A Formal Model of Security Controls’ Capabilities and Its Applications to Policy Refinement and Incident Management

Enforcing security requirements in networked information systems relies on technical security controls to mitigate the risks posed by increasingly sophisticated threats. Configuring these controls is challenging; even nowadays, administrators must perform it without adequate tool support. Hence, this process is plagued by errors that result in insecure postures, security incidents, and a lack of promptness in addressing threats. This paper presents the Security Capability Model (SCM), a formal model that abstracts the features that security controls offer for enforcing security policies, which includes an Information Model that depicts the basic concepts related to rules (i.e., conditions, actions, events) and policies (i.e., conditions’ evaluation, resolution strategies, default actions), and a Data Model that covers the capabilities needed to describe different types of filtering and channel protection controls. Following state-of-the-art design patterns, the model enables the generation of abstract versions of the security controls’ languages and a model-driven approach for translating abstract policies into device-specific configuration settings. By validating its effectiveness in real-world scenarios, we demonstrate that SCM enables the automation of various and complex security tasks, including accurate and granular security control comparison, policy refinement, and incident response. Lastly, we present opportunities for extensions and integration with other frameworks and models.