Saturday, December 8, 2012
Towards a Computerized Risk Management Architecture
The basis for computerized risk management is MITRE's initiative
"Making Security Measurable and Manageable" [15]. This initiative has the following
structural elements: (i) standardized enumerations of common information security
concepts that need to be shared, such as vulnerabilities; (ii) languages for encoding
and communicating information about these concepts;
(iii) repositories for sharing them; and (iv) adoption of the above elements
by the community through defined program interfaces and their
implementations. The initiative focuses on the operational level of risk management.
Many leading industry security products [20] are already SCAP-validated
and benefit from the elements described above.
Our approach [24] follows the above structure and builds on it (the implementation is
still an on-going process); it can be used to improve risk management at the strategic
and/or tactical level through the development of business flight simulators. In addition,
these simulators may be used for automated decision-making support and could thus
enable self-adapting security information and event management systems. The
IS security environment is complex, comprising both information technology and the
human factor. Because analytical solutions for complex systems are the exception, we
have to rely on computer simulations. Based on this and on the measurement
apparatus developed so far, our approach works as follows (see Fig. 1).
To achieve efficient risk management, simulations have to be as
realistic as possible. Thus, the simulators use two real-time data feeds.
The US National Vulnerability Database serves as a data feed for detecting
vulnerabilities and exposures of assets. The architecture communicates with the
database (or the tools listed in the footnote) via the SCAP protocol. For example, DVE is
calculated by querying the database for each of the organization's IS assets.
The other data feed is provided through the SIF infrastructure, where agents monitor the
status of nodes in the observed system. Agents and the nodes they monitor communicate
via the SNMP protocol.
To successfully correlate an organization's assets with newly discovered
vulnerabilities and exposures, these have to be registered in the NVD. Thus, this data feed
enables reactive risk management. The second data feed enables proactive risk
management, because the likelihood and impact of an attack are assessed in real time,
regardless of whether the vulnerabilities or exposures are registered in the NVD.
The numerical representation of the acquired data is then used in the simulation model.
The aim of the simulation is to determine the dynamics of the risk factors and, from them,
derive the dynamics of information security risk. The causal dependency of the risk factors
can be explained as follows. At the centre of the analysis are assets and threats. Assets are
exposed to threats through their various vulnerabilities. The interaction of threats with
vulnerable assets leads to risks. The longer assets are exposed to threats, the higher
the probability that these vulnerabilities are successfully exploited, and therefore the
higher the risk. In line with time-delayed risk perception, it takes some time to
implement appropriate safeguards that reduce the exposure period, the threat probability and/or
the asset's vulnerability. After safeguards are implemented according to the organization's
risk acceptance criteria, some portion of the risk may remain in effect and is referred to
as residual risk.
The mathematical model that formalizes the description above [25] is based on first-order
differential calculus and was originally provided in Vensim syntax. We present its
state-space representation to give some insight into the model's characteristics. The
internal states, such as asset value, are represented by the vector x(t). The vector u(t) describes
inputs, such as arising threats or vulnerability disclosures, and y(t) is the output vector from which
residual risk is derived. The system output is defined by the functions h(t, x(t), u(t)), while
the system state changes with respect to the current state and the inputs and is
modelled by the functions f(t, x(t), u(t)). Because of the causal dependencies among risk factors, and
consequently their representation in the equations, this system is classified as non-linear;
for example, the asset vulnerability and safeguard investment states are mutually
dependent. The system is also time-variant, because it can change during simulation
time as a result of the PDCA risk management process.
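An added illustration, not code from the paper or its Vensim model [25]: a constructed toy instance of the state-space form just described, with x(t) = (exposure, vulnerability, safeguard investment), u(t) = (threat rate, vulnerability disclosure) and y(t) = residual risk, integrated with forward Euler. All coefficients, the saturating safeguard effectiveness and the disclosure scenario are assumptions chosen to show the delayed-safeguard and residual-risk behaviour, not values from the paper.

```python
import math
from dataclasses import dataclass

@dataclass
class Params:
    """Constructed coefficients for a toy risk-dynamics model (not the paper's Vensim model)."""
    asset_value: float = 10.0    # impact if the asset is compromised
    exploit_gain: float = 0.5    # how quickly accumulated exposure becomes exploitation likelihood
    patch_rate: float = 0.4      # vulnerability removed per unit of effective safeguard per time unit
    reaction_delay: float = 5.0  # first-order delay in risk perception and safeguard rollout
    acceptance: float = 1.0      # residual risk the organization is willing to accept

def h(t, x, u, p):
    """Output y(t) = h(t, x, u): residual risk = impact * vulnerability * exploitation likelihood."""
    exposure, vuln, _safeguard = x
    likelihood = 1.0 - math.exp(-p.exploit_gain * exposure)
    return p.asset_value * vuln * likelihood

def f(t, x, u, p):
    """State derivative dx/dt = f(t, x, u); non-linear because vulnerability and safeguard interact."""
    exposure, vuln, safeguard = x
    threat_rate, disclosure = u(t)
    eff = safeguard / (1.0 + safeguard)                      # saturating safeguard effectiveness (assumed)
    d_exposure = threat_rate * vuln - eff * exposure         # threats meeting a vulnerable asset
    d_vuln = disclosure - p.patch_rate * eff * vuln          # disclosures add, patching removes
    wanted = max(h(t, x, u, p) - p.acceptance, 0.0)          # invest only above risk acceptance
    d_safeguard = (wanted - safeguard) / p.reaction_delay    # time-delayed risk perception
    return [d_exposure, d_vuln, d_safeguard]

def simulate(u, p=None, x0=(0.0, 0.0, 0.0), steps=300, dt=0.1):
    """Forward-Euler integration; returns a list of (t, x(t), y(t)) samples."""
    p = p or Params()
    x, trace = list(x0), []
    for k in range(steps):
        t = k * dt
        trace.append((t, tuple(x), h(t, x, u, p)))
        dx = f(t, x, u, p)
        x = [max(xi + dt * dxi, 0.0) for xi, dxi in zip(x, dx)]  # states stay non-negative
    return trace

def disclosure_scenario(t):
    """Constructed input u(t): steady threat activity plus a vulnerability disclosure during t in [2, 4)."""
    return (1.0, 1.0 if 2.0 <= t < 4.0 else 0.0)

def risk_summary(trace):
    """Peak residual risk, final residual risk and peak safeguard level over the run."""
    risks = [y for _, _, y in trace]
    return max(risks), risks[-1], max(x[2] for _, x, _ in trace)
```

Running `risk_summary(simulate(disclosure_scenario))` shows risk climbing after the disclosure, safeguards following with a lag, and a small residual risk persisting once investment decays again.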