1 michael siegel james houghton advancing cybersecurity using system dynamics simulation modeling...
TRANSCRIPT
1
Michael SiegelJames Houghton
Advancing Cybersecurity Using System Dynamics Simulation Modeling
For System Resilience, Patching, and Software
Development
Interdisciplinary Consortium for Improving Critical Infrastructure
Cybersecurity (IC)3
3 Sept 2014
Mission: Resiliency of Organizations & Markets Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational “ecosystem”—the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors
Key questions: • Behavioral: What are the attitudes and perceptions of the
private sector about cyber security? • Managerial: What solutions can feasibly be manipulated by
the firm or sector itself, and what can be encouraged or directed by outside actors?
• Technological: What is effecting product security of key IT components?
Modeling framework to unpack cyber dynamics and provide organizational framework
2
Brief Overview of System DynamicsSDM used as modeling & simulation method over 50 years
• Eliminate limitations of linear logics and over-simplicity• Based on system structure, behavior patterns,
interconnections of positive & negative feedback loops
SDM has been applied to numerous domains• Software development projects• Process Improvement projects• Crisis and threat in the world oil market• Stability and instability of countries• … many many others …
SDM helps to uncover ‘hidden’ dynamics in system• Helps understand ‘unfolding’ of situations, • Helps anticipate & predict new modes• Explore range of unintended consequences
3
Mission: Dynamics of Threats and Resilience
Systems Notat Risk
Systems AtRisk
AffectedSystems
Risk Promotion
Risk Reduction
Attack Onset
Recovery
Adverse Behaviors &Management Risk Management
ThreatManagement
Real-WorldImplications
Financial,Data,
Integrity,Reputation
* Verizon Data Breach Report
67% were aided by significant errors (of the victim)
How did breaches (threats) occur? *
64% resulted from hacking
38% utilized Malware
Over 80% of the breaches had patches available for more than 1 year
How are security and threat processes (resilience) managed? *
75% of cases go undiscovered or uncontained for weeks or months
4
Systems Notat Risk
Systems AtRisk
AffectedSystems
Risk Promotion
Risk Reduction
Attack Onset
Recovery
Adverse Behaviors &Management Risk Management
ThreatManagement
Real-WorldImplications
Financial,Data,
Integrity,Reputation
Relating Actions to Outcomes
Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive?
5
6
NotCompromised
Identified Attack Vectors
Compromised
AttackerCapabilities
Sector Performance
Firm KnowledgeAnd
Awareness
Indentifying Exploits
• Resources• Motivation• Skills• Awareness
• Visibility• Technical Capabilities• Process• Architecture • Info Sharing
Patching
Attack Vector Identification
Reverse Engineering
Firm Performance
VendorResilience and
Responsiveness
7
Architecture Resilience
NotCompromised
Identified Attack Vectors
Compromised
AttackerCapabilities
Sector Performance
Firm KnowledgeAnd
Awareness
System Compromising
Firm Performance
EstablishingFootholds
Remediating
Compromising
• Availability• Data Security• Public Awareness
DefensiveProcedures
Simulation Modeling Overview
NotCompromised
IdentifiedAttack Vectors
IndentifyingVulnerabilities
Compromised
Compromising
RecoveryReducingVulnerabilities
System Change
Change in Systems
<VulnerabilityIdentification Rate>
<CompromisingRate>
<Recovery Rate>
Total Systems
FractionVulnerable
FractionCompromised
<Action to ReduceVulnerabilities>
ApplicationSoftwareSecurityChange in Security
Initial ApplicationSecurity
Effect of Investment onApplication Security
Effect of Application SoftwareSecurity on Vulnerability
Identification
Base ApplicationSoftware Security
NormalizedSoftware Security
Function for Effect ofNormalized Software
Security
Test for Change inApplication Security
ApplicationSecurity Height
ApplicationSecurity Time
Application SecurityDuration
Software Security
Patch DelayChange in Patch
DelayBase Patch Delay
New Patch Delay
Time to UpdatePatch Delay
Patching
CompromisingRate
Test Input forCompromising Rate
Change inCompromising Rate
CompromisingRate Height
CompromisingRate Time
Compromising RateDuration
<Attack VectorGap>
ImpliedCompromising Rate
CompromisingDelays
Attacking
8
Making the Case
200
150
100
50
00 10 20 30 40 50 60 70 80 90 100
Week
200
170
140
110
800 10 20 30 40 50 60 70 80 90 100
Week
200
170
140
110
800 10 20 30 40 50 60 70 80 90 100
Week
Not Compromised Attack Vectors Infected
Technical
10
7.5
5
2.5
0
0 10 20 30 40 50 60 70 80 90 100Week
20
17
14
11
8
0 10 20 30 40 50 60 70 80 90 100Week
“Upstream Costs” “Downstream Costs”
Managers
2,000
1,500
1,000
500
0
0 10 20 30 40 50 60 70 80 90 100Week
Total Costs
Senior Management (CIO)
Blue is base case; red case is patching with configuration standards; green is current case
9
Summary of Results Solving problems “upstream” is more effective than
fixing them “downstream.”
Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions.
Nonlinearities and tipping points may exist due to inertia and path-dependence in systems.
10
BACKUP
11
Valuing Software Portfolios Using System Dynamics Models
Project value changes over time depending on maintenance• At first the value rises as
application development takes shape
• It then adjusts overtime according to the maintenance spend
A project may have a high initial expected value, but maintenance dynamics may erode that value over time
The graph shows the value of one application given different maintenance
Application Task Backlog
400
300
200
100
0
0 6 12 18 24 30 36 42 48 54 60Time (Month)
pac
kag
esApplication Task Backlog : test2Application Task Backlog : test1Application Task Backlog : test4Application Task Backlog : test3
Time
Value
0
100
We plan for the blue case when the red case may be more likely
Patching Dynamics
13
Downstream Dynamics
14