using contextual security policies for threat response
play

Using Contextual Security Policies for Threat Response Yohann THOMAS - PowerPoint PPT Presentation

Aug 23, 2022 •286 likes •570 views

Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France Tlcom R&D - Caen, France Frdric CUPPENS - Nora CUPPENS-BOULAHIA ENST Bretagne - Rennes, France Research & Development DIMVA06 - July

  1. Using Contextual Security Policies for Threat Response Yohann THOMAS - Hervé DEBAR France Télécom R&D - Caen, France Frédéric CUPPENS - Nora CUPPENS-BOULAHIA ENST Bretagne - Rennes, France Research & Development DIMVA06 - July 13-14, 2006

  2. Information systems service goals  Performance  Response time  Number of users served  Convenience  Ease of use  Automation  Security  Confidentiality  Integrity  Availability  Security is one of many adjustment variables  Compromises are generally static at design time Research & Development 2 DIMVA06 - July 13-14, 2006

  3. But …  Security is not static  New vulnerabilities  New users and usages  New attackers  Nor are the other variables  Reflect the evolution of the IS (new hardware & software)  Maintain a better balance between the different requirements  The compromise between these variables needs to change  Respond to threat  Dynamic security policies Research & Development 3 DIMVA06 - July 13-14, 2006

  4. Threat response system  Reactivity  Automated response process  On-time deployment of response according to threats  On-time withdrawal of response  Reliability  Consistency of the threat characterization system (reliable alerts)  Relevance of selected countermeasures  Application of countermeasures to multiple enforcement points  Ease of use  Ease of deployment (avoid or limit additional systems)  Ease of countermeasures definition Research & Development 4 DIMVA06 - July 13-14, 2006

  5. How to fulfill the requirements?  Clear identification of the threat, source and victim  Policy-oriented approach  Adapt security level to the threat level (dynamic policy)  Compromise between security, performance, convenience, etc.  Avoid the deployment of additional systems  Organization-based approach  Abstract vs concrete level of rules  Provide local reactions but responding to global constraints  Context-based approach  Trigger security rules thanks to active contexts  In particular, threat contexts to trigger countermeasures Research & Development 5 DIMVA06 - July 13-14, 2006

  6. Access Control Policy (1)  Discretionary Access Control (DAC)  Manage privileges of subjects on objects  Definition of an access matrix to describe authorizations (Subject, Object, Privilege) Ex: (host1, file1, rw), Means that host1 has the privilege of read and write on file1.  Limitations  Many subjects and objects to describe  Scalability issues (definition and administration)  Poor expressiveness (static policy) Research & Development 6 DIMVA06 - July 13-14, 2006

  7. Access Control Policy (2)  Role-Based Access Control (RBAC)  Abstract subjects into roles  Manage permissions of actions Permission(Role, Action, Object) UA ⊆ UxR, user-to-role assignment Ex: Permission(group1, read, file1), with host1 ∈ group1, Means that group1, thus host1, is permitted to read file1.  Limitations  Only provides means to group subjects, but not actions and objects  Only manages permissions (no explicit prohibition)  Limited expressiveness of the security rules (static policy) Research & Development 7 DIMVA06 - July 13-14, 2006

  8. Access Control Policy (3)  Organization-Based Access Control (Or-BAC)  Manage entities through organizations  Abstract subjects into roles  Abstract actions into activities  Abstract objects into views + Empower(Organization, Subject, Role) + Consider(Organization, Action, Activity) + Use(Organization, Object, View) Research & Development 8 DIMVA06 - July 13-14, 2006

  9. Access Control Policy (3)  Organization-Based Access Control (Or-BAC)  Manage entities through organizations  Abstract subjects into roles  Abstract actions into activities  Abstract objects into views  Provide not only permissions , but also prohibitions / obligations Security_rule(Type, Organization, Role, Activity, View) + Empower(Organization, Subject, Role) + Consider(Organization, Action, Activity) + Use(Organization, Object, View) With Type={permission, prohibition, obligation} Research & Development 9 DIMVA06 - July 13-14, 2006

  10. Access Control Policy (3)  Organization-Based Access Control (Or-BAC)  Manage entities through organizations  Abstract subjects into roles  Abstract actions into activities  Abstract objects into views  Provide not only permissions , but also prohibitions / obligations  Trigger rules provided contexts ( dynamic policy) Security_rule(Type, Organization, Role, Activity, View, Context) + Empower(Organization, Subject, Role) + Consider(Organization, Action, Activity) + Use(Organization, Object, View) + Hold(Organization, Subject, Action, Object, Context) With Type={permission, prohibition, obligation} Research & Development 10 DIMVA06 - July 13-14, 2006

