Posted 15-May-2015 by security-b-sides (category: Business)
© nCircle 2010. All rights reserved.
Computing Risk Without Numbers: A Semantic Approach to Risk Metrics
Tim “TK” Keanini, CTO
Scoring Systems and Everyday Classification
• Credit-worthiness class
• Legal to drink / legally drunk
• Weight class
• Socio-economic class
• Age class
Given a number, within a social context, we are able to infer membership to a class
* The term ‘Set’ and ‘Class’ are synonymous in this presentation
Scoring Systems: syntax and semantics
• Numbers digitize certain aspects of an observable domain
– They also help us ignore what is not being counted!
• Unlike the physical domain, before we can count things in the information domain we must all agree on what is being counted.
– The challenge is that we do not share the same domain expertise and understanding across an enterprise
• Scoring systems depend on social processes that institutionalize semantics
– They often fall short when asked to support multiple perspectives and points of view
The role of Classification and Ranking
• Classification methods help us explain how many different things are the same
– Naming (enumeration) differentiates the members of the set
• Ranking methods help us explain how the same things [members of the class] are different
* Ranking is just one of many methods of member differentiation
Thinking in Sets/Class and Membership
There are 3 blue triangles
[Figure: three overlapping sets labelled Blue, Triangle and Three]
"3 blue triangles" is a member of the intersection of the set Blue, the set Triangle, and the set Three
Scoring Systems as a Ranking Function
• Scoring systems help us rank the members of a certain class
– CVSS does well in ranking members of the vulnerability class
[Figure: a set whose members are vulnerabilities (v), ranked along a CVSS base-score axis from 1.0 to 10.0]
* Temporal and Environmental metrics omitted in this diagram
Scoring systems: Challenges
• Can be too coarse?
– Too many members sharing the same number?
• Can be too precise?
– Too many distinct values to be actionable
• But ultimately we end up with a classification scheme that is actionable and meaningful to a particular community's point of view (POV)
[Figure: the same CVSS axis (1.0 to 10.0) read from three points of view. POV 1, score cards: grades A through F. POV 2, compliance: PASS / FAIL. POV 3, IT operations: fix in 1 hour / fix in 7 days / fix in 30 days]
Scoring systems today do not carry with them enough information to support multiple interpretations of the numbers
Summary of Scoring System Challenges
• Ensuring that everyone understands the aspects of the scoring system the same way has been challenging
– Given the heterogeneous viewpoints of an enterprise, this could be impractical
– Where it is practical, it may be lossy
– Often too static for the dynamic nature of the world it is modeling
• The scoring system accounts for each member in isolation
– Difficult to account for compositional vulnerabilities
– Difficult to model the relationships between members of certain classes
• The numbers are either not precise enough or too precise
• Ultimately, computing membership to meaningful sets is the goal
W3C Semantic Technologies
W3C Semantic Technology Stack
[Figure: the W3C Semantic Technology Stack, bottom to top]
Identifiers: URI; Character Set: Unicode
Syntax: XML / Namespaces
Validation: XML Schema
Data Interchange: RDF
Vocabularies: RDFS
Ontologies: OWL (OWL-Lite, OWL-DL, OWL-Full)
Querying: SPARQL; Access: XML Query
The side labels Coding, Structure and Inference group the layers from the bottom up.
RDF – Resource Description Framework
[Stack diagram repeated; "YOU ARE HERE" marks the Data Interchange layer, RDF]
RDF – Labeled-Directed Graph
• Data model is a 'labeled-directed graph'
– All nodes and arcs have some type of label (identifier)
– Arcs point in only one direction
[Figure: graph with nodes Apache123, Apache, WebServer, 1.3.30, 5/13/2009, OpenSSL456, OpenSSL, Shared Library and 0.9.7c; its triples are listed on the next slide]
RDF – Statements in the form of a triple
• All statements are in the form of a triple
– Subject-Predicate-Object (S,P,O)
– A set of these triples begins to model a domain in the form of a graph

Subject (S) | Predicate (P) | Object (O)
Apache | rdfs:subClassOf | WebServer
Apache123 | rdf:type | Apache
Apache123 | dct:hasVersion | 1.3.30
Apache123 | :installedOn | 05/13/2009
Apache123 | :bundles | OpenSSL456
OpenSSL456 | dct:hasVersion | 0.9.7c
OpenSSL456 | rdf:type | OpenSSL
OpenSSL | rdfs:subClassOf | SharedLibrary
RDF – Graph Model
[Figure: the eight triples from the previous slide drawn as a labeled-directed graph. Apache123 has arcs to Apache (rdf:type), 1.3.30 (dct:hasVersion), 5/13/2009 (:installedOn) and OpenSSL456 (:bundles); OpenSSL456 has arcs to 0.9.7c (dct:hasVersion) and OpenSSL (rdf:type); Apache points to WebServer and OpenSSL to Shared Library (rdfs:subClassOf)]
RDF – Different Syntaxes
• How one would express: Apache is a member of the set Webserver
• N3 / Turtle (the keyword `a` is shorthand for rdf:type):
    :Apache rdf:type :Webserver .
    :Apache a :Webserver .
• RDF/XML:
    <rdf:Description rdf:about="#Apache">
      <rdf:type rdf:resource="#Webserver"/>
    </rdf:Description>
• RDF/XML-ABBREV (typed-node form):
    <Webserver rdf:ID="Apache"/>
• See also: Turtle and N-Triples
RDF – Nodes and Arcs are first-class entities
[Figure: schema fragment. hasCVEid rdfs:subPropertyOf hasVulnerability; hasBugtraqID rdfs:subPropertyOf hasVulnerability; Linux rdfs:subClassOf OS]
If X is a member of the set Linux, then X is a member of the set OS.
If A hasCVEid B, then A hasVulnerability B.
Assertion: OpenSSL_0.9.7c hasCVEid CVE-2004-0112
Inference: OpenSSL_0.9.7c hasVulnerability CVE-2004-0112
Assertion: RedHat rdf:type Linux
Inference: RedHat rdf:type OS
Quick Review
• RDF is a labeled-directed graph
• An RDF statement is made up of a Subject-Predicate-Object, sometimes called a "triple"
• Both nodes and arcs are first-class
• Next stop: the power of inference
RDF Schema
[Stack diagram repeated; "YOU ARE HERE" marks the Vocabularies layer, RDFS]
RDF Schema (RDF-S)
• RDF Vocabulary Description Language 1.0: RDF Schema
– Vocabulary defined with RDF statements (triples)
• The RDF-S vocabulary is small
– Relations between classes (Class, subClassOf)
– Relations between properties (Property, subPropertyOf)
– Class membership of individuals via properties (domain, range)
• Provides some sense of "meaning" to the RDF data
– Meaning = what we can explicitly infer from the data
– Axioms express exactly what inferences can be drawn
– Semantics are expressed through the mechanism of inference
– Let's explore in the next slides how this works
Type Propagation
• rdfs:Class
    :Root_Kit rdf:type rdfs:Class .
    :Malware rdf:type rdfs:Class .
• rdfs:subClassOf
    :Root_Kit rdfs:subClassOf :Malware .
    :foobar rdf:type :Root_Kit .
  we can then infer the triple
    :foobar rdf:type :Malware .
AXIOM: IF A rdfs:subClassOf B . r rdf:type A . THEN r rdf:type B .
[Figure: foobar sits inside Root_Kit, which sits inside Malware via rdfs:subClassOf]
Relationship Propagation
• rdfs:Property
    :hasBrother rdf:type rdfs:Property .
    :hasSibling rdf:type rdfs:Property .
• rdfs:subPropertyOf
    :hasBrother rdfs:subPropertyOf :hasSibling .
    :alice :hasBrother :bob .
  we can infer the triple
    :alice :hasSibling :bob .
AXIOM: IF P rdfs:subPropertyOf R . A P B . THEN A R B .
Property-Oriented versus Object-Oriented
• Semantic data is focused on the relationships between entities and is thus property-oriented
• In object-oriented models, an entity is understood to be a member of a class because the class acts as a "template" for its birth
• In property-oriented models, an entity is understood to be a member of a class because of its relationships
• <DOMAIN> property_P <RANGE>
– The domain is the collection of types that use the property
– The range is the types of values this property describes
– Example: domain :CPE, property :hasVulnerability, range :CVE
Class Membership through Relationships
• Similar to domain and range in math:
    :property_P rdfs:domain D-class .
    :property_P rdfs:range R-class .
  Domain applies to the Subject; Range applies to the Object
• Example:
    :usesSharedLib rdfs:domain :Application .
    :usesSharedLib rdfs:range :SharedLib .
– Assertion: :Apache :usesSharedLib :OpenSSL .
– Inference: :Apache rdf:type :Application . :OpenSSL rdf:type :SharedLib .
AXIOM (subject): IF P rdfs:domain D-class . and x P y . THEN x rdf:type D-class .
AXIOM (object): IF P rdfs:range R-class . and x P y . THEN y rdf:type R-class .
What are the limits to RDFS?
• RDFS may not have enough detail for your modeling
– No localized range and domain constraints
• Can't say that "the domain of hasParent is Child when applied to Humans and Calf when applied to Elephants"
– No existence/cardinality constraints
• Can't say that "all instances of person have a mother that is also a person", or that persons have exactly 2 parents
– No transitive, inverse or symmetric properties
• Can't say that isAncestorOf is a transitive property
• Can't say that bundles is the inverse of isBundledBy
• Can't say that isMarriedTo or isPeeredWith is symmetric
How can we compute the membership to a class?
How does inference work?
• Basic RDF triple
• Basic RDFS model
• Assert an RDF triple
• Results are new RDF triples that were inferred from the model

Model:
  hasScore rdfs:domain CVE
  hasScore rdfs:range Score
  CVE rdfs:subClassOf Vulnerability
Asserted:
  CVE-2003-0818 hasScore 10.0
Inferred:
  CVE-2003-0818 rdf:type CVE
  CVE-2003-0818 rdf:type Vulnerability
  10.0 rdf:type Score
"We compute the membership through one object's relationship to another"
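The inference on this slide, together with the type, relationship and domain/range propagation from the Type Propagation, Relationship Propagation and Class Membership through Relationships slides, carried out by a small forward-chaining reasoner. This is an added example written for this page, not nCircle's code. The triples are the ones the slides use, with ':' as the local prefix as on the slides; the literal 10.0 is kept as a subject because the slide does so, although strict RDF would not allow a literal there.

```python
"""Minimal RDFS forward-chaining reasoner.

Added example, not nCircle's code. It implements the four RDFS axioms the
deck walks through (rdfs:subClassOf, rdfs:subPropertyOf, rdfs:domain,
rdfs:range) over plain (subject, predicate, object) string triples and
re-derives the inferences shown on the slides. Prefixes are kept as
written there: rdf:, rdfs:, and ':' for the local vocabulary.
"""
from collections import defaultdict

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
RANGE = "rdfs:range"


def infer(triples):
    """Return the closure of `triples` under the four RDFS axioms.

    Naive fixpoint iteration: re-apply every rule until no new triple
    appears. Because rules are re-applied, types propagate through subclass
    chains of any depth (A -> B -> C) without a separate transitivity rule.
    """
    graph = set(triples)
    while True:
        # Index the schema statements for this pass.
        superclasses = defaultdict(set)  # class -> its direct superclasses
        superprops = defaultdict(set)    # prop  -> its direct superproperties
        domains = defaultdict(set)       # prop  -> classes its subjects belong to
        ranges = defaultdict(set)        # prop  -> classes its objects belong to
        for s, p, o in graph:
            if p == SUBCLASS:
                superclasses[s].add(o)
            elif p == SUBPROP:
                superprops[s].add(o)
            elif p == DOMAIN:
                domains[s].add(o)
            elif p == RANGE:
                ranges[s].add(o)

        new = set()
        for s, p, o in graph:
            if p == RDF_TYPE:
                # IF A rdfs:subClassOf B . r rdf:type A . THEN r rdf:type B .
                new.update((s, RDF_TYPE, b) for b in superclasses[o])
            # IF P rdfs:subPropertyOf R . A P B . THEN A R B .
            new.update((s, r, o) for r in superprops[p])
            # IF P rdfs:domain D . x P y . THEN x rdf:type D .
            new.update((s, RDF_TYPE, d) for d in domains[p])
            # IF P rdfs:range R . x P y . THEN y rdf:type R .
            new.update((o, RDF_TYPE, r) for r in ranges[p])

        new -= graph
        if not new:
            return graph
        graph |= new


# Schema: the "model" side of the slides.
SCHEMA = {
    (":Root_Kit", SUBCLASS, ":Malware"),          # Type Propagation slide
    (":hasBrother", SUBPROP, ":hasSibling"),       # Relationship Propagation slide
    (":Linux", SUBCLASS, ":OS"),                   # Nodes and Arcs slide
    (":hasCVEid", SUBPROP, ":hasVulnerability"),   # Nodes and Arcs slide
    (":CVE", SUBCLASS, ":Vulnerability"),          # How does inference work? slide
    (":hasScore", DOMAIN, ":CVE"),
    (":hasScore", RANGE, ":Score"),
}

# Asserted instance data from the same slides.
ASSERTED = {
    (":foobar", RDF_TYPE, ":Root_Kit"),
    (":alice", ":hasBrother", ":bob"),
    (":RedHat", RDF_TYPE, ":Linux"),
    (":OpenSSL_0.9.7c", ":hasCVEid", ":CVE-2004-0112"),
    # The slide types the literal 10.0 as a Score; strict RDF forbids a literal
    # as subject, so a real store would attach the type differently.
    (":CVE-2003-0818", ":hasScore", "10.0"),
}


def inferred_only(schema, asserted):
    """The triples the reasoner adds: closure minus what was asserted."""
    return infer(schema | asserted) - schema - asserted


def types_of(graph, node):
    """All classes `node` is a member of in `graph`."""
    return {o for s, p, o in graph if s == node and p == RDF_TYPE}


if __name__ == "__main__":
    for s, p, o in sorted(inferred_only(SCHEMA, ASSERTED)):
        print(f"Inferred: {s} {p} {o}")
```

Running it prints seven inferred triples, including `:CVE-2003-0818 rdf:type :CVE` and `:CVE-2003-0818 rdf:type :Vulnerability`; the second comes from re-applying the subClassOf rule to the first, which is why the loop runs to a fixpoint rather than a single pass.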
Meaningful classes within the security domain
• Consider these sets: Secure, Mission Critical, Compliant, Top Secret
• Also consider their complements: Insecure, Expendable, Not Compliant, Public
• The objective is to compute membership into some meaningful set
Computing membership into meaningful classes
[Figure: the four sets and their complements, Secure / Insecure, Mission Critical / Expendable, Compliant / Not Compliant, Top Secret / Public; intersections are labelled with SLAs: FIX NOW, FIX 4hr, FIX in 24hr]
Model:
  If x hasTopSecretData y, then x is a member of TopSecret
  If x hasCVE "CVE-2007-1748", then x is a member of Insecure
  Any member of TopSecret that is also a member of Insecure, assign to SLA: FIX NOW
Asserted:
  Host33 hasTopSecretData "file44"
  Host33 hasCVE "CVE-2007-1748"
Inferred:
  Host33 rdf:type SLA:FIX NOW
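The rule set on this slide evaluated over a small host graph, as an added example (not nCircle's code). Each named class is a class expression in the spirit of the OWL restrictions a reasoner would use: an existential restriction for TopSecret, a has-value restriction for Insecure, an intersection for the SLA class, and a complement for the Public and Secure sets the previous slide lists. Host33 and its two triples come from the slide; Host34, Host35 and the 24-hour SLA for Insecure-but-Public hosts are assumptions made here to exercise the complement.

```python
"""Computing membership to meaningful classes from relationships.

Added example, not nCircle's code. The slide's rules are written as class
expressions and evaluated over a set of (subject, predicate, object) triples:
  Some(p)         x is a member if x has at least one p value (cf. owl:someValuesFrom)
  HasValue(p, v)  x is a member if x p v holds               (cf. owl:hasValue)
  And(...)        intersection of classes                    (cf. owl:intersectionOf)
  Not(c)          complement, taken over the known hosts     (see caveat in Not)
Host33 and its triples come from the slide; Host34, Host35 and the
"SLA:FIX in 24hr" rule are constructed here.
"""
from dataclasses import dataclass

RDF_TYPE = "rdf:type"


@dataclass(frozen=True)
class Some:
    prop: str

    def members(self, graph, universe):
        return {s for s, p, _ in graph if p == self.prop} & universe


@dataclass(frozen=True)
class HasValue:
    prop: str
    value: str

    def members(self, graph, universe):
        return {s for s, p, o in graph if p == self.prop and o == self.value} & universe


@dataclass(frozen=True)
class And:
    parts: tuple

    def members(self, graph, universe):
        result = set(universe)
        for part in self.parts:
            result &= part.members(graph, universe)
        return result


@dataclass(frozen=True)
class Not:
    part: object

    def members(self, graph, universe):
        # Closed-world complement: a host with no hasTopSecretData triple is
        # treated as Public. An OWL reasoner is open-world and would NOT draw
        # that conclusion from a missing triple; rely on this only when the
        # inventory feeding the graph is known to be complete.
        return universe - self.part.members(graph, universe)


TOP_SECRET = Some("hasTopSecretData")            # slide: x hasTopSecretData y -> TopSecret
INSECURE = HasValue("hasCVE", "CVE-2007-1748")   # slide: x hasCVE CVE-2007-1748 -> Insecure
MODEL = {
    "TopSecret": TOP_SECRET,
    "Insecure": INSECURE,
    "Public": Not(TOP_SECRET),                    # complements named on the previous slide
    "Secure": Not(INSECURE),
    "SLA:FIX NOW": And((TOP_SECRET, INSECURE)),   # slide: TopSecret and Insecure -> FIX NOW
    "SLA:FIX in 24hr": And((Not(TOP_SECRET), INSECURE)),  # assumed: Public and Insecure
}

ASSERTED = {
    ("Host33", RDF_TYPE, "Host"),
    ("Host33", "hasTopSecretData", "file44"),
    ("Host33", "hasCVE", "CVE-2007-1748"),
    ("Host34", RDF_TYPE, "Host"),                 # constructed: vulnerable, no top-secret data
    ("Host34", "hasCVE", "CVE-2007-1748"),
    ("Host35", RDF_TYPE, "Host"),                 # constructed: top-secret data, no known CVE
    ("Host35", "hasTopSecretData", "file99"),
}


def classify(graph, model):
    """Map each named class to the frozenset of hosts that are members of it."""
    universe = {s for s, p, o in graph if p == RDF_TYPE and o == "Host"}
    return {name: frozenset(expr.members(graph, universe)) for name, expr in model.items()}


def inferred_types(graph, model):
    """The rdf:type triples a reasoner would add, e.g. Host33 rdf:type SLA:FIX NOW."""
    return {(h, RDF_TYPE, name) for name, hosts in classify(graph, model).items() for h in hosts}


if __name__ == "__main__":
    for s, p, o in sorted(inferred_types(ASSERTED, MODEL)):
        print(f"Inferred: {s} {p} {o}")
```

The complement is the part to be careful with in practice: the deck's "Public" and "Secure" sets are defined by the absence of a relationship, so a host that simply has not been scanned yet lands in Secure. An OWL reasoner would refuse to draw that conclusion; this closed-world shortcut is only sound when the asset inventory and vulnerability feed behind the graph are complete.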
Change in feasibility for an entire class of attacks
• DNS cache poisoning
– CVE-2008-1447
• If X or Y is a DNS server and has CVE-2008-1447, assign the hosts (a, b) whose resolvers point at X or Y to a class called Urgent-Investigation
[Figure: servers X and Y of type DNSserver carrying CVE-2008-1447; clients a and b that resolve through them are placed in Urgent-Investigation]
Complex Vulnerability Representation
• None of these vulnerabilities would have a very high CVSS score in isolation
• Model of the compositional vulnerability
– Attacker PushExploitTo WindowsWebServerDMZ
– WindowsWebServerDMZ isExploitedWith MS08-067
– WindowsWebServerDMZ hasPrivateConnectionTo Int-SQLServer
– Int-SQLServer isExploitedWith MS09-004
– Int-SQLServer floodsNetworkWith Web-Proxy-Auto-Detect (WPAD) updates for a MaliciousProxy
– WebClients PullExploitsFrom MaliciousProxy
• Members who satisfy the model are assigned to a set COMPROMISED
• This can be modeled in OWL, and reasoning engines can compute the appropriate membership to meaningful classes
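Both the DNS cache-poisoning rule and the compositional model above are multi-hop patterns: a host earns its class by how it is connected, not by any single triple. The added example below (not nCircle's code) evaluates them as basic graph patterns, the conjunctive-query core of SPARQL, rather than with an OWL reasoner. The host names and edges are constructed; predicate and identifier names follow the slides except advertisesProxy, an assumed predicate linking the flooding SQL server to the malicious proxy the slide mentions.

```python
"""Multi-hop class membership via graph-pattern matching.

Added example, not nCircle's code. A pattern is a list of (s, p, o) triples
in which names beginning with '?' are variables; match() enumerates every
variable binding under which all pattern triples are present in the graph.
This is a basic graph pattern, the core of a SPARQL query. All hosts and
edges below are constructed; predicate names follow the slides except
advertisesProxy, which is assumed.
"""

RDF_TYPE = "rdf:type"


def is_var(term):
    return term.startswith("?")


def unify(pattern_triple, triple, binding):
    """Extend `binding` so that pattern_triple matches triple, or return None."""
    extended = dict(binding)
    for term, value in zip(pattern_triple, triple):
        if is_var(term):
            if extended.setdefault(term, value) != value:
                return None  # variable already bound to a different value
        elif term != value:
            return None      # constant does not match
    return extended


def match(graph, pattern, binding=None):
    """Yield every binding (dict var -> value) that satisfies the whole pattern."""
    binding = {} if binding is None else binding
    if not pattern:
        yield binding
        return
    head, rest = pattern[0], pattern[1:]
    for triple in graph:
        extended = unify(head, triple, binding)
        if extended is not None:
            yield from match(graph, rest, extended)


def bound_values(graph, pattern, *variables):
    """Every value any of `variables` takes in any solution of `pattern`."""
    return {b[v] for b in match(graph, pattern) for v in variables}


# DNS slide: if X is a DNS server with CVE-2008-1447, every host whose
# resolver points at X goes into Urgent-Investigation.
DNS_POISONING = [
    ("?srv", RDF_TYPE, "DNSserver"),
    ("?srv", "hasCVE", "CVE-2008-1447"),
    ("?client", "resolvesWith", "?srv"),
]

# Compositional slide: each hop alone scores low; only hosts that satisfy
# the whole chain are COMPROMISED.
COMPROMISE_CHAIN = [
    ("Attacker", "PushExploitTo", "?dmz"),
    ("?dmz", "isExploitedWith", "MS08-067"),
    ("?dmz", "hasPrivateConnectionTo", "?sql"),
    ("?sql", "isExploitedWith", "MS09-004"),
    ("?sql", "floodsNetworkWith", "WPAD"),
    ("?sql", "advertisesProxy", "?proxy"),        # assumed predicate
    ("?proxy", RDF_TYPE, "MaliciousProxy"),
    ("?client", "PullExploitsFrom", "?proxy"),
]

GRAPH = {
    # DNS: ns1 is vulnerable, ns2 is patched.
    ("ns1", RDF_TYPE, "DNSserver"), ("ns1", "hasCVE", "CVE-2008-1447"),
    ("ns2", RDF_TYPE, "DNSserver"),
    ("a", "resolvesWith", "ns1"), ("b", "resolvesWith", "ns1"), ("c", "resolvesWith", "ns2"),
    # Attack path: dmz1 -> sql1 -> evilproxy -> web clients.
    ("Attacker", "PushExploitTo", "dmz1"), ("dmz1", "isExploitedWith", "MS08-067"),
    ("dmz1", "hasPrivateConnectionTo", "sql1"), ("sql1", "isExploitedWith", "MS09-004"),
    ("sql1", "floodsNetworkWith", "WPAD"), ("sql1", "advertisesProxy", "evilproxy"),
    ("evilproxy", RDF_TYPE, "MaliciousProxy"),
    ("web1", "PullExploitsFrom", "evilproxy"), ("web2", "PullExploitsFrom", "evilproxy"),
    # Broken chain: dmz2 has MS08-067 but no private connection inward.
    ("Attacker", "PushExploitTo", "dmz2"), ("dmz2", "isExploitedWith", "MS08-067"),
}


def urgent_investigation(graph):
    return bound_values(graph, DNS_POISONING, "?client")


def compromised(graph):
    return bound_values(graph, COMPROMISE_CHAIN, "?dmz", "?sql", "?client")


if __name__ == "__main__":
    print("Urgent-Investigation:", sorted(urgent_investigation(GRAPH)))
    print("COMPROMISED:", sorted(compromised(GRAPH)))
```

dmz2 carries the same MS08-067 as dmz1 but never reaches COMPROMISED because the chain breaks at hasPrivateConnectionTo, which is the point of the slide: the score of any one member is not what decides membership. The order of the pattern triples affects only how many partial bindings are explored, not the result; put the most selective triple first on a large graph.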
Summary
• Challenges today
– Sharing the same semantics across the enterprise is difficult
– The models are too static; dynamic environments require dynamic modeling
– Scores do not facilitate modeling relationships; what is being counted is counted in isolation
• Numbers are the means; membership to a meaningful class is the end goal
• Using the W3C semantic technology stack, we can compute membership to classes through the mechanism of inference