Configuration vulnerabilities are a major cause of system downtime and cyberattacks. Hackers successfully exploit configuration vulnerabilities and errors – such as incorrect enablement of privileges or erroneous file access – in many of the most disruptive, extensive, and costly internet outages. What if we could reduce the risk by configuring systems not only for high performance, but also to minimize the cyberattack surface?
Complex systems, including computer and communications networks, robots and autonomous vehicles, industrial control systems, military platforms, and critical infrastructure, are composed of large numbers of components. These components have many configuration variables whose settings define logical interconnections and determine system behavior. Setting values for thousands of configuration variables to simultaneously meet hundreds of functional and performance requirements is a daunting computational task. Even modest-sized systems will have more possible configurations than stars in the universe! This configuration space offers an immense attack surface, which is vulnerable to intrusion, malware, and other cyberthreats.
Peraton Labs has developed a novel solution that not only configures systems for correct operation and high performance, but also minimizes the configuration attack surface. Our solution, Optimized Context-Specific Configuration for Attack-Surface Minimization (OCCAM), applies simulation, machine learning, and our innovative constrained optimization engine to produce compliant, secure configurations. It solves the daunting computational task automatically and quickly, resolving in minutes problems for which the number of possible configurations is 10 raised to the 105th power. OCCAM also provides what-if analyses and helpful explanations to aid users in understanding the design space and its trade-offs.
Here’s how OCCAM works:
- Input to OCCAM consists of system requirements, functional models, configuration parameters, and standard operating procedures (SOPs) for system operators.
- No input on threats or adversary behavior is required; instead, OCCAM models the attack surface as an objective function of vulnerability scores (e.g., enabled privileges and permissive file accesses).
- OCCAM formulates the problem of attack surface minimization while preserving functionality as a constrained optimization problem, utilizing an accessible, mainstream programming language.
- In minutes, OCCAM can determine thousands of configuration settings to minimize the objective function (vulnerability score) while satisfying hundreds of constraints (system requirements).
- OCCAM also provides explanatory information, which helps operators gain understanding to manage the system, and suggestions for modifications to SOPs to reduce configuration vulnerability.
- OCCAM has been successfully applied to computer systems, satellite networks, robotics, and the power grid.
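
The formulation in the list above, as an added toy example (not OCCAM's engine or Peraton Labs code): boolean settings with assumed vulnerability weights form the objective, requirements and one SOP rule are predicates, and exhaustive search stands in for a real constrained-optimization solver. Every setting name, weight and requirement here is constructed for illustration.

```python
from itertools import product

# Constructed settings: name -> vulnerability score added when the setting is enabled.
SETTINGS = {
    "svc_runs_as_root": 8, "svc_cap_net_bind": 2,
    "logs_world_readable": 5, "logs_group_readable": 1,
    "ssh_password_auth": 6, "ssh_key_auth": 1,
    "listen_port_80": 3, "listen_port_8080": 1,
}

# Constructed requirements: each is a predicate every valid configuration must satisfy.
REQUIREMENTS = {
    "web service reachable": lambda c: c["listen_port_80"] or c["listen_port_8080"],
    "port 80 needs privilege": lambda c: (not c["listen_port_80"])
        or c["svc_runs_as_root"] or c["svc_cap_net_bind"],
    "operators can read logs": lambda c: c["logs_world_readable"] or c["logs_group_readable"],
    "remote admin access": lambda c: c["ssh_password_auth"] or c["ssh_key_auth"],
    "SOP: public port must be 80": lambda c: c["listen_port_80"],
}

def score(cfg):
    """Objective function: total vulnerability score of the enabled settings."""
    return sum(weight for name, weight in SETTINGS.items() if cfg[name])

def minimize(requirements):
    """Lowest-scoring configuration that meets every requirement, or None if infeasible.
    Exhaustive over 2^n assignments, so only usable at toy scale."""
    names, best = list(SETTINGS), None
    for bits in product([False, True], repeat=len(names)):
        cfg = dict(zip(names, bits))
        if all(req(cfg) for req in requirements.values()):
            if best is None or score(cfg) < score(best):
                best = cfg
    return best

def what_if(requirements):
    """What-if analysis: score saved by relaxing each requirement on its own."""
    base = score(minimize(requirements))
    return {
        name: base - score(minimize({k: v for k, v in requirements.items() if k != name}))
        for name in requirements
    }

if __name__ == "__main__":
    best = minimize(REQUIREMENTS)
    print("enabled:", sorted(n for n, on in best.items() if on), "score:", score(best))
    for name, saved in what_if(REQUIREMENTS).items():
        print(f"relax {name!r}: saves {saved}")
```

In this constructed model the SOP rule is the most expensive constraint: relaxing it lets the service move to an unprivileged port, which removes the need for any bind privilege.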
OCCAM can be used on any complex system, including industrial process control systems, positive train control, and shipboard and small business networks. It can also be used to repair faulty configurations and to help systems, such as robots and autonomous systems, recover from attacks.
To learn more about OCCAM and our other research on ensuring security-by-design, contact us at [email protected].