  11. Proposal (1): Use of Or-BAC Define security rules at the abstract level Security_rule(perm, corp, mail_user, read_mail, mailserver, normal)  In the organization corp , the activity read_mail is permitted for the role mail_user on the view mailserver in a normal context. Research & Development 11 DIMVA06 - July 13-14, 2006

  12. Proposal (1): Use of Or-BAC Contexts are activated at the concrete level Security_rule(perm, corp, mail_user, read_mail, mailserver, normal) Hold(corp, bob, tcp/110, mel1, normal)  In the organization corp , the context normal is being held for user bob making action tcp/110 on object mel1 . Research & Development 12 DIMVA06 - July 13-14, 2006

  13. Proposal (1): Use of Or-BAC Link hold facts with security rules Security_rule(perm, corp, mail_user, read_mail, mailserver, normal) empower consider use Hold(corp, bob, tcp/110, mel1, normal)  In the organization corp , bob is a mail_user subject, tcp/110 is a read_mail action and mel1 is a mailserver object . Research & Development 13 DIMVA06 - July 13-14, 2006

  14. Proposal (1): Use of Or-BAC Derive concrete authorizations Security_rule(perm, corp, mail_user, read_mail, mailserver, normal) empower consider use Hold(corp, bob, tcp/110, mel1, normal) Bob is permitted to access tcp/110 port of mailserver mel1. Thus, he is allowed to read his mail in a normal context. Research & Development 14 DIMVA06 - July 13-14, 2006

  15. Proposal (2): Architecture for a threat response system Research & Development 15 DIMVA06 - July 13-14, 2006

  16. Proposal (2): Alert Correlation Engine (ACE)  Input: Events/alerts from sensors (Snort, Prelude, firewall logs, etc.)  Role: Provide reliable alerts reporting threats (existing tools are assumed reasonably accurate for the purpose of this work)  Output: IDMEF messages (Intrusion Detection Message Exchange Format) Research & Development 16 DIMVA06 - July 13-14, 2006

  17. Proposal (2): Policy Instantiation Engine (PIE)  Input: IDMEF messages (characterized threats)  Role: Dynamically extract new policy rules considering threats  Output: New policy rules (or instances) Research & Development 17 DIMVA06 - July 13-14, 2006

  18. Proposal (2): Policy Instantiation Engine (PIE)  Additional input: Policy definition - Generic Or-BAC policy ( security rules , i.e. abstract policy) - Context definition (conditions to trigger contexts, i.e. hold predicates) - Context data (base of additional facts, apart from alerts, such as time, cartography, etc.) Research & Development 18 DIMVA06 - July 13-14, 2006

  19. Proposal (2): Policy Decision Point (PDP)  Input: Policy rules  Role: Prepare the policy for local enforcement  Output: PEP configurations Research & Development 19 DIMVA06 - July 13-14, 2006

  20. Proposal (2): Policy Enforcement Point (PEP)  Input: PEP configurations  Role: Apply new configurations, i.e. enforce the policy  Potential output: Events/alerts (PEPs acting as sensors) Research & Development 20 DIMVA06 - July 13-14, 2006

  21. From alerts to new policies (1)  Alerts provide identification of source, victim and threat  IDMEF.Source: IP address, DNS name, network mask, etc.  IDMEF.Target: IP address, DNS name, network mask, etc.  IDMEF.Classification: Reference (ex: CVE-2005-1133)  Mapping strategy  Trigger a hold(org, subject, action, object, context) from alerts ensuring adequate response to the threat  Example - hold(corp, bob, tcp/110, mel1, pop_threat) source target reference Research & Development 21 DIMVA06 - July 13-14, 2006

  22. From alerts to new policies (2)  Derive concrete permissions/prohibitions (new policies) from security_rules and hold facts Security_rule(prohib,corp,mail_user,read_pop,mailserver,pop_threat) empower consider use Hold(corp, bob, tcp/110, mel1, pop_threat) Bob is not allowed to access tcp/110 port of mailserver mel1 since the context pop_threat is active. Research & Development 22 DIMVA06 - July 13-14, 2006

  23. From alerts to new policies (3)  Concrete permissions/prohibitions managed by the PDP  Deployment: Adapt new policy instances into a concrete enforcement strategy - Block a port on a firewall, - Stop/reconfigure a service, - Etc.  Translation: Adapt policy rules to PEPs type and implementation - Type: “A firewall rule” - Implementation: “A Netfilter firewall rule”  PEPs receive new configurations by the PDP to enforce the new policy Research & Development 23 DIMVA06 - July 13-14, 2006

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background NTU / NIE is corporatized in April 2006 (Not requires to comply with IM8) Mission - To provide effective ICT resources, services and

