DeNexus' flagship Cyber Risk Quantification and Management platform, DeRISK, is made of several component modules. One of these is the Attack Propagation Algorithm (APA), powered by Inside-Out and Outside-In data. In this blog post, we explain how and why we optimized the performance of APA in DeRISK v5.
APA is the module that estimates the probability of an Attack Attempt succeeding in causing a Loss Event. APA runs a propagation algorithm over a directed graph in which the nodes represent the steps an attack takes to progress from an Initial Access Vector to a successful Impact, or to be stopped by the presence of a Cyber Control, and the edges represent the probabilities of moving along these steps. The APA graph represents the Attack Paths that can cause an impact on a Single Facility or a single Unit Risk, using a combination of given MITRE ATT&CK tactics and techniques.
Unit Risks might also communicate externally, for example with a control center, or even with other facilities. When that happens, the attacker can exploit this communication to perform a "lateral move" from one Unit to adjacent Units and vice versa. DeRISK captures these dependencies in our APA graph, leveraging Inside-Out data from the DeNexus Knowledge Center, by creating edges that connect these entities (facilities, control centers, etc.).
As you would imagine, the more complex the connections and the more facilities there are, the larger the graph and the more possible paths there are to reach impact.
The events that DeRISK models are rare, so the probability of success is usually very low. This means that the Monte Carlo simulation in DeRISK may require millions of iterations to reach the required accuracy level.
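The graph and simulation described above, as an added example that is not part of the original post and is not DeNexus' APA code: a toy two-unit attack graph with lateral-movement edges, a Monte Carlo walk that estimates the probability of reaching a loss event, a fixed-point reference calculation to check the estimate against, and the iteration count needed for a given relative error on a rare event. The node names, per-unit attack path and edge probabilities are constructed assumptions.

```python
import random
from math import sqrt

# Constructed toy attack graph (an added illustration, not DeNexus' APA).
# Each node is an attack step; each outgoing edge carries the probability that an
# attacker at that step advances to the target step. Outgoing probabilities at a
# node sum to at most 1; the remainder is the chance that a cyber control stops
# the attempt there. Nodes named "<unit>:impact" are loss events.
P_EXECUTION = 0.5   # initial access -> execution (assumed value)
P_IMPACT = 0.2      # execution -> impact (assumed value)


def validate(graph):
    """Reject graphs whose edges are not a probability model."""
    for node, edges in graph.items():
        total = sum(w for _, w in edges)
        if total > 1.0 + 1e-12 or any(w < 0 for _, w in edges):
            raise ValueError(f"invalid edge probabilities at {node}: total {total}")
        for target, _ in edges:
            if target not in graph:
                raise ValueError(f"edge from {node} to unknown node {target}")


def build_portfolio_graph(units, lateral_links, p_lateral=0.3):
    """Copy a small per-unit attack path for every unit and add lateral-movement
    edges (both directions) between the execution steps of linked units."""
    graph = {}
    for u in units:
        graph[f"{u}:initial_access"] = [(f"{u}:execution", P_EXECUTION)]
        graph[f"{u}:execution"] = [(f"{u}:impact", P_IMPACT)]
        graph[f"{u}:impact"] = []
    for a, b in lateral_links:
        graph[f"{a}:execution"].append((f"{b}:execution", p_lateral))
        graph[f"{b}:execution"].append((f"{a}:execution", p_lateral))
    validate(graph)
    return graph


def impact_nodes(graph):
    return {n for n in graph if n.endswith(":impact")}


def simulate(graph, start, iterations, seed=0, max_steps=1000):
    """Monte Carlo estimate of P(loss event | attack attempt at `start`).

    Returns (estimate, standard_error). Each iteration walks the graph: at a node
    one uniform draw selects the edge whose cumulative probability it falls under;
    if no edge matches, a control stopped the attempt at that step.
    """
    rng = random.Random(seed)
    targets = impact_nodes(graph)
    hits = 0
    for _ in range(iterations):
        node = start
        for _ in range(max_steps):          # guard against cycles from lateral links
            if node in targets:
                hits += 1
                break
            r, cumulative, next_node = rng.random(), 0.0, None
            for target, w in graph[node]:
                cumulative += w
                if r < cumulative:
                    next_node = target
                    break
            if next_node is None:           # stopped by a control
                break
            node = next_node
    p = hits / iterations
    return p, sqrt(p * (1 - p) / iterations)


def exact_impact_probability(graph, start, tol=1e-12):
    """Reference value by fixed-point iteration of p(n) = sum_e w_e * p(target_e).

    Handles the cycles that bidirectional lateral edges create, as long as every
    node on a cycle keeps a positive stop probability (the map is then a contraction).
    """
    targets = impact_nodes(graph)
    p = {n: (1.0 if n in targets else 0.0) for n in graph}
    delta = 1.0
    while delta > tol:
        delta = 0.0
        for node, edges in graph.items():
            if node in targets:
                continue
            new = sum(w * p[t] for t, w in edges)
            delta = max(delta, abs(new - p[node]))
            p[node] = new
    return p[start]


def iterations_for_relative_error(p, rel_err):
    """Iterations needed so the standard error equals rel_err * p: (1 - p) / (p * rel_err^2)."""
    return (1 - p) / (p * rel_err ** 2)


if __name__ == "__main__":
    g = build_portfolio_graph(["A", "B"], [("A", "B")])
    est, se = simulate(g, "A:initial_access", 200_000)
    print(f"simulated {est:.4f} +/- {se:.4f}, exact {exact_impact_probability(g, 'A:initial_access'):.4f}")
    print(f"p=1e-4 at 5% relative error needs ~{iterations_for_relative_error(1e-4, 0.05):,.0f} iterations")
```

Two things the toy shows that the prose only states: the lateral edges turn two independent 0.1 probabilities into 1/7 for the attacked unit, because a stopped attempt in one unit can still be reached again from the neighbour; and `iterations_for_relative_error` makes the accuracy cost concrete, since an event with probability 1e-4 needs roughly 4 million iterations for a 5% relative standard error, which is the regime the post describes.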
The implementation of APA in previous versions of DeRISK worked well when it had to run simulations for a single isolated Unit or for a relatively small group of Units. But as DeNexus' customer base grew, and our customers' portfolios grew in size and number of Units, the graph needed to calculate bottom-up Cyber Risk Aggregation became exponentially bigger, and we observed a progressive degradation in performance that required new solutions.
To be specific, we observed the following issues:
The new specifications were set:
Or, in simpler terms: support a larger and much more complex graph with millions of iterations and optimize its performance.
After careful analysis and multiple tests, we concluded that simply optimizing the existing code did not meet the new requirements, so the decision was made to re-architect and refactor APA in a scalable and performant way that can support current and future needs:
The results exceeded the initial requirements and were truly gratifying, both in terms of performance and scalability. In terms of performance, we reached ~100M iterations per second on small graphs (< 5 Units) and ~25M iterations per second on medium graphs (> 60 Units). Measurements were taken on a cluster with 32 vCPUs, assuming a range of Units with medium to high security maturity postures.
Compared with the former APA, the new one delivers a ~50x performance improvement. This enables DeRISK to run 40 million simulations each time it solves a constrained global optimization problem over the mitigations of a given cybersecurity framework, enabling DeNexus' proprietary bottom-up, data-driven approach for very large portfolios.
Memory usage stays nearly constant during execution and there is negligible impact on memory when the graph size or the number of iterations increases.
In summary, a robust and reliable foundation for future additional developments, including the support for additional industry verticals that we will be unfolding in future blog posts.