MIT SDM Systems Thinking Webinar Seriessdm.mit.edu/wp-content/uploads/2016/03/Charles-MIT-Webinar.pdf · Firewalls, IDM, IDS/IPS, ... • An article by David Weldon [3] on “US cyberhealth

system design & management

MIT SDM Systems Thinking Webinar Series

Implementing Better with the Right Intrusion Prevention Solutions: A Computer Implemented Logic that Performs Artificial Intelligence Decision-Making Analysis

By Charles Iheagwara, Ph.D, SDM ‘10

Copyright @ Charles Iheagwara

Outline

•  Introduction

•  Growing Intrusion Trends

•  Enterprise Intrusion Prevention

•  Implementing with Unfit Solutions

•  A Method of Implementing Correctly

•  Summary



Introduction


What is Intrusion Prevention?

•  First we need to define intrusion to answer the question

•  If we define intrusion as “Any unauthorized access into an entity’s network or systems, then we can

•  Define intrusion prevention as a preemptive approach to used to identify potential threats and respond to them swiftly.

•  What are the methods of preventing intrusion?

•  There are different methods

•  Typically by the use of enterprise –level security products: Firewalls, IDM, IDS/IPS, ETC.


•  Intrusion into enterprise networks continues to grow at alarming rates:

–  Recent hacking events at Sony, UMUC, Target Stores and the US OPM provide proof of implementation failures.

•  An article by David Weldon [3] on “US cyberhealth report” finds companies underperforming and attributes growing intrusions to ineffective implementations.

•  Specifically, Weldon contends that:

–  “despite all the attention that Cyber security is getting, and all the money that large corporations pour into prevention and detection, the majority of large organizations are underperforming when it comes to safeguarding their systems.”

Trends


•  According to the article which focused on the Standard & Poor's 500 organizations:

–  The companies analyzed spend a significant amount of money on Cyber security, represent 75 percent of the American equity market by capitalization and are also among the leading targets of Cyber-attacks.

–  Despite the huge amount spent, these companies continue to underperform. For example [3], the study found that during 2013, at any given time, between 68 percent and 82 percent of the S&P 500 companies included in the analysis had been compromised with an externally observable security event.

• 

Trends Cont.


Intrusion into enterprise networks continues to grow at alarming rates: Recent hacking events at UMUC and Target Stores provide proof of implementation failures. Why did these happen? Deployments were ineffective to prevent intrusions See Article at the following URL: http://www.fiercecio.com/story/us-cyberhealth-report-finds-companies-underperforming/2014-02-26

Attributes growing intrusions to ineffective implementations.



How do Organizations Prevent Intrusions in their Networks Today?


Implementations

•  Largely by deploying intrusion detection and prevention devices: – Firewalls (including NGFW) – IPS/IDS – Others devices including system specific

measures

•  We focus on Firewalls and IPS/IDS


Commercial Intrusion Prevention Tools •  Leading vendor products are listed by Gartner, NSS Labs, Others

•  Next generation firewalls and intrusion detection and prevention systems feature a diverse product range from leading vendors such as Check Point (NASDAQ: CHKP), Fortinet (NASDAQ: FTNT), McAfee (NASDAQ: INTC), Cisco (NASDAQ: CSCO), Dell, HP (NYSE: HPQ), IBM (NYSE: IBM) and Juniper (NYSE: JNPR).

•  The mix represents products from different class families: –  Firewalls –  Next Generation firewalls (NGFW) –  Intrusion Detection Systems –  Intrusion Prevention Systems –  Threat Isolation Products –  Etc.

•  With advances in technology, products in different class families are increasingly integrating features from products in other families.

–  For example, NGFW functionalities are available as add-ons to the existing M- series McAfee firewalls.


Securing the Enterprise


Securing the Enterprise: IPS Security Product Market Growth


PROBLEM /OPPORTUNITY

•  Hundreds of Cyber security products in the marketplace from different vendors:

–  Some products are better than others in different functional areas of performance

•  Budget and implementation goals are the two biggest determinants in product selection:

–  Choice of the best fit product affect the ability of an organization to realize it’s intrusion prevention goal

•  End User selection of one product over the other is often a pain-point: –  Products and technologies poorly understood –  Very complex to implement

•  Evidence abound on the so many failed implementations: –  Poor product selection –  End user selection based on vendor sales pitches –  Objective criteria lacking


Why Implementations Fail

•  Deployments were ineffective to prevent intrusions.

