An Incident Management Ontology

Transcription

1 An Incident Management Ontology Presenter - Samuel Perl Co-Authors - David Mundie, Robin Ruefle, Audrey Dorofee, Matthew Collins, John McCloud 2014 Carnegie Mellon University

2 Copyright 2014 Carnegie Mellon University and IEEE This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. CERT is a registered mark of Carnegie Mellon University. DM

3 Need for a common language The JASON Program within MITRE looked at practices in the scientific community for ways to make cybersecurity more scientific 1 They concluded the most important elements the community should adopt are A common language A set of basic concepts Developing a shared understanding In other words, an ontology. 1 JASON is an independent group of scientists which advises the US government on matters of science and technology [Wikipedia] 3

4 The Incident Management Meta-Model In previous work, we created a Meta-Model to capture the essential processes involved in Incident Management. The Meta-Model Was built using 10 standards for incident management including ISO and NIST Has 18 high-level incident management tasks Was organized by IM phases - Prepare, Protect, and Respond. Also included 5 crosscutting capabilities Was the heart of our Incident Management Body of Knowledge (IMBOK) 4

5 IMBOK Meta-Model Phases & Tasks Prepare Develop trusted relationships with external experts Provide staff appropriate education and training Develop policies, processes, procedures Measure incident management performance Provide constituents with security education, training, and awareness Develop an incident response strategy and plan Improve defenses Monitor and Detect Assist constituents with correcting problems identified by vulnerability assessment activities Detect and report events Monitor networks and information systems for security Perform risk assessments and vulnerability assessments on constituent systems Respond Triage Incident Collect and preserve evidence Restore and validate the system Perform a postmortem review of incident management actions Integrate lessons learned with problem management process Analyze incident, including artifacts, causes, and correlations Determine and remove the cause of the incident Crosscuts (across all) Manage information Properly handle collected evidence following best practices Manage the incident management team Communicate incidents Track and document incidents from initial detection through final resolution 5

6 IMBOK Meta-Model Drawbacks The IMBOK suffers in its knowledge representation : Tasks are not directly linked to their subjects Natural language makes machine processing difficult No direct way to perform modeling and simulation Trades detail for simplicity Combines concepts 6

7 An Ontology Overcomes the Drawbacks Converting the Meta-Model to a formal Ontology overcomes these issues Separating entities from relationships allows tasks to be directly linked to their subjects Using classes and relationships ensures complete representation of knowledge The representation is machine-processable Ontologies are already used to model, simulate and construct applications A class hierarchy allows representation of concepts at any needed detail Annotations make the ontology usable as a dictionary No pressure to collapse concepts OWL is widely used in the semantic web community 7

8 Our Method To build our IM ontology: We decomposed 18 high-level tasks in the IMBOK meta-model into component concepts and their respective relationships. We organized the concepts into a hierarchy of subclasses. We developed the relationships among classes from the incident management tasks. We separated classes from relationships 8

9 Our Method for N-ary Relationships Many of the relationships we want to model in incident management are "n-ary" relationships among more than just two objects. We chose to create a new class to hold the relationships. To illustrate: Original Meta-Model Tasks Revised Incident Management Ontology Tasks (IM leaders) Develop trusted relationships with external experts. (trainers) Provide staff with appropriate education and training. Become developing external relationships: involves external groups (such as external experts) produces trusted relationships is performed by IM leaders staff training: is provided by either external or internal trainers is provided to IM personnel 9

10 Ontology Top Level Thing organizational-groups team-resources life-cycle-phases it-components has subclass knowledge-assets incident-components crosscuts relationships quality-standards im-personnel coordinate activities permeates service-delivery developing-relationships respond-activities sustain-activities process-improvement developing-governance prepare-activities protect-activities 10

11 Other Benefits Moving to a formal ontology had several other advantages: Very flexible typing More powerful modeling Improved knowledge visualization Figure 2 The Activity Classes in the Ontology with the Service Delivery subclass expanded 11

12 Intended Usage We intend to use the ontology to document, compare, and analyze teams We have not yet formally extended the Incident Management Ontology to real world teams Example - The only service these two CSIRTs have in common is incident analysis. This could also make self evaluation easier A comparison of 2 fictitious teams using the ontology (Figure 4 in the paper) 12

13 Future Work Future work on the Incident Management Ontology will focus on studying incident management organizations. Categorization of incident response organizations such as during assessments or for comparative analysis Examining the differences between the functions of CSIRTs and the functions of Coordination Centers. Formally distinguishing CSIRTs and Coordination Centers using defined classes 13

