Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, December 13, 2012

More on SILAS: Security Intelligence-as-a-Service

In a previous blog post of mine I introduced our HPL/HP work on the Security Intelligence-as-a-Service (SILAS) solution and the fact we achieved an important milestone, in collaboration with HP business groups: a full working implementation is available.


Thanks for your questions. I am providing some additional details. The SILAS solution can now be showcased to HP customers and (potential) business partners.

As previously mentioned, SILAS consists, at the very base, of an Analytics Technology that provides: statistical analysis of data; predictions based on simulations.

There is currently a major gap in organizations’ security lifecycle management processes. On the one hand, organizations carry out strategic, long-term risk assessment activities - at the business level - to identify threats and mitigate them with suitable policies and controls. This involves periodic re-assessment of their security investments. On the other hand, they heavily invest in monitoring and Security Information and Event Management solutions (SIEM - e.g. HP ArcSight) to collect information from their IT infrastructure, for compliance and governance purposes. However, information gathered at this level is seldom leveraged for higher-level strategic security risk assessment, except by means of expensive and manual processes. It is primarily used at the IT Operational levels. There is increasing demand for better integration and simplification of these processes in order to maximize investments and improve the overall risk assessment.

This gap is even more evident in the context of managed services and/or disaggregated IT in the Cloud, where the organisation further loses control over its IT along with related information flows. SILAS aims at addressing this gap.

A typical scenario (where SILAS can be deployed to add value) consists of a multitenant Security Operation Center (SOC), as shown in the following picture:





In this scenario the SOC manages incidents and IT operation issues for multiple customers. SILAS calculates and provides a wide variety of strategic metrics:

• customer metrics, reflecting the effectiveness of their processes (e.g. vulnerability and threat management - VTM, identity and access management - IAM, etc.), based on the data they shared with the SOC;

• metrics related to external threat environments (e.g. derived from information collected from HP ArcSight, HP TippingPoint, DV Labs, OSVDB, etc.);

• metrics providing an assessment of SOC processes, e.g. how effectively they identify incidents, close alerts, deal with false positives;

• what-if analysis and predictive metrics.

SILAS is meant to:

• provide estimation of strategic (security, risk and business) metrics to decision makers and customers, in multi-tenancy, multi-customer contexts, such as Security Operation Centers and Cloud Operation Centers

• use these metrics to enable predictive and what-if analysis, by leveraging the HP/HPL Security Analytics Solution (based on modelling and simulation techniques)

• provide customers with strategic reports - based on processed metrics and prediction - to illustrate historical trends and benchmarks

• leverage Cloud infrastructure for data processing and metric estimations

The following picture illustrates the SILAS core capabilities and high-level architecture:



SILAS is not meant to be a reactive, real-time analytic solution. It leverages existing solutions such as HP ArcSight, HP TippingPoint/ThreatLinq, OSVDB, etc. to gather the relevant data. As a unique differentiator, it provides longer-term estimates of critical metrics and uses them to make predictions. It provides decision support capabilities to key stakeholders (risk management teams, customers, etc.). As such it nicely complements current HP SW offerings.

We are currently trialling this solution in collaboration with HP business groups.

A few screenshots of a public version of SILAS (which we use for demonstration purposes) follow:




Figure 1: SILAS main dashboard. Links to various metric processing, prediction and reporting capabilities




Figure 2: SILAS metric estimation. Example of estimation of the "patch take-up curve" metric (i.e. how quickly an organisation patches its systems against a vulnerability), over a period of time, calculated on data collected from HP ArcSight.




Figure 3: SILAS predictions and "what-if" analysis. Example of prediction of vulnerability "risk exposure", calculated with HP/HPL Security Analytics models and related simulations. Models are instantiated with previously calculated SILAS metrics, e.g. the "patch take-up curve" metric.




Figure 4: SILAS Report. Example of customer report illustrating, for a given time period, the "patch take-up curve" metric and comparing it against an anonymised version of the same metric (in the same time period)/benchmark, calculated by using information collected from other customers (in a multi-tenant SOC).




Figure 5: SILAS Report. Another example of customer report showing the outcomes of various "what-if" analyses, calculated with HP/HPL Security Analytics models and related simulations. Models are instantiated with both previously calculated SILAS metrics, e.g. the "patch take-up curve" metric, and the various "what-if" assumptions to be explored (e.g. using specific IT security controls).




Figure 6: SILAS Report. Another example of customer report showing the historical trends of some relevant SOC process metrics indicating how effectively a SOC handles customer's incidents (e.g. in terms of time to close an alert, identify false positives or identify an incident). The report shows historical trends and anonymised benchmarks against similar, aggregated metrics, obtained from other customers.



--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---





Friday, November 30, 2012

HPL Situational Awareness-as-a-Service, in the Cloud

In the context of the HPL Safe Cloud project, I have been working on an HP Labs R&D demonstrator, jointly with HP businesses, to illustrate:


• Next generation Business Operation Centers in Disaggregated IT scenarios, i.e. where an organisation relies on service providers (SaaS) and infrastructure providers (IaaS) in the Cloud to run their IT operation

• Information Sharing as a key requirement for the organisation to improve its (security, business, etc.) situational awareness, now that it no longer has control over its IT operations; issues and trade-offs in information sharing, involving the company and the other stakeholders, including SaaS and IaaS providers

• Next generation war rooms

• Our vision in the areas of Safe Cloud and controlled information sharing

We have achieved an important milestone: a full working implementation is available. Additional details and a few screenshots of the public, R&D version of the demonstrator are available online.

This demonstrator is now available and can be shown to HP customers and business partners. Below I attach, as an example, a screenshot:




We focus on a scenario involving a company that increasingly relies on SaaS and IaaS Cloud Providers to run their IT Operations. The demonstrator uses advanced visualisation and back-end processing techniques to show a futuristic, next generation Business Operation Center, supporting a company to monitor/manage their disaggregated IT.

The demonstrator provides an overview of the company's various SaaS providers along with the dependencies they have on IaaS Cloud providers and the high-level “health” status of their services.

We then use the demonstrator to illustrate the need that a company has for information sharing - to enable better situational awareness - now that the company has lost control over its IT Operations. We highlight the tension-points involved in information sharing, the trade-offs that are acceptable to the various stakeholders and the consequences of sharing data.

The demonstrator shows various view points, in terms of available information and what can be shared. For example it is possible to focus on a SaaS Provider and/or an IaaS Provider, show the locally available information and which information can actually be collected, processed and shared with the company - based on agreed policies. The demonstrator highlights some of the implications of sharing data, i.e. via live metrics, highlighting risk points and related alerts.

The demonstrator can also show the dependency on the IT infrastructure used in the Cloud and various types of metrics/information that can be exchanged with the company (right - as part of a mutual agreement). This includes information on IT performance, security and incident management aspects.

A key capability of the demonstrator is to enable the audience to interactively play different roles, such as acting as the company or one of the SaaS providers. A player can interact with the system and the other players, decide which information to share (for example with other SaaS providers and/or the company) in order to accomplish common goals (e.g. dealing with an incident or an attack). We believe this creates further awareness about the importance of information sharing, the implications and tension-points in doing it, and the needs for information sharing controls.

In our HP Labs vision, HP could provide these capabilities (dashboards, controlled information sharing, analytics, etc.) as a (Security) Service to its customers, for example in the context of Managed Services and/or Next generation SOCs.






HPL Security Intelligence-as-a-Service (SILAS)

As discussed in previous posts, our HPL Security Intelligence-as-a-Service (SILAS) solution consists, at the very base, of R&D Analytics Technology that provides: statistical analysis of data; predictions based on simulations.
We now have achieved an important milestone in collaboration with HP business groups: a full working implementation is available.

Additional details and a few screenshots of the public, R&D version of SILAS are available online. Below I attach a screenshot of the SILAS main dashboard.





A typical scenario (where SILAS can be deployed and add value) consists of a multitenant Security Operation Center (SOC),

In this scenario the SOC manages incidents and IT operation issues for multiple customers. SILAS calculates and provides a wide variety of strategic metrics: customer metrics, reflecting the effectiveness of their processes (e.g. vulnerability and threat management - VTM, identity and access management - IAM, etc.), based on the data they shared with the SOC; metrics related to external threat environments (e.g. derived from information collected from HP ArcSight, HP TippingPoint, DV Labs, OSVDB, etc.); metrics providing an assessment of SOC processes, e.g. how effectively they identify incidents, close alerts, deal with false positives; what-if analysis and predictive metrics. All these metrics can be conveyed to customers (and/or other stakeholders) via reports, by highlighting trend analysis and benchmarks.

SILAS is meant to:

• provide estimation of strategic (security, risk and business) metrics to decision makers and customers, in multi-tenancy, multi-customer contexts, such as Security Operation Centers and Cloud Operation Centers

• use these metrics to enable predictive and what-if analysis, by leveraging the HP/HPL Security Analytics Solution (based on modelling and simulation techniques)

• provide customers with strategic reports - based on processed metrics and prediction - to illustrate historical trends and benchmarks

• leverage Cloud infrastructure for data processing and metric estimations

SILAS is not meant to be a reactive, real-time analytic solution. It leverages existing solutions such as HP ArcSight, HP TippingPoint/ThreatLinq, OSVDB, etc. to gather the relevant data. As a unique differentiator, it provides longer-term estimates of critical metrics and uses them to make predictions. It provides decision support capabilities to key stakeholders (risk management teams, customers, etc.). As such it nicely complements current HP SW offerings.

We are currently trialling this solution in collaboration with HP business groups.







On Security Analytics – Risk Analysis for Incident Management Processes

Thanks to all the people that contacted me with interest in how HP Labs has applied HP Security Analytics techniques for Risk Analysis in the context of Incident Management Processes. I would like to remind you that this HP Labs capability (along with related technologies and know-how) has now been transferred to HP Enterprise Security Services (HP ESS). Please feel free to contact HP ESS representatives if you would like to use the service.




An example of the benefits and risk assessment capabilities that can be achieved with Security Analytics (specifically in the space of Security Operation Centers and their Incident Management Processes) has been documented in a recent HP Labs Technical Report called “Security Analytics – Risk Analysis for an Organisation’s Incident Management Processes”:



“This document is an example of the type of report an organisation would receive at the end of a HP Security Analytics engagement. The focus is on the analysis of the security risks and performance of the organisation’s Security Incident & Events Management (SIEM) Processes and related Security Operation Centre (SOC)’s activities. HP Labs carried out the underlying R&D work in collaboration with HP Enterprise Security Services and involved analysis of processes, probabilistic modeling, simulation and “what-if” analysis for some of HP’s key customers. The outcome of this was a set of case studies from which we have been able to create this more general anonymised report illustrating the richness of the risk assessment and “what-if” analysis that has been carried out.

The lifecycle management of security is critical for organisations to protect their key assets, ensure a correct security posture and deal with emerging risks and threats. It involves various steps, usually carried out on an ongoing, regular basis, including: risk assessment; policy definition; deployment of controls within the IT infrastructure; monitoring and governance. In this context, Security Incident & Events Management play a key role. Even the best information security practices and investments in security controls cannot guarantee that intrusions – accidental and criminal activities – and/or other malicious acts will not happen. Controls can fail, be bypassed or become inadequate over time; new threats emerge. Managing such incidents requires detective and corrective controls to minimise adverse impacts, gather evidence, and learn from previous situations in order to improve over time. These incident management processes are usually run in the context of a SOC and/or as part of specialised Computer Security Incident Response Teams (CSIRTS), built on top of SOCs.

Even with SIEM in place, a potential major risk for the organisation arises due to delays introduced in assessing and handling known incidents: this may postpone the successful resolution of critical security incidents (e.g. devices exposed on the Internet, exploitation of privileged accounts, deployed malware, etc.) and allow for further exploitation. Another related risk can be introduced by sudden and/or progressive changes of the threat landscape, due to changing economic and social scenarios, new business activities or process failings within the existing IT services. This might create unexpected volumes of new events and alerts to be processed by the security team and as such, introduce additional delays. Hence, it is important for an organisation to understand the risk exposure due to their Incident Management processes, explore potential future scenarios (e.g. changes in available resources or threats landscapes or adoption of Cloud solutions) and identify suitable ways to address related issues, e.g. by introducing process changes and/or making investments in security controls.

HP Security Analytics is uniquely positioned to provide the analysis of the involved risks, explore what-if scenarios and provide decision support for decision makers. This type of Security Analytics assessments is now available as a service, provided by HP ESS.”.




On HP Secure Boardroom

You might be interested in learning more about HP Secure Boardroom:
“Data and information are your enterprise's most valuable assets. Are your current security policies fully protecting them? Gain insight into a comprehensive security strategy that is adaptive to new security threats, reduces risk, and lowers TCO. Watch now to learn the logistics of this innovative approach to enterprise security”

A Videocast is available here.




Tuesday, September 11, 2012

New HPL TR: Security Analytics – Risk Analysis for Incident Management Processes

A new HP Labs Technical Report has been recently released called “Security Analytics – Risk Analysis for an Organisation’s Incident Management Processes”. It is currently available online here.




The abstract of the HPL TR follows:

“This document is an example of the type of report an organisation would receive at the end of a HP Security Analytics engagement. The focus is on the analysis of the security risks and performance of the organisation’s Security Incident & Events Management (SIEM) Processes and related Security Operation Centre (SOC)’s activities. HP Labs carried out the underlying R&D work in collaboration with HP Enterprise Security Services and involved analysis of processes, probabilistic modeling, simulation and “what-if” analysis for some of HP’s key customers. The outcome of this was a set of case studies from which we have been able to create this more general anonymised report illustrating the richness of the risk assessment and “what-if” analysis that has been carried out.

The lifecycle management of security is critical for organisations to protect their key assets, ensure a correct security posture and deal with emerging risks and threats. It involves various steps, usually carried out on an ongoing, regular basis, including: risk assessment; policy definition; deployment of controls within the IT infrastructure; monitoring and governance. In this context, Security Incident & Events Management play a key role. Even the best information security practices and investments in security controls cannot guarantee that intrusions – accidental and criminal activities – and/or other malicious acts will not happen. Controls can fail, be bypassed or become inadequate over time; new threats emerge. Managing such incidents requires detective and corrective controls to minimise adverse impacts, gather evidence, and learn from previous situations in order to improve over time. These incident management processes are usually run in the context of a SOC and/or as part of specialised Computer Security Incident Response Teams (CSIRTS), built on top of SOCs.

Even with SIEM in place, a potential major risk for the organisation arises due to delays introduced in assessing and handling known incidents: this may postpone the successful resolution of critical security incidents (e.g. devices exposed on the Internet, exploitation of privileged accounts, deployed malware, etc.) and allow for further exploitation. Another related risk can be introduced by sudden and/or progressive changes of the threat landscape, due to changing economic and social scenarios, new business activities or process failings within the existing IT services. This might create unexpected volumes of new events and alerts to be processed by the security team and as such, introduce additional delays. Hence, it is important for an organisation to understand the risk exposure due to their Incident Management processes, explore potential future scenarios (e.g. changes in available resources or threats landscapes or adoption of Cloud solutions) and identify suitable ways to address related issues, e.g. by introducing process changes and/or making investments in security controls.

HP Security Analytics is uniquely positioned to provide the analysis of the involved risks, explore what-if scenarios and provide decision support for decision makers. This type of Security Analytics assessments is now available as a service, provided by HP ESS.”.






HP SILAS: Security Intelligence-as-a-Service

We are making good progress in the development of the HP SILAS service (Security Intelligence-as-a-Service), a project in collaboration with HP Enterprise Security Services.




SILAS aims at providing key decision makers within organisations with strategic metrics, predictions and “what-if” analysis (leveraging HP Security Analytics) for risk assessment, scenario planning and decision support.



SILAS uses information provided by current SIM/SEM solutions (e.g. HP ArcSight), threat intelligence services (e.g. HP DV Labs and HP TippingPoint/ThreatLinq) and other logging systems to ground the statistical estimation of risk metrics and to provide input parameters to HP Security Analytics’ predictive metrics and simulations.



We are currently considering the deployment of SILAS within Security Operation Centres (SOCs). SOC customers will receive strategic reports consisting of trend analysis and benchmarks (against other customers in a community) on key, agreed metrics.



Current risk metrics relate to organisation processes (e.g. vulnerability management processes, incident management & user account provisioning/deprovisioning), assessment of SOC incident management processes (of relevance to the customer), external threats (e.g. Zero Day Threats) and predictive metrics (related to all the above areas).



They are meant to be delivered to key decision makers (C*O). I look forward to getting suggestions about additional metrics that might be of relevance – at that level - in the security context and beyond it.




HP Labs SAaaS: Situational Awareness-as-a-Service

At HP Labs Bristol we are making good progress towards the development of a futuristic demonstrator in the space of Situational Awareness, named “Situational Awareness-as-a-Service” (SAaaS).




This demonstrator focuses on the disaggregated IT of current/future organisations which increasingly rely on third parties (IaaS, SaaS providers in the Cloud, etc.) to carry out their IT and business activities.



We demonstrate the issues and opportunities related to safely handling information sharing between the organisation and its various providers, in the context of a future Next Generation IT Operation Centre and Security Operation Centre (SOC).



This includes illustrating the trade-offs in defining information sharing policies and handling queries to gather data from the involved parties, the clever analytics processing that can be performed on top of shared data (e.g. by leveraging HP Software solutions, HP/HPL SILAS, etc.) and the role of external, trusted information aggregators.



HP Labs will use the SAaaS vision to develop further innovative technologies in the area of controlled analytics and information sharing for large data sets.



The demonstrator currently consists of various storyboards focusing on IT and security information sharing stories. I am looking for public, real stories within organisations highlighting the pain points and issues in current disaggregated IT and security operations. The goal is to showcase them and illustrate how they could improve by leveraging SAaaS and future HPL/HP technologies.




HP Introduces Intelligent Security Solutions to Drive Innovation and Reduce Risk

HP announced additions to its security solutions portfolio that enable enterprises to assess, transform, optimize and manage their security environments to proactively protect what matters. Details are available online, here.


“Cloud, mobility and big data initiatives are helping organizations solve pressing challenges, while driving accelerated innovation, enhanced agility and improved financial management. However, these initiatives also can introduce big security concerns.

According to new research conducted on behalf of HP, concerns around understanding security requirements for cloud services as well as how to secure and consume big data are top of mind for nearly two-thirds of business and technology executives. Half of those surveyed are concerned about mobile data loss or theft. In addition, more than half of respondents admitted that their organizations spend more time and money on reactive measures than on proactive risk management.(1)

A reactive, perimeter-based approach to security is no longer sufficient. Enterprises need proactive, intelligent security solutions that span traditional and hybrid delivery models, and address the challenges brought on by these new shifts in IT.

“Cybersecurity threats are growing exponentially, and without a proactive information risk management strategy, enterprise growth, innovation and efficiencies are hindered,” said George Kadifa, executive vice president, Software, HP.

“HP helps clients protect what matters most to their organizations by delivering intelligent security solutions that prioritize security resources to help identify threats earlier and enable a faster response time,” said Mike Nefkens, acting executive vice president, Enterprise Services, HP.”




Friday, June 15, 2012

Frameworks for Graphical Visualisation of Policies

I am looking for public information about case studies, frameworks and/or approaches to graphically visualise policies. In particular, how to convey data sharing policies by using graphical metaphors.


Policies are getting more and more complex: not everybody can make sense of them and/or translate them into practical/actionable terms. On the other hand, they are used in many digital contexts (web services, enterprise, B2C, cloud, etc.) to dictate constraints, SLAs, expectations and obligations.

I am interested in exploring how graphical visualisation can help to:

• convey them to end-users in a more intuitive way ...

• enable better reasoning about their meaning and implications

• allow administrators to translate them into enforceable activities/constraints








Next Steps: Security Intelligence-as-a-Service (SILAS)

Thanks for your interest in my previous blog post, related to the HP Labs R&D work we are carrying out (in collaboration with a business group) in the area of Security Intelligence-as-a-Service (SILAS).




As mentioned before, the next steps involve trialling the solution in a Security Operation Centre (SOC) environment to refine its capabilities and provide value-added risk assessment and what-if analysis capabilities to the involved decision makers.



SILAS currently processes inputs provided by various data sources (including HP ArcSight, HP TippingPoint and OSVDB) to generate meaningful, strategic risk metrics and predictions. We are planning to expand the areas in which we provide these predictions and what-if analysis (via HP Security Analytics), beyond the current IAM, VTM, Web Infection and Incident Management areas.






HP Global Citizenship Report

HP released the HP Global Citizenship Report, accessible online, here.





Friday, June 8, 2012

More on Security Intelligence-as-a-Service (SILAS)

As previously mentioned in a blog of mine, we (HP Labs in collaboration with an HP business group) are making quick progress in implementing a Security Intelligence as a Service (SILAS) solution:


“SILAS (Security Intelligence-as-a-Service): this R&D work aims to build a service that provides strategic metrics and risk assessment to customers (potentially in a federated SOC environment). It gathers information from the IT infrastructure (including SIM/SEM solution, e.g. HP ArcSight, HP TippingPoint, etc.) and uses it to provide statistical analysis, support predictive risk assessment and what-if scenario analysis (via HP Security Analytics), as well as trends and benchmarking across customers. Security Analytics (predictive) models are instantiated with the data collected from the field, to provide accurate predictions and animate what-if scenarios”

One of the coming objectives is trialling this solution in a Security Operation Centre (SOC). We already have identified one but I am welcoming any expression of interest by potential customers/early adopters. In addition I welcome inputs about security risk metrics and potential what-if analysis scenarios that might be of interest/relevance. Currently we have identified a few core metrics and scenarios in the space of IAM, VTM and SOC Incident Management Processes but I am very keen on getting a wider portfolio. Please contact me for more information and/or provide your input.








More on Safe Information Sharing in the Cloud

As previously mentioned in my blog posts, a key R&D area I am currently involved in is about “Safe Information Sharing in the Cloud”.

Sharing information in the cloud about security, performance, legal, etc. aspects is critical to enable the right levels of accountability, risk assessment and governance.

This is even more important as the organisation, now leveraging resources from the cloud, loses control over various critical aspects ranging from the management of the IT infrastructure to the involved security and governance processes.

Specifically, I am keen on further exploring the space of “data sharing policies”, enforcement environments and the actual implications in terms of controls. I have been looking for current examples and case studies. Any related link and public information is welcome.


--- Posted by Marco Casassa Mont (here and here) ---


HP Labs at HP Discovery 2012

HP Labs has been a key participant at HP Discovery 2012. Some highlights are available here.



In particular, our Cloud & Security Lab has been involved, demonstrating state-of-the-art prototypes and solutions in the Security and Risk Management areas.

This includes R&D work we did in Security Analytics, now transferred to HP ESS and offered to customers as a service.



--- Posted by Marco Casassa Mont (here and here) ---




Friday, June 1, 2012

On Safe Information Sharing in the Cloud

I am interested in getting links to public material related to case studies, R&D and work done in the space of information sharing, in particular in the context of cloud environments.




Specifically, I am interested in next generation supply-chain scenarios and federated Security Operation Centres (SOCs), operating in the cloud and/or involving entities which use services in the cloud.



For example, in the case of security incidents involving an IaaS and a SaaS, the SOC centre at the SaaS site might need to know more information about the incident, etc. This involves safe information sharing.



As previously mentioned in a post of mine, key requirements include providing mechanisms for safe sharing, assurance, risk assessment and compliance. Sharing policies need to be in place. Assurance mechanisms need to be in place to assess the pedigree, quality and completeness of the shared data.



I wonder if any specific case study has already been carried out in this space whose results are publicly available and/or if there are any publications available. So far I didn’t manage to find very relevant information (but still searching ...).





--- Posted by Marco Casassa Mont (here and here) ---


SILAS and SAaaS: Update on my R&D work

I am currently working on two new R&D areas:




• SILAS (Security Intelligence-as-a-Service): this R&D work aims to build a service that provides strategic metrics and risk assessment to customers (potentially in a federated SOC environment). It gathers information from the IT infrastructure (including SIM/SEM solution, e.g. HP ArcSight, HP TippingPoint, etc.) and uses it to provide statistical analysis, support predictive risk assessment and what-if scenario analysis (via HP Security Analytics), as well as trends and benchmarking across customers. Security Analytics (predictive) models are instantiated with the data collected from the field, to provide accurate predictions and animate what-if scenarios;



• SAaaS Demonstrator (Situational Awareness-as-a-Service): this demonstrator will showcase advanced scenarios and capabilities related to information sharing and situational awareness in a cloud context, specifically in the context of cyber security. Advanced GUI and back-end capabilities are under development. The demonstrator will also be used as a setting for further research within the CSL Safe Cloud R&D project.

I welcome input, material and case studies of relevance to the above two areas.





--- Posted by Marco Casassa Mont (here and here) ---




Recent HPL R&D publications in the space of Cloud, Cloud Assurance and Privacy

I recently published, along with HPL colleagues, new papers in the space of Cloud, Cloud assurance and compliance and privacy:




• Marco Casassa Mont, Kieran McCorry, Nick Papanikolaou, Siani Pearson “Security and Privacy Governance In Cloud Computing via SLAs and a policy orchestration service”, Frank Leymann, Ivan Ivanov, Marten van Sinderen and Tony Shan (eds.), Proc. Closer 2012, Portugal, SciTePress, April 2012.

• Nick Papanikolaou, Siani Pearson, Marco Casassa Mont and Ryan Ko, “Automating Compliance for Cloud Computing Services”, Frank Leymann, Ivan Ivanov, Marten van Sinderen and Tony Shan (eds.), Proc. Closer 2012, Portugal, SciTePress, April 2012.



In particular I believe that safe information sharing in the cloud is a key aspect to further enable adoption of cloud solutions by the industry.



For example, this will be the case in next generation supply-chain scenarios and federated Security Operation Centres (SOCs), operating in the cloud and/or involving entities that use services in the cloud.



Key requirements include providing mechanisms for safe sharing, assurance, risk assessment and compliance. An area to further explore and research ...



--- Posted by Marco Casassa Mont (here and here) ---


On Enabling Safer Information Sharing in the Cloud

I published an HPL Technical Report discussing an approach to enable safer information sharing in the cloud, leveraging data sharing agreements and policy enforcement mechanisms:




Marco Casassa Mont, Ilaria Matteucci, Marinella Petrocchi, Marco Luca Sbodio, “Enabling Data Sharing in the Cloud”, HPL-2012-22



The HPL TR abstract follows:



“Web interactions usually require the exchange of personal and confidential information for a variety of purposes, including enabling business transactions and the provisioning of services. A key issue affecting these interactions is the lack of trust and control on how data is going to be used and processed by the entities that receive this data. In the traditional world, this issue is addressed by using contractual agreements that are signed by the involved parties. This could be done electronically as well but there is currently a major gap between the definition of legal contracts, regulating the sharing of data and the software infrastructure required to support and enforce them. How to ensure that legal contracts can be actually enforced by the underlying IT infrastructure? How to ensure that a potentially enforceable version of the contract corresponds to the legal version of the contract? This article describes our work to address this gap through the usage of electronic Data Sharing Agreements (e-DSA). e-DSAs can be formally defined and analysed to identify inconsistencies and contradictory policies/constraints; they can then be deployed within the IT infrastructure and enforced. We specifically show how this can be achieved in a cloud scenario, where e-DSAs are enforced via policy enforcement capabilities developed in the UK EnCoRe [6] collaborative project.”



--- Posted by Marco Casassa Mont (here and here) ---




Updated Personal HP Labs web site

I updated my personal HP Labs web site to reflect my recent work and R&D focus.


It contains updates about new HPL Technical Reports and papers I published in the space of privacy and information sharing as well as more details about my R&D focus areas.


--- Posted by Marco Casassa Mont (here and here) ---


Successful Conclusion of the UK Collaborative EnCoRe Project

On April 27th, HP Labs hosted the Closure Event for the UK Collaborative EnCoRe Project. The overall project was a great success. It provides great vision, technical, legal, risk management and social deliverables on how to effectively handle consent and revocation of personal data, from users and organisation viewpoints.


EnCoRe inter-disciplinary public deliverables are going to be made available on the EnCoRe web site in the coming months. Currently it provides links to the 3 incremental versions of the EnCoRe Technical Architecture, for 3 case studies.



--- Posted by Marco Casassa Mont (here and here) ---


Monday, January 9, 2012

Call for Proposals: HP Labs Innovation Research Program 2012 – Deadline: January 27th

HP Labs' Innovation Research Program (IRP) is designed to create opportunities at colleges, universities and research institutes around the world for collaborative research with HP. Through an annual, open Call for Proposals (CfP), we solicit your best ideas on a range of targeted research topics with the goal of establishing new research collaborations.

The Guide to the 2012 IRP has been published; please read it carefully before submitting your proposal. The submission deadline is January 27th.

Specifically I am encouraging proposals in the space of The Cloud and Security – see the Guide at Page 5.


--- Posted by Marco Casassa Mont (here and here) ---

HP Labs: Innovation and Delivery in the areas of Dynamic Consent and Privacy Management

During the last 6 months, HP Labs provided key contributions involving the overall coordination of the UK collaborative EnCoRe project, the release of public architectural documents and the development of fully working R&D solutions in the areas of dynamic consent and privacy management.

Specifically this includes:

1. The Third EnCoRe Technical Architecture (D2.3) document;
2. The final HP Labs’ EnCoRe Service Framework: a General, Reference Implementation for Dynamic Consent and Privacy Management;
3. The HP Labs Demonstrator for Cabinet Office/Identity Assurance;
4. HP Labs papers on EnCoRe, dynamic consent and privacy management.
My previous blog posts provide the details.



--- Posted by Marco Casassa Mont (here and here) ---

EnCoRe: Third Technical Architecture D2.3

HP Labs led the overall design and delivery of the third EnCoRe Technical Architecture along with the release of a related EnCoRe public architectural document, D2.3 [1]. This architecture focuses on the third EnCoRe case study, centered on the UK Cabinet Office/Identity Assurance Programme [2].

The first EnCoRe Technical Architecture [3] was designed to fulfill the basic privacy management requirements of the first EnCoRe case study, centred on employee data and focusing on an organisational context. The second EnCoRe Technical Architecture [4], based on a Biobank scenario, fulfilled additional requirements including: the need to support more flexible and compelling privacy-aware policies beyond access control such as obligation policies; the need to ensure that data subjects’ privacy preferences are taken into account and enforced when personal data is shared with third parties. This architecture was designed to support future needs such as the ones related to the third case study. The third EnCoRe Technical Architecture primarily refines and finalises previous specifications in the following areas: flexible expression of privacy preferences (choices); tracking of data whereabouts; privacy-aware access control policies and obligation policies; sticky policies; logging, auditing and compliance checking. These refinements are driven by additional knowledge and requirements gathered in EnCoRe, during the second and third case studies.

Various use cases, related to the UK Cabinet Office/Identity Assurance Programme, have been taken into account to illustrate how EnCoRe can provide the desired capabilities in terms of dynamic consent and privacy management.

The third Technical Architecture document describes the resulting final EnCoRe architecture. Although inspired by, and focused on, the specifics of the third EnCoRe case study, this architecture is much more widely applicable than to just that scenario, being suitable for use in other scenarios where an individual (the data subject) discloses his or her personal data to an organisation, which may wish to disclose it to other organisations. Its legal ability to do so may depend on the specific details of the consent, granted by the data subject at the time of disclosure. At that time, the data subject may not be fully aware of the implications of granting consent, and/or may select the simplest consent options offered by the organisation. Later, perhaps after becoming more aware of these implications, or having just changed her mind, the data subject may wish to revoke the previously granted consents and be sure that her new wishes will be respected by all the organisations that have (or have access to) copies of the personal data she disclosed. In order for this to happen, a complex set of interactions, between and within the involved organisations, is required. The EnCoRe architecture provides the framework for these.

The third EnCoRe Technical Architecture document also provides clear and refined guidelines towards the implementation of a related technical solution, consisting of secure and self-standing services to support dynamic consent and privacy management within and across organizations.

These guidelines have been taken into account in the HP Labs’s EnCoRe Service Framework, which provides a general, reference implementation of the EnCoRe architecture and its core capabilities, as well as a framework to carry out additional research & development activities.

[1] D2.3 Technical Architecture for the third realized Case Study, http://www.encore-project.info/deliverables_material/D2_3_EnCoRe_Architecture_V1.0.pdf
[2] UK Cabinet Office, Identity Assurance (IdA) Programme Statements, http://services.parliament.uk/hansard/Commons/ByDate/20110518/writtenministerialstatements/part003.html
[3] D2.1 Technical Architecture for the first realized Case Study, http://www.encore-project.info/deliverables_material/D2.1%20EnCoRe%20Architecture%20V1.0.pdf
[4] D2.2 Technical Architecture for the second realized Case Study, http://www.encore-project.info/deliverables_material/D2_2_EnCoRe_Architecture_V1.0.pdf

--- Posted by Marco Casassa Mont (here and here) ---

HP Labs’ EnCoRe Service Framework: a General, Reference Implementation for Dynamic Consent and Privacy Management

HP Labs completed the development of the EnCoRe Service Framework for the management of dynamic consent and privacy within and across organisations [5]. This framework provides a general, reference implementation of EnCoRe technical capabilities, fully consistent and compliant with the third EnCoRe Technical Architecture [1].

The HP Labs Service Framework supports four general use cases that apply to all case studies explored in EnCoRe:

· A data subject (end-user) submits his/her personal data to an organisation along with the expression of their consent preferences;
· An entity within the organisation tries to access personal data and is constrained (in so doing) by the related data subjects’ consent preferences and policies. The organisation uses EnCoRe to explicitly enforce (privacy) preferences and policies;
· Personal data is disclosed to a third party, along with the associated consent preferences, via the sticky policy mechanism;
· A data subject subsequently changes their mind and modifies/revokes their consent. Changes are automatically propagated to all the involved parties.

More details about these use cases are available in [1].
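The four use cases above can be walked through with a small model. This is an added illustration, not HP Labs' or EnCoRe code: the class and function names are hypothetical, and binding the policy to the data with an HMAC under a key shared by the parties is an assumption made here to keep the sticky policy tamper-evident.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


def policy_tag(key, subject, data, policy):
    """HMAC over data and policy together, so the policy cannot be detached or edited."""
    blob = json.dumps([subject, data, policy], sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


@dataclass
class StickyPackage:
    subject: str
    data: dict
    policy: dict  # purpose -> consent granted (bool)
    tag: str


class Organisation:
    def __init__(self, name, key):
        self.name = name
        self.key = key        # assumption: key shared by the federated parties
        self.data = {}        # subject -> personal data
        self.consent = {}     # subject -> {purpose: bool}
        self.registry = {}    # subject -> organisations holding a copy
        self.audit = []       # (requester, subject, purpose, allowed)

    def submit(self, subject, data, consent):
        """Use case 1: data arrives together with consent preferences."""
        self.data[subject] = dict(data)
        self.consent[subject] = dict(consent)
        self.registry.setdefault(subject, [])

    def access(self, requester, subject, purpose):
        """Use case 2: deny unless consent for this purpose is explicitly granted."""
        allowed = self.consent.get(subject, {}).get(purpose) is True
        self.audit.append((requester, subject, purpose, allowed))
        if not allowed:
            raise PermissionError(f"{self.name}: no consent for {purpose!r}")
        return self.data[subject]

    def disclose(self, subject, recipient):
        """Use case 3: share only with consent, and send the policy with the data."""
        data = self.access(self.name, subject, "share")
        policy = dict(self.consent[subject])
        pkg = StickyPackage(subject, data, policy,
                            policy_tag(self.key, subject, data, policy))
        recipient.receive(pkg)
        self.registry[subject].append(recipient)  # track data whereabouts

    def receive(self, pkg):
        """Accept a package only if its policy is the one it was sent with."""
        expected = policy_tag(self.key, pkg.subject, pkg.data, pkg.policy)
        if not hmac.compare_digest(expected, pkg.tag):
            raise ValueError("sticky policy does not match the data it came with")
        self.submit(pkg.subject, pkg.data, pkg.policy)

    def update_consent(self, subject, purpose, granted, _seen=None):
        """Use case 4: change or revoke consent and propagate to every copy holder."""
        seen = _seen if _seen is not None else set()
        if id(self) in seen or subject not in self.consent:
            return
        seen.add(id(self))
        self.consent[subject][purpose] = granted
        for holder in self.registry.get(subject, []):
            holder.update_consent(subject, purpose, granted, seen)


def demo():
    """Constructed scenario: revocation at the origin reaches the third party."""
    key = b"constructed-demo-key"
    idp, psp = Organisation("IdP", key), Organisation("PSP", key)
    idp.submit("alice", {"name": "Alice"},
               {"billing": True, "marketing": False, "share": True})
    idp.disclose("alice", psp)
    before = psp.access("clerk", "alice", "billing")
    idp.update_consent("alice", "billing", False)
    try:
        psp.access("clerk", "alice", "billing")
        after = "allowed"
    except PermissionError:
        after = "denied"
    return before, after
```

Access is denied by default: a purpose that was never mentioned in the consent preferences is treated the same as one that was refused, and every decision lands in the audit list.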

A fully working prototype has been built by HP Labs, to fully illustrate the capabilities of the EnCoRe Service Framework and the four general use cases.

Specifically, the Service Framework implements the following key EnCoRe Architectural capabilities [1]: module for the configuration of supported Privacy Preferences and Policies; the Consent/Revocation Provisioning module; the Data Registry module; the Privacy-aware Access Control module; the Obligation Management module; Internal and External Workflow Management modules; the Sticky Policy Management module; instantiation of types of Privacy Preferences, various Access Control and Obligation Policies.

The various components of the Service Framework have been implemented to run as self-standing, secure and distributed services within an organisation. The goal is to ensure that early adopters of the EnCoRe toolkits can use this framework to explore its privacy management capabilities and deploy an extended version of it within their IT operational environments.

The implementation uses state-of-the-art technologies based on the Java framework. It uses the REST [6] methodology and approach for a quick and flexible development of service interfaces and the exchange of information between the involved services. The EnCoRe components are implemented as self-standing RESTful services [7]. These service components can be distributed across different IT systems based on needs. Their implementation supports state-of-the-art security, including encryption of data and secure SSL communication. The representation of information that is exchanged between these EnCoRe components uses the XML technology to support future extensions and quick adaptation to the needs of different organisations and their IT operational environments.

This framework has been used by HP Labs as a platform for experimentation of innovative privacy management and consent/revocation solutions. Specifically, HP Labs used it to develop and deploy advanced solutions for: the tracking of whereabouts of personal data (via an enhanced version of the Data Registry component); the management of sticky policies by means of a variety of possible technical approaches. The service framework now fully supports sticky policies as the mechanism to exchange personal data and privacy preferences across parties, in a safe and accountable way. A reference implementation is available as described in [8].

The HP Labs Service Framework is also an agile platform to develop demonstrators for a variety of needs, including prototypes of the overall system for the EnCoRe engagement with the Cabinet Office Identity Assurance Programme [2].

HP Labs are exploring the opportunity to release this Service Framework in the context of an Open Source initiative. This option is currently being discussed within EnCoRe and various involved organisations: a decision will be made towards the end of the project (April 2012).

[1] D2.3 Technical Architecture for the third realized Case Study, http://www.encore-project.info/deliverables_material/D2_3_EnCoRe_Architecture_V1.0.pdf
[2] UK Cabinet Office, Identity Assurance (IdA) Programme Statements, http://services.parliament.uk/hansard/Commons/ByDate/20110518/writtenministerialstatements/part003.html
[3] D2.1 Technical Architecture for the first realized Case Study, http://www.encore-project.info/deliverables_material/D2.1%20EnCoRe%20Architecture%20V1.0.pdf
[4] D2.2 Technical Architecture for the second realized Case Study, http://www.encore-project.info/deliverables_material/D2_2_EnCoRe_Architecture_V1.0.pdf
[5] EnCoRe, HP Labs Service Framework, http://www.encore-project.info/newsletters/newsletter03/EnCoReAUG2011.html
[6] REST, http://en.wikipedia.org/wiki/Representational_state_transfer
[7] RESTLET, RESTful web framework for Java, http://www.restlet.org/
[8] Siani Pearson, Marco Casassa Mont, Sticky Policies: An Approach for Managing Privacy across Multiple Parties, IEEE Computer Magazine, Volume 44, Number 9, September 2011

--- Posted by Marco Casassa Mont (here and here) ---

EnCoRe Demonstrator for UK Cabinet Office/Identity Assurance Programme

HP Labs developed a fully working demonstrator to illustrate the EnCoRe capabilities (for dynamic consent and privacy management) in the context of the UK Cabinet Office/Identity Assurance Programme. This demonstrator fully leverages the EnCoRe third Technical Architecture [1] and the related HP Labs’s prototype based on the EnCoRe Service Framework [5].

The Identity Assurance Programme [2] aims to deliver a rich ecosystem of services and to use standard federated identity management solutions to enable the relevant interactions between citizens (users), Identity Providers (IdP), the Hub, Attribute Providers and Public/Private Service Providers (PSPs).

Specifically, a citizen, when trying to access an online PSP service, is redirected, via the Hub, to a trusted IdP of choice, where they can be identified and authenticated. The citizen does this by providing their authentication credentials (the type of credentials to be used might change depending on the required level of assurance).

Once authenticated at the IdP site, a Minimum Data Set (MIDS, i.e. basic personal data such as name, surname, etc.) necessary to identify the data subject is passed to the Hub, which might enrich it by adding additional information retrieved from Attribute Providers. Finally the Hub passes the MIDS data, along with any additional information, to the PSP, for local matching of identities (i.e. local identification/authentication) and to enable the citizen to access the desired services. The goal is to ensure that the asserted identity of a citizen can be successfully used at the PSP site, to identify the citizen based on the locally available information.

It is important to notice that, in the described scenario, lots of personal data can potentially be exchanged between the various stakeholders, related to authentication, matching (MIDS) and business transactions. To make this programme successful, it is important that citizens (data subjects) have control over how their personal data is disclosed between the various stakeholders and subsequently used; they must be allowed to change their consent and related privacy preferences at any time; they must have degrees of assurance that their preferences are enforced by the various stakeholders.

EnCoRe helps to provide citizens with the desired level of control over their personal data and the involved organisations with mechanisms and solutions for enforcing privacy and consent.

The HP Labs’ demonstrator illustrates how this can be achieved in practice, by animating the following key use cases:

- Use Case 1: a citizen (data subject) provides consent for the use of their personal data as MIDS
- Use Case 2: a citizen provides consent for the use of selected Attribute Providers for the MIDS matching process
- Use Case 3: a citizen provides consent for sending / using further Verified Attributes
- Use Case 4: ensuring privacy in transactions through the Hub by using sticky policies
- Use Case 5: changing and propagating data & consent updates
- Use Case 6: a citizen revokes consent for an IdP to hold their data at all

More details about these use cases are available in [1].

The demonstrator uses the HP Labs’ EnCoRe Service Framework (and prototype, deployed via an EnCoRe toolbox) within 3 simulated environments: an IdP, the Hub and the Service Provider.

The demonstrator focuses on the viewpoint of end-users (citizens), administrators and employees. It illustrates how dynamic consent and privacy management can be achieved in this context.

HP Labs are available to provide demos to illustrate EnCoRe capabilities in the context of the Identity Assurance scenario and other scenarios.



[1] D2.3 Technical Architecture for the third realized Case Study, http://www.encore-project.info/deliverables_material/D2_3_EnCoRe_Architecture_V1.0.pdf
[2] UK Cabinet Office, Identity Assurance (IdA) Programme Statements, http://services.parliament.uk/hansard/Commons/ByDate/20110518/writtenministerialstatements/part003.html
[3] D2.1 Technical Architecture for the first realized Case Study, http://www.encore-project.info/deliverables_material/D2.1%20EnCoRe%20Architecture%20V1.0.pdf
[4] D2.2 Technical Architecture for the second realized Case Study, http://www.encore-project.info/deliverables_material/D2_2_EnCoRe_Architecture_V1.0.pdf
[5] EnCoRe, HP Labs Service Framework, http://www.encore-project.info/newsletters/newsletter03/EnCoReAUG2011.html
[6] REST, http://en.wikipedia.org/wiki/Representational_state_transfer
[7] RESTLET, RESTful web framework for Java, http://www.restlet.org/
[8] Siani Pearson, Marco Casassa Mont, Sticky Policies: An Approach for Managing Privacy across Multiple Parties, IEEE Computer Magazine, Volume 44, Number 9, September 2011

--- Posted by Marco Casassa Mont (here and here) ---

HP Labs papers on EnCoRe, Dynamic Consent and Privacy Management

HP Labs have contributed to the dissemination of EnCoRe and related principles by means of HP internal and public presentations as well as with a variety of papers and articles published in prestigious, international conferences and magazines.

This post provides a list of selected, recent publications that illustrate HP Labs’ work in EnCoRe and future R&D directions:

- Siani Pearson, Marco Casassa Mont, Liqun Chen and Archie Reed, “End-to-End Policy-Based Encryption and Management of Data in the Cloud”, IEEE CloudCom 2011, 2011

- Siani Pearson and Marco Casassa Mont, “Sticky Policies: An Approach for Privacy Management across Multiple Parties”, IEEE Computer, vol 44, issue 9, pp. 60-68, September 2011

- Siani Pearson, “Towards Addressing Privacy, Security and Trust Issues related to Cloud Computing”, to appear in Privacy and Security for Cloud Computing, Computer Communications and Networks, Springer, 2012

- Nick Papanikolaou, Siani Pearson, Marco Casassa Mont and Ryan Ko, “Towards Greater Accountability in Cloud Computing through Natural-Language Analysis and Automated Policy Enforcement”, HPL-2011-118. Available via http://www.hpl.hp.com/techreports/2011/HPL-2011-118.html

- Nick Papanikolaou, Siani Pearson and Marco Casassa Mont, “Towards Natural-Language Understanding and Automated Enforcement of Privacy Rules and Regulations in the Cloud: Survey and Bibliography”, HPL-2011-117. Available via http://www.hpl.hp.com/techreports/2011/HPL-2011-117.html

- Yun Shen and Siani Pearson, “Privacy Enhancing Technologies: A Review”, HPL-2011-113. Available via http://www.hpl.hp.com/techreports/2011/HPL-2011-113.html

- Siani Pearson, “Toward Accountability in the Cloud”, View from the Cloud, IEEE Internet Computing, IEEE Computer Society, July/August issue, vol. 15, no. 4, pp. 64-69, 2011.

- Siani Pearson, Marco Casassa Mont and Gina Kounga, “Enhancing Accountability in the Cloud via Sticky Policies”, Secure and Trust Computing, Data Management and Applications, Communications in Computer and Information Science, vol. 187, Springer Berlin Heidelberg, pp. 146-155, 2011.

- Nick Papanikolaou, Siani Pearson and Marco Casassa Mont, “Towards Natural-Language Understanding and Automated Enforcement of Privacy Rules and Regulations in the Cloud: Survey and Bibliography”, Secure and Trust Computing, Data Management and Applications, Communications in Computer and Information Science, vol. 187, Springer Berlin Heidelberg, pp. 166-173, 2011.

- Marco Casassa Mont, Siani Pearson, Sadie Creese, Michael Goldsmith, and Nick Papanikolaou. “A Conceptual Model for Privacy Policies with Consent and Revocation Requirements.” Privacy and Identity 2010, volume 352, IFIP Advances in Information and Communication Technology, Springer, 2011.

- Siani Pearson and Azzedine Benameur, "A Decision Support System for Design for Privacy", Privacy and Identity 2010, volume 352, IFIP Advances in Information and Communication Technology, Springer, 2011.

- Marco Casassa Mont, Gina Kounga, Siani Pearson and Archie Reed, “End-to-End Policy-Based Encryption and Management of Data in the Cloud”, Proc. HP Techcon 2011.


--- Posted by Marco Casassa Mont (here and here) ---