6/24/2019, 2019 Copyright KDM Analytics
Prioritize, Measure and Quantify Cyber Security Risk
CYBERSECURITY BEST PRACTICES: AUTOMATED
MODEL-BASED RISK ASSESSMENT
Dr. Nikolai Mansourov, CTO KDM Analytics
CASE STUDY: EPBIH PRODUCTION SCADA
Case Study
• System under assessment: SCADA, EPBIH implementation, production level
▪ Only a model is assessed, NOT the real implementation
• Selected a lightweight input format: Word document with structured tables
▪ 12 tables
▪ Effort ~3 days (mostly to understand the details of the data flows)
• Imported the description into the Blade Risk Manager (BRM) tool
▪ 30 assets
▪ 28 attacker types
▪ 1294 attacks
▪ 41 identified risks
The architecture diagram
Using Word document as the model
Structured content in tables
System Description Table
Data Flow Table (fragment)
External Interface Table
Data Type Table
Capability Table
Imported Model
Architecture with “real” connections
Risk Matrix
Risk Matrix and Risk Inventory
Evaluated some controls
• Raw risk (no controls)
▪ Unmitigated risk value is 1694.7
❑ very high risks: 1
❑ high risks: 3
❑ moderate risks: 27
❑ low risks: 5
❑ very low risks: 4
• Asked BRM to automatically suggest controls from the NIST low-impact baseline that mitigate the top risk
▪ 76 controls are recommended
▪ Mitigated risk value is 503.6
❑ very high risks: 0
❑ high risks: 2
❑ moderate risks: 23
❑ low risks: 11
❑ very low risks: 4
This risk is determined only by the means and opportunities of the attackers, given the targets within the system
More controls
• Asked BRM to mitigate the next top risk, again with controls from the NIST low-impact baseline
▪ Same 76 controls, additional targets
▪ Mitigated risk value is 63.4
❑ very high risks: 0
❑ high risks: 0
❑ moderate risks: 6
❑ low risks: 25
❑ very low risks: 9
This risk is a what-if scenario, given the model of the system; a possible next step might be to consider the real controls known to the system owners
Risk Distribution after mitigation
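The following is an added example, not KDM Analytics' code and not BRM's scoring method. It is a toy Python version of the workflow the slides describe, from the structured tables (assets, data flows, external interfaces) through the connections derived from the flows, the enumeration of attacks per attacker type and reachable target, the banded per-target risk inventory, and the what-if re-runs after binding controls to the current top risk. Every asset, attacker, data flow and mitigation strength is constructed for illustration; the SP 800-53 control identifiers are real control names used only as labels; and the "means x opportunity x criticality" score, the opportunity-by-pivot-count rule and the band thresholds are assumptions of this example, not the tool's.

```python
"""Toy model-based risk assessment in the spirit of the BRM case study:
structured tables -> derived connections -> enumerated attacks -> banded
risks -> what-if re-runs with controls. Illustration only, not BRM's method."""
from collections import Counter, deque

# Constructed mini SCADA model mirroring the Word tables; every name and number is made up.
MODEL = {
    "assets": {  # asset -> criticality, 1 (low) .. 5 (production critical)
        "Corporate Web Portal": 2,
        "Historian": 3,
        "SCADA Server": 5,
        "HMI Workstation": 3,
        "PLC Gateway": 5,
    },
    "data_flows": [  # (source, destination, data type)
        ("HMI Workstation", "SCADA Server", "control commands"),
        ("SCADA Server", "PLC Gateway", "control commands"),
        ("SCADA Server", "Historian", "telemetry"),
        ("Historian", "Corporate Web Portal", "reports"),
    ],
    "external_interfaces": {  # exposed asset -> interface it is exposed on
        "Corporate Web Portal": "internet",
        "HMI Workstation": "operator console",
    },
    "attackers": {  # attacker type -> (means 1..5, interfaces it can reach)
        "Remote attacker": (5, {"internet"}),
        "Insider operator": (3, {"operator console"}),
    },
}
# Real SP 800-53 control names used as labels; the mitigation strength (opportunity cut) is assumed.
BASELINE_CONTROLS = [("SC-7 Boundary Protection", 1), ("IA-2 Identification and Authentication", 1)]
# score = means x opportunity x criticality (max 5*5*5 = 125); band thresholds are assumed.
BANDS = [(75, "very high"), (50, "high"), (25, "moderate"), (10, "low"), (0, "very low")]

def connections(model):
    """'Real' connections: undirected adjacency derived from the data-flow table."""
    adj = {asset: set() for asset in model["assets"]}
    for src, dst, _data_type in model["data_flows"]:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj

def hops_from(entry_assets, adj):
    """BFS: pivots needed from the attacker's entry assets to reach each asset."""
    dist = {asset: 0 for asset in entry_assets}
    queue = deque(entry_assets)
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def enumerate_attacks(model, applied_controls=()):
    """One attack per (attacker type, reachable target); applied controls cut opportunity on their target."""
    adj, reduction = connections(model), {}
    for _control_id, target, strength in applied_controls:
        reduction[target] = reduction.get(target, 0) + strength
    attacks = []
    for attacker, (means, interfaces) in model["attackers"].items():
        entry = [a for a, iface in model["external_interfaces"].items() if iface in interfaces]
        for target, hops in hops_from(entry, adj).items():
            opportunity = max(0, max(1, 5 - hops) - reduction.get(target, 0))  # direct access = 5
            score = means * opportunity * model["assets"][target]
            attacks.append({"attacker": attacker, "target": target, "hops": hops, "score": score})
    return attacks

def risk_inventory(attacks):
    """Per-target risk = worst attack on that target, kept whole so the risk traces back to its inputs."""
    risks = {}
    for atk in attacks:
        if atk["target"] not in risks or atk["score"] > risks[atk["target"]]["score"]:
            risks[atk["target"]] = {**atk, "band": next(n for t, n in BANDS if atk["score"] >= t)}
    return sorted(risks.values(), key=lambda r: r["score"], reverse=True)

def summarize(risks):
    dist = {name: 0 for _, name in BANDS}
    dist.update(Counter(r["band"] for r in risks))
    return sum(r["score"] for r in risks), dist  # (total risk value, risks per band)

def suggest_controls(top_risk):
    # Same baseline controls every round, bound to one more target: the current top risk's.
    return [(cid, top_risk["target"], strength) for cid, strength in BASELINE_CONTROLS]

def what_if_rounds(model, rounds=2):
    """Raw risk first, then re-assess after mitigating the current top risk, `rounds` times."""
    applied, history = [], []
    for _ in range(rounds + 1):
        risks = risk_inventory(enumerate_attacks(model, applied))
        history.append((*summarize(risks), list(applied)))
        applied += suggest_controls(risks[0])
    return history

if __name__ == "__main__":
    for total, dist, applied in what_if_rounds(MODEL):
        print(f"risk value {total:>4}  controls applied {len(applied):>2}  {dist}")
```

Running it prints three rounds: the raw inventory, in which the remote attacker's pivot from the internet-facing portal through the historian to the SCADA server is the single very high risk, then the distribution after the baseline controls are bound to that server, then after they are also bound to the next top target. Because each risk keeps the attack record behind it (attacker, target, pivot count), any change of band is traceable to the input facts, and changing a criticality or an attacker's means in MODEL and re-running is the cheap iteration the deck describes.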
Conclusions
• Automated risk assessment capability is
▪ Objective
▪ Systematic
▪ Repeatable
▪ Cheap to iterate (!)
• Top-down presentation of risk (risk matrix, risk distributions) helps focus on proper risk framing
• Easy to steer the tool based on your policy (e.g. adjustments of criticality and opportunities for attacks)
• Full traceability of risks all the way to the input facts
• Describing the system through a Word document is not ideal, but reasonably quick
▪ Better to import directly from the SCU files
▪ Easy to spot inconsistencies and re-run analysis
▪ Easy to introduce additional detail
▪ Easy to copy and paste to jumpstart next project
QUESTIONS?