Today, organizations face a large number of cyber-attacks, which makes detecting them a very difficult task. In addition, organizations have limited resources that can be allocated to the detection of complex cyber-attacks. Some of the challenges are: the need to analyze massive amounts of data collected from the information technology (IT) infrastructure; highly advanced attacks that are continuously becoming more and more sophisticated; the fact that attacks can originate from an insider or from an external entity; the rapid introduction of new technologies that are integrated into the organization's infrastructure; and the variety and costs of security solutions.
Because of these challenges, organizations must conduct a thorough risk analysis process in order to focus their efforts and resources on the protection of the highly critical assets. In the risk analysis process, the organization identifies the most important assets by estimating the risk to each asset, which is a function of the asset's value and the likelihood of the threat being realized. This process is time consuming and therefore ignores the dynamic nature of the IT infrastructure. This means that the value of assets may change over time, and the change will not be reflected in the results of the risk analysis process.
Harel et al. [Harel, A., Shabtai, A., Rokach, L., and Elovici, Y., 2012. M-score: A misuseability weight measure. IEEE Trans. on Dependable and Secure Computing, 9 (3), 2012, 414-428] initially addressed this challenge and presented a new concept, Misuseability Weight, which assigns a sensitivity score to data, thereby estimating the level of harm that might be inflicted upon the organization when the data is leaked. Assigning a misuseability weight to a given dataset is strongly related to the way the data is presented (e.g., tabular data, structured or free text) and is domain-specific. Harel et al. [Harel, A., Shabtai, A., Rokach, L., and Elovici, Y., 2012. M-score: A misuseability weight measure. IEEE Trans. on Dependable and Secure Computing, 9 (3), 2012, 414-428] focused on mitigating leakage or misuse incidents of data stored in databases (i.e., tabular data) and presented the M-Score, a misuseability weight measure for tabular data.
Vartanian and Shabtai [Shabtai, A., Vartanian, A., 2014. TM-Score: A Misuseability Weight Measure for Textual Content, submitted to IEEE Trans. on Information Forensics and Security] propose an extension to the misuseability weight concept that focuses specifically on textual content. The main goal in Vartanian and Shabtai is to define a misuseability measure, termed TM-Score, for textual content. Using this measure, it is possible to estimate the extent of damage that can be caused by an insider who is continuously and gradually exposed to documents. The extent of damage is determined by the amount, type and quality of information to which the insider is exposed. However, there are other IT elements besides insiders that may be vulnerable and sensitive, such as servers and routers, which are affected by different parameters (not necessarily the information to which an element is exposed) and which the prior art does not deal with.
Moreover, there is a growing need for a full and comprehensive framework that is able to derive a misuseability score for each IT element, in order to cope with the challenges of data security in the world of cyber-attacks.
One of the solutions to data security is offered by data protection companies, which meet the employees of the organization, learn the role of each employee and the work that each employee does, and then analyze the misuseability of each IT element. However, this solution depends on humans and takes time, and if there is a change in the organization, such as a new IT element or a new job, the analysis has to be redone by the analyst of the data protection company.
It is therefore an object of the present invention to provide a method and a framework that automatically and dynamically derives a misuseability score for every IT component, for supporting the risk analysis process.
Further objects and advantages of this invention will appear as the description proceeds.