Defense trees for economic evaluation of security investments Stefano Bistarelli Fabio Fioravanti Pamela Peretti

Transcription

1 Defense trees for economic evaluation of security investments Stefano Bistarelli Fabio Fioravanti Pamela Peretti Dipartimento di Scienze Università degli Studi G. d Annunzio Pescara, Italy

2 How to protect an organization s asset? What is the problem? Loss of data Diffusion of reserved information Interruption of service

3 Motivation Create a process to identify, describe and analyze the possible vulnerabilities of a system Provide an economic balance between the economic impact of risk and the cost of risk mitigation

4 Agenda Background Qualitative approach Attack trees Quantitative approach Economic indexes Defense trees = Attack tree + countermeasures Defense trees + quantitatives labels Economic evaluation of countermeasures

5 Qualitative approach A relative evaluation of: assets threats and vulnerabilities countermeasures Scenario analysis Attack trees

6 Attack trees An attack tree [Schneier00] is a tree-based structure where: the root is an asset of an IT system the paths from the root to the leaf are the way to achieve this goal the non-leaf nodes can be: and-nodes or-nodes or-nodes and-nodes root

7 Attack trees An attack tree can be transformed to its Disjunctive Normal Form [Mauw05] ((A or B) and C)=(A and C) or (B and C) C A C B C A B

8 Quantitative approach Assigns absolute numeric attribute values to: assets (asset value) threats and vulnerabilities (exposure factor, annualized rate of occurrence) countermeasures (cost, risk mitigated) Economic Indexes

9 Economic Indexes Return on Investment (ROI) a performance measure used to evaluate the efficiency of an investment

10 Agenda Background Qualitative approach Attack trees Quantitative approach Economic indexes Defense trees = Attack tree + countermeasures Defense trees + quantitatives labels

11 Building the defense tree 1. Create an attack tree,

12 Building the defense tree 2. Defense tree = attack tree + countermeasures

13 Building the defense tree 3. Label the defense tree using quantitative indexes and computing the Return on Investment 4. Label the defense tree using quantitative indexes and computing the Return on Attack [Cremonini05]

14 Return On Investment Asset Value (AV) AV=

15 Return On Investment Exposure Factor (EF) AV Asset Value AV= EF=90% EF=93%

16 Return On Investment Single Loss Exposure (SLE=AV EF) AV EF Asset Value Exposure Fact AV= SLE= EF=90% EF=93% SLE=93.000

17 Return On Investment Annualized Rate of Occurrence (ARO) AV EF SLE Asset Value Exposure Fact Single Loss Exposure AV= SLE= EF=90% EF=93% SLE= ARO=0,10 ARO=0,10

18 Return On Investment Annualized Loss Expectancy (ALE=SLE ARO) AV= AV EF SLE Asset Value Exposure Fact Single Loss Exposure ARO Annualized Ra of Occurrence SLE= ALE=9.000 EF=90% ARO=0,10 EF=93% ARO=0,10 SLE= ALE=9.300

19 Return On Investment Risk Mitigated by a countermeasure (RM) SLE= ALE=9.000 EF=90% ARO=0,10 AV= EF=93% ARO=0,10 SLE= ALE=9.300 AV EF SLE Asset Value Exposure Fact Single Loss Exposure ARO Annualized Ra of Occurrence ALE Annualized Los Expectancy RM=70% RM=10% RM=20% RM=10% RM=50% RM=50%

20 Return On Investment Cost of a Security Investment (CSI) SLE= ALE=9.000 EF=90% ARO=0,10 AV= EF=93% ARO=0,10 SLE= ALE=9.300 AV EF SLE Asset Value Exposure Fact Single Loss Exposure ARO Annualized Ra of Occurrence ALE RM Annualized Los Expectancy Risk Mitigated RM=70% RM=10% RM=20% RM=10% SI=1.500 CSI=3.000 CSI=300 CSI=3.000 RM=50% CSI= RM=50% CSI=12.000

