
Effective Layering of Defenses, Nathaniel Boggs, Salvatore J. Stolfo (PowerPoint presentation)



  1. ALDR: A New Metric for Measuring Effective Layering of Defenses
     Nathaniel Boggs, Salvatore J. Stolfo, Columbia University
     12/6/2011, Layered Assurance Workshop

  2. Motivation
     • Buy security product X?
     • Am I secure?

  3. Current Answers
     • Compliance checklist
     • “Best Practices”
     • Evaluate class of products
     • Penetration testing
     • Defense in Depth
     • Can we do better?

  4. Defense in Depth
     (diagram: AV, Logs, IDS)

  5. Defense in Depth
     (diagram: AV, IDS, Logs)

  6. Compare Different Layers
     • Compare apples to oranges
     • Measure detection of ‘Attacks’
     • ‘Attacks’
       – Source domain
       – Network traffic
       – Executable
       – And many more…

  7. (figure only)

  8. All Layer Detection Rate (ALDR)
     • Test each security product
     • # attacks detected / total attacks
     • Total attacks detected by a set of products

  9. ALDR: 0.875 (14/16)
     (diagram: AV, Logs, IDS)

  10. ALDR – Key Attributes
     • Products tested individually
     • Expandable framework
       – Measure education benefit
       – Social engineering attacks
       – Any ‘attack’ representable
     • Evaluate products in context

  11. Additional Metrics
     • False Positives
     • Redundancy
       – Good redundancy vs bad
       – Classify detection method

  12. What Should I Buy?
     • Calculate increase in TP, FP, redundancy
     • Organization specific
     • Testing not organization specific!
     • Measure/Predict relative security change
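The ALDR computation from slides 8 and 9, together with the redundancy and "what should I buy" marginal-gain questions from slides 11 and 12, worked as an added example (this is not code from the paper or its authors). The attack identifiers, the per-product detection sets and the false-positive counts are constructed so that the three-product set lands on the slide's 14/16 figure; the product names AV, Logs and IDS are taken from the slides.

```python
# Constructed sample: 16 attack identifiers and, for each product tested
# individually against the same dataset, the subset of attacks it detected.
ATTACKS = {f"a{i:02d}" for i in range(1, 17)}
DETECTIONS = {
    "AV":   {"a01", "a02", "a03", "a04", "a05", "a06", "a07"},
    "Logs": {"a05", "a06", "a08", "a09", "a10", "a11"},
    "IDS":  {"a03", "a07", "a10", "a12", "a13", "a14"},
}
# Constructed false-positive counts from the benign part of the same test set.
FALSE_POSITIVES = {"AV": 2, "Logs": 9, "IDS": 5}


def detection_rate(product):
    """Single-product rate: attacks detected / total attacks."""
    return len(DETECTIONS[product] & ATTACKS) / len(ATTACKS)


def caught_by(products):
    """Attacks detected by at least one product in the set (union of layers)."""
    return set().union(*(DETECTIONS[p] for p in products)) & ATTACKS


def aldr(products):
    """All Layer Detection Rate for a set of products."""
    return len(caught_by(products)) / len(ATTACKS)


def evasions(products):
    """Attacks that evade every product in the set (slide 13's question)."""
    return ATTACKS - caught_by(products)


def redundancy(products):
    """Attacks detected by two or more products in the set."""
    hits = {}
    for p in products:
        for a in DETECTIONS[p] & ATTACKS:
            hits[a] = hits.get(a, 0) + 1
    return {a for a, n in hits.items() if n >= 2}


def marginal_gain(deployed, candidate):
    """Change from adding `candidate` to an already deployed set: new true
    positives, false positives added, detections that only duplicate an
    existing layer, and the resulting ALDR."""
    before = caught_by(deployed)
    new_tp = (DETECTIONS[candidate] & ATTACKS) - before
    duplicated = DETECTIONS[candidate] & before
    return {"new_tp": len(new_tp), "added_fp": FALSE_POSITIVES[candidate],
            "new_redundant": len(duplicated),
            "aldr": aldr(list(deployed) + [candidate])}
```

With this data the full set scores 14/16 = 0.875 while each product alone scores below 0.44, and adding IDS to AV plus Logs buys three new true positives at the cost of five false positives and three duplicated detections.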

  13. Am I secure?
     • Given a set of products
     • Specific attack dataset
     • Measure how many attacks evade
     • Find product(s) to fix
     • Increase relative security

  14. Challenges – Data Sets
     • How to link ‘attacks’
     • Define ‘attacks’
     • Future attacks differ?

  15. Challenges
     • Not all attacks equal
     • Past predicts future?
     • Create a future data set?

  16. Future Work - Experiments
     • Require data sets
       – Linked attacks
       – Ground truth
     • Drive-by downloads?
     • Historical data?

  17. Conclusion
     • New metrics needed
     • Security products are not isolated
     • Many challenges, no show stoppers
     • Measure relative security

  18. Questions?
