CSIAC

Cyber Security and Information Systems Information Analysis Center

/ Journal Issues / Cyber Science & Technology at the Army Research Laboratory (ARL) / Information Security Continuous Monitoring (ISCM)

Information Security Continuous Monitoring (ISCM)

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 1 - Cyber Science & Technology at the Army Research Laboratory (ARL)
Authors: Akhilomen Oniha, Greg Weaver, Curtis Arnold and Thomas Schreck
| Leave a Comment

Risk Management Approach

Similar to first four ISCM widgets, the risk management widget (RMW) is designed to provide situational awareness from the command level down to the asset level. The ARL team’s initial approach towards risk management provides a mechanism for stakeholders to prioritize the systems with the highest risk of compromise, based upon the NVD common vulnerabilities and exposures (CVE) and other factors. Fig. 4 above illustrates how ISCM visually represents the count of hosts (line graph) and the count of risks (bar graph) associated with a particular enclave. Each risk factor is a vulnerability identified through the installed software and CVE as depicted in Fig. 5.

The two primary functions of the RMW are risk identification and risk scoring. The functionality that determines the cause of the risk, identifies issues that are mitigated in order to eliminate a particular risk at the asset or site level. Issues are prioritized by their influence on risk. The relative risk scoring functionality uses vulnerability discovery results to estimate risk where risk score is based on the exposure of vulnerable services to external networks. Risk scores are presented by site, asset, or vulnerability.

The ARL team began by leveraging the generic algorithm for cyber risk, where risk is a function of threats, vulnerabilities and impact, R = ƒ (T × V × I). We supplemented the equation with additional characteristics that were critical to the defensive operations mission, including:

Confidence Level: The belief that an asset is exposed to a particular vulnerability by taking into account all relevant observations (i.e. output from all tools: HBSS, ACAS, etc.) This value is a derived percentage, currently implemented using term frequency–inverse document frequency algorithm [19] and represents the certainty that the host in question actually has the factors deemed to be vulnerable (i.e. software version, patch version, operating system, etc.)

Threat Multiplier: A factor associated with the exposure of a vulnerability to an external network for remote exploitation. Vulnerabilities exposed to a wide area network and remotely exploitable, produce the highest threat multiplier.

Temporal Certainty Multiplier: A factor associated with the age and freshness of the vulnerability scan reports. As scan information ages, the potential risk from vulnerabilities that cannot be confirmed as mitigated increases. The temporal certainty multiplier represents the increase as a factor, which is multiplied against the vulnerability instance risk score. The time period is determined by comparing the greatest last seen of all risk factors to current time.

Exposure Duration Multiplier: A factor indicating how long an unresolved risk was first detected. The time period is determined by comparing the earliest first seen of all risk factors to current time.

Exploit Threat Multiplier: A dynamic factor that allows a security analyst to amplify/decrease the weighting of a CVE risk score throughout the system. The value is set on the user interface through a RESTful service, which updates the entity model. The factor values can be very low, low, moderate, high and very high, depending upon the level of exploitation and other threat intelligence. If no multiplier is stored in the entity model, then the default value is moderate as depicted in Fig. 5.

ISCM’s current approach to risk management satisfies its initial goal of aiding stakeholders in the comparison and prioritization of higher-risk versus lower-risk assets. However, when looking at assets independently, the risk score does not provide the context necessary to assess the actual risk of an asset being compromised. The ARL team is actively implementing a probabilistic risk scoring widget, primarily based upon research performed at Massachusetts Institute of Technology – Lincoln Laboratory [20] and Johns Hopkins University Applied Physics Laboratory [21].

