
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Keanini

Date post: 15-May-2015
Upload: security-b-sides
Description:
Scoring methods are highly reliant on mathematics but what do the numbers really mean? W3C semantic standards allow us to create a more direct meaning-based model. Through set theory and description logics, we can compute classification and ranking through ontological-based reasoning. This method finally addresses the multiple viewpoints and perspectives often found within a large enterprise.
Transcript
Page 1: Computing Risk without Numbers:  A Semantic Approach to Risk Metrics - Tim Keanini

© nCircle 2010. All rights reserved.

Computing Risk Without Numbers: A Semantic Approach to Risk Metrics

Tim “TK” Keanini, CTO

Page 2

Scoring Systems and Everyday Classification

• Credit-worthiness Class
• Legal to drink / Legally drunk
• Weight Class
• Social-Economic Class
• Age Class

Given a number, within a social context, we are able to infer membership to a class

* The terms ‘Set’ and ‘Class’ are synonymous in this presentation

Page 3

Scoring Systems: syntax and semantics

• Numbers digitize certain aspects of an observable domain
  – They also help ignore what is not being counted!
• Unlike the physical domain, before we can count things in the information domain, we must all agree on what is being counted.
  – The challenge is that we don’t share the same domain expertise and understanding across an enterprise
• Scoring systems are dependent on social processes that institutionalize semantics
  – They often fall short when asked to support multiple perspectives and points of view

Page 4

The role of Classification and Ranking

• Classification methods help us explain how many different things are the same
  – Naming (enumeration) differentiates the members of the set
• Ranking methods help us explain how the same things [members of the class] are different.

* Ranking is just one of the many methods of member differentiation

Page 5

Thinking in Sets/Class and Membership

There are 3 blue triangles

[Figure: three blue triangles drawn inside the overlapping sets Triangle, Three and Blue]

…each is a member of the intersection of the set Blue, the set Triangle, and the set Three

Page 6

Scoring Systems as a Ranking Function

• Scoring Systems help us rank the members of a certain class.
  – CVSS does well in ranking members of the vulnerability class

[Figure: a set whose members are vulnerabilities, plotted against a CVSS score axis running from 10.0 down to 1.0]

* Omitted Temporal and Environmental Metric in this diagram

Page 7

Scoring systems: Challenges

• Can be too Coarse?
  – Too many of one number?
• Can be too Precise?
  – Too many to be actionable
• But ultimately, we end up with a classification scheme that is actionable and meaningful to a particular community’s Point of View (POV)

[Figure: the CVSS axis from 10.0 down to 1.0 with vulnerabilities bucketed by score, read three ways: POV 1: SCORE CARDS maps score ranges to grades F, D, C, B, A; POV 2: COMPLIANCE maps them to FAIL / PASS; POV 3: IT OPERATIONS maps them to Fix 1 hour / Fix in 7 days / Fix in 30 days]

Scoring systems today do not carry with them enough information to support multiple interpretations of the numbers

Page 8

Summary of Scoring System Challenges

• Ensuring that everyone understands the aspects of the scoring system the same way has been challenging
  – Given the heterogeneous viewpoints of an Enterprise, this could be impractical
  – If it is at all practical, it may be lossy
  – Often too static for the dynamic nature of the world it is modeling
• The scoring system accounts for each member in isolation
  – Difficult to account for compositional vulnerabilities
  – Difficult to model the relationships between members of certain classes
• The numbers are not precise enough or too precise
• Ultimately, computing the membership to meaningful sets is the goal

Page 9

W3C Semantic Technologies

Page 10

W3C Semantic Technology Stack

Layers shown in the stack diagram:
• Identifiers: URI; Character Set: UNICODE
• Syntax: XML / Namespaces
• Validation: XML Schema
• Access: XML Query
• Data Interchange: RDF
• Vocabularies: RDFS
• Querying: SPARQL
• Ontologies: OWL (OWL-Full, OWL-DL, OWL-Lite)

The side labels Coding, Structure and Inference group these layers from the bottom of the stack to the top.

Page 11

RDF – Resource Description Framework

[Figure: the W3C stack from page 10, with “YOU ARE HERE” marking the Data Interchange: RDF layer]

Page 12

RDF – Labeled-Directed Graph

• Data Model is a ‘labeled-directed graph’
  – All nodes and arcs have some type of label (identifier)
  – Arcs point only in one direction

[Figure: graph with the nodes Apache123, Apache, WebServer, 1.3.30, 5/13/2009, OpenSSL456, OpenSSL, Shared Library and 0.9.7c, connected by labeled, one-directional arcs]

Page 13

RDF – Statements in the form of a triple

• All statements in the form of a triple
  – Subject-Predicate-Object (S,P,O)
  – Set of these triples begin to model a domain in the form of a graph

Subject (S)    Predicate (P)      Object (O)
Apache         rdfs:subClassOf    WebServer
Apache123      rdf:type           Apache
Apache123      dct:hasVersion     1.3.30
Apache123      :installedOn       05/13/2009
Apache123      :bundles           OpenSSL456
OpenSSL456     dct:hasVersion     0.9.7c
OpenSSL456     rdf:type           OpenSSL
OpenSSL        rdfs:subClassOf    SharedLibrary

Page 14

RDF – Graph Model

[Figure: the eight (Subject, Predicate, Object) triples listed on page 13 drawn as a labeled-directed graph over the nodes Apache123, Apache, WebServer, 1.3.30, 5/13/2009, OpenSSL456, OpenSSL, Shared Library and 0.9.7c]

Page 15

RDF – Different Syntax

• How one would express:
  – Apache is a member of the set Webserver
• N3
  :Apache rdf:type :Webserver .
  :Apache a :Webserver .
• RDF/XML
  <rdf:Description rdf:about="#Apache">
    <rdf:type rdf:resource="#Webserver"/>
  </rdf:Description>
• RDF/XML-ABBREV
  <Webserver rdf:ID="Apache"/>
• SeeAlso: TURTLE and N-TRIPLE
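As an added example (not part of the deck or of nCircle's tooling), a small Python parser for the N3/Turtle-style statements shown above. It expands the `a` shorthand and the prefixed names into full IRIs and then indexes the resulting triples as the labeled-directed graph of pages 12 to 14. The default namespace `http://example.org/risk#`, the function names, and the quoting of the version and date values as literals are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Namespace prefixes for the CURIEs used on the slides. The empty prefix
# (":Apache") is bound to a constructed example namespace.
PREFIXES: Dict[str, str] = {
    "": "http://example.org/risk#",  # assumed default namespace
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
    "dct": "http://purl.org/dc/terms/",
}

Triple = Tuple[str, str, str]


def expand(term: str) -> str:
    """Expand a prefixed name to a full IRI. Quoted literals pass through."""
    if term == "a":  # Turtle/N3 shorthand for rdf:type
        return PREFIXES["rdf"] + "type"
    if term.startswith('"'):
        return term
    prefix, sep, local = term.partition(":")
    if not sep or prefix not in PREFIXES:
        raise ValueError(f"unknown prefix in term {term!r}")
    return PREFIXES[prefix] + local


def parse_statements(text: str) -> List[Triple]:
    """Parse whitespace-separated 'S P O .' statements (a Turtle/N3 subset).

    Literals must be double-quoted so that values such as "1.3.30" are not
    confused with the statement terminator, and the terminator must be a
    stand-alone '.' token, as it is on the slides.
    """
    tokens = re.findall(r'"[^"]*"|\S+', text)
    triples: List[Triple] = []
    current: List[str] = []
    for tok in tokens:
        if tok == ".":
            if len(current) != 3:
                raise ValueError(f"malformed statement: {' '.join(current)}")
            triples.append((expand(current[0]), expand(current[1]), expand(current[2])))
            current = []
        else:
            current.append(tok)
    if current:
        raise ValueError("input ended inside a statement (missing '.')")
    return triples


def build_graph(triples: List[Triple]) -> Dict[str, List[Tuple[str, str]]]:
    """Index triples as a labeled-directed graph: node -> [(arc label, target)]."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for s, p, o in triples:
        graph.setdefault(s, []).append((p, o))
        graph.setdefault(o, [])  # every object is a node too, even a leaf
    return graph


# The eight statements from page 13 in Turtle/N3 form; version and date
# values are quoted as literals (an assumption of this example).
SLIDE_STATEMENTS = """
:Apache rdfs:subClassOf :WebServer .
:Apache123 a :Apache .
:Apache123 dct:hasVersion "1.3.30" .
:Apache123 :installedOn "05/13/2009" .
:Apache123 :bundles :OpenSSL456 .
:OpenSSL456 dct:hasVersion "0.9.7c" .
:OpenSSL456 rdf:type :OpenSSL .
:OpenSSL rdfs:subClassOf :SharedLibrary .
"""

if __name__ == "__main__":
    for node, arcs in build_graph(parse_statements(SLIDE_STATEMENTS)).items():
        for label, target in arcs:
            print(f"{node} --{label}--> {target}")
```

Because `a` and `rdf:type` expand to the same IRI, the two N3 spellings on this page parse to the identical triple, which is the point the slide makes about syntax versus meaning.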

Page 16

RDF - Nodes and Arcs are first-class entities

[Figure: two small hierarchies: the class Linux is a subClass of the class OS; the properties hasCVEid and hasBugtraqID are each a subProperty of hasVulnerability]

If X is a member of the Set Linux; Then X is a member of the Set OS;
If A hasCVE B; Then A hasVulnerability B;

Assertion: OpenSSL_0.9.7c hasCVEid CVE-2004-0112
Inference: OpenSSL_0.9.7c hasVulnerability CVE-2004-0112

Assertion: RedHat rdf:type Linux
Inference: RedHat rdf:type OS

Page 17

Quick Review

• RDF is a Labeled-Directed Graph
• An RDF statement is made up of a Subject-Predicate-Object sometimes called a “Triple”
• Both nodes and arcs are first-class
• Next Stop: The Power of Inference

Page 18

RDF Schema

[Figure: the W3C stack from page 10, with “YOU ARE HERE” marking the Vocabularies: RDFS layer]

Page 19

RDF Schema (RDF-S)

• RDF Vocabulary Description Language 1.0: RDF Schema
  – Vocabulary defined with RDF statements (triples)
• RDF-S Vocabulary is small
  – Relation between classes (Class, subClassOf)
  – Relation between properties (Property, subPropertyOf)
  – Class membership of individuals via properties (domain, range)
• Provides some sense of “meaning” to the RDF data
  – Meaning = what we can explicitly infer from the data
  – Axioms that express exactly what inference can be drawn
  – Semantics expressed through the mechanism of inference
  – Let’s explore in the next slides how this works

Page 20

Type Propagation

• rdfs:Class
  :Root_Kit rdf:type rdfs:Class .
  :Malware rdf:type rdfs:Class .
• rdfs:subClassOf
  :Root_Kit rdfs:subClassOf :Malware .
  :foobar rdf:type :Root_Kit .
  we can then infer the triple
  :foobar rdf:type :Malware .

AXIOM
IF   A rdfs:subClassOf B .
     r rdf:type A .
THEN r rdf:type B .

[Figure: Root_Kit –rdfs:subClassOf→ Malware, with foobar drawn as a member of Root_Kit and, by inference, of Malware]

Page 21

Relationship Propagation

• rdfs:Property
  :hasBrother rdf:type rdfs:Property .
  :hasSibling rdf:type rdfs:Property .
• rdfs:subPropertyOf
  :hasBrother rdfs:subPropertyOf :hasSibling .
  :alice :hasBrother :bob .
  we can infer the triple
  :alice :hasSibling :bob .

AXIOM
IF   P rdfs:subPropertyOf R .
     A P B .
THEN A R B .

Page 22

Property-Oriented versus Object-Oriented

• Semantic data is focused on the relationship between entities and thus Property-Oriented
• In Object-Oriented models, an entity is understood to be a member of a class because the class acts as a “template” for its birth
• In Property-Oriented models, an entity is understood to be a member of a class because of its relationships
• <DOMAIN> property_P <RANGE>
  – The domain is the collection of types that use the property
  – The range is the types of values this property describes
  – Example: domain :CPE, property :hasVulnerability, range :CVE

Page 23

Class Membership through Relationships

• Similar to domain and range in math
  :property_P rdfs:domain D-class .
  :property_P rdfs:range R-class .
  Domain applies to the Subject; Range applies to the Object
• Example:
  :usesSharedLib rdfs:domain :Application .
  :usesSharedLib rdfs:range :SharedLib .
  – Assertion: :Apache :usesSharedLib :OpenSSL .
  – Inference: :Apache rdf:type :Application . :OpenSSL rdf:type :SharedLib .

AXIOM (subject)
IF   P rdfs:domain D-class . and x P y .
THEN x rdf:type D-class .

AXIOM (object)
IF   P rdfs:range R-class . and x P y .
THEN y rdf:type R-class .

Page 24

What are the limits to RDFS?

• RDFS may not have enough detail for your modeling
  – No localized range and domain constraints
    • Can’t say that “the domain of hasParent is Child when applied to Human and Calf when applied to Elephants”
  – No existence/cardinality constraints
    • Can’t say that “all instances of person have a mother that is also a person”, or that persons have exactly 2 parents
  – No transitive, inverse or symmetrical properties
    • Can’t say that isAncestorOf is a transitive property
    • Can’t say that bundles is the inverse of isBundledBy
    • Can’t say that isMarriedTo or isPeeredWith is symmetrical

Page 25

How can we compute the membership to a class?

Page 26

How does inference work?

• Basic RDF Triple
• Basic RDFS Model
• Assert an RDF Triple
• Results are new RDF Triples that were inferred from the model

Model:
Subject          Predicate          Object
hasScore         rdfs:domain        CVE
hasScore         rdfs:range         Score
CVE              rdfs:subClassOf    Vulnerability

Asserted:
CVE-2003-0818    hasScore           10.0

Inferred:
CVE-2003-0818    rdf:type           CVE
CVE-2003-0818    rdf:type           Vulnerability
10.0             rdf:type           Score

“We compute the membership through one object’s relationship to another”
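The four axioms from pages 20, 21 and 23 and the hasScore model on this page, as an added Python example that is not code from the talk: a forward-chaining reasoner applies the axioms until no new triple appears, which is how the inferred rows above follow from the model plus a single asserted triple. Prefixed names are kept as plain strings, and the `apply_axioms`, `infer` and `members` functions are this example's own.

```python
from typing import Set, Tuple

Triple = Tuple[str, str, str]

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
RANGE = "rdfs:range"


def apply_axioms(graph: Set[Triple]) -> Set[Triple]:
    """One pass of the four RDFS axioms from the slides; returns only triples not yet in graph."""
    derived: Set[Triple] = set()
    for s, p, o in graph:
        if p == SUBCLASS:
            # IF A rdfs:subClassOf B . r rdf:type A . THEN r rdf:type B .
            derived |= {(r, RDF_TYPE, o) for r, p2, a in graph if p2 == RDF_TYPE and a == s}
        elif p == SUBPROP:
            # IF P rdfs:subPropertyOf R . A P B . THEN A R B .
            derived |= {(a, o, b) for a, p2, b in graph if p2 == s}
        elif p == DOMAIN:
            # IF P rdfs:domain D-class . x P y . THEN x rdf:type D-class .
            derived |= {(x, RDF_TYPE, o) for x, p2, _y in graph if p2 == s}
        elif p == RANGE:
            # IF P rdfs:range R-class . x P y . THEN y rdf:type R-class .
            derived |= {(y, RDF_TYPE, o) for _x, p2, y in graph if p2 == s}
    return derived - graph


def infer(asserted: Set[Triple]) -> Set[Triple]:
    """Forward-chain to a fixpoint: re-apply the axioms until nothing new appears.

    Chained facts (CVE subClassOf Vulnerability after a domain inference
    typed the subject as CVE) need the second pass, which is why a single
    application of the axioms is not enough.
    """
    graph = set(asserted)
    while True:
        new = apply_axioms(graph)
        if not new:
            return graph
        graph |= new


def members(graph: Set[Triple], cls: str) -> Set[str]:
    """Extension of a class: every subject with an rdf:type arc to cls."""
    return {s for s, p, o in graph if p == RDF_TYPE and o == cls}


# Schema (model) triples taken from pages 16, 20, 21, 23 and 26.
MODEL: Set[Triple] = {
    (":Root_Kit", SUBCLASS, ":Malware"),
    (":hasBrother", SUBPROP, ":hasSibling"),
    (":hasCVEid", SUBPROP, ":hasVulnerability"),
    (":usesSharedLib", DOMAIN, ":Application"),
    (":usesSharedLib", RANGE, ":SharedLib"),
    (":hasScore", DOMAIN, ":CVE"),
    (":hasScore", RANGE, ":Score"),
    (":CVE", SUBCLASS, ":Vulnerability"),
}

# Asserted data triples from the same pages.
ASSERTED: Set[Triple] = {
    (":foobar", RDF_TYPE, ":Root_Kit"),
    (":alice", ":hasBrother", ":bob"),
    (":OpenSSL_0.9.7c", ":hasCVEid", "CVE-2004-0112"),
    (":Apache", ":usesSharedLib", ":OpenSSL"),
    (":CVE-2003-0818", ":hasScore", '"10.0"'),
}


def inferred_only() -> Set[Triple]:
    """The triples the reasoner adds on top of model + assertions."""
    return infer(MODEL | ASSERTED) - (MODEL | ASSERTED)


if __name__ == "__main__":
    for t in sorted(inferred_only()):
        print("inferred:", *t)
```

Nothing here checks that the asserted data is consistent with the schema; RDFS only ever adds triples, so a mistyped assertion silently becomes a new class membership. That is the behaviour the talk relies on, and also the reason a production model needs the constraint vocabulary that page 24 says RDFS lacks.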

Page 27

Meaningful classes within the security domain

• Consider these sets
  – Secure
  – Mission Critical
  – Compliant
  – Top Secret
• Also consider their complements
  – Insecure
  – Expendable
  – Not Compliant
  – Public
• The objective is to compute membership into some meaningful set

Page 28

Computing membership into meaningful classes

[Figure: the sets Secure, Mission Critical, Compliant and Top Secret with their complements Insecure, Expendable, Not Compliant and Public; intersections of these sets are labeled with SLAs (SLA: FIX NOW, SLA: FIX 4hr, SLA: FIX in 24hr), and Host33 is drawn in TopSecret, in Insecure, and in their intersection]

Model:
If x hasTopSecretData y; then x is a member of TopSecret
If x hasCVE “CVE-2007-1748”; then x is a member of Insecure
Any member of TopSecret that is also a member of Insecure, assign to SLA: FIX NOW

Asserted:
Host33 hasTopSecretData “file44”
Host33 hasCVE “CVE-2007-1748”

Inferred:
Host33 rdf:type SLA:FIX NOW

Page 29

Change in feasibility for an entire class of attacks

• DNS Cache Poisoning
  – CVE-2008-1447
• If X/Y are DNS servers that have CVE-2008-1447, assign the hosts (a/b) whose resolvers point at members X/Y to a class called Urgent-Investigation

[Figure: Servers X and Y tagged DNSserver and CVE-2008-1447; Clients a and b point their resolvers at them and are placed in the Urgent-Investigation set]
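As an added Python example (not the talk's own code), the membership rules from pages 27 to 29 computed with plain set operations over asserted facts: TopSecret and Insecure are derived from relationships, their intersection is assigned to SLA: FIX NOW, and the DNS rule places clients of a server carrying CVE-2008-1447 into Urgent-Investigation. It generalizes the page 28 Insecure rule from the one CVE id to any hasCVE arc, and adds constructed hosts (Host34, Host35, DnsX, DnsY, ClientA, ClientB) so that each set has something to discriminate; the complements are computed closed-world, a choice the code comments on.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

# Constructed asset facts. Host33, its CVE, the DNS server CVE and the class
# names come from the slides; the other hosts and resolver links are invented.
FACTS: List[Triple] = [
    ("Host33", "hasTopSecretData", "file44"),
    ("Host33", "hasCVE", "CVE-2007-1748"),
    ("Host34", "hasTopSecretData", "file45"),   # top secret, no known CVE
    ("Host35", "hasCVE", "CVE-2007-1748"),      # insecure, no top secret data
    ("DnsX", "rdf:type", "DNSserver"),
    ("DnsX", "hasCVE", "CVE-2008-1447"),        # resolver with the cache poisoning CVE
    ("DnsY", "rdf:type", "DNSserver"),          # resolver with no known CVE
    ("ClientA", "resolverPointsAt", "DnsX"),
    ("ClientB", "resolverPointsAt", "DnsY"),
]


def index_by_predicate(facts: List[Triple]) -> Dict[str, Set[Tuple[str, str]]]:
    """predicate -> set of (subject, object) pairs: the arcs of the graph, grouped by label."""
    idx: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for s, p, o in facts:
        idx[p].add((s, o))
    return idx


def compute_classes(facts: List[Triple]) -> Dict[str, Set[str]]:
    """Compute the extension of each meaningful class from the asserted relationships."""
    idx = index_by_predicate(facts)
    cls: Dict[str, Set[str]] = {}

    # Page 28: if x hasTopSecretData y, then x is a member of TopSecret.
    cls["TopSecret"] = {s for s, _o in idx["hasTopSecretData"]}
    # Page 28, generalized: any x with a hasCVE arc is a member of Insecure
    # (the slide names the single id CVE-2007-1748).
    cls["Insecure"] = {s for s, _o in idx["hasCVE"]}

    # Page 27 complements. These are only computable under a closed-world
    # reading: an asset with no recorded CVE counts as Secure here, which an
    # open-world OWL reasoner would refuse to conclude from absence of data.
    universe = {s for s, _p, _o in facts}
    cls["Public"] = universe - cls["TopSecret"]
    cls["Secure"] = universe - cls["Insecure"]

    # Page 28: any member of TopSecret that is also a member of Insecure -> SLA: FIX NOW.
    cls["SLA:FIX NOW"] = cls["TopSecret"] & cls["Insecure"]

    # Page 29: if X is a DNSserver with CVE-2008-1447, every host whose
    # resolver points at X is a member of Urgent-Investigation.
    dns_servers = {s for s, o in idx["rdf:type"] if o == "DNSserver"}
    poisonable = dns_servers & {s for s, o in idx["hasCVE"] if o == "CVE-2008-1447"}
    cls["Urgent-Investigation"] = {s for s, o in idx["resolverPointsAt"] if o in poisonable}
    return cls


if __name__ == "__main__":
    for name, hosts in sorted(compute_classes(FACTS).items()):
        print(f"{name}: {sorted(hosts)}")
```

The Urgent-Investigation set is the part worth noticing: ClientA has no vulnerability of its own, so no per-host score would flag it; it is classified purely through its relationship to DnsX, which is the point of page 29.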

Page 30

Complex Vulnerability Representation

• All of these vulnerabilities would not have a very high CVSS score in isolation
• Model of the Compositional Vulnerability
  – Attacker PushExploitTo WindowsWebServerDMZ
  – WindowsWebServerDMZ isExploitedWith MS08-067
  – WindowsWebServerDMZ hasPrivateConnectionTo Int-SQLServer
  – Int-SQLServer isExploitedWith MS09-004
  – Int-SQLServer floodsNetworkWith Web-Proxy-Auto-Detect-WPAD updates for a MaliciousProxy
  – WebClients PullExploitsFrom MaliciousProxy
• Members who satisfy the model are assigned to a set COMPROMISED
• This can be modeled in OWL and reasoning engines can compute the appropriate membership to meaningful classes

Page 31

Summary

• Challenges today
  – Sharing the same semantics across the enterprise is difficult
  – The models are too static; Dynamic environments require dynamic modeling
  – Does not facilitate the modeling of relationships and what is being counted in isolation
• Numbers are the means, membership to a meaningful class is the end goal
• Using the W3C semantic technology stack, we can compute the membership to classes through the mechanism of inference

