Security Monitoring

Chapter:
Security
Version:
Updated:
2015-09-02
Contact Person:
Olivier Bettan / Susana González Zarzosa
olivier.bettan@thalesgroup.com susana.gzarzosa@atos.net
Feedback:

Notice

This GE is deprecated. Its entry was kept to make interested parties aware of the features that will be continued through the new GE that replaces it in FIWARE, called Cyber Security. The Cyber Security GE is planned for release in R4, and a dedicated entry will be created for it in the FIWARE Catalog.

What you get

The Security Monitoring GE is part of the overall Security Management System in FI-WARE and as such is part of each and every FI-WARE instance.

The Security Monitoring GE was designed to be offered as a suite of services. Each service can be used in isolation, but they deliver the most value when used together to cover the whole primary usage pattern (attack graph generation, attack path scoring, remediation). The services offered by the Security Monitoring GE are:
  • MulVAL Attack Paths Engine
  • Scored Attack Paths
  • Remediation
MulVAL Attack Paths Engine

The MulVAL Attack Paths Engine component is an end-to-end framework and reasoning system that conducts multi-host, multi-stage vulnerability analysis on a network. It is accessed through a web browser, so any user can generate attack graphs over the usual protocol and port (HTTP on port 80). Note that a generated attack graph describes the exploitable weaknesses of the monitored network, so access to this interface should be restricted to security operators. An attack graph presents a qualitative view of security discrepancies:
  • It shows which attacks are possible, but does not tell you how bad the problem is.
  • It captures the interactions among all attack possibilities in your system.

Scored Attack Paths

Scored Attack Paths is the next step, building on the metrics provided by the MulVAL Attack Paths Engine. Given the attack graph produced by the MulVAL Attack Paths Engine and the individual score of each step in it, the objective is to enumerate the possible attack paths and associate a score with each of them. The attack paths included in the list are selected according to the target node chosen in the attack graph. The score of each path reflects the risk associated with the path as a whole, derived from the individual step scores previously computed by the MulVAL Attack Paths Engine. In addition to the risk metric, the score of each path includes a second component that accounts for the impact on the business processes linked to the IT resource(s) located either

  • solely at the target node of the attack path, or
  • anywhere on the attack path.
The main idea of scoring attack paths is to consider each path independently of the others, as opposed to the individual step scores of the MulVAL Attack Paths Engine, which are computed by taking into account all the connections existing in the attack graph.

Remediation

Remediation provides security operators with tools for proposing cost-sensitive remediations to attack paths. The attack paths are shown to a security operator, ordered by their scores, which makes it easy to understand the severity of the consequences of each path. To compute the remediation of the chosen attack path, the tool first extracts the necessary information from the attack path to be corrected. It then computes several lists of remediations that could reduce or cut this attack path. Finally, it estimates the cost of each list of remediations and proposes all the lists, ordered by cost, to the security operators. Operators can choose one remediation list and, using the remediation validation, check whether or not the system is more secure after that list has been applied.

To compute remediations, a remediation database is needed. Like the vulnerability database, it is external to the GE. This database links a vulnerability (for example through its Common Vulnerabilities and Exposures identifier, the CVE ID) to a suitable remediation. Several types of remediation can be used, for example a patch (which corrects the vulnerability) or a signature of known attacks (which prevents the exploitation of the vulnerability). To build the remediation database, information about patches can be extracted from publicly available security advisories (for example from CERT-EU or the National Vulnerability Database); information about signatures and the vulnerability they relate to can be extracted from a signature database that records the CVE ID. The last type of remediation provided by the tool cannot be stored in the remediation database, because it is topological: it consists of firewall rules that prevent the intrusion of the attacker along the path.

To sort the lists of remediations, a cost function computes an estimated cost for each list. This cost has two main components: operational costs and impact costs. The operational costs represent the costs caused by the deployment of the remediations, such as:

  • Length of the deployment
  • Maintenance
  • Test costs
whereas the impact costs represent the negative impact (side effects) that could follow the deployment of a remediation.
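The following is an added example, not code from the Security Monitoring GE or from the MulVAL project, illustrating both the Scored Attack Paths step and the Remediation step described above on one constructed attack graph. Every node name, vulnerability label, impact value and remediation cost in it is a constructed placeholder; the exact scoring and cost formulas of the GE are not given on this page, so the example assumes the common choices that a path's risk is the product of its step scores and that a remediation list's cost is the sum of its operational components plus its impact cost.

```python
"""Attack-path scoring and cost-ordered remediation over a small attack graph."""
from itertools import product

# Constructed sample attack graph (not MulVAL output). Each edge is one
# exploitation step: (next node, step score, vulnerabilities exploited).
# The step score stands for the per-step metric the engine provides, read
# here as the likelihood in (0, 1] that the step succeeds.
ATTACK_GRAPH = {
    "internet":  [("webserver", 0.9, ["vuln_httpd"])],
    "webserver": [("appserver", 0.6, ["vuln_rpc"]), ("dbserver", 0.3, ["vuln_sqlsvc"])],
    "appserver": [("dbserver", 0.7, ["vuln_sqlsvc"])],
    "dbserver":  [],
}

# Constructed business impact of compromising each node (0..10).
NODE_IMPACT = {"internet": 0, "webserver": 3, "appserver": 5, "dbserver": 9}


def remediation(kind, ident, fixes, deploy, maintenance, tests, impact):
    """One remediation: what it fixes, its operational cost parts, its side-effect cost."""
    return {"type": kind, "id": ident, "fixes": fixes, "deploy": deploy,
            "maintenance": maintenance, "tests": tests, "impact": impact}


# Constructed stand-in for the external remediation database: per vulnerability,
# the patch or detection signature that removes it (costs are arbitrary units).
REMEDIATION_DB = {
    "vuln_httpd":  [remediation("patch", "httpd-update", "vuln_httpd", 1, 1, 2, 1),
                    remediation("signature", "httpd-ids-rule", "vuln_httpd", 0.5, 2, 1, 0.5)],
    "vuln_rpc":    [remediation("patch", "rpc-update", "vuln_rpc", 3, 1, 4, 3)],
    "vuln_sqlsvc": [remediation("patch", "sqlsvc-update", "vuln_sqlsvc", 5, 2, 6, 8)],
}


def attack_paths(graph, source, target):
    """Enumerate simple paths source -> target as lists of (src, dst, score, vulns)."""
    paths = []

    def walk(node, visited, steps):
        if node == target:
            paths.append(list(steps))
            return
        for dst, score, vulns in graph.get(node, []):
            if dst not in visited:
                steps.append((node, dst, score, vulns))
                walk(dst, visited | {dst}, steps)
                steps.pop()

    walk(source, {source}, [])
    return paths


def score_path(path, impact_mode="target"):
    """Risk = product of the step scores (each path scored on its own, independently
    of the rest of the graph); impact = the target node's impact, or the sum over
    every node reached on the path when impact_mode == "path"."""
    risk = 1.0
    for _, _, step_score, _ in path:
        risk *= step_score
    risk = round(risk, 4)
    nodes = [dst for _, dst, _, _ in path]
    impact = NODE_IMPACT[nodes[-1]] if impact_mode == "target" else sum(NODE_IMPACT[n] for n in nodes)
    return {"risk": risk, "impact": impact, "score": round(risk * impact, 4)}


def scored_paths(graph, source, target, impact_mode="target"):
    """All attack paths to the chosen target, highest score first."""
    ranked = [(score_path(p, impact_mode), p) for p in attack_paths(graph, source, target)]
    return sorted(ranked, key=lambda entry: entry[0]["score"], reverse=True)


def remediation_cost(rem):
    operational = rem["deploy"] + rem["maintenance"] + rem["tests"]   # deployment, maintenance, tests
    return operational + rem["impact"]                                # plus side-effect cost


def remediation_lists(path, db):
    """Every remediation list that cuts the path: for each step, one remediation per
    vulnerability the step exploits, plus the topological option (a firewall rule
    denying that step), which is generated rather than looked up. Ordered by cost."""
    lists = []
    for src, dst, _, vulns in path:
        options = [db.get(v, []) for v in vulns]
        if all(options):
            for combo in product(*options):
                combo = list(combo)
                lists.append({"step": (src, dst), "remediations": combo,
                              "cost": sum(remediation_cost(r) for r in combo)})
        firewall = remediation("firewall", f"deny {src}->{dst}", None, 0.5, 1, 1, 4)  # constructed cost
        firewall["edge"] = (src, dst)
        lists.append({"step": (src, dst), "remediations": [firewall], "cost": remediation_cost(firewall)})
    return sorted(lists, key=lambda entry: entry["cost"])


def apply_remediations(graph, rem_list):
    """Graph after remediation: a patch/signature removes the vulnerability from every
    step that exploits it (a step with no vulnerability left disappears); a firewall
    rule removes the step it denies."""
    fixed = {r["fixes"] for r in rem_list if r["type"] != "firewall"}
    denied = {r["edge"] for r in rem_list if r["type"] == "firewall"}
    new_graph = {}
    for src, edges in graph.items():
        kept = []
        for dst, score, vulns in edges:
            remaining = [v for v in vulns if v not in fixed]
            if (src, dst) not in denied and remaining:
                kept.append((dst, score, remaining))
        new_graph[src] = kept
    return new_graph


def max_path_score(graph, source, target, impact_mode="target"):
    ranked = scored_paths(graph, source, target, impact_mode)
    return ranked[0][0]["score"] if ranked else 0.0


def validate_remediation(graph, source, target, rem_list, impact_mode="target"):
    """Remediation validation: does the worst remaining path score drop after applying the list?"""
    before = max_path_score(graph, source, target, impact_mode)
    after = max_path_score(apply_remediations(graph, rem_list), source, target, impact_mode)
    return {"before": before, "after": after, "more_secure": after < before}


if __name__ == "__main__":
    ranked = scored_paths(ATTACK_GRAPH, "internet", "dbserver")
    for score, path in ranked:
        print(score, " -> ".join([path[0][0]] + [dst for _, dst, _, _ in path]))
    worst = ranked[0][1]
    options = remediation_lists(worst, REMEDIATION_DB)
    for option in options:
        print(option["cost"], option["step"], [r["id"] for r in option["remediations"]])
    print(validate_remediation(ATTACK_GRAPH, "internet", "dbserver", options[0]["remediations"]))
```

Running it ranks the three-step path through the application server above the direct path to the database, lists the cheapest cut first (the detection signature on the entry step), and the validation step shows the difference between a remediation that removes every path to the target and one applied to a lower-ranked path, which leaves the worst score unchanged.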

Why to get it

The MulVAL Attack Paths Engine contributes to the risk management of an IT infrastructure. It lets you perform a security risk assessment, evaluate the potential attack paths, and improve both the capability to detect security breaches and the cyber-resilience of the infrastructure. Scored Attack Paths offers an assessment tool that lets users obtain the attack paths existing in an attack graph, along with their respective individual scores. The score of each attack path makes it possible to assess the risk value and the business impact for the target associated with that path. Scored Attack Paths is aimed at users who want to either:
  • Utilize the Remediation asset
  • Evaluate the situation of their IT infrastructure from the security and business impact viewpoint
  • Improve the security configurations through what-if analysis
Remediation is aimed at users who want to either:
  • Show attack paths to a security operator
  • Order attack paths by their scores
  • Apply a cost function to compute an estimated cost for each list of remediations

Open Specification reference

The Open Specifications of the MulVAL Attack Paths Engine in the context of the Security Monitoring GE can be found via the following links:

The Open Specification of the Scored Attack Paths in the context of the Security Monitoring GE can be found via the following link:

The Open Specification of the Remediation in the context of the Security Monitoring GE can be found via the following link: