Metrics-Focused Analysis of Network Flow Data
Timothy Shimeall, Ph.D.
Distribution Statements

Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

CERT Coordination Center® and FloCon® are registered marks of Carnegie Mellon University.

DM-0004323
Overview
- Security Content Automation Protocol (SCAP)
- Network Management Metrics
- Metrics Focused Analysis
Security Content Automation Protocol
- Common Vulnerability Enumeration
  - Identity
  - Severity score (CVSS)
  - Systems affected
- Common Checklist Enumeration
  - Checklist items
- Common Platform Enumeration

http://nvd.nist.gov/
Network Management Metrics
- Homogeneity (fraction of hosts made up by the most common configuration)
- Out-of-date (fraction of hosts in use that are no longer supported)
- Modification rate of platforms
- Arrival rate of platforms
- Arrival rate of vulnerabilities
- Departure rate of vulnerabilities
- Recurrence of vulnerabilities

Arbaugh, W., Fithen, W., McHugh, J. "Windows of Vulnerability: A Case Study Analysis." IEEE Computer, December 2000, pp. 52-59.
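The metrics on this slide are ratios and rates over an inventory and a vulnerability timeline, so they are easy to compute once the two data sources are joined. The block below is an added example, not code from the slides or from SEI: it takes two constructed platform-inventory snapshots (host -> platform, still supported?) taken 30 days apart plus a constructed list of per-host vulnerability observations, and computes homogeneity, the out-of-date fraction, platform modification/arrival/departure rates, vulnerability arrival/departure rates and recurrences. Vulnerability ids are placeholders, not real CVE numbers, and rates are counted per host-vulnerability instance per day (an assumption; per-vulnerability counting is equally valid if that is what the organisation tracks).

```python
"""Network management metrics from inventory snapshots and vulnerability
observations.  Added example; all data below is constructed."""
from collections import Counter
from datetime import date

# Constructed inventory snapshots: host -> (platform, vendor still supports it?)
INVENTORY_T0 = {
    "h1": ("win10-1607", True),
    "h2": ("win10-1607", True),
    "h3": ("win10-1607", True),
    "h4": ("win7-sp1", False),
    "h5": ("centos6", True),
}
INVENTORY_T1 = {
    "h1": ("win10-1703", True),   # platform modified between snapshots
    "h2": ("win10-1607", True),
    "h3": ("win10-1607", True),
    "h4": ("win7-sp1", False),    # still in use, no longer supported
    "h6": ("ubuntu16", True),     # new platform arrived; h5 departed
}
DAYS_BETWEEN_SNAPSHOTS = 30

# Constructed vulnerability observations: (host, placeholder id, first seen,
# closed).  closed=None means still open at the end of the window.
VULN_OBS = [
    ("h1", "VULN-A", date(2016, 1, 2), date(2016, 1, 10)),
    ("h2", "VULN-A", date(2016, 1, 2), date(2016, 1, 12)),
    ("h2", "VULN-A", date(2016, 1, 20), None),   # recurrence on h2
    ("h4", "VULN-B", date(2016, 1, 5), None),
    ("h5", "VULN-C", date(2016, 1, 15), date(2016, 1, 25)),
]
WINDOW = (date(2016, 1, 1), date(2016, 2, 1))   # 31-day observation window


def homogeneity(inv):
    """Fraction of hosts running the single most common platform."""
    counts = Counter(platform for platform, _ in inv.values())
    return counts.most_common(1)[0][1] / len(inv)


def out_of_date(inv):
    """Fraction of hosts in use whose platform is no longer supported."""
    return sum(1 for _, supported in inv.values() if not supported) / len(inv)


def platform_rates(before, after, days):
    """Per-day modification, arrival and departure rates between snapshots."""
    common = before.keys() & after.keys()
    modified = sum(1 for h in common if before[h][0] != after[h][0])
    return {
        "modification_rate": modified / days,
        "arrival_rate": len(after.keys() - before.keys()) / days,
        "departure_rate": len(before.keys() - after.keys()) / days,
    }


def vulnerability_rates(obs, window):
    """Per-day arrival/departure of host-vulnerability instances and the
    number of (host, vuln) pairs seen more than once (recurrences)."""
    start, end = window
    days = (end - start).days
    arrivals = sum(1 for _, _, seen, _ in obs if start <= seen < end)
    departures = sum(1 for _, _, _, closed in obs
                     if closed is not None and start <= closed < end)
    pairs = Counter((host, vid) for host, vid, _, _ in obs)
    recurrences = sum(1 for n in pairs.values() if n > 1)
    return {
        "arrival_rate": arrivals / days,
        "departure_rate": departures / days,
        "recurrences": recurrences,
    }


if __name__ == "__main__":
    print("homogeneity T0/T1:", homogeneity(INVENTORY_T0), homogeneity(INVENTORY_T1))
    print("out-of-date T1:", out_of_date(INVENTORY_T1))
    print(platform_rates(INVENTORY_T0, INVENTORY_T1, DAYS_BETWEEN_SNAPSHOTS))
    print(vulnerability_rates(VULN_OBS, WINDOW))
```

The drop in homogeneity between the two snapshots (one host moved to a newer build) is the kind of change the modification rate is meant to surface: a more heterogeneous fleet means more distinct patch streams to track, which feeds directly into the patch-efficiency example that follows.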
Example 1: Assessing Patch Efficiency

Patch Efficiency – mitigations are applied for significant (serious and exploitable) vulnerabilities prior to exploitation

Metrics:
- Modification rate of platforms
- Arrival rate of vulnerabilities
- Departure rate of vulnerabilities

Flow Analysis:
- Response to scanning
- Bytes/Packet/Second classification
- Service abnormalities

Campbell, G. "MEASURES and METRICS In CORPORATE SECURITY." Security Executive Council Publication Series. January 2008.
Example 2: Quantifying Vulnerability Exposure

Vulnerability exposure – Probable loss associated with vulnerabilities in a given network service

Metrics:
- Arrival rate of vulnerabilities
- Departure rate of vulnerabilities
- Recurrence of vulnerabilities

Flow Analysis:
- Filter by service
- Bytes/packet/second clustering
- Responses to scanning
- Service baseline use
- Compare to overall network usage
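Examples 1 and 2 both lean on the same three flow-side checks: classify flows by bytes per packet and packets per second, find which hosts answered a scanner (a live, reachable service is what turns a vulnerability arrival into exposure), and compare each service's share of traffic against a baseline. The block below is an added example covering both slides; it is not code from the presentation or from SEI, and the flow records, site prefix, classification cut-offs and baseline shares are all constructed. The "service port is the side below 1024" rule and the 0.5x/2x abnormality band are assumptions to be tuned per site.

```python
"""Flow checks shared by the patch-efficiency and vulnerability-exposure
examples.  Added example; flow records, thresholds and baseline are
constructed, addresses come from the documentation ranges."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    packets: int
    bytes: int
    duration: float   # seconds
    flags: str        # TCP flags seen over the flow, e.g. "S", "SA", "SAPF"


INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # constructed site prefix

FLOWS = [  # constructed records
    Flow("203.0.113.5", "192.0.2.10", 40001, 22, 1, 44, 0.0, "S"),        # probe
    Flow("192.0.2.10", "203.0.113.5", 22, 40001, 1, 44, 0.0, "SA"),       # host answered
    Flow("203.0.113.5", "192.0.2.11", 40002, 22, 1, 44, 0.0, "S"),        # probe, no answer
    Flow("192.0.2.20", "198.51.100.7", 50100, 443, 40, 60000, 2.0, "SAPF"),   # bulk transfer
    Flow("198.51.100.8", "192.0.2.20", 50200, 22, 120, 12000, 300.0, "SAP"),  # interactive
    Flow("192.0.2.21", "198.51.100.9", 50300, 80, 10, 8000, 1.0, "SAPF"),     # web fetch
]

BASELINE_SHARE = {22: 0.05, 443: 0.75, 80: 0.15}   # constructed historical byte shares


def classify(f):
    """Coarse class from bytes/packet and packets/second (assumed cut-offs)."""
    bpp = f.bytes / f.packets
    pps = f.packets / max(f.duration, 0.001)
    if f.packets <= 2 and bpp <= 60:
        return "probe"          # one or two tiny packets: scan-like
    if pps >= 500:
        return "flood"          # high packet rate regardless of size
    if bpp >= 1000:
        return "bulk"           # near-MTU packets: file transfer / download
    return "interactive"        # everything else


def scan_responders(flows, internal=INTERNAL):
    """Map (internal host, port) probed by an external single-packet SYN to
    whether that host sent anything back to the prober from that port."""
    probes = [f for f in flows
              if classify(f) == "probe" and f.flags == "S"
              and ipaddress.ip_address(f.dip) in internal
              and ipaddress.ip_address(f.sip) not in internal]
    result = {}
    for p in probes:
        answered = any(f.sip == p.dip and f.sport == p.dport and f.dip == p.sip
                       for f in flows)
        result[(p.dip, p.dport)] = result.get((p.dip, p.dport), False) or answered
    return result


def service_port(f):
    """Assumed rule: the well-known side (port < 1024) is the service."""
    return f.dport if f.dport < 1024 else f.sport


def service_share(flows):
    """Each service's share of total bytes in the flow set."""
    by_port = defaultdict(int)
    for f in flows:
        by_port[service_port(f)] += f.bytes
    total = sum(by_port.values())
    return {port: b / total for port, b in by_port.items()}


def abnormal_services(flows, baseline, low=0.5, high=2.0):
    """Services whose current share is outside [low, high] x baseline share."""
    current = service_share(flows)
    flagged = {}
    for port, base in baseline.items():
        ratio = current.get(port, 0.0) / base
        if ratio < low or ratio > high:
            flagged[port] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    for f in FLOWS:
        print(f.sip, "->", f.dip, f.dport, classify(f))
    print("scan responses:", scan_responders(FLOWS))
    print("abnormal services:", abnormal_services(FLOWS, BASELINE_SHARE))
```

In the constructed set, 192.0.2.10 answers on port 22 while 192.0.2.11 does not, and SSH carries about three times its baseline share of bytes, so it is the service an analyst would pull the vulnerability arrival and recurrence counts for first.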
Example 3: Measuring APT Vulnerability

Advanced Persistent Threat Vulnerability: opportunities for threats to exploit collateral vulnerabilities between units within the organization to penetrate and establish permanency in local networks.

Metrics:
- CVSS scoring
- Common vulnerability prevalence between units
- Arrival rate of vulnerabilities

Flow Analysis:
- Response to scanning
- Usage of vulnerable services between units
- Measuring dependencies between units

Mateski, M., et al. "Cyber Threat Metrics." Technical Report SAND2012-2427. Sandia National Labs. March 2012.
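The two unit-level measures on this slide, common vulnerability prevalence and inter-unit dependency over vulnerable services, need the flow data joined to the SCAP-style inventory: a unit map for addresses, a host-to-vulnerability list, and the service each vulnerability is reached through. The block below is an added example, not code from the presentation or from SEI; the unit prefixes, hosts, vulnerability ids (placeholders, not real CVEs), CVSS values and flows are all constructed. Prevalence is measured as Jaccard overlap of the units' vulnerability sets, and a dependency counts only bytes sent to a destination host on a port that carries one of that host's vulnerabilities, weighted by the highest CVSS base score among them.

```python
"""Inter-unit vulnerability prevalence and dependencies over vulnerable
services.  Added example; every value below is constructed."""
import ipaddress
from collections import defaultdict

UNITS = {   # constructed organisational units and their address ranges
    "finance": ipaddress.ip_network("10.1.0.0/16"),
    "engineering": ipaddress.ip_network("10.2.0.0/16"),
    "ops": ipaddress.ip_network("10.3.0.0/16"),
}

HOST_VULNS = {   # constructed host -> placeholder vulnerability ids
    "10.1.0.5": {"VULN-A", "VULN-B"},
    "10.1.0.6": {"VULN-A"},
    "10.2.0.7": {"VULN-A", "VULN-C"},
    "10.3.0.8": {"VULN-D"},
}
VULN_SERVICE = {"VULN-A": 445, "VULN-B": 3389, "VULN-C": 8080, "VULN-D": 22}
VULN_CVSS = {"VULN-A": 9.8, "VULN-B": 7.5, "VULN-C": 6.1, "VULN-D": 5.3}

FLOWS = [   # constructed (sip, dip, dport, bytes)
    ("10.1.0.5", "10.2.0.7", 445, 5000),
    ("10.1.0.6", "10.2.0.7", 445, 7000),
    ("10.2.0.7", "10.1.0.5", 3389, 20000),
    ("10.3.0.8", "10.2.0.7", 8080, 1000),
    ("10.3.0.8", "10.1.0.5", 443, 90000),   # port 443 carries no listed vulnerability
]


def unit_of(ip):
    """Name of the unit whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in UNITS.items():
        if addr in net:
            return name
    return None


def unit_vulns():
    """Union of vulnerability ids present on each unit's hosts."""
    out = defaultdict(set)
    for host, vulns in HOST_VULNS.items():
        out[unit_of(host)] |= vulns
    return dict(out)


def common_prevalence(unit_a, unit_b):
    """Jaccard overlap of the two units' vulnerability sets (0..1)."""
    uv = unit_vulns()
    sa, sb = uv.get(unit_a, set()), uv.get(unit_b, set())
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def vulnerable_dependencies(flows):
    """(src unit, dst unit) -> {bytes, max_cvss} for traffic that lands on a
    destination port carrying one of the destination host's vulnerabilities."""
    deps = defaultdict(lambda: {"bytes": 0, "max_cvss": 0.0})
    for sip, dip, dport, nbytes in flows:
        reachable = [v for v in HOST_VULNS.get(dip, ()) if VULN_SERVICE[v] == dport]
        if not reachable:
            continue
        key = (unit_of(sip), unit_of(dip))
        deps[key]["bytes"] += nbytes
        deps[key]["max_cvss"] = max(deps[key]["max_cvss"],
                                    max(VULN_CVSS[v] for v in reachable))
    return {k: dict(v) for k, v in deps.items()}


if __name__ == "__main__":
    print("finance/engineering prevalence:",
          round(common_prevalence("finance", "engineering"), 3))
    for pair, info in vulnerable_dependencies(FLOWS).items():
        print(pair, info)
```

The large HTTPS flow from ops to finance does not appear in the dependency table because no listed vulnerability is reached through port 443; the much smaller SMB flows between finance and engineering do, with the highest score, which is the kind of pair the slide's "collateral vulnerabilities between units" points at.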
Summary
- Pivoting between data can enable advanced analysis
- Metrics focus the interaction
  - Configuration information for structural view
  - Traffic information for dependency view
  - Combined information for threat view