Hackers of India

Security Content Metadata Model with an Efficient Search Methodology for Real Time Monitoring and Threat Intelligence

By Preeti Subramanian on 27 Mar 2015 @ Blackhat



Abstract

The Security Content Automation Protocol (SCAP) federates a number of open standards that are used to enumerate software flaws and security-related configuration issues. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. SCAP has a number of components, such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Remediation Enumeration (CRE), Extensible Configuration Checklist Description Format (XCCDF), and Open Vulnerability and Assessment Language (OVAL). Malware Attribute Enumeration and Characterization (MAEC) is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. These standards render data in the form of XML. Although the standards are linked to each other, there is a lack of commonality in their XML schema definitions.

There is a need for a single common metadata schema that represents the aspects relevant for designing efficient search engines. This common metadata supports distribution of data across the various repositories that render SCAP content. Across all security content databases, a unique identifier and a short description are common. In addition, this model makes building references to multiple SCAP components intuitive. Differentiating attributes of security content can be represented as a list of properties, each property being a key-value pair. For example, in the case of CVE, (CVSS, 9.4) represents the key CVSS and a score of 9.4, where CVSS is Common Vulnerability Severity Score. In this model, modifications to the schema of a SCAP component can be accommodated by just adding or deleting a property key-value pair, without changing the model.

Searching on this metadata enables fast responses to queries and helps interlace the various SCAP components; e.g., OVAL references CVE, and each CVE depends on various platforms and products denoted by CPEs. This model enables Natural Language Processing (NLP) and renders meaningful responses to queries such as "most vulnerable applications' OVAL definitions", "vulnerabilities in Adobe Reader in 2014", or "what was released yesterday". This involves recognizing dates, the SCAP components requested, products, platforms, or vendors. NLP supports an understanding of the intent of a search in the repositories, thereby enriching the user experience while benefiting from SCAP content to measure the security posture of systems. This archetype helps resolve vulnerabilities before an attack happens. The model helps understand an incident on your machine and analyse whether it is a malware attack. It further helps scrutinize which vulnerability was exploited by the malware and, most importantly, fix this attack.
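The following is an added illustration, not code from the talk or its authors, of the common metadata model the abstract describes: every record carries a unique id and a short description, differentiating attributes as key-value properties, and references to related records in other SCAP components. The repository contents, ids and property names (CVSS, published, product) are constructed placeholders; the search functions show how one record type is interlaced with another (OVAL to CVE to CPE) and how a query like "vulnerabilities in a product in 2014" resolves against the model.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityContent:
    """One record of the common metadata model (constructed illustration)."""
    id: str                 # unique identification, common to every component
    component: str          # which SCAP component: CVE, CPE, OVAL, CCE, ...
    description: str        # short description, also common to every component
    properties: dict = field(default_factory=dict)   # differentiating key-value pairs
    references: list = field(default_factory=list)   # ids of related records

# Constructed sample repository; the ids are placeholders, not real CVE/OVAL/CPE entries.
REPO = {r.id: r for r in [
    SecurityContent("cpe:/a:example:reader:11.0", "CPE", "Example Reader 11.0",
                    {"vendor": "example", "product": "reader"}),
    SecurityContent("CVE-0000-0001", "CVE", "Heap overflow in Example Reader",
                    {"CVSS": 9.4, "published": "2014-05-02"}, ["cpe:/a:example:reader:11.0"]),
    SecurityContent("CVE-0000-0002", "CVE", "Information leak in Example Reader",
                    {"CVSS": 4.3, "published": "2013-11-20"}, ["cpe:/a:example:reader:11.0"]),
    SecurityContent("oval:example:def:1", "OVAL", "Vulnerability check for CVE-0000-0001",
                    {"class": "vulnerability"}, ["CVE-0000-0001"]),
]}

def search(component=None, **props):
    """Ids of records of one component whose properties match the given key-value pairs."""
    return [r.id for r in REPO.values()
            if (component is None or r.component == component)
            and all(r.properties.get(k) == v for k, v in props.items())]

def linked(start_id, component):
    """Follow references transitively (e.g. OVAL -> CVE -> CPE) and return the ids
    of the reached records that belong to the requested component."""
    seen, todo, found = set(), [start_id], set()
    while todo:
        rec = REPO.get(todo.pop())
        if rec is None or rec.id in seen:
            continue
        seen.add(rec.id)
        if rec.component == component and rec.id != start_id:
            found.add(rec.id)
        todo.extend(rec.references)
    return found

def vulnerabilities(product, year=None, min_cvss=0.0):
    """CVEs affecting a product (via its CPE references), optionally restricted to a
    publication year and a CVSS floor, e.g. vulnerabilities('reader', 2014)."""
    cpes = set(search("CPE", product=product))
    return [r.id for r in REPO.values() if r.component == "CVE"
            and cpes & set(r.references)
            and (year is None or r.properties.get("published", "").startswith(str(year)))
            and r.properties.get("CVSS", 0.0) >= min_cvss]
```

Because a new attribute is just another key in `properties`, a schema change in one SCAP component only adds or removes a key-value pair on its records; the search functions and the record type stay the same.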

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker discusses a system that provides metadata about an organization’s system information, allowing administrators to identify potential security threats and vulnerabilities. The system correlates this metadata with other available data to provide a comprehensive view of the organization’s security posture.

The speaker mentions that there is a free product called Saner that can be used for personal use, which helps fix vulnerabilities. They also mention that they are working on a new product that will integrate threat intelligence and vulnerability intelligence to address the missing piece in anti-malware solutions.

The system collects metadata from publicly available sources such as the National Vulnerability Database and releases new checks three times a week. The metadata is provided in JSON or XML format, and users can access it through a RESTful API or directly from the repository. Paid users have access to additional content such as checks and XCCDF.

The speaker notes that they are using MongoDB for data storage and have not yet faced scalability issues due to their powerful servers and parallel processing approach. They acknowledge that the data will continue to grow as new vulnerabilities are discovered, but they plan to store all relevant information to provide a comprehensive security solution.

Finally, the speaker invites questions and offers to respond to any further inquiries about using the metadata or addressing potential concerns about the system.