IT administrators may someday be able to simulate attacks on their networks and see the long-term impact of their security decisions through Threat Dynamics. It's a concept being fleshed out by a team of researchers from CERT and Carnegie Mellon University's CyLab.
Leading the project is Andrew Moore, senior technical staff member at CERT's Software Engineering Institute and researcher at Carnegie Mellon University's CyLab. In this Q&A, he describes the goals behind Threat Dynamics and assesses its prospects for eventual enterprise use.
What's the ultimate goal of Threat Dynamics?
Moore: Organizations have trouble mapping out a plan that incorporates how they respond to Internet threats and how it affects their business mission and their business architecture and operations. The goal is to give them a tool that allows them to bring these things into focus; to help them make better decisions so they can better support their mission and counter everyday threats. I hope this can provide a better management decision tool and be a learning tool that can help employees better understand Internet threats and how their behavior can play into those threats. This approach takes a very broad view. It doesn't just look at technology. It puts the technical side in context with the whole business and the culture.
Why should enterprise users be interested in this?
Moore: A common problem is that you have a vast array of security technologies and a lack of understanding of what those technologies will do for an organization. This can help IT administrators build a case for the tools they may choose to invest in. Businesses worry about return on investment. This technique can help them take all of the technology available out there and prioritize what is important and what they want to invest in.
What stage is your research at?
Moore: It's pretty early on. We have started looking at a number of application domains. One domain is the insider threat. We've been working with the U.S. Secret Service to study about 160 cases. One area we look at is using Threat Dynamics to capture the behavior patterns of insiders, of insider attacks, see how those attacks occur over time and what organizations can do to mitigate the threat. The goal is to have a learning tool that shows simulations of insider threats and what to do about it. Another domain is enterprise patch management.
What is the history of Threat Dynamics?
Moore: It's based on System Dynamics, which has been around since the 1950s and 1960s. Supply Chain Management is an original application of System Dynamics. System Dynamics is a method to model and analyze the holistic behavior of complex managed systems as they evolve over time. Threat Dynamics is the use of System Dynamics to study the impact of an organization's threat environment on the ability of that organization to achieve its mission objectives.
How far away are we from the day when most enterprises will use something like this?
Moore: I don't think it'll ever become something everyone uses routinely. System Dynamics has been around a long time. It has a niche user community. It's taught in business schools. I see this as a specialized skill set that medium-to-large organizations will take on. This will likely remain a specialized niche. But the tools that are developed as a result of Threat Dynamics could become more widely used. There's big potential for the invention and marketing of new tools created as a result of issues uncovered through Threat Dynamics. Insider threat tools are a good example of this. Managers don't really understand how to manage in the face of that threat. This is a sector where Threat Dynamics itself can really find its niche.
Can you give an example of a test that showed true promise for enterprise use?
Moore: System Dynamics in general has a good history of helping organizations improve. That's not to say it will translate as effectively with information security. But System Dynamics has a good history, a solid track record. We believe many of those benefits will apply in the information security realm.
What are the biggest difficulties you've run into along the way?
Moore: Understanding what Threat Dynamics is trying to do really requires a mental shift in people. People tend to look at threats as isolated events. It's more pervasive than that. Problems are typically thought of as a root cause or an isolated event. But these events are usually tied to a bigger, underlying problem. System Dynamics helps pull apart the underlying causes of problem behavior, analyze them and develop the most effective solutions. You can see solutions as better before worse or worse before better. Many managers get trapped in the better-before-worse mindset because they deal with one problem but not the underlying cause. You have to get over that first hump.
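Moore describes System Dynamics as modelling how a managed system evolves over time and contrasts "worse before better" with "better before worse" solutions. The following is an added illustration, not code from CERT, CyLab or the Threat Dynamics project: a toy stock-and-flow model of an enterprise patch-management backlog (one of the domains he names), with made-up parameters, in which diverting staff to build patch automation makes the backlog worse for several weeks before it drops below the do-nothing baseline and stays there.

```python
"""Stock-and-flow model of a patch backlog (constructed example).

One stock (unpatched applicable vulnerabilities), one inflow (new
disclosures per week), one outflow (patches applied per week) and one
policy lever: spend the first ramp_weeks diverting part of the team
to build automation, which later raises weekly patching capacity.
All numbers are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Params:
    weeks: int = 52
    inflow: float = 40.0            # new applicable vulns disclosed per week
    base_capacity: float = 30.0     # patches a team can apply per week
    ramp_weeks: int = 12            # weeks spent building automation
    diverted_share: float = 0.5     # share of capacity lost during the ramp
    automation_gain: float = 25.0   # extra patches per week once ramp is done
    initial_backlog: float = 200.0


def capacity(week: int, p: Params, invest: bool) -> float:
    """Weekly patching capacity under the baseline or the investment policy."""
    if not invest:
        return p.base_capacity
    if week < p.ramp_weeks:
        return p.base_capacity * (1.0 - p.diverted_share)   # worse before...
    return p.base_capacity + p.automation_gain              # ...better


def simulate(p: Params, invest: bool) -> list[float]:
    """Euler-step the backlog stock one week at a time; returns its trajectory."""
    backlog, path = p.initial_backlog, []
    for week in range(p.weeks):
        applied = min(capacity(week, p, invest), backlog)  # cannot patch more than exist
        backlog = backlog + p.inflow - applied
        path.append(backlog)
    return path


def crossover_week(baseline: list[float], policy: list[float]):
    """First week the policy backlog is below baseline, or None if never."""
    for week, (b, q) in enumerate(zip(baseline, policy)):
        if q < b:
            return week
    return None


def run(p: Params = Params()) -> dict:
    base, inv = simulate(p, invest=False), simulate(p, invest=True)
    return {"baseline": base, "invest": inv, "crossover": crossover_week(base, inv)}


if __name__ == "__main__":
    r = run()
    print("crossover week:", r["crossover"], "final backlogs:", r["baseline"][-1], r["invest"][-1])
```

With these parameters the baseline team never catches up (inflow exceeds capacity), while the investment policy looks worse until week 19 and then drives the backlog down to a steady state of one week's inflow.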