Using security assessment methods to enhance the feedback from security training
Jonas Hallberg, Division of Information Systems, Swedish Defence Research Agency (FOI)
www.foi.se/securityassessment, [email protected]

Uploaded by beverly-hood, 26-Dec-2015 (18 slides)

Page 1: Using security assessment methods to enhance the feedback from security training

Jonas Hallberg
Division of Information Systems, Swedish Defence Research Agency (FOI)
www.foi.se/securityassessment
[email protected]

Page 2: Training environment

Figure: training environment diagram. Elements shown: network configuration, administration server, game net, Internet, several red teams (including a bot net with bots), white team with documentation system, blue team with the blue network, and a system model.

Page 3: Security assessment focus

Figure: the training environment diagram (administration server, game net, Internet, red teams, white team with documentation system, blue team) with two further elements: a security assessment tool and the network configuration.

Page 4: Security assessment context

Figure: elements shown are the network configuration, a token, the security assessment tool, and documentation.

Page 5: Security assessment method: XMASS - eXtended Method for Assessment of System Security

Figure: method overview with the parts systems modeling, computations modeling, security values measurement and aggregation, and assessment results.

Formula residue (not recoverable from the transcript): an expression indexed i = 1..N using the symbols SP, w, FP and E.

Page 6: XMASS – systems modeling

Systems are modeled as interconnected components.

Two main classes of components:
1. Traffic generators, e.g. PCs and PDAs
2. Traffic mediators, e.g. firewalls and hubs

Two types of relations:
1. Physical, e.g. network connections
2. Logical, e.g. node dependencies

The abstraction level is not fixed.

Page 7: XMASS – security values

Entity profiles: security profiles consist of security features with corresponding elementary security values; filtering profiles describe the ability of traffic mediators to block malicious traffic.

Entity relations: inter-component relations are modeled with a set of functions.

System-dependent security profiles: computed for each component based on component security profiles and relations.

System security values: based on the system-dependent security profiles.

Figure: example security profile with the features Authentication, Access Control and Audit and the elementary security values 7.0, 5.0 and 8.0.
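A small model of the component and relation structure the two preceding slides describe, added here as an illustration; it is not XMASS's own code and does not reproduce its computations. The three aggregation rules (exposure over physical paths weighted by what mediators let through, weakest link over logical dependencies, per-feature minimum over the assessed components), the collapsing of a filtering profile to a single blocked share, and the sample blue network are all assumptions chosen to make the slides' concepts concrete.

```python
"""Component-based security assessment in the spirit of the XMASS slides.

Added illustration, not XMASS's own computations: the aggregation rules
and the sample network below are assumptions."""
from dataclasses import dataclass

FEATURES = ("Authentication", "Access Control", "Audit")


@dataclass
class Generator:
    """Traffic generator (PC, server): carries a security profile."""
    name: str
    profile: dict          # feature -> elementary security value, 0..10
    assessed: bool = True  # False for hosts outside the assessment focus


@dataclass
class Mediator:
    """Traffic mediator (firewall, hub). Its filtering profile is collapsed
    here (assumption) to one number: the share of malicious traffic blocked."""
    name: str
    blocks: float


class SystemModel:
    def __init__(self):
        self.components = {}
        self.physical = {}   # component -> set of physically connected components
        self.logical = {}    # dependent -> set of generators it relies on

    def add(self, *comps):
        for c in comps:
            self.components[c.name] = c
            self.physical.setdefault(c.name, set())
            self.logical.setdefault(c.name, set())

    def connect(self, a, b):                    # physical relation, undirected
        self.physical[a].add(b)
        self.physical[b].add(a)

    def depends_on(self, dependent, provider):  # logical relation, directed
        self.logical[dependent].add(provider)

    def passthrough(self, src, dst):
        """Largest share of src's traffic reaching dst over a physical path;
        each mediator on the way lets through (1 - blocks). Assumption:
        generators do not forward traffic, so paths only cross mediators."""
        best = 0.0

        def walk(node, seen, share):
            nonlocal best
            for nxt in self.physical[node]:
                if nxt in seen:
                    continue
                if nxt == dst:
                    best = max(best, share)
                elif isinstance(self.components[nxt], Mediator):
                    walk(nxt, seen | {nxt}, share * (1 - self.components[nxt].blocks))

        walk(src, {src}, 1.0)
        return best

    def system_dependent_profile(self, name):
        own = self.components[name].profile
        result = {}
        for f in FEATURES:
            # Rule 1: a weaker generator that can reach this one lowers the value
            # in proportion to the unfiltered share of its traffic (worst path).
            reductions = [
                (own[f] - other.profile[f]) * self.passthrough(other.name, name)
                for other in self.components.values()
                if isinstance(other, Generator) and other.name != name
                and other.profile[f] < own[f]
            ]
            value = own[f] - max(reductions, default=0.0)
            # Rule 2: a component is no stronger than the generators it depends on.
            for provider in self.logical[name]:
                value = min(value, self.components[provider].profile[f])
            result[f] = round(value, 2)
        return result

    def system_security_values(self):
        """Rule 3: per-feature minimum over the assessed generators (weakest
        link), plus the mean of those minima as a single system value."""
        profiles = {c.name: self.system_dependent_profile(c.name)
                    for c in self.components.values()
                    if isinstance(c, Generator) and c.assessed}
        per_feature = {f: min(p[f] for p in profiles.values()) for f in FEATURES}
        overall = round(sum(per_feature.values()) / len(FEATURES), 2)
        return profiles, per_feature, overall


def build_sample_model():
    """Constructed blue network: two assessed hosts behind a firewall and a
    hub, plus one untrusted external host on the Internet side."""
    m = SystemModel()
    m.add(Generator("workstation", {"Authentication": 7.0, "Access Control": 5.0, "Audit": 8.0}),
          Generator("file-server", {"Authentication": 9.0, "Access Control": 8.0, "Audit": 9.0}),
          Generator("internet-host", {"Authentication": 2.0, "Access Control": 2.0, "Audit": 1.0},
                    assessed=False),
          Mediator("firewall", blocks=0.8),
          Mediator("hub", blocks=0.0))
    m.connect("internet-host", "firewall")
    m.connect("firewall", "hub")
    m.connect("hub", "workstation")
    m.connect("hub", "file-server")
    m.depends_on("workstation", "file-server")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    profiles, per_feature, overall = model.system_security_values()
    for name, p in profiles.items():
        print(name, p)
    print("system:", per_feature, "overall:", overall)
    # Model update during an exercise: the firewall is found not to filter.
    model.components["firewall"].blocks = 0.0
    print("after update:", model.system_security_values()[1])
```

With the sample network, the workstation's system-dependent profile drops below its own elementary values because the weak external host reaches it through the firewall with 20 % of its traffic unfiltered, while the file server is pulled down by the workstation behind the hub, which filters nothing. Re-running the assessment after changing a mediator's filtering value is the kind of model update that would give an in-training security status overview.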

Page 8: XMASS – tasks

Figure: task overview listing requirement collection, security profile template, filter profile template, security and filter profiles, physical and logical relation profiles, system model, and system assessments.

Page 9: Requirement collections

Security feature               # requirements
Access Control                 19
Security Logging               12
Intrusion Prevention           17
Intrusion Detection            12
Protection against Malware     16

Page 10: Security profile template

Page 11: Security profiles

Formula residue (not recoverable from the transcript): indexed expressions (indices i, j, k, m, n) involving the symbol SP; the remaining symbols are too garbled to reconstruct.

Page 12:

Page 13:

Page 14: Workflow

Preparation: model network; export network model.
In action: accept tokens; update model.
After-action review: documentation.

Figure: the training environment diagram with a network configuration engine, administration server, game net, Internet, red teams (including a bot net with bots), white team with documentation system, blue team with the blue network, and a system model.

Page 15: Preparation

Page 16: In action

Page 17: After-action review

Page 18: Enhanced training

Supports the specification of the network
Provides an in-training security status overview
Supports the after-action review