securiCAD ® A tool for modelling the cyber security of IT systems

securiCAD - a brief introduction

Page 1: securiCAD - a brief introduction

securiCAD®

A tool for modelling the cyber security of IT systems

Page 2: securiCAD - a brief introduction

securiCAD – unique selling point

securiCAD is a Computer Aided Design tool for modelling and analysing the cyber security of IT systems

• the user creates a model of a planned or existing IT system using a class library of component types, defence attributes and component interconnection types

• securiCAD identifies every attack path through the IT system as modelled

• securiCAD presents a visualisation of the shortest attack path to a selected component based on the likely time for a skilled attacker to complete it

To Foreseeti’s knowledge, no other commercial product has a similar capability to make testable predictions of IT system security at the design stage

Page 3: securiCAD - a brief introduction

The power of securiCAD analysis

The securiCAD method of analysis is powerful because:

• It can distinguish between strong and weak security architectures in a way that simple control-based security regimes cannot. Secure architectures ensure that there is no easy attack path, and the analysis exhaustively searches through all possible attack paths represented by the model.

• The model can store considerable security details about the IT system under consideration.

• The securiCAD application contains considerable information about the ease or difficulty of defeating many combinations of cyber security defences. This is based on extensive consultation with many experienced penetration testers by KTH, the Swedish Royal Institute of Technology.

• The analysis systematically reduces a great mass of system security information into selected metrics of real significance. It is objective, repeatable and quantified.

• The results can be displayed in various forms & levels of detail to suit client needs.

• The assumptions and simplifications behind the analysis are available and the automated results can be adjusted by a skilled human security analyst if desired.

Page 4: securiCAD - a brief introduction

What can securiCAD be used for?

securiCAD can be used to:

• Visualise vulnerable attack paths

• Assess how vulnerable an IT system is to cyber attack before it is built

• Set smart metrics for managing cyber security across an IT system, organisation, supply chain or regulated sector

• Optimise cyber security investment through actionable, quantifiable, decision support

Page 5: securiCAD - a brief introduction

How are models created?

Models can be created by one or a combination of the following techniques:

• Manually building the model from a library of base object types. Object types are selected from a drop-down list and dragged onto a palette; securiCAD then creates an instance of the object type. An object’s defence attributes are set by selecting from a drop-down list. Connections between objects are created by pointing and clicking.

• Reusing pre-configured groups of objects that represent a common design pattern or design component.

• Automated parsing of system data gathered by vulnerability scanners or network traffic monitoring. (This is only applicable to existing IT systems.)

Slide 6 shows the securiCAD main user interface. The object type drop-down list is at the top left, the palette is the central user pane and the defence attribute list for the selected host is at the top right. Most of the containers shown on the palette contain several objects.

Page 6: securiCAD - a brief introduction

securiCAD user interface

Page 7: securiCAD - a brief introduction

How does securiCAD present its analysis?

securiCAD can output:

• A graph showing the modelled probability of compromise of an object against time up to 100 days (see blue graph at bottom right of slide 6)

• The sequence of attack steps that a specific path comprises and the defences to be overcome at each step (see slide 8, not whole path)

• The modelled time to complete a specific attack step at probability levels of 5%, 50% & 95% (see box on lower right of slide 8)

• A risk matrix plotting the probability of an object’s compromise in a given time against the user inputted consequence of this occurring.

• An automated risk analysis report (see slide 9)
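
The time-based outputs listed above can be illustrated on a toy model. This is an added example, not securiCAD's code or algorithm: it assumes each attack step takes an exponentially distributed time, and the component names and mean step times are constructed for illustration.

```python
import heapq
import random

# Constructed model: (source, target) -> assumed mean days for a skilled
# attacker to complete that attack step. Names and values are illustrative.
MODEL = {
    ("attacker", "web_server"): 5.0,
    ("attacker", "workstation"): 2.0,
    ("web_server", "app_server"): 10.0,
    ("workstation", "app_server"): 20.0,
    ("workstation", "database"): 40.0,
    ("app_server", "database"): 4.0,
}

def shortest_path(times, source, target):
    """Dijkstra over per-step times; returns (total_days, path) or (inf, [])."""
    adj = {}
    for (u, v), t in times.items():
        adj.setdefault(u, []).append((v, t))
    heap, seen = [(0.0, source, [source])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == target:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, t in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + t, nxt, path + [nxt]))
    return float("inf"), []

def simulate(model, source, target, runs=5000, horizon=100.0, seed=1):
    """Monte Carlo: sample every step time, keep the fastest path per run."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        sampled = {e: rng.expovariate(1.0 / mean) for e, mean in model.items()}
        totals.append(shortest_path(sampled, source, target)[0])
    totals.sort()
    # Time to compromise at the 5%, 50% and 95% probability levels.
    pct = {p: totals[int(p / 100 * (runs - 1))] for p in (5, 50, 95)}
    # Probability that the target is compromised within the horizon (days).
    p_within = sum(t <= horizon for t in totals) / runs
    return pct, p_within

if __name__ == "__main__":
    print(shortest_path(MODEL, "attacker", "database"))
    print(simulate(MODEL, "attacker", "database"))
    # Strengthen one defence and compare the resulting metrics.
    hardened = {**MODEL, ("app_server", "database"): 60.0}
    print(simulate(hardened, "attacker", "database"))
```

Re-running the simulation after changing one defence shows how a design change shifts the percentiles and the probability of compromise within the 100-day horizon.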

Page 8: securiCAD - a brief introduction

securiCAD visualisation of an attack path

Page 9: securiCAD - a brief introduction

Decision support in the form of reports can be auto generated

Industrialized reports

Page 10: securiCAD - a brief introduction

securiCAD value proposition

Value of cyber security modelling

Company values “at stake”

• Visualize, track and benchmark overall security posture over time

• Understand how well you meet requirements

• Get access to expertise and build new/enhanced analysis capabilities

• Free up time through automation, let your experts focus on the right things

• Improve internal security dialogue

Visualize your security posture

Motivate and allocate budget effectively

Boost your organization

IT security budget is typically around 5%** of the IT budget and can be several MEUR per year

Increase business based on trust through transparency

Cost of cyber crime for e.g. a utility or financial company is typically +10 MEUR per year* and cost of non-compliance can be huge

* Source: Ponemon Institute ** Source: Gartner

• Allocate budget and motivate investments based on business needs and objective expertise

Page 11: securiCAD - a brief introduction

Current Foreseeti activity

• Strong customer demand:
  - Focus industries: utilities, finance and defence

• Continuing to invest in securiCAD development

• Continuing to pull through KTH research

Page 12: securiCAD - a brief introduction

Further Information

• www.foreseeti.com

• [email protected]; tel 44 (0)7376 051818

• [email protected]