Enhancing cybersecurity by generating user-specific security policy through the formal modeling of user behavior

Abstract

Organizations today are faced with the difficult challenge of balancing the embrace of new and emerging technology, and securing their systems and data that support critical business functions. Although there have been significant advances in security enforcement technology, attackers are still able to compromise organizations and access. The impacts of computer intrusions have become so untenable that many organizations are looking at a drastic rethinking of their approach to the security of internal networks. This approach is called Zero Trust and it seeks to remove all notion of a trusted internal network boundary. The benefits of Zero Trust include significantly increasing the work that attackers would need to perform to achieve their objectives. But Zero Trust will also increase the management complexity for internal security teams. These teams will need a way to collect data and enforce policy decisions based upon analysis. This process will need to be done for all organizational systems, and data, and it will need to be done in all access contexts. Our approach uses formal methods to model and examine end-users security-related behaviors. Researchers have found that the users’ security decisions correlate with factors including demographics, personality traits, decision-making styles, and risk-taking preferences. We describe these behaviors by using Finite-State Automata (FSA). This allows for the automated formulation of linear-time security properties based on Timed Computation Tree Logic (TCTL). The logic is then used to check the satisfaction of collected and observed security behaviors against policy. This formal behavioral analysis could be combined with other security and network data during the context analysis process that needs to occur for each Zero Trust access request. Other network or host security data could include address identifiers, tokens, event data, packet inspection, running process data, cyber threat intelligence, and much more. Our method allows organizations that embrace a Zero Trust philosophy to generate context specific security policies that can be automatically verified for correctness and completion.