841 views • 6 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
Stucco Situation & Threat Understanding by Correlating Contextual Observations John Gerth,

Stucco Situation & Threat Understanding by Correlating Contextual Observations John Gerth,

CYBER SECURITY DIVISION Stucco Situation & Threat Understanding by Correlating Contextual Observations John Gerth, Stanford University John R. Goodall, Oak Ridge National Laboratory January 2014 Team Profile 2 Jan '14 FloCon 2014 Need

407 views • 17 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to

Data Security Breaches: The Growing Liability Threat Crafting and Implementing Policies to Prevent and Crafting and Implementing Policies to Prevent and presents presents Respond to Inadvertent Disclosures A Live 90-Minute

1.06k views • 70 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies, and In Incident Response Dangerous Toys USB Device Impersonators USB Killers Man in the Middle Faceplates Wireless Pineapples Payload Phone

727 views • 30 slides
MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat

MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat

MENA Information Security Conference 2017 On the Verge : Combating Cyber Threats leveraging Threat Intelligence, Faster Detection & Automated Response Adaptive Security Strategy for SOC Ramy AlDamati Principle CyberSecurity Solution

680 views • 31 slides
Contextual Inquiry Take Aways Overview of Contextual Design Contextual inquiry

Contextual Inquiry Take Aways Overview of Contextual Design Contextual inquiry

Contextual Inquiry Take Aways Overview of Contextual Design Contextual inquiry Interviewing techniques Contextual Design Contextual design is: An established process for analyzing tasks people do and designing technology to

456 views • 43 slides
Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems

Security Policies Security Policies for Large Who is allowed to do what when Systems And what happens if they do CS 239 something else Security for Networks and And whos responsible for making sure System Software thats

245 views • 3 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) & MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat Landscape Customers Biggest Security Challenges Changing Dynamic Complexity Business Models Threat Landscape and Fragmentation A

550 views • 13 slides
Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit 11/10/2013 1 Overview What is the Asymmetric Threat Response and Analysis Program (ATRAP)? Data Ingestion Structured vs. unstructured

817 views • 44 slides
Resurgence out of the (literal) box Aleksey Cherman INT, University of Washington work in

Resurgence out of the (literal) box Aleksey Cherman INT, University of Washington work in

Resurgence out of the (literal) box Aleksey Cherman INT, University of Washington work in progress with M. Unsal and D. Dorigoni Resurgence for QFT Belief: QFT observables are transseries in the couplings Generically, all series are separately

585 views • 35 slides
Derivatives of Exponential and Logarithmic Functions Michael Freeze MAT 151 UNC Wilmington

Derivatives of Exponential and Logarithmic Functions Michael Freeze MAT 151 UNC Wilmington

Derivatives of Exponential and Logarithmic Functions Michael Freeze MAT 151 UNC Wilmington Summer 2013 1 / 23 Section 4.4 :: Derivatives of Exponential Functions 2 / 23 Derivative of e x d dx ( e x ) = e x Example Find the derivative of y

586 views • 23 slides
Using Secure Internet and Technology to Support Education in Prison Agenda *** Webinar will be

Using Secure Internet and Technology to Support Education in Prison Agenda *** Webinar will be

November 7, 2019 Using Secure Internet and Technology to Support Education in Prison Agenda *** Webinar will be recorded *** Introduction from Vera Current State and Lessons Learned from North Carolina, Iowa, and Wisconsin Q&A

251 views • 21 slides
Darwinism via Forensics People Make Dumb Decisions With Todays Technology Bill Dean, CCE

Darwinism via Forensics People Make Dumb Decisions With Todays Technology Bill Dean, CCE

Darwinism via Forensics People Make Dumb Decisions With Todays Technology Bill Dean, CCE Senior Manager, LBMC Information Security February 7, 2017 Todays Agenda Digital Forensics Basics How Does it work? Applicable Case Studies

646 views • 40 slides
du Chtelets ontology: element, corpuscle, body Aim and method To pinpoint her metaphysics

du Chtelets ontology: element, corpuscle, body Aim and method To pinpoint her metaphysics

du Chtelets ontology: element, corpuscle, body Aim and method To pinpoint her metaphysics on the map of early-modern positions. Specifically, her doctrine of substance and body. Approach: strongly internalist. I seek to reconstruct

201 views • 18 slides
Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
The Crusades What are the Crusades Crusades ? military expeditions initiated by the Church

The Crusades What are the Crusades Crusades ? military expeditions initiated by the Church

The Crusades What are the Crusades Crusades ? military expeditions initiated by the Church to recover the Holy Lands from the Moslems The Crusades What are the Crusades Crusades ? they occurred across several centuries called the

1.2k views • 91 slides

More recommend