TLEN 5700
SPRING 2004
Enterprise Security Measurement
By
Lacey Bostick
Ninan Koshy
Raunaq Gandhi
Amit Kela
Enterprise Security Management
1 Introduction
The expanding presence of the Internet and its impact on business operations has brought into focus the importance of implementing and maintaining information technology (IT) security within an enterprise. A wide range of information security threats, laws and regulations require executives in several industries, including healthcare, financial services and government, to implement information security measures that reduce risk and maintain compliance with laws and regulations. These measures can only be implemented efficiently if the correct enterprise information exists and is delivered to the decision makers.
C-level executives[1] require security information about the enterprise that differs from what middle management and system administrators need, because they must make fact-based decisions at the business level. These executives need to understand the cost and impact of any proposed security controls and procedures before they can approve them. Moreover, C-level executives and legal counsel are constantly probing how security controls and processes relate to the business, financial and legal risks that they must manage.
Most tools today produce purely technical reports based on factors such as missing technical controls and the number of security events. Simply summarizing this detailed security data further does not provide adequate information for executive reports that describe the enterprise security posture (ESP). Such reports fail to demonstrate the impact security events will have on the continued viability and operation of the enterprise, and they do not provide information on which focused risk controls can be based. Additional analysis must be performed on the data, and information must be added, to give a clear understanding of the security gaps, the level of exposure, and whether the situation is improving or degrading over time.
While there are many examples of commercial security event management (SEM) solutions that produce acceptable reporting for security engineers, systems administrators and middle management, we know of no solution that creates enterprise security posture (ESP) reports for executive management. The reporting structure and the metrics used to create these executive management reports still remain an unexplored or poorly developed area.
The problem as described above can be stated in a single question: what is a reasonable method to produce an ESP report which presents the security posture of an enterprise to executive management and what is the justification for the method selected? To solve this problem we propose a method to combine the business and technical factors on a system-by-system basis in a single report to demonstrate the measure of risk to the enterprise. We think this will provide a platform to deliver a fact based and actionable ESP report.
2 Background
Companies, in their bid to maintain security, have installed security tools such as firewalls, intrusion detection systems (IDS), security policy compliance checkers, Virtual Private Networks (VPN) and a host of other security products. These tools generate large amounts of unmanageable data. To make the data useful it needs to be condensed, correlated and reported so that it presents the enterprise security posture. There are many examples of commercial and in-house enterprise security event management (SEM) systems that produce acceptable reporting for security engineers, systems administrators and middle management. However, these reports do not meet the requirements of a C-level executive report.
Existing SEM solutions produce reports based on security event data. These are detailed reports that categorize events over time and highlight non-compliance, attacks, scans, discovered vulnerabilities and other security events. We researched existing commercial SEM products offering information security reporting; products from ArcSight, NetForensics, e-Security and GuardedNet were reviewed. The raw security data produced by these SEMs is used to produce system and network administration reports. Some reports recommend mitigating actions; others require additional analysis before mitigating actions can be formulated for the identified weaknesses, vulnerabilities and failures. The detailed reports are rolled up at the department or functional level so results can be compared across time periods to evaluate changes in system and network security. While some SEMs do allow a system value to be entered to give more weight to a score, it is a single number with no rationale behind the value selected.
The market for SEM products is an evolving one, and we observed marked improvements in the later versions of the products. The newer versions have a dashboard approach that classifies the collected data into different threat categories, which makes it easier to understand. However, none of the existing solutions on the market provides a concise report that can be presented to an executive. We propose that business risk data is the missing element that must be added to the security risk metrics to generate actionable ESP reports.
In addition to studying SEM products, we read existing commercial and academic research that stresses managing and integrating the business risk an enterprise faces due to its IT systems. Many qualitative approaches to risk analysis have been suggested; however, none of them provides a way to report the findings clearly and concisely to C-level executives.
3 Enterprise Risk
Webster’s dictionary defines risk as the chance of injury, damage, or loss due to a voluntary or involuntary action. Assets could be defined as tangible or intangible items that have a definitive role in the IT infrastructure and the loss or unavailability of any asset could have a negative impact on the functioning or mission of an enterprise. Combining the above definitions we will define IT enterprise risk as the possibility that damage or loss could happen to a business or organization due to compromise of an IT asset.
Our background research revealed that enterprise risk can be divided into two parts, 1) business risk and 2) technical risk, and that these two factors need to be combined to provide a view of the enterprise risk.
3.1 Business risk
We propose a subjective methodology and approach to calculate the business risk factor based on an existing method, Business Impact Analysis. This is an accepted method in the security industry and it is adopted to accelerate the acceptance of this report.
3.1.1 Valuing IT Assets
Determining what an asset is, and calculating what it is worth to the enterprise, is key to determining the business risk a system poses. Not all systems are of the same value to an enterprise: some are critical to the continued operation of the company while others are expendable. Generally, a quantitative approach that values assets in monetary terms is used to categorize assets, i.e. the higher the value, the higher the impact of a compromise of that system on the business. IT systems, however, have both tangible (physical) and intangible (customer information, application, process, etc.) qualities. The quantitative approach can be used to value the tangible part of an asset, but determining a definite value for the intangible part is still an underdeveloped process. Since IT assets have both tangible and intangible value, the true value of an IT system can only be determined if the intangible portion can also be valued. We will propose a method to calculate a relative value representing the intangible portion of an asset.
In accounting, the tangible asset value is determined using the formula:
Book price of the asset - Depreciation = Current value
This sort of valuation is reasonable for tangible assets by accounting standards, but intangible assets cannot be valued using this method. Assigning a monetary value to an asset does not necessarily answer the question of what a system is worth to the organization, nor does it measure the effect of system failure or compromise on the viability and operations of the business.
3.1.2 Qualitative approach
The quantitative methodology attempts to assign an independent, objective numeric value to each asset and each aspect of it, which is time consuming and not cost effective, so we use a qualitative approach to make the valuation cost effective and attainable. The qualitative methodology assigns a relative, subjective value, which makes it easier to take intangible assets into account.
Facilitated Risk Analysis Process (FRAP) [2] and FIPS 199 are both well-accepted qualitative approaches that we will use to formulate the approach suggested above. FRAP proposes an impact-based subjective approach called Business Impact Analysis, while FIPS 199 categorizes information systems based on three security objectives: confidentiality, integrity and availability. Combining these approaches, we will develop a matrix that takes into consideration two aspects: 1) the security objectives and 2) the different impacts that a compromise of each objective will have on the enterprise. The matrix will be used to calculate a subjective impact score for each system. Section 4.1, Business Impact Analysis, describes how we use the matrix to calculate the value of the impact to the enterprise.
3.2 Technical risk
The technical security risk posed by a system needs to be calculated based on the condition of the system and its environment. The system environment includes the people operating the system, and they affect the security of the system. This means that some of the risk data can be computer generated, while the non-computer data points will have to be gathered manually.
To calculate the technical security risk of an enterprise, the necessary inputs must be determined. A published standard is chosen to define these inputs because it reflects the work of many minds and ensures broad consideration of the problem; a published standard is also subject to comment, change and improvement from the many people interested in security. Different companies have different requirements, for which one standard might not be suitable. Hence, to suit different requirements and to incorporate new and emerging standards, the established standard that best fits the industry and enterprise should be selected.
There are multiple standards to choose from. Some are commercial, like International Organization for Standardization (ISO) [3] 13335, 17799 and 17944, and others are government produced, such as the Federal Information Processing Standards (FIPS). The Common Criteria (CC) is another open standard that is freely available and subject to comment and change. There are many more standards, and some are very industry specific (e.g. ISO 17944, Framework for security in financial systems). For the general risk model, ISO 17799 (see British Standard 7799) will be used to define the categories of risk to be considered in the risk model.
The 10 categories of risk from British Standard 7799/ISO 17799 [7] are used to determine which areas are applicable to security risk calculations. Note that the definition of security differs between industries, and its implementation differs between enterprises.
Table 1 Risk Categories ISO 17799 (left: data collected from a SEM; right: data gathered by survey)
Compliance / Organizational Security
Access Control / Personnel Security
Business Continuity Management / Communications and Operations Management
Security Policy / Systems Development and Maintenance
Asset Classification and Control / Physical and Environmental Security
These categories reasonably encompass all technical security areas of an enterprise. Data for the 5 categories in the left column of the table above can be computer generated and collected from a SEM. Data for the 5 categories in the right column is gathered via survey answers from the system administrators. Using a publicly available survey to determine security posture is recommended for the same reasons that open standards are recommended. As with security standards, a survey needs to be chosen that suits the industry and enterprise.
4.1 Business impact analysis
Business impact analysis assigns a value to the impact of a failed security objective. A 'what if' analysis is used to create the matrix of impacts that a compromise would have on the enterprise. Scoring tables for each impact are given, and once these values are in the matrix, the final impact score is calculated.
4.1.1 Compromises
The security objectives are to avoid disclosure or modification of data and to protect systems so that they remain available. A compromise is a failure to fulfill a security objective, while the impacts are the different effects that failure has on the business. Each compromise will have one or more impacts on the enterprise.
4.1.2 Impacts
A compromise can have many different effects. To develop the matrix we consider four basic impacts an enterprise will encounter; an enterprise could add any other impact that affects it, as appropriate.
1) The financial impact measures the monetary loss from the incident. This is the most apparent impact and generally a direct consequence of a compromise. The monetary scale used reflects the size of the enterprise and is adjusted to fit it.
2) Legal impact constitutes the estimated legal expenditure that the enterprise would have to bear in the event of the compromise.
3) Reputation is a fairly important aspect for an enterprise. In a financial enterprise, the clients trust a company primarily based on its reputation. If an enterprise is frequently in the news because of network compromises, its reputation will suffer in the market.
4) The regulatory compliance impact is another crucial category, since the occurrence of a compromise might change the compliance status of the network with respect to a particular regulation. This could trigger an investigation and a possible fine or other penalty.
Reputation and regulatory compliance are intangible and cannot be directly valued, but they can be assigned a relative value.
The following tables are used to assign subjective values to the impacts:
Types of Impacts / Subjective Scales
Financial Impact / Scale based on the monetary business loss of an incident occurring
Legal Impact / Scale based on the monetary expenditure of legal proceedings
Reputation Impact / Scale based on the fall in customer/investor confidence
Regulatory Compliance Impact / Scale based on the liability arising from regulatory non-compliance
These scales are different for each industry and enterprise. A team that is knowledgeable about the relative impact areas should be used to define the loss scales for each impact table. These scales can be modified to fit the industry, enterprise and country where this method is used.
Financial Impact
Financial Loss / Valuation Score
Less than $500K / 1
Between $500K - $1M / 2
Between $1M - $10M / 3
Between $10M - $40M / 4
Over $40M / 5
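The banded scales and the compromise-by-impact matrix described in Section 4.1 are easy to get subtly wrong at the band boundaries (the financial table above places $1M, $10M and $40M in two rows each) and in how the cell scores are rolled up. The following Python is an added illustration, not code from the paper: the financial bands are taken from the table above, while the legal scale (reusing the same monetary bands), the sample system, its 'what if' cell scores and the aggregation rule (worst-case cell, so one catastrophic impact is never averaged away) are assumptions made for the example.

```python
"""Business impact analysis scoring: banded scales and a compromise x impact matrix.

Added example, not the paper's own code. Financial bands come from the paper's
Financial Impact table; the legal bands, sample system and aggregation rule
(max over all cells) are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Compromises are failures of the three FIPS 199 security objectives.
COMPROMISES = ("confidentiality", "integrity", "availability")
# The four basic impacts the paper considers.
IMPACTS = ("financial", "legal", "reputation", "regulatory")
MAX_SCORE = 5


@dataclass(frozen=True)
class BandedScale:
    """Maps a quantity to a valuation score of 1..N using lower-inclusive bands.

    `upper_bounds` are the exclusive upper limits for scores 1..N-1; a value at
    or above the last bound receives score N. Lower-inclusive bands resolve the
    overlap in the paper's table, where $1M appears in both the '2' and '3' rows.
    """
    name: str
    upper_bounds: Tuple[float, ...]

    def __post_init__(self) -> None:
        if any(b <= a for a, b in zip(self.upper_bounds, self.upper_bounds[1:])):
            raise ValueError(f"{self.name}: band bounds must be strictly increasing")

    @property
    def max_score(self) -> int:
        return len(self.upper_bounds) + 1

    def score(self, value: float) -> int:
        """Return the valuation score for a monetary loss (must be >= 0)."""
        if value < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")
        for idx, bound in enumerate(self.upper_bounds, start=1):
            if value < bound:
                return idx
        return self.max_score


# From the paper's table: <$500K=1, $500K-$1M=2, $1M-$10M=3, $10M-$40M=4, >$40M=5
FINANCIAL_SCALE = BandedScale("financial", (500_000, 1_000_000, 10_000_000, 40_000_000))
# Assumption: the legal scale reuses the same monetary bands.
LEGAL_SCALE = BandedScale("legal", (500_000, 1_000_000, 10_000_000, 40_000_000))


def impact_matrix(cell_scores: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    """Build the compromise x impact matrix; unscored cells default to 0 (no impact)."""
    matrix = {c: {i: 0 for i in IMPACTS} for c in COMPROMISES}
    for (compromise, impact), s in cell_scores.items():
        if compromise not in COMPROMISES or impact not in IMPACTS:
            raise KeyError(f"unknown matrix cell {(compromise, impact)!r}")
        if not 1 <= s <= MAX_SCORE:
            raise ValueError(f"score {s} for {(compromise, impact)!r} outside 1..{MAX_SCORE}")
        matrix[compromise][impact] = s
    return matrix


def per_compromise_scores(matrix: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Worst impact for each failed security objective."""
    return {c: max(row.values()) for c, row in matrix.items()}


def final_impact_score(matrix: Dict[str, Dict[str, int]]) -> int:
    """Assumed aggregation: the single worst cell in the matrix."""
    return max(per_compromise_scores(matrix).values())


def score_sample_system() -> Tuple[Dict[str, Dict[str, int]], int]:
    """Constructed 'what if' analysis for a hypothetical customer-records system."""
    cells = {
        # Disclosure of customer records: moderate direct loss, heavy regulatory exposure.
        ("confidentiality", "financial"): FINANCIAL_SCALE.score(2_500_000),   # 3
        ("confidentiality", "legal"): LEGAL_SCALE.score(600_000),             # 2
        ("confidentiality", "reputation"): 4,   # relative value set by the review team
        ("confidentiality", "regulatory"): 5,   # relative value set by the review team
        # Silent modification of records: small loss, but regulatory consequences.
        ("integrity", "financial"): FINANCIAL_SCALE.score(400_000),           # 1
        ("integrity", "regulatory"): 3,
        # Outage: revenue loss is the dominant effect.
        ("availability", "financial"): FINANCIAL_SCALE.score(12_000_000),     # 4
        ("availability", "reputation"): 2,
    }
    matrix = impact_matrix(cells)
    return matrix, final_impact_score(matrix)


if __name__ == "__main__":
    m, final = score_sample_system()
    for compromise, row in m.items():
        print(f"{compromise:16s}", row)
    print("per-compromise:", per_compromise_scores(m), "final:", final)
```

Choosing lower-inclusive bands is a policy decision that the review team defining the scales should record alongside the table; the point of encoding it is that every system is then scored the same way, rather than each analyst resolving the boundary rows differently.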
Legal Impact