aspects of the system 700.
The system 700 also typically includes peripheral output devices, such as speakers and a printer. A remote computer may be connected to the system 700 through a network interface card (NIC) 715. Alternatively, system 700 can upload retrieved data, or a pointer thereto, to a remote storage service such as cloud based service for example. For example, a database 601 can be stored on a cloud based storage service, and results clusters 103, 302 stored in database 601 can be queried over the network 602 using controller 715.
As shown in