Visualizing Time Patterns and Mission Impact of Cyber Security Breaches
Contract # DAAH01-01-C-R044, 20 February 2001 through 20 March 2003
Anita D’Amico, Stephen Salas
A Division of Applied Visions, Inc.
Contract # DAAH01-01-C-R044, 20 February 2001 through 20 March 2003
• Phase 2 Small Business Innovative Research (SBIR) contract
• Cathy McCollum of DARPA ATO (formerly ISO) is program manager
• Effort is part of Cyber Panel (formerly Cyber C2)
• Contract commenced February 20, 2001 and will run for 20 months
Key Objectives of Phase II SBIR
1. Field a prototype system that will visually represent time patterns in IA “events”
   • Enhance discovery of time trends in events
   • Show progression of an attack
   • Show activity patterns of attackers
2. Field a prototype system that will visually represent the mission impact of IA events
   • Effect of security breaches on mission-critical tasks
   • Effect on mission-critical tasks of taking a cyber asset off line
IA Analysts Want to Know …
About temporal patterns in probes and attacks
• Do certain types of security events* occur more frequently at specific times of day, week, month or year?
• Are certain adversaries more active at specific times of day, week, month or year?
• Do certain events occur in a specific sequence?
• Do certain host devices get attacked in a specific sequence?
About the progress of a security breach over time
• What has changed since the last time I monitored the status?
• When did the attack really start?
• How rapidly is the attack progressing?
• How long does it take a new vulnerability to be exploited?
*A security event can be a vulnerability, an incident that precedes an attack (e.g. a probe), or an attack.
IA Analysts Want to Relate Historical Info to Current Information About Security Events
[Diagram: Sensors (IDS, Scanner, Firewall) → Collection of Sensor Data → Data Repository (Integrated RDBMS of Security Events: Intrusions, Vulnerabilities, Access events) → Pattern Detection (Management Consoles, Visualization Aids, Data Mining), with Historical Data feeding the repository. The stages are labelled “10 year old technology” and “< 5 year old technology”.]
IA Analysts Want to Know …
• If a particular cyber asset* is breached, what mission-critical task won’t get done?
• For a particular mission-critical task to be completed successfully, which cyber assets must be secured?
• If I defensively shut down a cyber asset in order to protect it or the network from breaches, what mission-critical tasks will be impaired?
*A cyber asset can be a hardware device, software applications running on that device, data files or databases, or connectivity.
Analysts Grapple with Assessing the Mission Impact of Cyber Security Events
• IA analysts in military and commercial settings want to know the mission impact or business impact of cyber security events
• Currently, security officers make educated guesses about the mission impact of security breaches and of removing certain cyber services to ensure security
• Almost no one currently documents the importance of a specific cyber asset to the organization’s mission-critical tasks. Exceptions: Y2K analyses, disaster recovery departments
Future Systems Should Be Able To Access and Visualize Mission Dependency Data
[Diagram: the same pipeline as the previous figure (Sensors: IDS, Scanner, Firewall; Collection of Sensor Data; Data Repository: Integrated RDBMS of Security Events holding Intrusions, Vulnerabilities and Access events; Pattern Detection: Management Consoles, Visualization Aids, Data Mining; Historical Data), extended with two new data sources: Mission Dependency Tables and COA Simulation & Modeling.]
Progress on Temporal Displays
Requirements for Temporal Scenes
1. User-selectable time gradations (e.g. seconds, minutes, hours, days, months)
2. User-selectable time range (e.g. from May 1 through June 15)
3. User ability to annotate time grid (e.g. “June 13 – Checkpoint firewall vulnerability becomes public.”)
4. Relate security events and their characteristics to time
5. Relate attack sources and their characteristics to time
6. Relate targeted assets and their characteristics to time
7. Simultaneously relate events, attack sources and target characteristics to time
Requirements for Temporal Scenes
8. Depict frequencies of specific classes of events (e.g. number of probes on each day for the period May 1 - May 7)
9. View sequence of events irrespective of absolute time (e.g. at Hanscom site #125, these events occurred in sequence from May 1-7)
10. Depict duration of events (length of a DoS attack on February 6-12; length of a telnet session or FTP session)
11. Simultaneously compare patterns of events over multiple user-specified time ranges (e.g. compare number of probes during April 1-7, May 1-7, June 1-7)
12. Show time lapse between exposure (i.e. insertion of a vulnerability) and a related exploit
13. Show differences between two user-selected times (e.g. show differences in vulnerabilities on a specific network on April 1 and June 1)
Additional Reqts for Temporal Scenes
14. Show the time patterns of general level of security-related activity, irrespective of type of attack
15. Show observed time trends against a “normal” profile of time trends
16. Show security events over time in comparison to typical measures of network traffic (e.g. FTPs)
17. Show time vs events vs a third variable (e.g. location) (e.g. put location on wall and event classes on the floor)
18. Show geographical movement of an attack from one location to another vs time
19. User should be able to input a sequence of events and then ask the system to match to that sequence
20. System should suggest scenes of interest to the analyst, based on previously identified combinations of data in the database or sequences of events
21. User should be able to apply filters to what is presented on the temporal wall (e.g. show me only events on mission-critical devices)
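Several of the temporal requirements above (user-selectable gradation and range, per-class frequencies, host event sequences irrespective of absolute time, comparison across several ranges, the exposure-to-exploit lag, and the time-of-day questions from the earlier slide) are aggregations over an event table. The following Python is an added example, not code from the presentation or from SecureScope; the event records, hosts, source addresses and the May 2001 range are constructed sample data, and the three-class event model (vulnerability / probe / attack) follows the slide's definition of a security event.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not data from the report). Each event is
# (timestamp, event_class, target_host, source). Event classes follow the
# slide's definition of a security event: vulnerability, probe or attack.
EVENTS = [
    (datetime(2001, 5, 1, 2, 10), "vulnerability", "hostA", "scanner"),
    (datetime(2001, 5, 1, 2, 45), "probe", "hostA", "10.0.0.5"),
    (datetime(2001, 5, 1, 3, 5), "probe", "hostB", "10.0.0.5"),
    (datetime(2001, 5, 2, 1, 30), "attack", "hostA", "10.0.0.5"),
    (datetime(2001, 5, 3, 2, 20), "probe", "hostB", "10.0.0.9"),
    (datetime(2001, 5, 3, 23, 50), "vulnerability", "hostB", "scanner"),
    (datetime(2001, 5, 6, 2, 15), "attack", "hostB", "10.0.0.9"),
    (datetime(2001, 5, 7, 1, 0), "probe", "hostC", "10.0.0.5"),
]
# Constructed user-selected range: May 1 through May 7 (end exclusive).
RANGE_START = datetime(2001, 5, 1)
RANGE_END = datetime(2001, 5, 8)

GRADATIONS = {"hour": timedelta(hours=1), "day": timedelta(days=1)}


def bucket_start(ts, gradation):
    """Floor a timestamp to the start of its bucket (req. 1: user-selectable gradation)."""
    if gradation == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    if gradation == "day":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported gradation: {gradation}")


def frequencies(events, gradation, start, end):
    """Reqs. 2 and 8: count events per (class, bucket) inside a time range."""
    counts = Counter()
    for ts, cls, _host, _src in events:
        if start <= ts < end:
            counts[(cls, bucket_start(ts, gradation))] += 1
    return counts


def series(events, cls, start, end, gradation="day"):
    """One frequency series for a class over a range, with zeros for empty buckets."""
    counts = frequencies(events, gradation, start, end)
    out, bucket = [], bucket_start(start, gradation)
    while bucket < end:
        out.append(counts[(cls, bucket)])
        bucket += GRADATIONS[gradation]
    return out


def compare_ranges(events, cls, ranges, gradation="day"):
    """Req. 11: side-by-side series for several user-specified ranges."""
    return {label: series(events, cls, s, e, gradation) for label, (s, e) in ranges.items()}


def sequence_for_host(events, host):
    """Req. 9: order of event classes on one host, irrespective of absolute time."""
    return [cls for _ts, cls, h, _src in sorted(events) if h == host]


def exposure_to_exploit(events):
    """Req. 12: lag between the first vulnerability seen on a host and the first attack on it."""
    first_vuln, first_attack = {}, {}
    for ts, cls, host, _src in sorted(events):
        if cls == "vulnerability":
            first_vuln.setdefault(host, ts)
        elif cls == "attack":
            first_attack.setdefault(host, ts)
    return {h: first_attack[h] - first_vuln[h] for h in first_vuln if h in first_attack}


def hour_of_day_profile(events, cls):
    """Time-of-day pattern across all days ('do certain events occur at specific times of day?')."""
    return Counter(ts.hour for ts, k, _h, _s in events if k == cls)


def source_activity(events):
    """'Are certain adversaries more active at specific times?': hour-of-day counts per source."""
    profile = {}
    for ts, cls, _h, src in events:
        if cls != "vulnerability":  # scanner findings are not adversary activity
            profile.setdefault(src, Counter())[ts.hour] += 1
    return profile


if __name__ == "__main__":
    print(compare_ranges(EVENTS, "probe", {"May 1-7": (RANGE_START, RANGE_END)}))
    print(sequence_for_host(EVENTS, "hostA"))
    print(exposure_to_exploit(EVENTS))
```

Each function returns plain structures (Counters, lists, timedeltas) so that a display layer such as the temporal wall can render them directly; the `frequencies` output keyed by (class, bucket) is exactly the bar chart of event class versus time that the next slides show, and `compare_ranges` with an "hour" gradation produces the day-by-day panels of the comparison scene.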
Temporal Event Wall Can Display Event Frequencies, Sequences & Durations
[Figure: “Frequencies of Each Event Over Time”. Vertical axis: Event Class (Vulnerabilities & Attacks); horizontal axis: Time (Days in May). User can click on a frequency bar to see which hosts were the targets of the events. Provisional Patent Filed by Applied Visions, Inc.]
Event Wall Scene Links Events, Targets & Attackers in Time
[Figure: classes of vulnerabilities & attacks (can be listed hierarchically) on one axis; the specific time of each event is associated to the targeted host. Time can be shown as a specific point in time or relative sequence. Provisional Patent Filed by Applied Visions, Inc.]
Rear Plane Can Show Attacker Characteristics or Sensor Sources
[Figure: the rear plane shows attack sources and the times that they strike, or the sensors reporting the events. Provisional Patent Filed by Applied Visions, Inc.]
Top View Allows Simultaneous Viewing of Activities Related to Time
[Figure: axes are Time (in hours) and Target Hosts; lines show times that target hosts were hit; attacker information (could also be reporting sensors) is shown alongside. Provisional Patent Filed by Applied Visions, Inc.]
Comparison of Several User-Selected Time Ranges
[Figure: Time (in hours) for each day, Sun through Sat, shown side by side. Provisional Patent Filed by Applied Visions, Inc.]
Status of Work on Temporal Displays
• Software will be completed October 2001
• Test installation of temporal displays at Army’s Land Information Warfare Agency (LIWA) at Fort Belvoir in December 2001
Progress on Mission Impact Displays
Approach to Mission Impact Displays
Starting Points
• We have a good list of requirements
• We have two concepts for visualization: mission association scene, mission dependency ring
• Requirements have to be modified to align with mission model work to date
• Visualization concepts will have to be modified after requirements are refined
Requirements for Mission Impact Scene
1. Illustrate all dependencies between cyber assets and mission-critical tasks
2. For a specific mission, highlight cyber assets that must be secured (i.e. top-down view)
3. For a specific cyber asset, highlight the mission-critical tasks that depend on it (i.e. bottom-up view)
4. Show strength of dependencies (low, medium, high) between cyber assets and mission-critical tasks
5. Show “and/or” dependencies between cyber assets and mission-critical tasks, i.e. substitutability (e.g. to perform ATO generation I need the Joint mapping application, the imagery database and either access to e-mail, or access to a printer and a secure fax machine)
6. Depict the sequence in which specific cyber assets are needed for a mission-critical task
More Requirements for Mission Scene
7. Latest time that a critical asset can be used
8. Show broad status of a mission-critical task (red, yellow, green)
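Requirements 1-5 and 8 above, together with the three analyst questions on the earlier “IA Analysts Want to Know …” slide (which tasks fail if an asset is breached, which assets must be secured for a task, what is impaired if an asset is shut down defensively), can be answered from one dependency model. The following Python is an added example, not the project's mission dependency tables or code; the device names, resources and the two tasks are constructed, the ATO generation dependency is the slide's own and/or example written out as an expression tree, and the red/yellow/green rule (an unmet high-strength dependency is red, an unmet low or medium one is yellow, an “or” node is as good as its best alternative) is an assumption made here.

```python
# Constructed example model (not the report's mission dependency tables).
# Simple resources are hosted on devices (resource x device dependency),
# compound resources are built from simple ones, and mission-critical tasks
# depend on resources through and/or expressions with a strength each.
HOSTED_ON = {
    "joint_mapping": "srv-map-01",
    "imagery_db": "srv-db-01",
    "smtp": "srv-mail-01",
    "print_queue": "prn-01",
    "secure_fax": "fax-01",
}
COMPOUND = {"email": ["smtp"]}   # compound resource -> simple resources it needs (all required)

# Dependency nodes: ("res", resource, strength), ("and", [nodes]), ("or", [nodes]).
# "ATO generation" is the slide's example: mapping AND imagery AND (e-mail OR (printer AND secure fax)).
TASKS = {
    "ATO generation": ("and", [
        ("res", "joint_mapping", "high"),
        ("res", "imagery_db", "high"),
        ("or", [
            ("res", "email", "medium"),
            ("and", [("res", "print_queue", "medium"), ("res", "secure_fax", "medium")]),
        ]),
    ]),
    "Daily intel summary": ("and", [("res", "imagery_db", "high"), ("res", "email", "low")]),
}

RANK = {"green": 0, "yellow": 1, "red": 2}   # requirement 8: broad task status


def devices_for(resource):
    """Devices a resource ultimately runs on; compound resources expand to their parts."""
    if resource in COMPOUND:
        return {d for part in COMPOUND[resource] for d in devices_for(part)}
    return {HOSTED_ON[resource]}


def assets_to_secure(task):
    """Requirement 2 (top-down): every device that can contribute to the task, alternatives included."""
    devices = set()

    def walk(node):
        if node[0] == "res":
            devices.update(devices_for(node[1]))
        else:
            for child in node[1]:
                walk(child)

    walk(TASKS[task])
    return devices


def tasks_depending_on(device):
    """Requirement 3 (bottom-up): mission-critical tasks that depend on a device."""
    return sorted(t for t in TASKS if device in assets_to_secure(t))


def evaluate(node, offline):
    """Status of one dependency node given a set of offline (breached or shut-down) devices.
    Assumed rule: an unmet high-strength dependency is red, an unmet low/medium one is
    yellow; 'and' takes the worst child, 'or' the best (substitutability, requirement 5)."""
    kind = node[0]
    if kind == "res":
        _, resource, strength = node
        if devices_for(resource).isdisjoint(offline):
            return "green"
        return "red" if strength == "high" else "yellow"
    statuses = [evaluate(child, offline) for child in node[1]]
    pick = max if kind == "and" else min
    return pick(statuses, key=RANK.__getitem__)


def impact_of_shutdown(offline_devices):
    """'If I shut down this cyber asset, what mission-critical tasks will be impaired?'"""
    offline = set(offline_devices)
    return {task: evaluate(expr, offline) for task, expr in TASKS.items()}


if __name__ == "__main__":
    print(sorted(assets_to_secure("ATO generation")))
    print(tasks_depending_on("srv-db-01"))
    print(impact_of_shutdown(["srv-mail-01"]))
    print(impact_of_shutdown(["srv-mail-01", "fax-01"]))
```

Taking the mail server offline leaves ATO generation green because the printer-plus-fax alternative still satisfies the “or” branch, while the daily intel summary drops to yellow; taking the imagery database offline turns both tasks red. The same evaluation, run once per device with that device alone offline, gives the per-device impact a mission dependency ring would colour.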
Mission Association Scene Relates Mission to Security Events or Devices That Have Experienced Events
[Figure: line thickness indicates strength of dependency.]
Mission Dependency Rings Show Dependencies Between Cyber Resources and Missions
[Figure: rings labelled Network Devices; Simple Cyber Resources (hosted on devices); Compound Cyber Resources; Mission Critical Tasks/Functions; Missions. Provisional Patent Filed by Applied Visions, Inc.]
Mission Dependency Rings Scene Can Relate Critical Mission Function to Specific Device Characteristics
[Figure: a specific device is selected by the user, based on its characteristics (e.g. location, OS, organization); the scene highlights the resource hosted by the device, the compound cyber resources to which that device contributes (e.g. e-mail), the mission-critical tasks dependent on that device, and the missions associated with the selected device. Provisional Patent Filed by Applied Visions, Inc.]
Requirements for Populating Current Mission Impact Scenes
Type of information that needs to be stored in a database:
• Network devices and their characteristics (type of platform; location; OS; organization to which they are assigned)
• Resources (e.g. services, data, communications) hosted by devices (resource x device dependency)
• Critical tasks and missions dependent on those resources (mission task x resource dependency)
• Strength of each dependency (none, low, medium, high)
• Specific time and sequence requirements for each resource needed for a mission-critical task
• Substitutability of cyber assets
User should be able to enter mission data manually
Capture network data from a network manager (e.g. CA Unicenter stores “business process” information)
Status of Work on Mission Impact Displays
• Additional requirements are being gathered; to be completed in December 2001
• Display concepts will be modified to conform to new requirements and human factors principles
• Software development will commence in February 2002
• Test sites are being sought for installation in October 2002
Technologies Underlying Temporal and Mission Impact Visual Scenes
SecureScope Console and Server Have Been Modified So That Temporal & Mission Impact Scenes Can Interface Easily to Customer RDBMS
[Architecture diagram: Console ↔ Java RMI ↔ Server ↔ JDBC ↔ Customer’s Relational Database]
• Console: Windows 32-bit client, C++, Cortona 3-D Viewer. Responsible for building and rendering of 3D visualizations; user interface.
• Server: Java. Central repository for security event data; receives scene data requests from console and fetches necessary data from database; handles complexity of data storage.
• Customer’s Relational Database: Oracle 7.3, 8i, Access, etc.
Technology Needed to Run Temporal and Mission Impact Scenes At Customer Site
Secure Decisions Provides
• Proprietary SecureScope visualization software that includes association, temporal and mission impact scenes
• Parallel Graphics’ Cortona 3-D Viewer licensed software
• Sun Microsystems and Microsoft XML parsers
• JDBC driver for the customer’s relational database
• Sun Microsystems Java Runtime Environment (JRE)
Customer Provides
• Pentium III hardware platform with 256 MB RAM and 100 MB free hard disk space
• Windows 2000 (or NT 4.0 for older version)
• Microsoft Internet Explorer
• Commercial RDBMS
• Database schema
D’Amico, A. “Cyber Defense Situational Awareness.” Computer Security in a Collaborative Research Environment, Brookhaven National Laboratory Symposium, Brookhaven, NY, June 27, 2000.
D’Amico, A. “Cyber Defense Situational Awareness.” InfoWarCon, Washington, DC, September 13, 2000.
D’Amico, A. and Larkin, M. “Methods of Visualizing Temporal Patterns in and Mission Impact of Computer Security Breaches.” Accepted for DISCEX conference, June 2001.
Key Staff
• Anita D’Amico, P.I.: Manages program; provides overall direction; gathers user requirements; guides changes to display designs
• Stephen Salas, Project Engineer: Directs software implementation and installation of prototype system; develops software
• John O’Hara, Sub-Contractor: Provides access to human factors requirements for 3-D displays from other industries
• David Spector, Sub-Contractor: Provides commercial information security expertise as input into user requirements
Visualization of Temporal Patterns in and Mission Impact of Cyber Security Breaches
New Ideas
• Implement visualization aids to the discovery and analysis of time patterns in cyber security breaches
• Implement visualization aids to understanding the impact of cyber security breaches on mission-critical tasks
• Develop methods for easily interfacing visualization aids to most database schema containing temporal & mission impact data
[Figure: “Frequencies of Each Event Over Time”; axes Event Class (Vulnerabilities & Attacks) vs Time (Days in May); user can click on a frequency bar to see which hosts were the targets of the events. Provisional Patent Filed by Applied Visions, Inc.]
Impact
• Speeds IA analysts’ access to information about the progression, sequence and time urgency of an impending cyber attack
• Improves speed of comprehending the impact of cyber threats to critical missions
• Improves maintenance of critical mission operations in the presence of cyber threats
Schedule
Tasks (charted across FY 01, FY 02 and FY 03, with quarterly reports and program reviews):
1. Implement temporal displays
2. Integrate temporal displays at test site
3. Cooperate with mission model programs
4. Modify mission impact displays
5. Implement mission impact displays
6. Integrate mission displays at test site
7. Document results
8. Prepare commercialization report
9. Manage project
A Division of Applied Visions, Inc. www.SecureDecisions.com