using contextual security policies for threat response
play

Using Contextual Security Policies for Threat Response Yohann THOMAS - PowerPoint PPT Presentation

Aug 23, 2022 •286 likes •570 views

Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France Tlcom R&D - Caen, France Frdric CUPPENS - Nora CUPPENS-BOULAHIA ENST Bretagne - Rennes, France Research & Development DIMVA06 - July

  1. Using Contextual Security Policies for Threat Response Yohann THOMAS - Hervé DEBAR France Télécom R&D - Caen, France Frédéric CUPPENS - Nora CUPPENS-BOULAHIA ENST Bretagne - Rennes, France Research & Development DIMVA06 - July 13-14, 2006

  2. Information systems service goals  Performance  Response time  Number of users served  Convenience  Ease of use  Automation  Security  Confidentiality  Integrity  Availability  Security is one of many adjustment variables  Compromises are generally static at design time Research & Development 2 DIMVA06 - July 13-14, 2006

  3. But …  Security is not static  New vulnerabilities  New users and usages  New attackers  Nor are the other variables  Reflect the evolution of the IS (new hardware & software)  Maintain a better balance between the different requirements  The compromise between these variables needs to change  Respond to threat  Dynamic security policies Research & Development 3 DIMVA06 - July 13-14, 2006

  4. Threat response system  Reactivity  Automated response process  On-time deployment of response according to threats  On-time withdrawal of response  Reliability  Consistency of the threat characterization system (reliable alerts)  Relevance of selected countermeasures  Application of countermeasures to multiple enforcement points  Ease of use  Ease of deployment (avoid or limit additional systems)  Ease of countermeasures definition Research & Development 4 DIMVA06 - July 13-14, 2006

  5. How to fulfill the requirements?  Clear identification of the threat, source and victim  Policy-oriented approach  Adapt security level to the threat level (dynamic policy)  Compromise between security, performance, convenience, etc.  Avoid the deployment of additional systems  Organization-based approach  Abstract vs concrete level of rules  Provide local reactions but responding to global constraints  Context-based approach  Trigger security rules thanks to active contexts  In particular, threat contexts to trigger countermeasures Research & Development 5 DIMVA06 - July 13-14, 2006

  6. Access Control Policy (1)  Discretionary Access Control (DAC)  Manage privileges of subjects on objects  Definition of an access matrix to describe authorizations (Subject, Object, Privilege) Ex: (host1, file1, rw), Means that host1 has the privilege of read and write on file1.  Limitations  Many subjects and objects to describe  Scalability issues (definition and administration)  Poor expressiveness (static policy) Research & Development 6 DIMVA06 - July 13-14, 2006

  7. Access Control Policy (2)  Role-Based Access Control (RBAC)  Abstract subjects into roles  Manage permissions of actions Permission(Role, Action, Object) UA ⊆ UxR, user-to-role assignment Ex: Permission(group1, read, file1), with host1 ∈ group1, Means that group1, thus host1, is permitted to read file1.  Limitations  Only provides means to group subjects, but not actions and objects  Only manages permissions (no explicit prohibition)  Limited expressiveness of the security rules (static policy) Research & Development 7 DIMVA06 - July 13-14, 2006

  8. Access Control Policy (3)  Organization-Based Access Control (Or-BAC)  Manage entities through organizations  Abstract subjects into roles  Abstract actions into activities  Abstract objects into views + Empower(Organization, Subject, Role) + Consider(Organization, Action, Activity) + Use(Organization, Object, View) Research & Development 8 DIMVA06 - July 13-14, 2006

  9. Access Control Policy (3)  Organization-Based Access Control (Or-BAC)  Manage entities through organizations  Abstract subjects into roles  Abstract actions into activities  Abstract objects into views  Provide not only permissions , but also prohibitions / obligations Security_rule(Type, Organization, Role, Activity, View) + Empower(Organization, Subject, Role) + Consider(Organization, Action, Activity) + Use(Organization, Object, View) With Type={permission, prohibition, obligation} Research & Development 9 DIMVA06 - July 13-14, 2006

  10. Access Control Policy (3)  Organization-Based Access Control (Or-BAC)  Manage entities through organizations  Abstract subjects into roles  Abstract actions into activities  Abstract objects into views  Provide not only permissions , but also prohibitions / obligations  Trigger rules provided contexts ( dynamic policy) Security_rule(Type, Organization, Role, Activity, View, Context) + Empower(Organization, Subject, Role) + Consider(Organization, Action, Activity) + Use(Organization, Object, View) + Hold(Organization, Subject, Action, Object, Context) With Type={permission, prohibition, obligation} Research & Development 10 DIMVA06 - July 13-14, 2006

