SECURITY CONTENT METADATA MODEL WITH AN EFFICIENT SEARCH METHODOLOGY FOR REAL TIME MONITORING AND THREAT INTELLIGENCE presented at BlackHatAsia 2015

by Preeti Subramanian

Summary: The Security Content Automation Protocol (SCAP) federates a number of open standards that are used to enumerate software flaws and security-related configuration issues. These standards measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate their possible impact. SCAP has a number of components, such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Remediation Enumeration (CRE), Extensible Configuration Checklist Description Format (XCCDF), and Open Vulnerability and Assessment Language (OVAL). Malware Attribute Enumeration and Characterization (MAEC) is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. These standards render data in the form of XML. Although the standards are linked to each other, there is a lack of commonality in their XML schema definitions. A single common metadata schema is needed to represent the aspects that matter for designing efficient search engines. This common metadata supports distribution of data across the various repositories that render SCAP content. Across all security content databases, a unique identifier and a short description are common to every entry. In addition, this model makes building references to multiple SCAP components intuitive. The differentiating attributes of security content are represented as a list of properties, each property being a key-value pair. For example, in the case of CVE, (CVSS, 9.4) represents the key CVSS and a score of 9.4, where CVSS is Common Vulnerability Severity Score. In this model, modifications to the schema of SCAP components can be accommodated simply by adding or deleting a property key-value pair, without changing the model.
Searching on this metadata enables fast responses to queries and helps interlace the various SCAP components; e.g., OVAL references CVE, and each CVE depends on the various platforms and products denoted by CPEs. The model enables Natural Language Processing (NLP) and renders meaningful responses to queries such as "OVAL definitions for the most vulnerable applications", "vulnerabilities in Adobe Reader in 2014", or "what was released yesterday". This requires recognizing dates, the SCAP components requested, and products, platforms, or vendors. NLP supports an understanding of the intent of a search across the repositories, thereby enriching the user experience while benefiting from SCAP content to measure the security posture of systems. This archetype helps resolve vulnerabilities before an attack happens. It also helps to understand an incident on your machine and analyse whether it is a malware attack; it further helps to scrutinize which vulnerability was exploited by the malware and, most importantly, to fix the attack.
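As an added illustration (not code from the presenter or from any SCAP tooling), the sketch below implements the common metadata record described above, an inverted index over the short descriptions, and the two query styles the abstract mentions: a keyword search narrowed by component, release year and property values, and a transitive walk of references (OVAL to CVE to CPE). The class names, the sample records and their ids are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass
class SecurityContent:
    # id and short description are common to all SCAP components; the rest is properties/references.
    id: str
    component: str                                  # "CVE", "CPE", "OVAL", "CCE", ...
    description: str
    released: date
    references: set = field(default_factory=set)    # ids of related SCAP content
    properties: dict = field(default_factory=dict)  # differentiating key-value pairs, e.g. {"CVSS": 9.4}

class MetadataIndex:
    def __init__(self, records):
        self.records = {r.id: r for r in records}
        self.words = {}  # inverted index: description token -> ids whose description contains it
        for r in records:
            for token in set(r.description.lower().split()):
                self.words.setdefault(token, set()).add(r.id)
    def search(self, *terms, component=None, year=None, **props):
        # Keyword hits narrowed by component type, release year and exact property values.
        hits = set(self.records) if not terms else set.intersection(
            *(self.words.get(t.lower(), set()) for t in terms))
        return sorted(rid for rid in hits
                      if (component is None or self.records[rid].component == component)
                      and (year is None or self.records[rid].released.year == year)
                      and all(self.records[rid].properties.get(k) == v for k, v in props.items()))
    def linked(self, rid, component):
        # Follow references transitively (e.g. OVAL -> CVE -> CPE); reference cycles are tolerated.
        seen, stack, found = set(), [rid], set()
        while stack:
            cur = stack.pop()
            if cur in seen or cur not in self.records: continue
            seen.add(cur)
            for ref in self.records[cur].references:
                if ref in self.records and self.records[ref].component == component:
                    found.add(ref)
                stack.append(ref)
        return sorted(found)

RECORDS = [  # constructed sample content; ids are placeholders, not real CVE/CPE/OVAL entries
    SecurityContent("CVE-EXAMPLE-0001", "CVE", "Heap overflow in Adobe Reader PDF parser",
                    date(2014, 3, 11), {"cpe:/a:example:reader:11"}, {"CVSS": 9.4}),
    SecurityContent("CVE-EXAMPLE-0002", "CVE", "Information leak in Adobe Reader",
                    date(2013, 7, 2), {"cpe:/a:example:reader:11"}, {"CVSS": 5.0}),
    SecurityContent("cpe:/a:example:reader:11", "CPE", "Example Reader 11", date(2013, 1, 1)),
    SecurityContent("oval:example:def:1", "OVAL", "Checks for CVE-EXAMPLE-0001 in Adobe Reader",
                    date(2014, 3, 20), {"CVE-EXAMPLE-0001"}, {"class": "vulnerability"}),
]
INDEX = MetadataIndex(RECORDS)
```

A query such as "vulnerabilities in Adobe Reader in 2014" maps to `INDEX.search("adobe", "reader", component="CVE", year=2014)`, and "which platforms does this OVAL definition concern" to `INDEX.linked("oval:example:def:1", "CPE")`; a schema change on one component only adds or removes a key in `properties`.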