2007-11-07
Article continued from Page 2
Proactive risk management approach
Enterprises are aware of the fact that risk cannot be completely eliminated and must be tolerated. The intrusion tolerance paradigm assumes that the organization remains vulnerable to a certain extent, that attacks will happen, and that some will succeed. The main objective of a proactive approach is to limit the damage that an intruder can do and to make sure that the system remains secure and operational. A proactive approach allows organizations to manage the security of their infrastructures and the business value that those infrastructures deliver.
In Table 2 we summarize the key differences between the proactive approach driven by the intrusion tolerance paradigm and the reactive approach driven by the prevention and detection paradigm.
| Issue | Firewall, IDS, IPS | Intrusion tolerance |
|---|---|---|
| Risk management | Reactive | Proactive |
| A priori information required | Attack models; software vulnerabilities; reaction rules | Exposure time selection; length of longest transaction |
| Protection approach | Prevent all intrusions; impossible to achieve | Limit losses |
| System Administrator workload | High - manage reaction rules; manage false alarms | Less - no false alarms generated |
| Design metric | Unspecified | Exposure time: Deterministic |
| Packet/data stream monitoring | Required | Not required |
| Higher traffic volume requires | More computations | Computation volume unchanged |
| Applying patches | Must be applied immediately | Can be planned |
The exposure time (and thus the associated risk) is different for each server and can be shaped by factors like:
- Longest transaction time,
- Usage behavior patterns (user behavior),
- The amount of time it takes for the server to boot and restore to a known state,
- Total number of current active transactions on the system, and
- Expected traffic on the servers.
The exposure time can also be derived from information shared by interconnected enterprise servers. The value can be adjusted dynamically, or assigned ranges that vary with server conditions such as performance, number of running processes, CPU usage, power usage, physical memory, kernel memory, and commit charge.
The proactive model incorporates the impact of exposure time by augmenting the traditional methodology presented in the previous section. A typical intrusion [6] goes through three phases: network reconnaissance, application reconnaissance and exploit attempt. Thus, by limiting the exposure time of the server, the time available for exploration and exploitation is reduced. The reduced exposure time leads to a reduced exposure factor, which in turn results in a reduced expected loss. The reduction in exposure factor is modulated by an S-curve; because of the shaping effect of this curve, the output of the process is called the risk-shaped exposure factor (EFShaped). The steps in this computation are summarized in Figure 2.

Figure 2: Risk shaping
Figure 2 also captures the risk shaping in a matrix format. In this matrix the ET and EF values have been respectively normalized by ETMax and EFMax. Thus the entry in the 1,1 location is 1 and all other values are less than 1. The bottom right quadrant of the matrix shows the lower values of EFShaped. Typically, the shaded rows are the optimal set of ET values -- higher values of ET yield only limited advantage and lower ET values will have a higher implementation cost.
In summary, the EF from the traditional approach is treated as EFMax and is modified based on the exposure time. A shorter exposure time leads to a lower EFShaped.
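The following Python script is an added worked example of the risk shaping described above and of the normalized ET/EF matrix of Figure 2; it is not code from the article or from any project the article describes. The article names an S-curve but gives no equation, so a rescaled logistic curve (with illustrative steepness and midpoint) stands in for it, the asset value, EF, ARO and ETMax figures are constructed sample values, and the "traditional methodology" is assumed to be the usual expected-loss product AV x EF x ARO.

```python
"""Risk shaping: scale the traditional exposure factor (EF) by an S-curve of
the server's exposure time (ET), then build the normalized matrix of Figure 2.
Added example with constructed values; not the article's own code."""
import math

# Constructed sample values for one server (assumptions, not from the article).
ASSET_VALUE = 250_000.0   # AV: value of the asset, in currency units
EF_TRADITIONAL = 0.6      # EF from the traditional assessment; treated as EFMax
ARO = 2.0                 # annualized rate of occurrence of the threat
ET_MAX = 3600.0           # seconds of exposure with no periodic restoration


def s_curve(x, steepness=10.0, midpoint=0.5):
    """Logistic S-curve on a normalized input x in [0, 1], rescaled so that
    s_curve(0) == 0 and s_curve(1) == 1.
    Assumption: the article gives no equation for its S-curve, so this
    logistic form and its parameters are illustrative choices."""
    def raw(v):
        return 1.0 / (1.0 + math.exp(-steepness * (v - midpoint)))
    lo, hi = raw(0.0), raw(1.0)
    return (raw(x) - lo) / (hi - lo)


def shaped_exposure_factor(ef, et, ef_max=EF_TRADITIONAL, et_max=ET_MAX):
    """EFShaped: the exposure factor after risk shaping.
    EF and ET are normalized by EFMax and ETMax as in the article; the
    normalized EF is multiplied by the S-curve of the normalized ET and the
    result is scaled back to EF units. A server exposed for the full et_max
    keeps its traditional EF; a server with zero exposure time has none."""
    if not (0.0 <= ef <= ef_max) or not (0.0 <= et <= et_max):
        raise ValueError("ef must lie in [0, ef_max] and et in [0, et_max]")
    return ef_max * (ef / ef_max) * s_curve(et / et_max)


def expected_annual_loss(ef_shaped, asset_value=ASSET_VALUE, aro=ARO):
    """Expected loss using EFShaped in place of EF.
    Assumption: the traditional methodology is AV * EF * ARO."""
    return asset_value * ef_shaped * aro


def risk_shaping_matrix(n_et=5, n_ef=5, ef_max=EF_TRADITIONAL, et_max=ET_MAX):
    """Normalized matrix of EFShaped / EFMax in the layout of Figure 2.
    Rows: ET/ETMax descending from 1; columns: EF/EFMax descending from 1.
    Entry [0][0] is therefore 1 and every other entry is below 1, with the
    smallest values in the bottom-right quadrant."""
    et_norms = [1.0 - i / n_et for i in range(n_et)]   # 1.0, 0.8, 0.6, ...
    ef_norms = [1.0 - j / n_ef for j in range(n_ef)]
    matrix = []
    for etn in et_norms:
        row = [
            shaped_exposure_factor(efn * ef_max, etn * et_max, ef_max, et_max) / ef_max
            for efn in ef_norms
        ]
        matrix.append(row)
    return matrix


def loss_by_exposure_time(exposure_times, ef=EF_TRADITIONAL):
    """Expected loss for each candidate ET, so the diminishing return of
    pushing ET towards zero (the flat tail of the S-curve) is visible."""
    return [(et, expected_annual_loss(shaped_exposure_factor(ef, et)))
            for et in exposure_times]


if __name__ == "__main__":
    print("Traditional expected loss:", expected_annual_loss(EF_TRADITIONAL))
    for et, loss in loss_by_exposure_time([3600.0, 1800.0, 600.0, 60.0]):
        print(f"ET={et:7.1f}s  EFShaped={shaped_exposure_factor(EF_TRADITIONAL, et):.4f}"
              f"  expected loss={loss:12.2f}")
    for row in risk_shaping_matrix():
        print("  ".join(f"{v:.4f}" for v in row))
```

Running the script prints the expected loss for a few candidate exposure times and the 5x5 normalized matrix; the first row (ET = ETMax) reproduces the traditional EF scale, and because the S-curve flattens at both ends, shrinking ET below the knee of the curve buys little further loss reduction, which is the trade-off the article attributes to the shaded rows of Figure 2.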
