Integrated Risk Analytics Using XCCDF Reports and Network Configuration
In enterprise security management, hundreds or thousands of XCCDF reports (with OVAL objects embedded) can be generated frequently to check the compliance of end hosts. However, two major limitations remain to be addressed: (1) there is not yet a tool that can aggregate, analyze and visualize the collected XCCDF reports using statistical analysis in a way that makes sense for decision makers, and (2) even with XCCDF and OVAL information, it is still unclear how to assess the risk and impact on the enterprise as a whole, from both mission and business aspects. The goal of this project is to address these two challenges by (1) creating language interfaces, metrics and a formal analytic tool for investigating risk and impact across the entire enterprise, and (2) integrating and visualizing the XCCDF reports to represent statistical trends useful for security decision making.