SSTIC10 - Visualization and Dynamic Risk Assessment for Cyber Defence

Paper and presentation about visualization and dynamic risk assessment for cyber defence, presented at the SSTIC symposium on June 9, 2010.

This paper presents two research and development projects from the NATO C3 Agency in the area of cyber defence: CIAP (Consolidated Information Assurance Picture) and DRA (Dynamic Risk Assessment). Currently, cyber defence is performed using a variety of security tools and products such as Intrusion Detection Systems (IDS), Vulnerability Assessment (VA) tools, antivirus engines, and Security Information and Event Managers (SIEM) to collect and correlate events. When monitoring large information systems and networks spread across several sites, it quickly becomes very difficult to correlate and analyze all available information sources in real time, to detect anomalies and incidents in a timely manner, and to respond effectively. This complexity is due to the amount of generated data, the lack of interoperability between tools, and missing visualization capabilities.

The goal of the CIAP project is to address these gaps by investigating how all the information required to perform cyber defence may be consolidated in a comprehensive system, based on a common data model using standards and on a distributed data repository. CIAP also provides various visualization options to monitor consolidated data, including network and geographical views, in order to improve situational awareness.

Another major issue in cyber defence is that understanding the actual impact of a vulnerability or an IDS alert is usually done by a human analyst, who needs to make the link between all the technical information and his/her knowledge of all business services or processes that depend on the affected machines. The goal of the DRA prototype is to continually perform a risk assessment in order to automatically determine the impact of the security posture of the system and the network. It uses an automated attack graph generation tool to determine which vulnerabilities are actually exploitable by an attacker according to the system architecture. It then determines the resulting risks on assets, services and missions of the organization, in order to prioritize issues and to suggest suitable responses.
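The DRA idea described above (derive exploitability from the architecture, then propagate to services and missions, then rank responses) can be shown on a toy model. The following is an added illustration written for this page, not code from the NATO C3 Agency prototype; the hosts, reachability matrix, vulnerability identifiers (`VULN-A` etc.), severities and missions are all constructed sample data, and the risk formula (mission criticality times the highest severity of a compromised host the mission depends on) is an assumption chosen for the example.

```python
"""Toy dynamic risk assessment: attack-graph reachability plus mission impact.

Constructed sample data for illustration; not the NATO C3 Agency DRA prototype.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder identifier, not a real CVE
    severity: float   # 0..10, CVSS-like score from a VA tool
    remote: bool      # exploitable over the network (vs. local-only)


# Constructed environment: hypothetical hosts and their VA findings.
HOSTS = {
    "web01": [Vuln("VULN-A", 9.0, True)],
    "app01": [Vuln("VULN-B", 7.5, True)],
    "db01":  [Vuln("VULN-C", 6.0, False)],   # local-only: no network edge uses it
    "hr01":  [Vuln("VULN-D", 8.0, True)],    # high severity, but on an isolated segment
}
# Network reachability derived from the firewall policy: src -> reachable dst
REACH = {
    "internet": {"web01"},
    "web01": {"app01"},
    "app01": {"db01"},
    "db01": set(),
    "hr01": set(),
}
# Business layer: services run on hosts, missions depend on services (with criticality)
SERVICES = {"portal": {"web01", "app01"}, "records": {"db01"}, "payroll": {"hr01"}}
MISSIONS = {"customer-ops": ({"portal", "records"}, 1.0),
            "staff-admin": ({"payroll"}, 0.6)}


def attack_graph(hosts=HOSTS, entry="internet"):
    """BFS over network reachability; an edge is usable only when the target
    host carries a remotely exploitable vulnerability.
    Returns {compromised_host: vulnerability used to reach it}."""
    compromised, seen, queue = {}, {entry}, deque([entry])
    while queue:
        src = queue.popleft()
        for dst in REACH.get(src, ()):
            if dst in seen:
                continue
            remote = [v for v in hosts.get(dst, []) if v.remote]
            if not remote:
                continue  # reachable on the network, but no exploitable path
            compromised[dst] = max(remote, key=lambda v: v.severity)
            seen.add(dst)
            queue.append(dst)
    return compromised


def mission_risk(compromised):
    """Risk per mission = criticality * highest severity among the compromised
    hosts that any of its services depends on (0.0 if none is reachable)."""
    risk = {}
    for mission, (svcs, criticality) in MISSIONS.items():
        hosts = set().union(*(SERVICES[s] for s in svcs))
        sev = [compromised[h].severity for h in hosts if h in compromised]
        risk[mission] = round(criticality * max(sev), 2) if sev else 0.0
    return risk


def prioritize(hosts=HOSTS):
    """What-if analysis: remove each vulnerability in turn, recompute the graph
    and the mission risk, and rank fixes by total risk reduction."""
    base = sum(mission_risk(attack_graph(hosts)).values())
    gains = []
    for host, vulns in hosts.items():
        for v in vulns:
            patched = {h: [x for x in vs if x != v] for h, vs in hosts.items()}
            reduced = sum(mission_risk(attack_graph(patched)).values())
            gains.append((round(base - reduced, 2), v.vuln_id, host))
    return sorted(gains, reverse=True)


if __name__ == "__main__":
    graph = attack_graph()
    print("compromised:", {h: v.vuln_id for h, v in graph.items()})
    print("mission risk:", mission_risk(graph))
    print("response ranking (risk reduction, vuln, host):", prioritize())
```

In this model the VA tool alone would rank `VULN-A` (9.0) and then `VULN-D` (8.0), but the attack graph shows that `hr01` is unreachable from the entry point and `db01` only has a local vulnerability, so only `web01` and `app01` are actually compromisable; the `customer-ops` mission carries all the risk, and patching `VULN-A` is the single response that removes it, whereas patching `VULN-D` changes nothing. That gap between raw severity and mission-level exploitability is the point the DRA prototype addresses.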