Optimizing Information Systems Security Design Based on Existing Security Knowledge

Andreas Schilling, Brigitte Werners

Faculty of Management and Economics, Ruhr University Bochum

WISSE 2015 Stockholm—June 08, 2015


Outline

1. Introduction

2. IT baseline protection catalogues

3. Safeguard selection problem

4. Application example

Schilling (RUB) Optimizing IS Security Design June 08, 2015 2 / 21


Introduction

Goal: Providing decision support for security design of information systems

Requirements: Small data requirements (from decision maker)

Decision: Which security safeguards should be implemented?

Approach: Knowledge/data → optimization → decision


Related work

Existing models require exact input data like
- exact threat probabilities
- exact vulnerability probabilities
- monetary asset valuations
- ...

model first vs. data first


Knowledge base: IT baseline protection catalogues (v2013)
German Federal Office for Information Security (BSI)

Extensive repository of IT security knowledge (4482 pages)

Safeguards (1244), attribute: "effectiveness"
Examples:
- Change of preset passwords
- Use of TLS/SSL

Threats (518), attribute: "criticality"
Examples:
- Unauthorised use of IT systems
- Denial of services

Components (80)
Examples:
- databases
- web servers
- SAP system


Data extraction

(i) IT baseline protection catalogues (html, pdf, spreadsheets)
(ii) data extraction (python)
(iii) knowledge base (sqlite)
(iv) solver input generation (python)
(v) solver input (.dat)


Layers of information

IT baseline protection catalogues
→ (data extraction) →
security knowledge base
→ (parameter generation) →
additional information layer (threat criticality, safeguard effectiveness)
→ (solve) →
optimal solution (combination of safeguards)
→ (implementation & analyses) →
"insights"

[Figure: two arrows labelled "feedback" lead back from later layers to earlier ones]


Security chain

Idea: Security of a system component depends on its most critical threat


Safeguard selection

Safeguard should reduce most critical threat first

[Figure: threat criticality of threats t1 to t5 for component p, shown in several panels with "reduce" steps]

$$\min c_p \quad \text{with} \quad c_p = \max_{i \in I} \{ t_i \mid C_{i,p} = 1 \}$$

- $c_p$: variable criticality index of component $p$
- $t_i$: variable criticality index of threat $i$
- $C = (C_{i,p})$: connecting matrix (binary)


Component criticality

Safeguard selection minimizes maximum threat criticality over all components

[Figure: threat criticality for component 1 and component 2, before and after selecting safeguards; labels: objective, security gain, SSI]

$$\min \Big[ \max_{p \in P} c_p \Big] \quad \text{with} \quad c_p = \max_{i \in I} \{ t_i \mid C_{i,p} = 1 \}$$


Reducing threat criticality $t_i$

Given:
- threat criticality coefficient $\gamma_i \ge 0$
- safeguard effectiveness $\sigma_k \in [0, 1]$
- connection matrix $T = (T_{k,i})$ with $T_{k,i} \in \{0, 1\}$

Requirements:
- safeguards may have an effect on multiple threats
- diminishing marginal utility of effectiveness

$$t_i = \gamma_i \cdot \prod_{k \in K} \sigma_k^{\,s_k \cdot T_{k,i}} \quad \Rightarrow \quad \ln(t_i) = \ln(\gamma_i) + \sum_{k \in K} s_k \cdot T_{k,i} \cdot \ln(\sigma_k)$$


Example: Safeguard effectiveness and threat criticality

[Figure: safeguards, threats and components; steps shown: select second safeguard, add additional safeguard]


Application scenario: e-commerce information system

16 components, 190 threats, 337 safeguards

No.  Component                      # Threats  # Safeguards

Non-technical
 1   Security management                 4         14
 2   Organisation                       18         17
 3   Personnel                          21         15
 4   Handling security incidents         3         24
 5   Outsourcing                        26         17
 6   Patch and change management        22         18
 7   Internet use                       23         16

Technical
 8   Data protection                    13         16
 9   Protection against malware         16         13
10   General server                     33         33
11   Servers under Unix                  7         26
12   Internet PCs                       20         17
13   Client under Windows 7             32         45
14   Web servers                        27         27
15   Databases                          23         32
16   Web applications                   39         38


Baseline solutions

[Figure, panel "BSI entry level certificate": Entry level certificate (177 safeguards). Log. component criticality index (CCI) for components 1 to 16; series: Unprotected system, Solution with entry level safeguards; reference lines: Baseline SSI, Entry level SSI]

[Figure, panel "ISO 27001 certificate": ISO 27001 certificate (270 safeguards). Log. component criticality index (CCI) for components 1 to 16; series: Unprotected system, Solution with ISO 27001 safeguards; reference lines: Baseline SSI, ISO 27001 SSI]


Increasing security

[Figure: SSI comparison. Log. system security index (SSI) over the number of safeguards N (0 to 100); series: Optimal SSI, Entry level SSI, ISO 27001 SSI]


Entry level certificate vs. optimal solutions

[Figure, panel "75 safeguards": Entry level certificate (177 vs. 75 safeguards). Log. component criticality index (CCI) for components 1 to 16; series: Solution with entry level safeguards, Optimal solution with 75 safeguards; reference lines: Entry level SSI, Optimal SSI with 75 safeguards]

[Figure, panel "100 safeguards": Entry level certificate (177 vs. 100 safeguards). Log. component criticality index (CCI) for components 1 to 16; series: Solution with entry level safeguards, Optimal solution with 100 safeguards; reference lines: Entry level SSI, Optimal SSI with 100 safeguards]

All optimized CCIs with 75 safeguards ≤ entry level CCIs
⇒ 102 fewer safeguards (≈ 57 % fewer)


Outlook

Future research:

- Integrating uncertainty (robust approach)
- Extending the scope (e.g., multi-period, adaptive)
- Prototype (decision support system)


Contact

Andreas Schilling, M.Sc.
Chair of Operations Research and Accounting

Ruhr University Bochum
Faculty of Management and Economics
Universitaetsstrasse 150
44780 Bochum
Germany


Appendix


Additional information layer (1)
Threat criticality γ

Safeguard qualification levels
Importance for security (high to low):

A - B - C - Z - W

Generate threat criticality based on existing data

If a threat has more and higher qualified safeguards associated with it, this is an indicator that it is more critical.

$$\gamma_i = \sum_{k \in K} T_{k,i} \cdot g(\sigma_k) \quad \text{with} \quad g(x) = \sqrt{x}$$


Additional information layer (2)
Safeguard effectiveness σ

Safeguard qualification levels
Importance for security (high to low):

A - B - C - Z - W

Higher qualified safeguards are more effective

$$
\sigma_k =
\begin{cases}
0.5 & \text{if qualification level} = A \\
0.6 & \text{if qualification level} = B \\
0.7 & \text{if qualification level} = C \\
0.8 & \text{if qualification level} = Z \\
0.9 & \text{if qualification level} = W
\end{cases}
$$


Parameters and decision variables

Indices and sets
- $P$: Index set of components (indexed by $p$)
- $I$: Index set of threats (indexed by $i$)
- $K$: Index set of safeguards (indexed by $k$)

Parameters
- $\sigma_k$: Effectiveness coefficient of a safeguard
- $\gamma_i$: Criticality coefficient of a threat
- $C_{i,p}$: Connection between component and threat, $C_{i,p} \in \{0, 1\}$
- $T_{k,i}$: Connection between threat and safeguard, $T_{k,i} \in \{0, 1\}$
- $N$: Maximum number of safeguards

Decision variables
- $s_k$: Selection of safeguards, $s_k \in \{0, 1\}$
- $t_i$: Threat criticality index
- $c_p$: Component criticality index


Nonlinear Model

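$$
\begin{aligned}
\min \; & \Big[ \max_{p \in P} c_p \Big] && && (1) \\
\text{s.t.} \; & c_p = \max_{i \in I} \{ t_i \mid C_{i,p} = 1 \} && \forall\, p \in P && (2) \\
& t_i = \gamma_i \cdot \prod_{k \in K} \sigma_k^{\,s_k \cdot T_{k,i}} && \forall\, i \in I && (3) \\
& \sum_{k \in K} s_k \le N && && (4) \\
& s_k \in \{0, 1\} && \forall\, k \in K && (5) \\
& t_i \ge 0 && \forall\, i \in I && (6)
\end{aligned}
$$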


MILP Model

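$$
\begin{aligned}
\min \; & \Big[ \max_{p \in P} \ln(c_p) \Big] && && (7) \\
\text{s.t.} \; & \ln(c_p) = \max_{i \in I} \{ \ln(t_i) \mid C_{i,p} = 1 \} && \forall\, p \in P && (8) \\
& \ln(t_i) = \ln(\gamma_i) + \sum_{k \in K} s_k \cdot T_{k,i} \cdot \ln(\sigma_k) && \forall\, i \in I && (9) \\
& \sum_{k \in K} s_k \le N && && (10) \\
& s_k \in \{0, 1\} && \forall\, k \in K && (11)
\end{aligned}
$$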
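The model (7)-(11), together with the parameter rules from the two "Additional information layer" slides, worked through on a tiny instance. This is an added example, not the authors' code: the safeguard, threat and component names and their connections are constructed, and exhaustive search stands in for a MILP solver, which is only feasible for a handful of safeguards.

```python
import math
from itertools import combinations

# Effectiveness sigma_k per qualification level, as listed on the slide
SIGMA_BY_LEVEL = {"A": 0.5, "B": 0.6, "C": 0.7, "Z": 0.8, "W": 0.9}

# Constructed instance: safeguard -> (qualification level, threats it addresses) = matrix T
SAFEGUARDS = {
    "s1": ("A", {"t1", "t2"}),
    "s2": ("B", {"t1"}),
    "s3": ("A", {"t3"}),
    "s4": ("C", {"t2", "t3"}),
    "s5": ("W", {"t3"}),
}
# Constructed instance: component -> threats connected to it = matrix C
COMPONENTS = {"web server": {"t1", "t2"}, "database": {"t2", "t3"}}

def sigma(k):
    return SIGMA_BY_LEVEL[SAFEGUARDS[k][0]]

def gamma(i):
    """gamma_i = sum_k T_ki * sqrt(sigma_k); > 0 here, every threat has a safeguard."""
    return sum(math.sqrt(sigma(k)) for k, (_, ts) in SAFEGUARDS.items() if i in ts)

def log_t(i, selected):
    """Constraint (9): ln t_i = ln gamma_i + sum_k s_k * T_ki * ln sigma_k."""
    return math.log(gamma(i)) + sum(
        math.log(sigma(k)) for k in selected if i in SAFEGUARDS[k][1])

def log_ssi(selected):
    """Objective (7) with (8): worst log criticality over all components."""
    return max(max(log_t(i, selected) for i in ts) for ts in COMPONENTS.values())

def optimal_selection(n):
    """Try every selection with at most n safeguards, constraints (10) and (11)."""
    candidates = (frozenset(c) for r in range(n + 1)
                  for c in combinations(sorted(SAFEGUARDS), r))
    # Ties are broken in favour of fewer safeguards, then by name.
    best = min(candidates, key=lambda s: (log_ssi(s), len(s), sorted(s)))
    return sorted(best), log_ssi(best)

if __name__ == "__main__":
    for n in range(4):
        print(n, *optimal_selection(n))
    # A fixed, unoptimized set of three safeguards for comparison
    print("fixed set s2,s4,s5:", log_ssi({"s2", "s4", "s5"}))
```

On this instance the optimal two-safeguard selection reaches a lower log SSI than the fixed three-safeguard set, the same effect the entry level comparison in the talk reports at full scale.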


Exemplary e-commerce information system

[Figure: system diagram; labels: externally hosted, VM (three), relational database instance, shop application, Internet attackers, editorial staff, administrative staff, warehouse staff, customers, PC (three)]