  11. Proposal (1): Use of Or-BAC Define security rules at the abstract level Security_rule(perm, corp, mail_user, read_mail, mailserver, normal)  In the organization corp , the activity read_mail is permitted for the role mail_user on the view mailserver in a normal context. Research & Development 11 DIMVA06 - July 13-14, 2006

  12. Proposal (1): Use of Or-BAC Contexts are activated at the concrete level Security_rule(perm, corp, mail_user, read_mail, mailserver, normal) Hold(corp, bob, tcp/110, mel1, normal)  In the organization corp , the context normal is being held for user bob making action tcp/110 on object mel1 . Research & Development 12 DIMVA06 - July 13-14, 2006

  13. Proposal (1): Use of Or-BAC Link hold facts with security rules Security_rule(perm, corp, mail_user, read_mail, mailserver, normal) empower consider use Hold(corp, bob, tcp/110, mel1, normal)  In the organization corp , bob is a mail_user subject, tcp/110 is a read_mail action and mel1 is a mailserver object . Research & Development 13 DIMVA06 - July 13-14, 2006

  14. Proposal (1): Use of Or-BAC Derive concrete authorizations Security_rule(perm, corp, mail_user, read_mail, mailserver, normal) empower consider use Hold(corp, bob, tcp/110, mel1, normal) Bob is permitted to access tcp/110 port of mailserver mel1. Thus, he is allowed to read his mail in a normal context. Research & Development 14 DIMVA06 - July 13-14, 2006

  15. Proposal (2): Architecture for a threat response system Research & Development 15 DIMVA06 - July 13-14, 2006

  16. Proposal (2): Alert Correlation Engine (ACE)  Input: Events/alerts from sensors (Snort, Prelude, firewall logs, etc.)  Role: Provide reliable alerts reporting threats (existing tools are assumed reasonably accurate for the purpose of this work)  Output: IDMEF messages (Intrusion Detection Message Exchange Format) Research & Development 16 DIMVA06 - July 13-14, 2006

  17. Proposal (2): Policy Instantiation Engine (PIE)  Input: IDMEF messages (characterized threats)  Role: Dynamically extract new policy rules considering threats  Output: New policy rules (or instances) Research & Development 17 DIMVA06 - July 13-14, 2006

  18. Proposal (2): Policy Instantiation Engine (PIE)  Additional input: Policy definition - Generic Or-BAC policy ( security rules , i.e. abstract policy) - Context definition (conditions to trigger contexts, i.e. hold predicates) - Context data (base of additional facts, apart from alerts, such as time, cartography, etc.) Research & Development 18 DIMVA06 - July 13-14, 2006

  19. Proposal (2): Policy Decision Point (PDP)  Input: Policy rules  Role: Prepare the policy for local enforcement  Output: PEP configurations Research & Development 19 DIMVA06 - July 13-14, 2006

  20. Proposal (2): Policy Enforcement Point (PEP)  Input: PEP configurations  Role: Apply new configurations, i.e. enforce the policy  Potential output: Events/alerts (PEPs acting as sensors) Research & Development 20 DIMVA06 - July 13-14, 2006

  21. From alerts to new policies (1)  Alerts provide identification of source, victim and threat  IDMEF.Source: IP address, DNS name, network mask, etc.  IDMEF.Target: IP address, DNS name, network mask, etc.  IDMEF.Classification: Reference (ex: CVE-2005-1133)  Mapping strategy  Trigger a hold(org, subject, action, object, context) from alerts ensuring adequate response to the threat  Example - hold(corp, bob, tcp/110, mel1, pop_threat) source target reference Research & Development 21 DIMVA06 - July 13-14, 2006

  22. From alerts to new policies (2)  Derive concrete permissions/prohibitions (new policies) from security_rules and hold facts Security_rule(prohib,corp,mail_user,read_pop,mailserver,pop_threat) empower consider use Hold(corp, bob, tcp/110, mel1, pop_threat) Bob is not allowed to access tcp/110 port of mailserver mel1 since the context pop_threat is active. Research & Development 22 DIMVA06 - July 13-14, 2006

