Reliable Security Current State, Challenges, Desired State
-
Upload
kirk-walsh -
Category
Documents
-
view
34 -
download
0
description
Transcript of Reliable Security Current State, Challenges, Desired State
Reliable Security Current State, Challenges, Desired State
S. Rao VasireddyBell Laboratories, Alcatel-LucentTel: [email protected]
2 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
Quality of Service
Quality of Service: Availability 99.95%; Packet Loss 10
-8
“You cannot improve what you cannot measure”
– Lord Kelvin
Quality of Security ?
3 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
What is Quality of Security?
Quality of security requires establishment of a set of metrics that can be:
– Consistently measured and tracked
– Engineered to achieve comprehensive network security
Example metric: Encryption protocol strength
– Measured by Time to Break Encryption (TBE) = 10N years
Security metrics should be enablers to measure and engineer security, similar to the role played by performance and reliability metrics.
Key Length
1997 2005 Number of Key Combinations
40-bit DES 4 Hrs Seconds ~ 1012
56-bit DES 140 days ~ Hrs ~ 1015
128-bit 3DES
NA ~1021 years ~ 1024
4 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
Characteristics of Metrics
Specific, Measurable, Attainable, Repeatable, Time-dependent (SMART)
Measurable attributes that can be objective or subjective
Provide evidence of effectiveness for security engineering (e.g. 99% of traffic has communications security)
Network security is implemented by several measures. Example techniques:
Encrypt traffic with Integrity checks
Authenticate transactions and processes
Log & analyze security events
Ensure that traffic from “Source A” reaches intended “Destination X”
Harden ports, Interfaces and Operating Systems
Prevent/filter unwarranted traffic
Adhere to security policy and operations/management procedures
Security metrics should represent the technology, process and operational measures required to achieve comprehensive security
5 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
Current State of Quality of Security
Technology, standards and measurement techniques are still evolving
– Lack comprehensive measurement and tracking for the emerging engineering discipline
Qualitative measures:
– An estimate of the state of security
– Example: 95%+ success rate for zero-day virus prevention. Not an accurate measure of availability
Need additional measures such as:
– P% of transactions authenticated
– Q% of the events logged & analyzed
– R% guarantee that traffic from “Source A” reaches “Destination X”
– 100% of the procedure that are relevant to network operations and security policy are followed
Assess
Implement
Plan
&
Desig
n
Man
age
Security Life-cycleCurrent focusGap
Mainly driven by security compliance audits, penetration tests etc.
– Compliance to policy, regulatory and legal requirements
– Reactive as opposed to proactive measures
6 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
Challenges
A security metric is not independent by itself
– Dependencies exist on other metrics and operational procedures
– A fix that will result in improved quality for one metric may positively or
negatively impact other
Quality of security requires process as well as technology based metrics. Technology based Metrics need to be embedded in the process metrics as a stop gap measure to compensate for the lack of measuring tools.
Threat N
Metric1
Metric 3
Threat 1
Vulnerability N
Technology (or)Process based Fix
Targeted ImprovementVulnerability 1
NetworkMetric 2
Metric1
Metric 3
•Result
Metric 2
7 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
A Foundation for Quality of Security
Security Frameworks, Process/ certification guidelines: – Define Metrics, Architecture– Help build the security Genome for networks – Example: ITU-T X.805, ISO/IEC 27001, NIST
NETWORK Technology Specific Standards: – Define/Specify new technologies, protocols and operations/management techniques– IETF, IEEE, ISO/IEC, ITU, 3GPP, 3GPP2, ANSI, ETSI
End User Security
Control/Signaling Security
Management SecuritySecurity DimensionsSecurity
Planes
Ac
cess
Co
ntr
ol
Infrastructure SecurityInfrastructure Security
Applications SecurityApplications Security
Services SecurityServices Security
End User Security
Control/Signaling Security
Management Security
Dat
a C
on
fid
enti
alit
y
Ava
ilab
ility
Pri
vac
y
Au
the
nti
cati
on
No
n-r
ep
ud
iati
on
Security Layers
Destruction
Disclosure
Corruption
Removal
Interruption
Destruction
Disclosure
Corruption
Removal
Interruption
ATTACKSATTACKS
THREATSTHREATS
VULNERABILITIESVULNERABILITIES
Dat
a In
teg
rity
Dat
a In
teg
rity
Co
mm
un
icat
ion
Sec
uri
ty
Pri
vac
y
Ava
ilab
ility
Dat
a C
on
fid
enti
alit
y
No
n-r
epu
dia
tio
n
Ac
cess
Co
ntr
ol
Au
then
tica
tio
n
ITU-T X.805 together with other security standards provides a framework to establish metrics for security.
8 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####
A standards Based Approach for Evaluating Quality of Security
End User Security
Control/Signaling Security
Management SecuritySecurity DimensionsSecurity
Planes
Ac
ce
ss
Co
ntr
ol
Infrastructure SecurityInfrastructure Security
Applications SecurityApplications Security
Services SecurityServices Security
End User Security
Control/Signaling Security
Management Security
Da
ta C
on
fid
en
tia
lity
Ava
ila
bil
ity
Pri
vac
y
Au
the
nti
ca
tio
n
No
n-r
ep
ud
iati
on
Security Layers
Destruction
Disclosure
Corruption
Removal
Interruption
Destruction
Disclosure
Corruption
Removal
Interruption
ATTACKSATTACKS
THREATSTHREATS
VULNERABILITIESVULNERABILITIES
Da
ta I
nte
gri
tyD
ata
In
teg
rity
Co
mm
un
icat
ion
Se
cu
rity
Pri
vac
y
Av
ail
ab
ility
Da
ta C
on
fid
enti
alit
y
No
n-r
ep
ud
iati
on
Ac
ce
ss
Co
ntr
ol
Au
the
nti
ca
tio
n
ITU-T X.805
•+NIST, NRIC etc
Security Frameworks, Verification tools Standards, BPs Metrics
% Compliance
Access ControlAuthenticationNon-RepudiationData ConfidentialityCommunication SecurityData IntegrityAvailabilityPrivacyProcess, policy compliance
Status
Summary
– A systematic measure, akin to broadly accepted ways to measuring performance and reliability, is needed for quality of security
– A combination of technical, process and operational methods are needed to implement quality of security to cover all phases of security life-cycle
– Industry standards and best practices provide a foundation for evaluating quality of security