–  See Article at the following URL: http://www.fiercecio.com/story/us-cyberhealth-report-finds-companies-underperforming/2014-02-26

–  Attributes growing intrusions to ineffective implementations.


Why Implementations Fail Cont.

In terms of implementation, effectiveness of the products depend on several factors primary of which is the selection of the right solution for the right environment. Hundreds of Cyber security products in the marketplace from different vendors, some products are better than others in different functional areas of performance and solutions integration. .


Buying Intrusion Prevention Products

•  A lot of companies largely rely on vendors sales pitches

•  Some would typically seek out paid reference sources to figure out what is trending:

–  Garner

–  NSS

–  Others (i.e. Forester)

•  And then make buying & implementation decisions


NSS Labs: Security Value Map

17

Gartner Market Data

18 Copyright @ Charles Iheagwara

Lack of Customization and Limited Information Input

•  Neither Gartner, NSS Labs or vendor sales pitchers provide users with holistic/custom solutions that are uniquely suited to their environment:

–  NSS Labs provide individual product technical/functional capability measures in specific areas

–  Gartner provides market data of companies ability to execute

•  A missing link is customization to specific customer unique requirements.

•  Hence, there is a need for an objective criteria that is more scientifically based.



Artificial Intelligence Solution: A Better Way to Implement


The Artificial Intelligence Decision Making Approach

•  A holistic approach entails adopting a holistic approach that takes into account: –  A wider scope of visbility into the anatomical underpinnings of each

vendor product –  Relates to the user unique requirements

•  “IntrusionPoint” an analytic SaaS tool that performs artificial intelligence decision-making analysis of intrusion prevention solutions that produces the best fit match for end-users from their individual unique requirements and perspectives has been developed .

–  Addresses the requirements from a holistic perspective


IntrusionPoint Optimizes Selection of Best Fit Solution

•  The SaaS tool is designed to allow users of intrusion prevention products customize a business case analysis for any deployment and target environment or market.

•  The tool accepts a wide range of market data, technical parameters, and business/financial and service planning inputs that a user can tailor for their particular deployment plan.

•  It simulates a network deployment and operations using a variety of technical, environmental and service plans and produces detailed reports, Analytics, graphical outputs, and key technical, deployment and implementation comparison charts unique to a user’s requirements.


Implemented Logic


Implemented Logic Cont.

•  The logic tool provides answers to among others the following:

–  How do I specify my network environmental requirement? –  What is(are) the best fit product(s)? –  What other deployment options makes sense for my environment? –  How will customer and product support be addressed during the deployment

lifecycle –  How would a vendor product integrate into my existing network infrastructure? –  What are the performance bottlenecks of a particular vendor product? –  What is the comparative advantage of a particular product over the other(s)? –  What are the risk factors in implementing a particular vendor solution over time? –  How do the costs of vendor solutions affect my budgetary plan? –  How can the service agreements be optimized for my deployment or

implementation plan?


Conceptual Approach

The construct of Artificial Intelligence Implemented logic provides answers:

•  Define a string of variables mimicking user implementation environments

•  Decode the unique attributes of each vendor solution (DNA) in different performance areas such as:

–  functional scenarios –  technical characteristic –  component characteristics –  solutions integration –  etc.

•  Construct a data structure from which a database system is developed


Conceptual Approach Cont.

•  Create a query set database from the data set created from the table of matrixes comprising:

–  a query set with multiple alternative possibilities, each having a distinguishing attribute defined in a decision-making matrix.

•  Create a query set comprising a query that relates to each of the multiple alternative possibilities set

•  Create a set of user primary, secondary and tertiary preference bias values developed by an expert having knowledge of how each alternative affect user input requirement,

–  wherein each bias value is associated with a particular alternative, and reflects the expert's conception, based on the distinguishing attribute, of the relative degree of predictive value of the query for the particular alternative relative to other alternatives in the possibility set.

•  Obtain a response to the query.