  23. From alerts to new policies (3)  Concrete permissions/prohibitions managed by the PDP  Deployment: Adapt new policy instances into a concrete enforcement strategy - Block a port on a firewall, - Stop/reconfigure a service, - Etc.  Translation: Adapt policy rules to PEPs type and implementation - Type: “A firewall rule” - Implementation: “A Netfilter firewall rule”  PEPs receive new configurations by the PDP to enforce the new policy Research & Development 23 DIMVA06 - July 13-14, 2006

Recommend

Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background NTU / NIE is corporatized in April 2006 (Not requires to comply with IM8) Mission - To provide effective ICT resources, services and

841 views • 6 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
Stucco Situation & Threat Understanding by Correlating Contextual Observations John Gerth,

Stucco Situation & Threat Understanding by Correlating Contextual Observations John Gerth,

CYBER SECURITY DIVISION Stucco Situation & Threat Understanding by Correlating Contextual Observations John Gerth, Stanford University John R. Goodall, Oak Ridge National Laboratory January 2014 Team Profile 2 Jan '14 FloCon 2014 Need

407 views • 17 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to Prevent and Crafting and Implementing Policies to Prevent and presents presents Respond to Inadvertent Disclosures A Live 90-Minute

1.06k views • 70 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies, and In Incident Response Dangerous Toys USB Device Impersonators USB Killers Man in the Middle Faceplates Wireless Pineapples Payload Phone

727 views • 30 slides
MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat

MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat

MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat Intelligence, Faster Detection & Automated Response Adaptive Security Strategy for SOC Ramy AlDamati Principle CyberSecurity Solution

680 views • 31 slides
Contextual Inquiry Take Aways Overview of Contextual Design Contextual inquiry

Contextual Inquiry Take Aways Overview of Contextual Design Contextual inquiry

Contextual Inquiry Take Aways Overview of Contextual Design Contextual inquiry Interviewing techniques Contextual Design Contextual design is: An established process for analyzing tasks people do and designing technology to

456 views • 43 slides
Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems And what happens if they do CS 239 something else Security for Networks and And whos responsible for making sure System Software thats

245 views • 3 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) & MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat Landscape Customers Biggest Security Challenges Changing Dynamic Complexity Business Models Threat Landscape and Fragmentation A

550 views • 13 slides
Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit 11/10/2013 1 Overview What is the Asymmetric Threat Response and Analysis Program (ATRAP)? Data Ingestion Structured vs. unstructured

817 views • 44 slides
CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Threat Modeling Professor Qiang Zeng Spring 2020 Previous Class The CIA Triad as security objectives Threat: potential Attack: attempt Compromise: success Vulnerability: security

660 views • 29 slides
Security Summer 2016 Cornell University 1 Today Security policies Enforcement

Security Summer 2016 Cornell University 1 Today Security policies Enforcement

CS 4410 Operating Systems Security Summer 2016 Cornell University 1 Today Security policies Enforcement Authenticating people Passwords 2 Security policy Security policies prescribe what must be done and what must not be

431 views • 13 slides
Response-Based Contextual Analysis Social Material Conditions Responses Situation to Social

Response-Based Contextual Analysis Social Material Conditions Responses Situation to Social

1 Child Protection and Children in Care: Honouring the Dignity & Situational Intelligence Of Children. Cathy Richardson, Ph.D With Panel of Yukon Intelligensia Response-Based Contextual Analysis Social Material Conditions Responses

454 views • 42 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems

Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems

Security Principles, Policies, and Tools CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 2 Page 1 CS 236 Online Outline Security design principles Security policies Basic concepts Security

419 views • 12 slides
Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

IN3210 Network Security Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure Computer Security Security of computers and networks Protection of digital assets Axioms of Computer Security:

240 views • 23 slides
Contextual Analysis SWEN-444 Contextual analysis Systematic analysis of contextual user work

Contextual Analysis SWEN-444 Contextual analysis Systematic analysis of contextual user work

Contextual Analysis SWEN-444 Contextual analysis Systematic analysis of contextual user work activity data Identification, sorting, organization, interpretation, consolidation, and communication For purpose of understanding work context for

449 views • 26 slides
Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA

Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA

Nuclear Security Culture As a Tool to Address Insider Threat Dr. Igor Khripunov at The IAEA International Conference on Physical Protection, 13-17 November 2017, Vienna, Austria Overview Insider threat and the role of Nuclear Security

552 views • 15 slides

More recommend