2007-11-07
The information technology revolution has changed the way business is transacted, governments operate, and national defense is conducted. Protection of these systems is essential, and continuous efforts to protect them have been accompanied by exponential growth in reported security incidents. There are threats from hackers, spies, corporate raiders, terrorists, professional criminals, and vandals -- all of whom have a vested interest and well-defined objectives for challenging the technology for financial and political gain, leading to damage to the enterprise infrastructure.
The current approach to security is based on perimeter defense and relies on firewalls, intrusion detection systems, and intrusion prevention systems. These approaches depend on a priori information. However, the increasing speed at which new exploits and attacks are being devised mandates a new layer of security defense for enterprise IT infrastructures -- a layer that provides consistent protection rather than perpetually lagging behind the morphing tricks of hackers. We propose such a new defense layer and a model that proactively manages server security risks and that co-exists with and complements the traditional security solutions.
Proactive security and exposure time as a metric
In this paper, we present a new approach to security risk management. The overall goal is to enhance the security of the national and corporate information infrastructure. For high levels of protection, the typical approach is to utilize a layered approach, often called "defense-in-depth." We propose the addition of a proactive security layer to the current security approaches.
To understand the necessity of this addition, consider one of the most popular security defenses -- intrusion detection and prevention based on attack signatures. While the defense is effective after an attack is discovered and analyzed, it cannot be anticipatory and thus leaves the system vulnerable for a period of time. Such a defense reacts to the inventions of hackers. In contrast, a proactive security risk management system focuses on analysis of the corporate resources and the risks associated with them and develops plans to protect them. The resultant security coverage leaves no time gaps, because it does not depend on prior knowledge of attacks. In the end, foolproof security is impossible and cannot be guaranteed, even with the best firewall and intrusion prevention or detection systems; this raises the question: how much loss can an enterprise tolerate? In a military context, this leads to designing for survivability [1], and computer vendors treat this as a self-preservation and business continuity issue [2]. Our faculty at George Mason University presents the Self Cleansing Intrusion Tolerance (SCIT) architecture [3], which reduces the losses by controlling the time a server is exposed to the Internet.
In our proactive security risk management, exposure time is the primary risk metric. We define exposure time as the time interval during which a server is exposed to the Internet. This metric has the advantage of being easily measured, repeatable, easy to understand, and easy to relate to the potential damage resulting from an intrusion. We emphasize that this definition is not based on the detection of an intrusion, but exclusively on elapsed time. Certainly, servers with low exposure time provide fewer opportunities for intruders to do damage. The proactive security risk management methodology described in this paper (Section 4) is driven by the need to assign an exposure time requirement to each risk associated with the servers in the system.
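As an added illustration, not code from the paper or the SCIT project, the following Python models a simplified rotation in which each server instance is online for at most an exposure-time budget and is then taken offline for cleansing; the staggered-offset scheme, the cleanse_time parameter and all function names are assumptions made for this example, not SCIT's published mechanism. It shows what the metric costs (instances needed to keep k servers serving) and what it buys (a dwell-time bound that holds even if an intrusion is never detected).

```python
import math

# Assumed model: each instance cycles through exposure_time units online,
# then cleanse_time units offline being restored to a clean image.

def instances_needed(k_online: int, exposure_time: int, cleanse_time: int) -> int:
    """Instances required so that k_online always serve while each one is
    exposed for at most exposure_time per cycle."""
    period = exposure_time + cleanse_time
    return math.ceil(k_online * period / exposure_time)

def is_online(t: int, offset: int, exposure_time: int, cleanse_time: int) -> bool:
    """An instance is exposed during the first exposure_time units of each period."""
    return (t - offset) % (exposure_time + cleanse_time) < exposure_time

def rotation(k_online: int, exposure_time: int, cleanse_time: int) -> list:
    """Evenly staggered start offsets for the rotating pool (assumed scheme)."""
    n = instances_needed(k_online, exposure_time, cleanse_time)
    period = exposure_time + cleanse_time
    return [round(i * period / n) for i in range(n)]

def check_schedule(k_online: int, exposure_time: int, cleanse_time: int) -> tuple:
    """Simulate one full period and return (min_online, longest_exposure):
    the availability floor and the observed exposure bound for the schedule."""
    offsets = rotation(k_online, exposure_time, cleanse_time)
    period = exposure_time + cleanse_time
    longest = 0
    for off in offsets:                      # longest contiguous online run
        run = 0
        for t in range(off, off + period):   # one full cycle of this instance
            run = run + 1 if is_online(t, off, exposure_time, cleanse_time) else 0
            longest = max(longest, run)
    min_online = min(
        sum(is_online(t, off, exposure_time, cleanse_time) for off in offsets)
        for t in range(period)
    )
    return min_online, longest

def remaining_exposure(t: int, offset: int, exposure_time: int, cleanse_time: int) -> int:
    """Upper bound on how long an intruder who compromises this instance at
    time t can keep it, regardless of whether the intrusion is ever detected."""
    elapsed = (t - offset) % (exposure_time + cleanse_time)
    return max(0, exposure_time - elapsed)

if __name__ == "__main__":
    # Constructed parameters: keep 2 servers online, 60-unit exposure, 30-unit cleanse.
    print(instances_needed(2, 60, 30), check_schedule(2, 60, 30))
    print(remaining_exposure(45, 0, 60, 30))
```

Shrinking exposure_time for the same cleanse_time raises the instance count, which is the trade-off a risk owner accepts when assigning an exposure time requirement to a server.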
