Biblio
A recurring principle in consideration of the future of systems engineering is continual dynamic adaptation. Context drives change, whether it be from potential loss (threats, vulnerabilities) or from potential gain (opportunity-driven). Contextual awareness has great influence over the future of systems engineering and of systems security. Those contextual environments contain fitness functions that will naturally select compatible approaches and filter out the incompatible, with prejudice. We don't have to guess at what those environmental shaping forces will look like. William Gibson famously tells us why: “The future is already here, it's just not evenly distributed,” and it is sometimes difficult to discern. This paper provides archetypes that 1) characterize general systems engineering for products, processes, and operations; 2) characterize the integration of security into systems engineering; and 3) characterize contextually aware agile security. This paper is more of a problem statement than a solution. Solution objectives and tactics for guiding the path forward have a broader range of options for subsequent treatment elsewhere. Our purpose here is to offer a short list of necessary considerations for effective contextually aware adaptive system security in the future of systems engineering.
In enterprise environments, the number of managed assets and vulnerabilities that can be exploited is staggering. Hackers' lateral movements between such assets generate a complex big data graph that contains potential hacking paths. In this vision paper, we enumerate risk-reduction security requirements in large-scale environments, then present the Agile Security methodology and technologies for detection, modeling, and constant prioritization of security requirements, agile style. Agile Security models different types of security requirements in the context of an attack graph containing business process targets and critical asset identification, configuration items, and possible impacts of cyber-attacks. By simulating and analyzing virtual adversary attack paths toward cardinal assets, Agile Security examines the business impact on business processes and prioritizes surgical requirements. Thus, handling this requirements backlog, which is constantly evaluated as an outcome of employing Agile Security, gradually increases system hardening, reduces business risks, and informs the IT service desk or Security Operation Center what remediation action to perform next. Once remediated, Agile Security constantly recomputes residual risk, assessing risk increase by threat intelligence or infrastructure changes versus defender's remediation actions in order to drive overall attack surface reduction.