14 Related Work Building an Incident Management Body of Knowledge Mundie and Ruefle Formalizing Information Security Knowledge Fenz Security Ontologies: Improving quantitative risk analysis Ekelhart, Fenz, Klemen, and Weippl And many more (see References) 14

15 References 1 McMorrow, D.: Science of Cyber-Security, in Editor (Ed.)^(Eds.): Book Science of Cyber-Security (DTIC Document, 2010, edn.), pp. 2 Mundie, D.A., and Ruefle, R.: Building an Incident Management Body of Knowledge, in Editor (Ed.)^(Eds.): Book Building an Incident Management Body of Knowledge (Citeseer, 2012, edn.), pp ISO, I., and Std, I.: ISO 27002: 2005, Information Technology-Security Techniques-Code of Practice for Information Security Management. ISO, NIST, S.: , Computer Security Incident Handling Guide, 2004, pp Miller, G.A.: The magical number seven, plus or minus two: some limits on our capacity for processing information, Psychological review, 1956, 63, (2), pp Motik, B., Patel-Schneider, P.F., Parsia, B., Bock, C., Fokoue, A., Haase, P., Hoekstra, R., Horrocks, I., Ruttenberg, A., and Sattler, U.: Owl 2 web ontology language: Structural specification and functional-style syntax, W3C recommendation, 2009, 27, (65), pp Hitzler, P., Krötzsch, M., Parsia, B., Patel-Schneider, P.F., and Rudolph, S.: OWL 2 web ontology language primer, W3C recommendation, 2009, 27, (1), pp Brachman, R.J., and Schmolze, J.G.: An Overview of the KL-ONE Knowledge Representation System*, Cognitive science, 1985, 9, (2), pp Baader, F.: The description logic handbook: theory, implementation, and applications (Cambridge university press, ) 10 Organization, W.H.: International classification of diseases (ICD), Singhal, A.: Introducing the knowledge graph: things, not strings, Official Google Blog, May, Antoniou, G., and Van Harmelen, F.: Web ontology language: Owl : Handbook on ontologies (Springer, 2004), pp Noy, N., Rector, A., Hayes, P., and Welty, C.: Defining n-ary relations on the semantic web, W3C Working Group Note, 2006, 12, pp Ontology, P.: Knowledge Acquisition System, See protege.stanford.edu, Beebe, N.L., and Clark, J.G.: A hierarchical, objectives-based framework for the digital investigations process, Digital Investigation, 2005, 2, (2), pp facetmap.com/ Ellson, J., Gansner, E., Koutsofios, L., North, S.C., and Woodhull, G.: Graphviz open source graph drawing tools, in Editor (Ed.)^(Eds.): Book Graphviz open source graph drawing tools (Springer, 2002, edn.), pp Fenz, S., and Ekelhart, A.: Formalizing information security knowledge, in Editor (Ed.)^(Eds.): Book Formalizing information security knowledge (ACM, 2009, edn.), pp Osorno, M., Laurel, M., Millar, T., Team, E.R., and Rager, D.: Coordinated Cybersecurity Incident Handling, in Editor (Ed.)^(Eds.): Book Coordinated Cybersecurity Incident Handling (2011, edn.), pp. 21 Magklaras, G., and Furnell, S.: Insider threat prediction tool: Evaluating the probability of IT misuse, Computers & Security, 2001, 21, (1), pp Wang, J.A., and Guo, M.: OVM: an ontology for vulnerability management, in Editor (Ed.)^(Eds.): Book OVM: an ontology for vulnerability management (ACM, 2009, edn.), pp Chiang, T.J., Kouh, J.S., and Chang, R.-I.: Ontology-based Risk Control for the Incident Management, IJCSNS International Journal of Computer Science and Network Security, 2009, 9, (11), pp Division, O.o.C.a.C.N.C.S.: Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development, Lambo, T.: ISO/IEC 27001: The future of infosec certification, ISSA Journal, Information Systems Security Organization ( issa. org), Ekelhart, A., Fenz, S., Klemen, M., and Weippl, E.: Security ontologies: Improving quantitative risk analysis, in Editor (Ed.)^(Eds.): Book Security ontologies: Improving quantitative risk analysis (IEEE, 2007, edn.), pp. 156a-156a 27 Schlenoff, C., Gruninger, M., Tissot, F., Valois, J., Lubell, J., and Lee, J.: The process specification language (PSL) overview and version 1.0 specification (Citeseer, ) 15

16 Acknowledgements This material is based upon work funded and supported by the Department of Defense under Contract No. FA C with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. This material has been approved for public release and unlimited distribution. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. DM

17 Contact Info: End Samuel Perl 4500 Fifth Ave, Pittsburgh, PA,