By Arun Sood

Information is critical to decision making in a corporation. Companies are beginning to apply risk management approaches to managing the IT infrastructure.  Vendors like Symantec and McAfee are also responding to this need.  Proactive Risk Management methodology enables the study of a variety of trade-offs.  However, for quantitative security risk management, it is necessary to have a quantitative metric.  The lack of easily measurable and understandable metrics is a big hole in the conventional reactive models of prevention and detection.

The current technology used to prevent intrusions and detect intrusions is based on complete knowledge of the attack methodology and software vulnerabilities.  This is an unrealistic expectation.  Since even the best of these systems cannot prevent all intrusions, it becomes critical to start looking for additional methods of protecting the IT resources.  In particular, our objective is to limit the damage that can be done by an intruder. 

To develop a new metric for measuring server tolerance to intrusions, we note that the resulting loss increases with the time the intruder has to explore the system, assess its weakness and inflict damage.  We call this time, the Intruder Residence Time (IRT) and suggest that the relationship between Loss and IRT is as shown in the Loss Curve in Figure 1.

To assess the risk and for system design, the objective is to minimize the IRT.  However, the lower the IRT the higher the system cost (Figure 2).  So we need to look for a compromise.  The lower knee of the curve in Figure 1, marked with T, is a candidate for a design parameter.

 
However, we still have a problem.  IRT is not measurable – it is a probabilistic quantity.  For this reason, a better metric is an indirect measure of IRT.  We propose that exposure time is a better metric. We suggest that exposure time of a server is a good way to assess the vulnerability of a server.  Lower exposure time will lead to lower intruder residence time, which in turn will lead to less loss. 

How to design low exposure time systems?  This topic has been discussed in a series of papers about Self Cleansing Intrusion Tolerance architectures and can be viewed at http://cs.gmu.edu/~asood/scit.

Arun Sood
Task Technologies Ltd, Clifton, VA
Department of Computer Science, George Mason University, Fairfax, VA
asood@tasktechnologies.com

Related posts:

1. What do you mean by “Convergence”?
2. ISO 27001 Standard Released
3. Port Knocking 101 - The Basics
4. I Guess Carly Thinks Performance Doesn’t Matter
5. Plan, Plan, Plan, Plan - React!

Posted by Arun.Sood on Monday, July 23rd, 2007, at 2:50 pm, and filed under Articles.

Follow any responses to this entry with the RSS 2.0 feed.

You can post a comment, or trackback from your site.