•  Determine, based on the response to the query and the set of primary bias values, a set of corresponding secondary and tertiary bias values:

–  wherein each secondary and tertiary bias value is associated with a particular alternative, and reflects the expert's conception of the relative degree of predictive value of the query for the particular alternative relative to other alternatives in the possibility set; and

•  Score and rank the alternatives in the possibility set, based on the secondary and tertiary bias values, to:

–  provide a decision comprising the set of alternatives, ranked according to likelihood consistent with the created decision-making matrix; and



•  For scoring and ranking of the alternatives in the possibility set, the computer implemented logic (algorithm) performs weighted scoring and ranking of a query set values from a database:

•  the result of the scoring and ranking provides a user a best alternative from the alternative possibilities from the query response to implement intrusion prevention solution in their unique environment.

•  the result generated consists of charts of data, graphs, analytics, product data comparison matrix and customized report.



Solution Design


System Architecture

30

Numbers Frontend Numbers Backend 1 2 3 4 5

Web users Subscribe & Payment Search Matching requirements Reports, Graphs & Analytics

6 7 8 9 10 11 12 13 14

Admin users Dashboard / Control panel Content Administrators Manage content Reports, Graphs & Analytics Activity log Business logic & automation Database Web templates


Computer Logic (Algorithm)


•  The logic performs mathematical computations - using the system mathematical model - of input feed and produces results that are generated as reports

•  It looks for matching information from the data set that was pre-fed into the system database 13 and the user input data 4, and

–  It is essentially multiple types of vendors’ intrusion prevention solutions with identifying data attributes that are constantly updated upon enhancement of new product releases

•  The input data is the user unique requirements

•  Then executes business logic computation to

•  Generate desirable output information 5 for the user.

Mathematical Computation Logic


Function Weight Raw Score ScoreB.7 xx 1 0.00% n1C.1 xx 20 0.00% n2C.2 xx 20 0.00% n3C.3 xx 16 0.00% n4C.4 xx 8 0.00% n5C.5 xx 11 0.00% n6C.6 xx 8 0.00% n7C.7 xx 0 0.00% n8C.8 xx 0 0.00% n9C.9 xx 0 0.00% n10c.10 xx 16 0.00% n11 Total 100 N% Sum

Sample Scoring and Ranking Matrix

Based on the logic the algorithm of the system computes a range of values which represent best fit for each user unique environment

In essence, the business logic and automation uses a pre-defined criteria of system data elements and specifications to compute a range of values that is a match of best fit solution for each user



Specifying User Requirements & Product DNA Mapping


Specifying User Requirements vs. Product DNA

Eachproductinthedatabaseconsistsofmorethan2000anatomicalnodesthatareheuris6callyprocessedbythelogic.


Specifying User Requirements vs. Product DNA Cont.







Reporting, Analytics and Visualization


System Output: Products Analytics in Comparative Terms for Decision-making

The Product comparison graph is generated by taking the values of each product section-wise scoring that is stored in the database once products are filled with values for their respective fields.


System Output: Powerful Decision-making Analytics

The subscriber dashboard displays different types of analytics depending on user specified requirements of a particular product section. Each graph in the blocks are generated by pulling the values of the corresponding entry in the database for particular fields.


System Output: Powerful Decision-making Analytics Cont.


System Output: Powerful Decision-making Analytics Cont.


Output: Technical Characteristics Analytics for Decision-making.

Analytics generated on a subset of technical characteristics of a particular product



Summary


Artificial Intelligence Decision-Making Tool

•  The current way of sourcing and implementing intrusion prevention solutions are not holistic enough to realize the set implementation and budgetary goals

•  IntrusionPoint fills a market void –  performs artificial intelligence decision-making analysis of enterprise intrusion

prevention solutions –  A robust solution that meets the needs of customers who are intent of

preventing intrusion with the right solution

•  Decodes the DNA of all solution products available in the market & provides users with the intelligence and precision to decide best fit solutions

•  Uses a computer logic that heuristically analyze complex metrics

•  Addresses the problems of implementation with the unfit products


Value Proposition

•  IntrusionPoint is an innovative implementation tool that:

–  solves the problem of limited scope of visibility into intrusion prevention solutions

–  eliminates poor product selection and implementation with unfit solution

–  Helps organization realize their set goals on intrusion prevention



Contact Information

For more information on this presentation, please email me

at [email protected].


Documents

MIT SDM Systems Thinking Webinar Seriessdm.mit.edu/wp-content/uploads/2016/03/Charles-MIT-Webinar.pdf · Firewalls, IDM, IDS/IPS, ... • An article by David Weldon [3] on “US cyberhealth