Fig. 4 ISCM user interface – host count and risk score visualization

Fig. 5 ISCM user interface – example host risk posture and score

References

  1. Burwell, S. M. (2013, November 18). “Enhancing the Security of Federal Information and Information Systems” [Memorandum]. Washington, DC: Office of Management and Budget. Retrieved from https://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-03.pdf
  2. “Implementing Continuous Risk Monitoring at the Department of State” (2010, May). Retrieved from http://www.state.gov/documents/organization/156865.pdf
  3. Splunk. http://www.splunk.com/en_us/products/splunk-enterprise/features.html
  4. PostgreSQL. https://www.postgresql.org/about/
  5. Python. https://www.python.org/about/
  6. Apache Hadoop. http://hadoop.apache.org/
  7. Richardson, R. D. (n.d.). “INSCOM - Big Data”. Retrieved from https://info.publicintelligence.net/INSCOM-BigData.pdf
  8. Bart, D. V. (2016, April 22). “Big Data Platform (BDP) and Cyber Situational Awareness Analytic Capabilities (CSAAC)”. Retrieved from http://www.disa.mil/~/media/Files/DISA/News/Conference/2016/AFCEA-Symposium/4-Bart_Big-Data_Platform_Cyber.pdf
  9. “DISA’s Big Data Platform and Analytics Capabilities” (2016, May 16). Retrieved from http://www.disa.mil/NewsandEvents/News/2016/Big-Data-Platform
  10. Apache Storm. http://storm.apache.org/
  11. Apache Accumulo. https://accumulo.apache.org/
  12. ASSURED COMPLIANCE ASSESSMENT SOLUTION (ACAS). Retrieved July 20, 2016 from http://www.disa.mil/cybersecurity/network-defense/acas
  13. ANTI-VIRUS/ANTI-SPYWARE SOLUTIONS. Retrieved July 20, 2016 from http://www.disa.mil/Cybersecurity/Network-Defense/Antivirus
  14. Long, K. S. (2004, December). “CATCHING THE CYBER SPY: ARL’S INTERROGATOR”. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA432198
  15. National Vulnerability Database. https://nvd.nist.gov/
  16. Apache Spark. http://spark.apache.org/
  17. Hadoop MapReduce. https://hadoop.apache.org/docs/r1.2.1/mapred_tutorial.html#Overview
  18. Elasticsearch. https://www.elastic.co/products/elasticsearch
  19. Term Frequency-Inverse Document Frequency (n.d.) Retrieved from http://www.tfidf.com/
  20. Lippmann, R.P, Riordan J.F, Yu T.H, and Watson K.K. (2012, May 22). “Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics,” [Whitepaper]. MIT-Lincoln Labs. Retrieved from https://www.ll.mit.edu/mission/cybersec/publications/publication-files/full_papers/2012_05_22_Lippmann_TechReport_FP.pdf
  21. Watkins, L.A., Hurley, J.S. “Cyber Maturity as Measured by Scientific Risk-Based Metrics” Journal of Information Warfare (2015) 14.3: 60-69. Retrieved from https://www.researchgate.net/publication/280953172_Cyber_Maturity_as_Measured_by_Scientific_Risk-Based_Metrics

Authors

Akhilomen Oniha
Akhilomen Oniha
Mr. Akhilomen Oniha has over a decade of experience in the areas of information technology, Linux systems engineering, distributed computing and security engineering. Mr. Oniha is the Lead for Technical Architecture at the U.S. Army Research Laboratory (ARL) Sustaining Base Network Assurance Branch (SBNAB). Mr. Oniha holds a BS in Computer Science and a 2nd BS in Information Technology from University of Maryland University College. He also holds an MS in Computer Science with a focus on Information Assurance from Johns Hopkins University. His research interests include data science techniques, malware reverse engineering and vulnerability analysis.
Greg Weaver
Greg Weaver
Mr. Greg Weaver is currently serving as member of the Sustaining Base Network Assurance Branch at the U.S. Army Research Laboratory. The Sustaining Base Network Assurance Branch is responsible for performing a wide-range of Information Assurance activities from Research & Development to providing 24/7 Computer Network Defense services. Mr. Weaver has supported cybersecurity defense policy, operations and services for over 15 years and is an industry certified incident handler and information security professional.
Curtis Arnold
Curtis Arnold
Mr. Curtis Arnold is the Chief of the Sustaining Base Network Assurance Branch at the U.S. Army Research Laboratory. The Sustaining Base Network Assurance Branch is responsible for performing a wide-range of Information Assurance activities from Research & Development to providing 24/7 Computer Network Defense services. Computer Network Defense Services include oversight of more than 100 external customers and monitoring of over 300 intrusion detection sensors around the world. Mr. Arnold has supported ARL for over 10 years in a variety of leadership, policy, and technical roles. Before joining ARL, Mr. Arnold was a Non-Commissioned Officer in the U.S. Army Judge Advocate General’s Corps. Mr. Arnold holds a BS in Information Security and an M.S. in Information Technology from Johns Hopkins University. Mr. Arnold is currently pursuing his Doctorate in Information Assurance from Capitol College.
Thomas Schreck
Thomas Schreck
Mr. Thomas Schreck has 13 years of varied development experience from distributed computing, cryptography, user interface design, and legacy systems. Mr. Schreck is the lead KeyW Corporation analytics team developer, working on the Information Security Continuous Monitoring (ISCM) project for U.S. Army Research Laboratory (ARL). Mr. Schreck holds a BS in Computer Science and completed the course requirements for a BS in Applied Mathematics at New Jersey Institute of Technology. He also holds an MS in Computer Science with a focus in Information Assurance from Johns Hopkins University.

Reader Interactions

Leave a Comment