Tom Tuduc
1
tomtuduc@webarches.com 09/25/08
Introduction
Summary
Homeland security is complex and includes uncommon and/or hypothetical
uncertainties. It takes both qualitative and quantitative models to weigh
hundreds of intelligence reports of differing credibility and accuracy.
Topics:
Table of Contents
Introduction
Summary
Table of Contents
What is Security Analytics?
Security Risk Methodology - the Four Steps
Risk Management: Dealing with Uncertainty
Example of Security Application Areas
Characteristics of complex risk problem
Decision Analysis & Influence Diagrams
Tradeoffs & Risk Preference
Differences between Trees and Diagrams
Certainty Equivalence, Utility & Risk Premium
Risk taking
Risk averse
Tutorial Example
Best Policy and value of Control
Risk Profiles
Gaining Insights
Sensitivity Analysis
Similar security ROI starting point
Similar Intrusion Detection problem
A more complex party problem
A more complex security ROI problem
Complex Intrusion-Aware Model
Homeland Security Infrastructures & Assets
Homeland Security - System View
Homeland Security - Decision View
Infrastructure Elements
Homeland Security Decision Analysis & Influence Diagrams Examples
Example 1
Overarching Influence Diagram
Example 2: Site Profiler
Architecture & Influence Network
Example 3 – Using Analytica
Security Categories
Where are the numbers
Tools & Resources
Conclusion
Overview
DEFINITION: Security Analytics (Table 1) is the use of analytics to
optimize security and security ROI.
Applications:
– Model
– Processes
– Policies
– Systems
Table 1 – analytic disciplines:
– Probability theory
– Statistics
– Stochastic programming
– Dynamic programming
– Information theory
– Utility theory
– Negotiations
Security Methodology - the Four Steps
1. Determine risk:
– Assets and risk to assets.
– Making security ROI known.
2. Analyze risk: *
– Qualitative
– Quantitative: Analytics
3. Design and implement: policies, architectures, technologies, training,
and countermeasures.
4. Manage: monitoring, audits, and evaluation.
* "One of the major problems is that security risk assessment and the benefits of using the
results of risk assessment cannot be measured in any sufficiently accurate to provable
way... Positive benefit is absence of unknown possible loss." Tom Peltier, "Risk Analysis
vs. Security Controls," NetSec 2002.
Risk Management: Dealing with Uncertainty
Fundamental Approaches
Frequentist
Bayesian
– Based on personal experience.
– Probability is different for people having different past experiences.
Example of Security Applications
Security ROI
Risk assessment and management
Knowledge management and Information retrieval (1)
SPAM filtering (2)
Intrusion Detection Systems
Other examples: Search engines, portfolio management, polling, etc.
Characteristics of complex problems
Decision Analysis/ Influence Diagram (DAID)
Advantages
Modeling
(1) Will the real risk preference stand up: a popular misconception is that security
managers in the private sector are risk-averse and overspend on security. IDC research
data shows otherwise. A typical organization of 5,000 employees spends, on average,
$1 million on security products ($200 per person, or $500 for each $1 million in
revenue).
Tradeoffs & Risk Preference
Differences between Decision Trees and Influence Diagrams
Certainty Equivalence, Utility & Risk Premium
RISK TAKING
RISK AVERSE
Even though EV is higher now (50 versus 23), the certainty equivalent is lower (25 versus -5).
Risk premium = EV - CE = 50 - (-5) = $55.
CE is less than EV.
Tutorial Example
Best Policy and Value of Control
The influence diagram and decision tree show the location decision being
made without knowing the weather.
Conclusion:
If we don't know what the weather will be, we should locate the party on the
porch, because that has the highest expected payoff of $38 million.
Best-case saving: (60 - 38), or $22 million. This is the Value of Control. *
Risk Profiles
Locating the party by the pool can give negative utility if it rains. But if it’s sunny it’s the
best decision. If it’s cloudy, it might rain.
Gaining Insights
1. If we know what the weather will be, we can make a better decision. Thus the new
expected payoff is now $47 million, instead of $38 million.
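As an added example, not part of the slides, the tutorial party problem worked through in Python. It computes the expected value of each location, the best policy when the weather is unknown, the expected value with perfect weather information and the Value of Control from the Best Policy slide, and the certainty equivalent and risk premium from the Risk Averse slide under an exponential utility with an assumed risk tolerance. The payoff table, the "indoors" alternative and the weather probabilities are constructed so that the headline figures match the slides ($38M porch EV, $47M with perfect information, $60M best case, $22M Value of Control); they are assumptions, not the slides' own data.

```python
import math

# Constructed example data (not the slides' table): payoffs in $ million for the
# party-location decision under three weather states. Values and probabilities
# were chosen so the headline figures match the slides: porch EV = 38,
# EV with perfect information = 47, best single payoff = 60.
WEATHER_PROBS = {"sunny": 0.5, "cloudy": 0.2, "rainy": 0.3}
PAYOFFS = {
    "pool":    {"sunny": 60, "cloudy": 30, "rainy": -10},  # best if sunny, negative if it rains
    "porch":   {"sunny": 48, "cloudy": 40, "rainy": 20},
    "indoors": {"sunny": 20, "cloudy": 20, "rainy": 30},
}


def expected_value(payoff, probs):
    """EV of one alternative: probability-weighted sum over weather states."""
    return sum(probs[s] * payoff[s] for s in probs)


def best_decision(payoffs, probs):
    """Best policy when the decision is made WITHOUT knowing the weather."""
    evs = {d: expected_value(p, probs) for d, p in payoffs.items()}
    best = max(evs, key=evs.get)
    return best, evs[best]


def ev_with_perfect_information(payoffs, probs):
    """EV when the weather is learned first, so the best option is chosen per state."""
    return sum(probs[s] * max(p[s] for p in payoffs.values()) for s in probs)


def value_of_information(payoffs, probs):
    """Most one should pay for a perfect weather forecast (EV with info minus EV without)."""
    return ev_with_perfect_information(payoffs, probs) - best_decision(payoffs, probs)[1]


def value_of_control(payoffs, probs):
    """Best-case saving if the weather could be set: best payoff minus EV of the best policy."""
    best_payoff = max(v for p in payoffs.values() for v in p.values())
    return best_payoff - best_decision(payoffs, probs)[1]


def certainty_equivalent(payoff, probs, risk_tolerance):
    """Certainty equivalent under exponential utility u(x) = 1 - exp(-x/R).
    CE = -R * ln(1 - E[u]); for a risk-averse decision maker CE < EV."""
    eu = sum(probs[s] * (1 - math.exp(-payoff[s] / risk_tolerance)) for s in probs)
    return -risk_tolerance * math.log(1 - eu)


def risk_premium(payoff, probs, risk_tolerance):
    """Risk premium = EV - CE: what the decision maker gives up to avoid the gamble."""
    return expected_value(payoff, probs) - certainty_equivalent(payoff, probs, risk_tolerance)


if __name__ == "__main__":
    best, ev = best_decision(PAYOFFS, WEATHER_PROBS)
    print(f"Best policy without a forecast: {best} (EV ${ev:.1f}M)")
    print(f"EV with perfect information: ${ev_with_perfect_information(PAYOFFS, WEATHER_PROBS):.1f}M")
    print(f"Value of perfect information: ${value_of_information(PAYOFFS, WEATHER_PROBS):.1f}M")
    print(f"Value of control: ${value_of_control(PAYOFFS, WEATHER_PROBS):.1f}M")
    for name, payoff in PAYOFFS.items():  # assumed risk tolerance R = $30M
        ce = certainty_equivalent(payoff, WEATHER_PROBS, 30)
        rp = risk_premium(payoff, WEATHER_PROBS, 30)
        print(f"{name:8s} EV ${expected_value(payoff, WEATHER_PROBS):.1f}M  "
              f"CE ${ce:.1f}M  risk premium ${rp:.1f}M")
```

The risk tolerance R is the one free parameter of the exponential utility: as R grows the decision maker becomes risk neutral and CE converges to EV, so the risk premium vanishes; with R = $30M the pool option's CE drops well below its EV because of the negative rainy-day payoff, which is the Risk Profiles slide's point in numbers.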
Sensitivity Analysis
Similar Security ROI starting point
Similar Intrusion Detection problem
Complex Intrusion-Aware Model
Homeland Security Infrastructures & Assets
Homeland Security- System View
Homeland Security- Decision View
Infrastructure elements
Homeland Security
Decision Analysis & Influence Diagrams Examples
Example 1 & Influence Diagram
Probabilistic Modeling of Terrorist Threats: A Systems Analysis Approach to
Setting Priorities Among Countermeasures. Elisabeth Paté-Cornell and Seth
Guikema, Department of Management Science and Engineering, Stanford
University. Military Operations Research, Vol. 7, No. 4, pp. 5-20, December 2002.
SUMMARY
OBJECTIVE:
- Prioritize the protection of US infrastructures, networks and socio-economic
components.
- Discover the most effective means of reducing the overall threat, i.e. the
disruption of the terrorists' supply chain.
- Prioritize the intelligence information that needs to be gathered, given accuracy,
time, and constraints.
Example 2 – Architecture and Diagram
Site Profiler, a system developed by Bryan Ware, Anthony Beverina, Lester Gong,
and Brian Colder at Booz Allen Hamilton and Digital Sandbox. Site Profiler is
used in bio-terrorism early warning systems, passenger and cargo profiling,
vulnerability assessments, and threat warnings and dissemination. Site Profiler
applies DAID to combined data from various sources.
SUMMARY
PROBLEM: Build a system to sift through massive amounts of information to
determine terrorist risk.
OBJECTIVE: Determine the following:
– how likely a terrorist is to attempt an attack (including tactic, weapon, and delivery
system) against an asset
– how likely the terrorist is to succeed
– the consequences of successful attacks
CHALLENGES:
– High volumes of data
– Disparate sources of data and information
– Diverse forms of information
– Significant organizational friction among producers, owners, and consumers of
information
Example 3 – Using Analytica
Using Analytica to model and analyze the cost and benefit of toxin
containment (adapted from Analytica's Toxic Emission Control example).
SUMMARY
PROBLEM: Determine the costs and benefits of containing an airborne toxin
that is potentially fatal.
Problem: how much to contain and eliminate certain toxins
including the option of reducing them by zero.
Security Categories
Access Controls, Authentication
Anti-eavesdropping
Anti-Virus protection/detection
Automated Patch Management
Biometrics Authentication of users/terminals
Business Continuity & Disaster Recovery
Content Delivery Network Security
Email spam filters
Encryption
Extranet Security Integration
Firewalls and Internet Security
Intrusion Detection & Network Monitoring
Media Security Destruction Devices
Media Protection Safes
Media Security
Physical/Facility Security - Anti-Theft Devices
Physical/Facility Security - Entrance Control Systems
Physical/Facility Security - Environmental Controls
Physical/Facility Security - Power Management
Risk Management / Risk Analysis
Security Incident Management
Single Sign On
Software Controls
Telecom & Remote Access Security
Wireless Security
Where to find statistics
Tools
The End