Measuring Security Risk in Enterprise Networks
Enterprise networks have become essential to the operation of companies, laboratories, universities, and government agencies. As they continue to grow in both size and complexity, their security has become a critical concern. Vulnerabilities are regularly discovered in software applications, and attackers exploit them to stage cyber attacks. There is currently no objective way to measure the security of an enterprise network. As a result it is difficult to answer questions such as "are we more secure than yesterday?", "how should we invest our limited resources to improve security?" or "how does this vulnerability affect the overall security of my system?". By increasing security spending an organization can decrease the risk of a security breach, but performing this tradeoff analysis requires quantitative models of security rather than the qualitative models in use today. The objective of our research is to develop models and metrics that can be used to objectively assess the security of an enterprise network.
Some of the challenging aspects of this research are as follows --
- Security vulnerabilities are rampant: CERT [1] reports about a hundred new security vulnerabilities each week. Managing the security of an enterprise network, with hundreds of hosts and a different mix of operating systems and applications on each, is difficult when any of that software may contain a vulnerability that can be exploited.
- Secure configuration of a complete system is highly complex: Configuring an enterprise network and all its components to meet the security requirements is a difficult task. Installing software components from major commercial vendors in their default configuration often introduces vulnerabilities, and system administrators often make configuration errors that allow an attacker to easily steal confidential data. Without quantitative models of security it is also difficult to compare one network configuration with another.
- Attackers launch complex multi-step cyber attacks: Cyber attackers can launch multi-step, multi-host attacks that incrementally penetrate the network, using each compromised host as a stepping stone, with the goal of eventually compromising critical systems. Protecting the critical systems from such attacks is a challenging task.
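The last two points, comparing network configurations and reasoning about multi-step attacks, can be made concrete with a small attack-graph model. The following Python code is an added example, not the project's own code: the topology, the vulnerability identifiers (VULN-WEB-1 and so on) and the exploit success probabilities are constructed for illustration, and the risk metric it uses (success probability of the most likely attack path, with exploits assumed independent) is one simple choice among several, not a metric the page defines.

```python
"""Attack-graph risk analysis of a small enterprise network.

Added example, not the project's own code. The topology, the vulnerability
identifiers and the exploit success probabilities are constructed for
illustration; in practice the probabilities would come from a scoring scheme
such as CVSS and the topology from a configuration scan.
"""

# Constructed reachability: which hosts each host can open connections to.
# The attacker starts with a foothold on "internet"; "db" is the critical asset.
REACHABILITY = {
    "internet": ["web"],
    "web": ["app", "db"],
    "app": ["db"],
    "db": [],
}

# Constructed vulnerabilities per host: (hypothetical id, P(exploit succeeds)).
VULNS = {
    "web": [("VULN-WEB-1", 0.6), ("VULN-WEB-2", 0.3)],
    "app": [("VULN-APP-1", 0.4)],
    "db": [("VULN-DB-1", 0.3), ("VULN-DB-2", 0.1)],
}


def attack_paths(reach, vulns, start, target):
    """Enumerate loop-free multi-step attack paths from start to target.

    Every hop must land on a host with at least one exploitable vulnerability;
    the host the attacker already controls needs none.
    """
    paths = []

    def dfs(host, path):
        if host == target:
            paths.append(list(path))
            return
        for nxt in reach.get(host, []):
            if nxt in path or not vulns.get(nxt):
                continue
            path.append(nxt)
            dfs(nxt, path)
            path.pop()

    dfs(start, [start])
    return paths


def path_success(path, vulns):
    """P(every exploit along the path succeeds), assuming the attacker uses the
    most reliable exploit on each host and that exploits are independent."""
    p = 1.0
    for host in path[1:]:
        p *= max(prob for _, prob in vulns[host])
    return p


def compromise_risk(reach, vulns, start, target):
    """Risk metric: success probability of the most likely attack path,
    0.0 when no path reaches the target."""
    paths = attack_paths(reach, vulns, start, target)
    return max((path_success(p, vulns) for p in paths), default=0.0)


def without_vuln(vulns, vuln_id):
    """The same network with one vulnerability patched."""
    return {h: [(i, p) for i, p in vs if i != vuln_id] for h, vs in vulns.items()}


def without_edge(reach, src, dst):
    """The same network with one connection blocked (e.g. a firewall rule)."""
    return {h: [n for n in ns if (h, n) != (src, dst)] for h, ns in reach.items()}


def rank_mitigations(reach, vulns, start, target):
    """Rank every single patch or firewall change by the risk that remains
    after it, lowest first: an objective answer to "what should we fix next?".
    """
    residual = {}
    for vs in vulns.values():
        for vuln_id, _ in vs:
            residual["patch " + vuln_id] = compromise_risk(
                reach, without_vuln(vulns, vuln_id), start, target)
    for src, dsts in reach.items():
        for dst in dsts:
            residual[f"block {src}->{dst}"] = compromise_risk(
                without_edge(reach, src, dst), vulns, start, target)
    return sorted(residual.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    print(f"baseline risk to db: {compromise_risk(REACHABILITY, VULNS, 'internet', 'db'):.3f}")
    for path in attack_paths(REACHABILITY, VULNS, "internet", "db"):
        print("  path", " -> ".join(path), f"p={path_success(path, VULNS):.3f}")
    for change, risk in rank_mitigations(REACHABILITY, VULNS, "internet", "db"):
        print(f"  {change:<22} residual risk {risk:.3f}")
```

On this constructed network the baseline risk to db is 0.18 (internet -> web -> db), and the ranking shows that patching VULN-DB-1 on the target lowers the residual risk more than blocking the web -> db connection or patching the most severe flaw on the web server. The top-ranked change, cutting the web server off from the internet, scores 0.0 only because the model has no notion of cost or business need; a real analysis restricts the candidate changes to ones the organization can actually make.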
A High Level System Architecture
Our system contains the following components --
- Analysis of System Vulnerabilities: This component monitors the state of the network and identifies the vulnerabilities that need to be fixed before an attacker can exploit them to launch an attack. Since the software configuration of hosts changes frequently, one way to use this analysis is to collect the configuration information periodically (hourly or daily, as appropriate) and send the resulting list of possible exploits to a security analyst.
- Analysis of Current Attacks: This component enables a security analyst to detect the individual steps of an attack in progress (for example network scanning) and stop the attack before it reaches its goal. Currently, an analyst uses log files and event logs to recognize hostile actions such as Denial of Service (DoS) attacks. Intrusion Detection Systems (IDS) can recognize that a single host is under attack, but they have high false-positive rates.
- A User Friendly Visualization System: This component provides situational awareness at a glance. It will provide an interactive, multi-resolution view so the analyst can first obtain a high-level overview quickly and then drill down to specific details.
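As an added example of the attack-step detection that the "Analysis of Current Attacks" component describes (not code from the project), the following Python code detects the network-scanning step from connection logs. The log format, the addresses and the thresholds are assumptions made for this example; requiring that most of a source's connection attempts were denied is one way to suppress the kind of false positive the text attributes to IDS, since a busy legitimate client is allowed through while a scanner mostly hits closed ports.

```python
"""Detecting the network-scanning step of an attack from connection logs.

Added example, not the project's own code. The log format, addresses and
thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line format assumed here: "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def _constructed_log():
    """Build sample log lines (constructed, not captured from a real network)."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Fast scan: 30 ports on one target within 10 seconds, mostly refused.
    for i, port in enumerate(range(20, 50)):
        ts = base + timedelta(seconds=i // 3)
        action = "ALLOW" if port in (22, 25) else "DENY"
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.1.10 {port} {action}")
    # Legitimate client: many connections, but only to two service ports.
    for i in range(20):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 10.0.1.10 {(80, 443)[i % 2]} ALLOW")
    # Low-and-slow scan: one port per minute, which a short window misses.
    for i, port in enumerate(range(1000, 1030)):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 10.0.1.10 {port} DENY")
    return lines


LOG_LINES = _constructed_log()


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, src, dst, port, action = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scans(lines, window_seconds=10, min_ports=15, min_deny_ratio=0.5):
    """Flag (src, dst) pairs where one source touches at least min_ports
    distinct ports within window_seconds. Requiring a high share of DENY
    results filters out busy legitimate clients, which keeps false positives
    down. Returns one alert per pair, describing the widest window that fired."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ts, src, dst, port, action in sorted(map(parse_line, lines)):
        by_pair[(src, dst)].append((ts, port, action))

    alerts = []
    for (src, dst), events in by_pair.items():
        best, start = None, 0
        for end, (ts_end, _, _) in enumerate(events):
            while ts_end - events[start][0] > window:  # slide the window forward
                start += 1
            win = events[start:end + 1]
            ports = {p for _, p, _ in win}
            deny_ratio = sum(a == "DENY" for _, _, a in win) / len(win)
            if len(ports) >= min_ports and deny_ratio >= min_deny_ratio:
                if best is None or len(ports) > best["distinct_ports"]:
                    best = {"src": src, "dst": dst, "distinct_ports": len(ports),
                            "deny_ratio": round(deny_ratio, 2),
                            "first": events[start][0], "last": ts_end}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_scans(LOG_LINES):
        print(f"scan: {a['src']} -> {a['dst']} {a['distinct_ports']} ports, "
              f"deny ratio {a['deny_ratio']}, {a['first']} .. {a['last']}")
```

With the default 10-second window only the fast scanner (10.0.0.5) is reported; the legitimate client is not, because it touches just two ports. The low-and-slow scanner (10.0.0.9) evades that window and is only caught when the window is widened to an hour, which is the usual trade-off: a longer window catches slower scans but costs more state per source and raises the chance that ordinary traffic accumulates enough distinct ports to fire.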
1. Computer Emergency Response Team, http://www.cert.org/