21 Return On Investment AV Asset Value EF Exposure Fact SLE Single Loss Exposure AV= ARO Annualized Ra of Occurrence SLE= ALE=9.000 EF=90% ARO=0,10 EF=93% ARO=0,10 SLE= ALE=9.300 ALE RM Annualized Los Expectancy Risk Mitigated CSI Cost Security Investment RM=70% RM=10% RM=20% RM=10% SI=1.500 CSI=3.000 CSI=300 CSI=3.000 ROI=3,20 ROI=-0,70 ROI=5,20 ROI=-0,69 RM=50% CSI= ROI=-0,62 RM=50% CSI= ROI=-0,61

22 Return F.W. On Investment Consider EF as Uncertain variable with values in an interval (70<EF<95) (and similar for RM) Compute ROI/ROA indexes as intervals Study operations between intervals and notions of Optimistic combination Pessimistic combination Robustness (See works by Gervet-Yorke-Smith) AV= AV EF SLE Asset Value Exposure Fact Single Loss Exposure ARO Annualized Ra of Occurrence ALE RM CSI Annualized Los Expectancy Risk Mitigated Cost Security Investment SLE= ALE=9.000 EF=90% ARO=0,10 EF=93% ARO=0,10 SLE= ALE=9.300 RM=70% RM=10% RM=20% RM=10% SI=1.500 CSI=3.000 CSI=300 CSI=3.000 ROI=3,20 ROI=-0,70 ROI=5,20 ROI=-0,69 RM=50% CSI= ROI=-0,62 RM=50% CSI= ROI=-0,61

23 Return On Attack Gain that an attacker expects from an attack GI=30.000

24 Return On Attack Cost of an attack GI expected gain GI= Cost=4.000 Cost=4.200

25 Return On Attack Additional cost (loss) caused by a countermeasure S GI expected gain Cost cost before S GI= Cost=4.000 Cost=4.200 s= Loss=1.000 Loss=200 Loss= Loss= Loss= 1.500

26 Return On Attack GI expected gain Cost cost before S Loss loss caused by GI= Cost=4.000 Cost=4.200 s= Loss=1.000 Loss=200 Loss= ROA=5,00 ROA=6,00 ROA=6,82 ROA=5,77 Loss= ROA=5,45 Loss= ROA=5,26

27 Putting together the evaluations Maximize ROI minimize ROA max ROI min ROA a Pareto-optimal solution maximize a user-defined function of ROI and ROA F.W. CP-Nets

28 Putting together the evaluations Maximize ROI ROI=3,20 ROI=-0,70 ROI=5,20 ROI=-0,69 ROA=5,00 ROA=6,00 ROA=6,82 ROA=5,77 ROI=-0,62 ROI=-0,61 ROA=5,45 ROA=5,26

29 Putting together the evaluations Minimize ROA ROI=3,20 ROI=-0,70 ROI=5,20 ROI=-0,69 ROA=5,00 ROA=6,00 ROA=6,82 ROA=5,77 ROI=-0,62 ROI=-0,61 ROA=5,45 ROA=5,26

30 Putting together the evaluations max ROI min ROA ROI=3,20 ROI=-0,70 ROI=5,20 ROI=-0,69 ROA=5,00 ROA=6,00 ROA=6,82 ROA=5,77 ROI=-0,62 ROI=-0,61 ROA=5,45 ROA=5,26

31 Putting together the evaluations The Pareto-optimal countermeasure for the first attack ROA 10 c3 c2 c1 c1 c ROI c3

32 Putting together the evaluations The Pareto-optimal countermeasure for the second attack ROA 10 c5 c4 c4 c5 c ROI c6

33 F.W. CP-Nets Relations between possibilistic logic and cp-nets Uncertainties of attacks modelled as probability/possibility distribution (See: CP-Net, Possibility Theory (Prade, Dubois), Uncertainty and CP-Net (?Brent Phd Thesis?)) A 1 f A 2 A 1 c 1 f c 2 f c 3 A 2 c 4 f c 2 f c 3 c 4 f c 1 f c 2 f c 3

34 Conclusion and Future Work From Attack to Defense trees Defense trees + quantitative labels ROI ROA Evaluation of multiple attacks and countermeasure Heuristics to find the best configuration Minimum (cost) set cover Game Theory analysis Defense Graphs Constraint intervals to represent uncertain indexes (RM, ARO, EF)