Abstract
In today's IT enterprises, choosing a security strategy has become harder as the network infrastructure itself has grown more complex. A security administrator has several classes of defense available: harden, detect, isolate, deceive, and evict. Each class serves a specific purpose, and each needs its own strategy when it is applied to an enterprise network. Existing defense-selection schemes do not provide explicit strategies for the different classes of defense. In this paper, we propose two separate strategies for determining where harden and detect defenses should be deployed. These strategies should give a better return on security investment.
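The abstract's point that hardening and detection need different deployment strategies can be seen on a small attack graph. The script below is an added illustration, not code from the paper, and the two scoring rules it uses are a simple assumption of mine (a common attack-graph heuristic), not the authors' strategies: a hardening action removes an exploit and therefore deletes every attack path that depends on it, whereas a detection sensor on a host only observes the paths that traverse that host, and it must do so before the goal is reached. The graph, host names and exploit labels are constructed for the example.

```python
from collections import Counter
from typing import Callable, Dict, List, Set, Tuple

# Constructed toy attack graph (illustrative only, not taken from the paper).
# Each edge: (source host, target host, exploit the attacker uses to cross it).
# The same exploit label on several edges means one fix removes all of them.
EDGES: List[Tuple[str, str, str]] = [
    ("internet", "web", "CVE-web-rce"),
    ("internet", "vpn", "weak-vpn-creds"),
    ("web", "app", "app-deser"),
    ("vpn", "app", "app-deser"),
    ("vpn", "fileshare", "smb-anon"),
    ("vpn", "jump", "stolen-ssh-key"),
    ("app", "db", "db-default-pw"),
    ("fileshare", "db", "db-default-pw"),
    ("jump", "db", "db-default-pw"),
]

Edge = Tuple[str, str, str]
Path = List[Edge]


def attack_paths(edges: List[Edge], source: str, goal: str) -> List[Path]:
    """Enumerate simple paths (no host revisited) from source to goal by DFS.
    Exponential in the worst case; fine for a toy graph, not for a real one."""
    adj: Dict[str, List[Edge]] = {}
    for e in edges:
        adj.setdefault(e[0], []).append(e)
    paths: List[Path] = []

    def walk(host: str, visited: Set[str], trail: Path) -> None:
        if host == goal:
            paths.append(list(trail))
            return
        for e in adj.get(host, []):
            if e[1] not in visited:
                walk(e[1], visited | {e[1]}, trail + [e])

    walk(source, {source}, [])
    return paths


def exploits_of(path: Path) -> Set[str]:
    """Hardening view: the exploits a path depends on (each counted once)."""
    return {e[2] for e in path}


def hosts_of(path: Path, source: str, goal: str) -> Set[str]:
    """Detection view: hosts where a sensor would see this path. The entry
    point and the goal are excluded: an alert raised on the goal host is too
    late, the attacker already has the crown jewel."""
    return {e[1] for e in path} - {source, goal}


def harden_scores(paths: List[Path]) -> Dict[str, int]:
    """Paths cut if this single exploit is removed (patched, reconfigured)."""
    return dict(Counter(x for p in paths for x in exploits_of(p)))


def detect_scores(paths: List[Path], source: str, goal: str) -> Dict[str, int]:
    """Paths observed if a sensor is placed on this single host."""
    return dict(Counter(h for p in paths for h in hosts_of(p, source, goal)))


def best(scores: Dict[str, int]) -> str:
    """Highest score; ties broken alphabetically so the result is deterministic."""
    return max(sorted(scores), key=lambda k: scores[k])


def greedy_cover(paths: List[Path], items_of: Callable[[Path], Set[str]]) -> List[str]:
    """Greedy set cover: keep adding the item (exploit or host) that covers the
    most still-uncovered paths until every path is covered. Works for both
    views; the only difference is how a path is mapped to coverable items."""
    uncovered = set(range(len(paths)))
    chosen: List[str] = []
    while uncovered:
        gain = Counter(x for i in uncovered for x in items_of(paths[i]))
        if not gain:
            break  # remaining paths have no coverable item (e.g. a direct hop to the goal)
        pick = best(gain)
        chosen.append(pick)
        uncovered = {i for i in uncovered if pick not in items_of(paths[i])}
    return chosen


if __name__ == "__main__":
    paths = attack_paths(EDGES, "internet", "db")
    print(f"{len(paths)} attack paths to db")
    print("harden first :", best(harden_scores(paths)))            # db-default-pw
    print("detect first :", best(detect_scores(paths, "internet", "db")))  # vpn
    print("harden set   :", greedy_cover(paths, exploits_of))
    print("sensor set   :", greedy_cover(paths, lambda p: hosts_of(p, "internet", "db")))
```

On this graph the two strategies pick different places: every path ends by abusing the database's default password, so a single hardening action (change it) cuts all four paths, while the best single sensor location is the VPN concentrator, which three of the four paths traverse before they reach the goal, and a second sensor is still needed to see the web-facing path. A practitioner would extend the scores with the cost of each fix or sensor and the likelihood of each exploit, and would replace full path enumeration with a reachability or cut computation on anything larger than a toy network.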
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Mukherjee, P., Thampi, S.M., Rohith, N., Poddar, B.K., Sen, I. (2023). Detection and Hardening Strategies to Secure an Enterprise Network. In: Muthukkumarasamy, V., Sudarsan, S.D., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2023. Lecture Notes in Computer Science, vol 14424. Springer, Cham. https://doi.org/10.1007/978-3-031-49099-6_6
DOI: https://doi.org/10.1007/978-3-031-49099-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-49098-9
Online ISBN: 978-3-031-49099-6