
Page 1: An Incident Management Ontology - STIDS2014stids.c4i.gmu.edu/papers/STIDSPresentations/STIDS... · Future work on the Incident Management Ontology will focus on studying incident

© 2014 Carnegie Mellon University

An Incident Management Ontology

Presenter - Samuel Perl Co-Authors - David Mundie, Robin Ruefle, Audrey Dorofee, Matthew Collins, John McCloud

Page 2

Copyright 2014 Carnegie Mellon University and IEEE This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected]. CERT® is a registered mark of Carnegie Mellon University. DM-0001613

Page 3

Need for a common language

The JASON Program within MITRE looked at practices in the scientific community for ways to make cybersecurity “more scientific” [1]

They concluded the most important elements the community should adopt are

•  A common language
•  A set of basic concepts
•  Developing a shared understanding

In other words, an ontology.

[1] JASON is an independent group of scientists which advises the US government on matters of science and technology [Wikipedia]

Page 4

The Incident Management Meta-Model

In previous work, we created a Meta-Model to capture the essential processes involved in Incident Management. The Meta-Model

•  Was built using 10 standards for incident management, including ISO 27002 and NIST 800-61
•  Has 18 high-level incident management tasks
•  Was organized by IM phases - Prepare, Protect, and Respond.
•  Also included 5 crosscutting capabilities
•  Was the heart of our Incident Management Body of Knowledge (IMBOK)

Page 5

IMBOK Meta-Model Phases & Tasks

Prepare
•  Develop trusted relationships with external experts
•  Provide staff appropriate education and training
•  Develop policies, processes, procedures
•  Measure incident management performance
•  Provide constituents with security education, training, and awareness
•  Develop an incident response strategy and plan
•  Improve defenses

Monitor and Detect
•  Assist constituents with correcting problems identified by vulnerability assessment activities
•  Detect and report events
•  Monitor networks and information systems for security
•  Perform risk assessments and vulnerability assessments on constituent systems

Respond
•  Triage incident
•  Collect and preserve evidence
•  Restore and validate the system
•  Perform a postmortem review of incident management actions
•  Integrate lessons learned with problem management process
•  Analyze incident, including artifacts, causes, and correlations
•  Determine and remove the cause of the incident

Crosscuts (across all)
•  Manage information
•  Properly handle collected evidence following best practices
•  Manage the incident management team
•  Communicate incidents
•  Track and document incidents from initial detection through final resolution

Page 6

IMBOK Meta-Model Drawbacks

The IMBOK suffers in its knowledge representation:

•  Tasks are not directly linked to their subjects
•  Natural language makes machine processing difficult
•  No direct way to perform modeling and simulation
•  Trades detail for simplicity
•  Combines concepts

Page 7

An Ontology Overcomes the Drawbacks

Converting the Meta-Model to a formal Ontology overcomes these issues

•  Separating entities from relationships allows tasks to be directly linked to their subjects
•  Using classes and relationships ensures complete representation of knowledge
•  The representation is machine-processable
•  Ontologies are already used to model, simulate and construct applications
•  A class hierarchy allows representation of concepts at any needed detail
•  Annotations make the ontology usable as a dictionary
•  No pressure to collapse concepts
•  OWL is widely used in the semantic web community

Page 8

Our Method

To build our IM ontology:

•  We decomposed the 18 high-level tasks in the IMBOK meta-model into component concepts and their respective relationships.
•  We organized the concepts into a hierarchy of subclasses.
•  We developed the relationships among classes from the incident management tasks.
•  We separated classes from relationships.

Page 9

Our Method for N-ary Relationships

Many of the relationships we want to model in incident management are "n-ary" relationships among more than just two objects. We chose to create a new class to hold the relationships. To illustrate:

Original Meta-Model Tasks

•  (IM leaders) Develop trusted relationships with external experts.
•  (trainers) Provide staff with appropriate education and training.

become

Revised Incident Management Ontology Tasks

developing external relationships:
•  involves external groups (such as external experts)
•  produces trusted relationships
•  is performed by IM leaders

staff training:
•  is provided by either external or internal trainers
•  is provided to IM personnel

Page 10

Ontology Top Level

[Figure: graph of the ontology's top level, rooted at Thing. Edge labels visible in the figure: "has subclass", "permeates". Node labels visible in the figure: activities, service-delivery, prepare-activities, protect-activities, respond-activities, sustain-activities, team-resources, organizational-groups, im-personnel, crosscuts, life-cycle-phases, knowledge-assets, incident-components, it-components, relationships, developing-relationships, developing-governance, coordinate, process-improvement, quality-standards.]

Page 11

Other Benefits

Moving to a formal ontology had several other advantages:

•  Very flexible typing
•  More powerful modeling
•  Improved knowledge visualization

Figure 2 – The Activity Classes in the Ontology with the Service Delivery subclass expanded

Page 12

Intended Usage

We intend to use the ontology to document, compare, and analyze teams

•  We have not yet formally extended the Incident Management Ontology to real world teams
•  Example - The only service these two CSIRTs have in common is incident analysis.
•  This could also make self-evaluation easier

A comparison of 2 fictitious teams using the ontology (Figure 4 in the paper)
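Added example (not from the slides and not the SEI's OWL ontology): a small Python model of the three mechanisms the deck describes on slides 9, 10 and 12. The tasks from slide 9 are stored as individuals with one binary property per role, a subclass hierarchy built from the slide 10 class names is queried transitively, and two constructed teams are compared by the services they deliver. All class, property and individual names are assumptions chosen to mirror the slide text, the two teams are made up (they are not the teams of Figure 4), and the functions stand in for what a description-logic reasoner and a SPARQL query would do over the real OWL file.

```python
# Added example: an in-memory triple store mimicking three ideas from the slides.
#   slide 9  - an n-ary task becomes a class; each role is a separate binary property
#   slide 10 - a subclass hierarchy that queries reason over transitively
#   slide 12 - comparing two (constructed) teams by the services they provide
# Names below are assumptions that mirror the slide text, not the SEI's identifiers.

from typing import Set, Tuple

Triple = Tuple[str, str, str]
triples: Set[Triple] = set()


def add(s: str, p: str, o: str) -> None:
    """Assert one (subject, predicate, object) statement."""
    triples.add((s, p, o))


def objects(s: str, p: str) -> Set[str]:
    """All objects o such that (s, p, o) is asserted."""
    return {o for (s2, p2, o) in triples if s2 == s and p2 == p}


# --- class hierarchy: a subset of the top-level classes named on slide 10 -------------
for cls in ("activities", "organizational-groups", "team-resources", "knowledge-assets"):
    add(cls, "subClassOf", "Thing")
for cls in ("prepare-activities", "protect-activities", "respond-activities",
            "sustain-activities", "service-delivery"):
    add(cls, "subClassOf", "activities")
add("im-personnel", "subClassOf", "organizational-groups")
add("csirt", "subClassOf", "organizational-groups")  # assumed class for teams
# Assumed: the services a team can offer are modelled as subclasses of service-delivery.
for svc in ("incident-analysis", "artifact-analysis", "vulnerability-assessment",
            "awareness-training", "coordination"):
    add(svc, "subClassOf", "service-delivery")

# --- slide 9: reified n-ary relationships --------------------------------------------
# "(IM leaders) develop trusted relationships with external experts" has three
# participants, which one binary predicate cannot carry. Following the W3C pattern
# the deck cites (Noy et al., reference 13), the task itself becomes an individual
# and every role is its own property, so each participant is directly linked to it.
add("developing-external-relationships", "type", "prepare-activities")
add("developing-external-relationships", "involves", "external-experts")
add("developing-external-relationships", "produces", "trusted-relationships")
add("developing-external-relationships", "performedBy", "im-leaders")

add("staff-training", "type", "prepare-activities")
add("staff-training", "providedBy", "internal-trainers")
add("staff-training", "providedBy", "external-trainers")
add("staff-training", "providedTo", "im-personnel")


def superclasses(cls: str) -> Set[str]:
    """Transitive closure of subClassOf (what an OWL reasoner infers automatically)."""
    seen: Set[str] = set()
    frontier = [cls]
    while frontier:
        for parent in objects(frontier.pop(), "subClassOf"):
            if parent not in seen:
                seen.add(parent)
                frontier.append(parent)
    return seen


def instances_of(cls: str) -> Set[str]:
    """Individuals typed as cls or as any (transitive) subclass of cls."""
    return {s for (s, p, o) in triples
            if p == "type" and (o == cls or cls in superclasses(o))}


def tasks_involving(group: str) -> Set[str]:
    """Every reified task in which `group` plays any role. This is the query the
    natural-language meta-model could not answer: the task is now a subject."""
    roles = {"involves", "produces", "performedBy", "providedBy", "providedTo"}
    return {s for (s, p, o) in triples if p in roles and o == group}


# --- slide 12: comparing two teams by the services they deliver -------------------------
def declare_team(name: str, services: Set[str]) -> None:
    add(name, "type", "csirt")
    for svc in services:
        add(name, "providesService", svc)


def common_services(a: str, b: str) -> Set[str]:
    return objects(a, "providesService") & objects(b, "providesService")


def untyped_services(team: str) -> Set[str]:
    """Services a team claims that the ontology does not know as service-delivery.
    This is the ontology acting as a dictionary: a misspelled or undeclared service
    shows up here instead of silently inflating the comparison."""
    return {svc for svc in objects(team, "providesService")
            if "service-delivery" not in superclasses(svc)}


# Constructed, fictitious teams (not the two teams in Figure 4 of the paper).
declare_team("team-alpha", {"incident-analysis", "vulnerability-assessment",
                            "awareness-training"})
declare_team("team-beta", {"incident-analysis", "artifact-analysis", "coordination",
                           "forensic-analysis"})  # last one deliberately undeclared

if __name__ == "__main__":
    print("prepare-activities:", sorted(instances_of("prepare-activities")))
    print("tasks involving im-leaders:", sorted(tasks_involving("im-leaders")))
    print("services in common:", sorted(common_services("team-alpha", "team-beta")))
    print("undeclared services, team-beta:", sorted(untyped_services("team-beta")))
```

Run it as a script to see the four queries; `instances_of("activities")` also returns both tasks even though they are only typed as prepare-activities, which is the subclass reasoning the slide attributes to the class hierarchy. The `untyped_services` check is the practical payoff of having the ontology double as a dictionary: "forensic-analysis" is flagged because no class declares it, which is the kind of error a free-text comparison of two teams would not catch.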

Page 13

Future Work

Future work on the Incident Management Ontology will focus on studying incident management organizations.

•  Categorization of incident response organizations such as during assessments or for comparative analysis

•  Examining the differences between the functions of CSIRTs and the functions of Coordination Centers.

•  Formally distinguishing CSIRTs and Coordination Centers using defined classes

Page 14

Related Work

•  “Building an Incident Management Body of Knowledge”
   —  Mundie and Ruefle
•  “Formalizing Information Security Knowledge”
   —  Fenz
•  “Security Ontologies: Improving quantitative risk analysis”
   —  Ekelhart, Fenz, Klemen, and Weippl
•  And many more (see References)

Page 15

References

1 McMorrow, D.: ‘Science of Cyber-Security’ (DTIC Document, 2010)
2 Mundie, D.A., and Ruefle, R.: ‘Building an Incident Management Body of Knowledge’ (2012), pp. 507-513
3 ISO: ‘ISO 27002:2005’, Information Technology - Security Techniques - Code of Practice for Information Security Management, ISO, 2005
4 NIST: ‘SP 800-61’, Computer Security Incident Handling Guide, 2004
5 Miller, G.A.: ‘The magical number seven, plus or minus two: some limits on our capacity for processing information’, Psychological Review, 1956, 63(2), p. 81
6 Motik, B., Patel-Schneider, P.F., Parsia, B., Bock, C., Fokoue, A., Haase, P., Hoekstra, R., Horrocks, I., Ruttenberg, A., and Sattler, U.: ‘OWL 2 Web Ontology Language: Structural Specification and Functional-Style Syntax’, W3C Recommendation, 2009
7 Hitzler, P., Krötzsch, M., Parsia, B., Patel-Schneider, P.F., and Rudolph, S.: ‘OWL 2 Web Ontology Language Primer’, W3C Recommendation, 2009
8 Brachman, R.J., and Schmolze, J.G.: ‘An Overview of the KL-ONE Knowledge Representation System’, Cognitive Science, 1985, 9(2), pp. 171-216
9 Baader, F.: ‘The Description Logic Handbook: Theory, Implementation, and Applications’ (Cambridge University Press, 2003)
10 World Health Organization: ‘International Classification of Diseases (ICD)’, 2012
11 Singhal, A.: ‘Introducing the Knowledge Graph: things, not strings’, Official Google Blog, May 2012
12 Antoniou, G., and Van Harmelen, F.: ‘Web Ontology Language: OWL’, in ‘Handbook on Ontologies’ (Springer, 2004), pp. 67-92
13 Noy, N., Rector, A., Hayes, P., and Welty, C.: ‘Defining N-ary Relations on the Semantic Web’, W3C Working Group Note, 2006
14 Protégé: ‘Knowledge Acquisition System’, http://protege.stanford.edu, 2007
15 Beebe, N.L., and Clark, J.G.: ‘A hierarchical, objectives-based framework for the digital investigations process’, Digital Investigation, 2005, 2(2), pp. 147-167
16 http://protegewiki.stanford.edu/wiki/OntoGraf, 2014
17 facetmap.com, 2014
18 Ellson, J., Gansner, E., Koutsofios, L., North, S.C., and Woodhull, G.: ‘Graphviz - open source graph drawing tools’ (Springer, 2002), pp. 483-484
19 Fenz, S., and Ekelhart, A.: ‘Formalizing information security knowledge’ (ACM, 2009), pp. 183-194
20 Osorno, M., Laurel, M., Millar, T., Team, E.R., and Rager, D.: ‘Coordinated Cybersecurity Incident Handling’, 2011
21 Magklaras, G., and Furnell, S.: ‘Insider threat prediction tool: Evaluating the probability of IT misuse’, Computers & Security, 2001, 21(1), pp. 62-73
22 Wang, J.A., and Guo, M.: ‘OVM: an ontology for vulnerability management’ (ACM, 2009), p. 34
23 Chiang, T.J., Kouh, J.S., and Chang, R.-I.: ‘Ontology-based Risk Control for the Incident Management’, IJCSNS International Journal of Computer Science and Network Security, 2009, 9(11), pp. 181-189
24 Office of Cybersecurity and Communications, National Cyber Security Division: ‘Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development’, 2007
25 Lambo, T.: ‘ISO/IEC 27001: The future of infosec certification’, ISSA Journal (http://www.issa.org), 2006
26 Ekelhart, A., Fenz, S., Klemen, M., and Weippl, E.: ‘Security ontologies: Improving quantitative risk analysis’ (IEEE, 2007), p. 156a
27 Schlenoff, C., Gruninger, M., Tissot, F., Valois, J., Lubell, J., and Lee, J.: ‘The Process Specification Language (PSL) Overview and Version 1.0 Specification’ (2000)

Page 16

Acknowledgements

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. This material has been approved for public release and unlimited distribution. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. DM-0001433

Page 17

End

Contact Info: Samuel Perl [email protected] 4500 Fifth Ave, Pittsburgh, PA, 15213