METRIC OF NETWORK INTEGRITY
By Kevin Soo Hoo
The recent spate of network worms has focused attention, once again, upon information security, particularly network security. After more than a quarter century of corporate computing, business managers and technologists alike can do little more to articulate the state of their network security than give qualitative descriptions of their "gut feel" about it. Why is this the case? Certainly, the lack of concrete metrics may confer a certain degree of job security on some, but that alone cannot fully account for the absence. A more plausible root cause may rest in the fast pace of innovation in network technology and the inherent difficulties associated with measuring security itself.
Other types of security have metrics. Those metrics, however, are usually process-based ones that were developed for well-established avenues of attack. Whether they are force counts for national security or guards, locks, and doors for physical perimeter security, the threats and adversary capabilities are static enough to have
Network security suffers from the twin drawbacks of rapid innovation and poorly understood adversaries. The fast pace of technological change creates opportunities for new modes of attack and network failure. While network defenders are busy developing countermeasures for known exploits, their adversaries are equally busy concocting new ones. And, as the network becomes ever more complex, the supply of weaknesses to exploit appears inexhaustible. Similarly, the supply of network attackers is highly varied and also seemingly unending.
The often-cited laundry list of malefactors, for example, terrorists, business competitors, national spies, hackers, and thieves, does little to reveal the true motivations, capabilities, and interests of those actually attacking networks today.
Given the challenges of measuring network security, the slow progress of metrics development is hardly surprising. Strategies for characterizing or validating security generally fall into one of the two categories below.
These measurement strategies, however, do not necessarily imply good metrics. In fact, many of them are biased, subjective, and not repeatable. If measurements are instantaneous snapshots of a particular parameter, then metrics are more complete pictures, typically composed of several measurements, baselines, and other supporting information that provide context for interpreting the measurements. Good metrics are goal oriented and exhibit, according to George Jelen of the International Systems Security Engineering Association, SMART characteristics: Specific, Measurable, Attainable, Repeatable, and Time dependent.
Today, measurements of network security are often conducted by separate organizations that independently define, collect, and analyze technical metrics in isolation. These metrics include the numbers of vulnerabilities found in network scans, known incidents reported, estimated losses from security events, security bug discovery rate in a new software application, intrusion detection system alerts, number of virus infected e-mails intercepted, and others. But, are these good metrics? Looking back at the criteria set forth, this assortment of measurable attributes tends to be subjective in nature, highly dependent upon the measurement taker, and generally lacking a coherent story or goal.
The concept of network integrity is a useful means for limiting the scope of network security metrics to a tractable subset of what can be measured. Adapting the NIST definition of system integrity, network integrity is a state in which the network "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system." (NIST Special Publication 800-12, http://csrc.nist.gov/publications/nistpubs/800-12/)
This simplification places network integrity as part of network reliability and divorces it from questions of network information asset value, loss, and opportunity cost. The problem can be further constrained by looking only at electronic (i.e., non-physical) threats. The diagram below illustrates how network threats precipitate tactical security objectives, which in turn support network integrity and reliability.
Information technology operations personnel, responsible for server and desktop maintenance, are generally interested in a more granular view of network integrity in order to maintain network services. Whereas executives look for support for resource allocation decisions, network operations people seek help to prevent, detect, and respond to network integrity compromises. Thus, questions of concern include:
Finally, the network security team is typically responsible for an organization's security policies and programs. Although they may not have direct operational responsibility, they are quite interested in how security policies, procedures, and programs are ensuring or failing to ensure network integrity.
[Table: Metrics of Network Integrity (Information Technology Operations)]
Note: Security policies are the primary vehicle by which security expectations and requirements are communicated throughout the enterprise. The best practices that constitute good security policy are too numerous to enumerate here. A good metrics regime provides necessary feedback to an organization's policy maintenance and enforcement process to keep theoretical security expectations consistent with realistic security practice. Measuring the quality of security policy is a separate and important exercise, but it is not the subject of this paper.
Attainability and repeatability are the remaining attributes of good metrics to be addressed. Automation of the measurement process with some form of instrumentation technology is one scalable strategy for ensuring them. Limiting the role of human intervention in the process serves to minimize both subjective judgment and measurement errors. Impartiality and consistency are necessary conditions for credible measurement comparisons across either time (time-series) or organizations (benchmarks).
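The measurement-versus-metric distinction and the automation argument above, as an added example that is not part of the paper: raw snapshots of the attributes the paper lists (vulnerabilities per scan, intrusion detection alerts, virus-infected e-mails intercepted) are turned into a metric by comparing each against a baseline built from the preceding periods, with no analyst judgment in the loop. The weekly figures, the window of four periods, and the 1.5x threshold are constructed assumptions, not values from the paper.

```python
from statistics import median

# Constructed sample data: one row per weekly measurement period.
# Week 5 is constructed to show a deviation in two of the three attributes.
MEASUREMENTS = [
    {"week": 1, "scan_vulns": 40, "ids_alerts": 120, "virus_mail": 300},
    {"week": 2, "scan_vulns": 38, "ids_alerts": 110, "virus_mail": 280},
    {"week": 3, "scan_vulns": 42, "ids_alerts": 130, "virus_mail": 310},
    {"week": 4, "scan_vulns": 39, "ids_alerts": 115, "virus_mail": 290},
    {"week": 5, "scan_vulns": 75, "ids_alerts": 400, "virus_mail": 295},
]
KEYS = ("scan_vulns", "ids_alerts", "virus_mail")


def integrity_report(measurements, keys, window=4, threshold=1.5):
    """Metric for the most recent period.

    Each measurement (a snapshot) is compared against the median of the
    preceding `window` periods (the baseline that supplies context). The
    function is a pure function of its inputs, so it is repeatable, and the
    window makes it explicitly time dependent. Attributes whose ratio to
    baseline exceeds `threshold` are listed as out of band, i.e. candidates
    for a network integrity compromise worth investigating.
    """
    if len(measurements) <= window:
        raise ValueError("need more than `window` periods to form a baseline")
    history, current = measurements[-window - 1:-1], measurements[-1]
    report = {"period": current["week"], "out_of_band": []}
    for key in keys:
        base = median(row[key] for row in history)
        ratio = current[key] / base if base else float("inf")
        report[key] = {"value": current[key], "baseline": base,
                       "ratio": round(ratio, 2)}
        if ratio > threshold:
            report["out_of_band"].append(key)
    return report


if __name__ == "__main__":
    result = integrity_report(MEASUREMENTS, KEYS)
    print(f"period {result['period']}: out of band = {result['out_of_band']}")
    for key in KEYS:
        print(f"  {key}: {result[key]}")
```

Re-running the report over the same stored measurements always yields the same figures, which is what makes time-series comparisons within one organization, and benchmarks across organizations, defensible.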
The need for metrics is real and growing more acute. In this paper, we have put forward a list of good metrics of network integrity that help inform security decisions across the enterprise. A number of industry consortia and trade groups are putting forward candidates for general IT security metrics. TechNet, the Global Security Consortium, and others are advocating new approaches to metrics. The hope is that formal benchmarks will soon emerge to give both private and public entities visibility into the state of information security at local, industry, and national levels. The Department of Homeland Security, at a recent Cyber Security Summit in Santa Clara, CA, put the information technology industry on notice that solutions to the apparent cyber insecurity and lack of standard metrics must be found soon, or the government will intervene. What shape that intervention might take is uncertain, but the threat alone is motivation enough to begin a concrete discussion about metrics.