Practical Metrics for Enterprise Security Engineering

Making sound security decisions when designing, operating, and maintaining a complex enterprise-scope system is a challenging task. Quantitative security metrics have the potential to provide valuable insight into system security and to aid security decisions. To produce model-based quantitative security metrics, the ADversary VIew Security Evaluation (ADVISE) method was recently developed and implemented in the prototype tool Möbius-SE (Möbius Security Edition), which is suitable for use by security modeling experts. The goal of this new project is to make the Möbius-SE tool widely accessible to a broader range of users and to demonstrate its use in several critical infrastructure sectors. The project is developing the sophisticated infrastructure needed to support a dramatically simplified user input model for the Möbius-SE tool. The work will leverage the existing ADVISE method, which quantifies system security by considering both the vulnerabilities in the system (represented in an attack execution graph) and the ability and inclination of attackers to exploit those vulnerabilities to achieve their attack goals against the system (represented in an adversary profile). The enhanced Möbius-SE tool will enable users to apply their domain knowledge to construct simple system block diagrams that represent the connections between components. The block diagram will then be automatically combined with security-relevant details about the components to generate an attack execution graph. Security information about each component will be obtained from an ontology-based database.
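To make the pipeline described above concrete, the following is an added illustrative example; it is not code from Möbius-SE or the ADVISE project. It stands in for the three inputs the paragraph names: a block diagram (component names plus undirected links), a per-component-type security database playing the role of the ontology-based database, and an adversary profile (skills, starting foothold, goal). From these it generates an attack execution graph and evaluates one simple metric, the cheapest sequence of attack steps that reaches the goal. All component types, attack step names, skills, and costs are constructed for the example, and the "cheapest attack cost" metric is a simplification chosen for illustration, not the metric set ADVISE defines.

```python
"""Constructed illustration: block diagram + per-component security details +
adversary profile -> attack execution graph -> a simple security metric.
Not the ADVISE / Möbius-SE implementation."""
import heapq
from dataclasses import dataclass

# Stand-in for the ontology-based database (constructed values).
# For each component type: attack steps that let an adversary who already
# controls an adjacent component gain control of this one.
# Entry format: (step_name, required_skill, cost); "none" means no skill needed.
COMPONENT_DB = {
    "internet":    [],                                   # starting point, never "attacked"
    "firewall":    [("exploit_fw_mgmt_iface", "network", 6)],
    "web_server":  [("exploit_web_app", "web", 3), ("guess_admin_password", "none", 8)],
    "db_server":   [("sql_injection_pivot", "web", 4), ("exploit_db_service", "binary", 5)],
    "workstation": [("phishing", "social", 2)],
}

# Block diagram as a domain expert might draw it (constructed): name -> type, plus links.
COMPONENTS = {"internet": "internet", "fw": "firewall", "web": "web_server",
              "db": "db_server", "ws": "workstation"}
LINKS = [("internet", "fw"), ("fw", "web"), ("web", "db"), ("ws", "db"), ("internet", "ws")]


@dataclass(frozen=True)
class AttackStep:
    src: str    # component the adversary must already control
    dst: str    # component gained by performing the step
    name: str
    skill: str
    cost: int


@dataclass
class AdversaryProfile:
    name: str
    skills: set      # skills the adversary possesses
    start: set       # components controlled at the outset
    goal: str        # component whose compromise is the attack goal


# Two constructed adversary profiles with different capabilities.
EXTERNAL_WEB = AdversaryProfile("external web attacker", {"web", "social"}, {"internet"}, "db")
NETWORK_SPECIALIST = AdversaryProfile("network specialist", {"network", "binary"}, {"internet"}, "db")


def build_attack_execution_graph(components, links):
    """Combine the block diagram with COMPONENT_DB: every link yields, in each
    direction, one AttackStep per database entry for the destination's type."""
    steps = []
    for a, b in links:
        for src, dst in ((a, b), (b, a)):
            for name, skill, cost in COMPONENT_DB[components[dst]]:
                steps.append(AttackStep(src, dst, name, skill, cost))
    return steps


def cheapest_attack_cost(steps, adversary):
    """Dijkstra over the attack execution graph restricted to steps the adversary
    is able to perform. Returns (total_cost, [step names]) or (None, []) when the
    goal is unreachable for this adversary."""
    usable = [s for s in steps if s.skill == "none" or s.skill in adversary.skills]
    outgoing = {}
    for s in usable:
        outgoing.setdefault(s.src, []).append(s)
    dist = {c: 0 for c in adversary.start}
    prev = {}
    heap = [(0, c) for c in adversary.start]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == adversary.goal:
            break                         # goal popped with its final distance
        for s in outgoing.get(node, []):
            nd = d + s.cost
            if nd < dist.get(s.dst, float("inf")):
                dist[s.dst] = nd
                prev[s.dst] = s
                heapq.heappush(heap, (nd, s.dst))
    if adversary.goal not in dist:
        return None, []
    path, node = [], adversary.goal
    while node in prev:
        path.append(prev[node].name)
        node = prev[node].src
    return dist[adversary.goal], list(reversed(path))


if __name__ == "__main__":
    graph = build_attack_execution_graph(COMPONENTS, LINKS)
    print(f"{len(graph)} attack steps generated from {len(LINKS)} block-diagram links")
    for adv in (EXTERNAL_WEB, NETWORK_SPECIALIST):
        cost, path = cheapest_attack_cost(graph, adv)
        print(f"{adv.name}: cheapest path to {adv.goal} costs {cost} via {path}")
```

The point of the toy is that the same block diagram yields different metric values for different adversary profiles: the web-skilled adversary reaches the database cheaply through the workstation, while the network specialist must go through the firewall and is blocked from the workstation route entirely. Swapping a component type in `COMPONENTS` (say, hardening the workstation so its entry has no low-cost step) changes the metric without redrawing the diagram, which is the decision-support loop the paragraph describes.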

The enhanced Möbius-SE tool will be evaluated via customer trials. A two-stage plan for commercialization of Möbius-SE has been defined to make the tool available to users as soon as possible.

Investigators include William H. Sanders, Ken Keefe, Carol Muehrcke (Cyber Defense Agency), and Bruce G. Barnett (GE Research).

(Funded by the Department of Homeland Security)