Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics

Abstract: The goal of this work is to introduce meaningful security metrics that motivate effective improvements in network security. We present a methodology for deriving security metrics directly from realistic mathematical models of adversary behavior and of the systems they attack, together with a maturity model that guides the adoption and use of these metrics. Four security metrics are described that assess the risk from prevalent network threats. They can be computed automatically and continuously on a network to assess the effectiveness of controls. Each metric directly assesses the effect of the controls that mitigate a class of vulnerabilities, continuously estimates the risk from one adversary, and provides direct insight into which changes must be made to improve security. For each metric, an explicit maturity model guides security practitioners through three stages: (1) developing foundational understanding, tools and procedures; (2) making accurate and timely measurements that cover all relevant network components and specifying the security conditions to test; and (3) performing continuous risk assessment and network improvement. The metrics are designed to address specific threats, to remain practical and simple, and to motivate risk reduction. These initial four metrics, and the additional ones we are developing, should be added to a network incrementally so that overall security improves gradually as scores drop to acceptable levels and the risks from the associated cyber threats are mitigated.
