This chapter describes a methodology for assessing the effectiveness of a security infrastructure using formal mathematical models. The goals of this methodology are to determine how independent security events affect security operations and how those effects are related; to determine the relatedness of effects on security operations across security event categories; to identify opportunities for increased efficiency in the security infrastructure that yield time savings in security operations; and to identify combinations of security events that compromise the security infrastructure. We focus on evaluating and describing a novel security assurance measure that governments and corporations can use to evaluate the strength and readiness of their security infrastructure. An additional use is as a before-and-after measure in a security services engagement to quantify infrastructure improvement, which can serve as a basis for continuous security assurance.
This chapter presents a novel security assurance methodology organizations can use to quantify their global security posture across the enterprise. The information security industry is addressing many challenges; specifically, how to collect data, often from heterogeneous, non-automated and non-standard sources, and how to properly analyze and act on the data. Before the autocorrelation methodology is described, relevant terms are defined to facilitate discussion.
Security assurance has several variations and definitions in the literature but generally refers to the ability of an organization to protect information and system resources with respect to vulnerability, confidentiality, integrity, and authentication. Security assurance is one broad category of security intelligence that security practitioners and managers are keenly interested in measuring and quantifying. A vulnerability is a weakness in the security system that might be exploited to cause loss or harm, and an attack occurs when a person or another system exploits a vulnerability (Pfleeger & Pfleeger, 2006). This chapter presents an autocorrelation methodology to evaluate security assurance processes, technologies, applications, and practices through a novel security metric. Security metrics are tools that support decision making (NIST, SP800-100, 2006).
The ability to extract actionable information automatically through security metrics is crucial to the success of any security infrastructure. Information security metrics in general should be defined, developed, analyzed, maintained, and reported within a broader information security program with a stated mission and clear and concise goals. Within such a framework, security metrics can be linked back to specific program goals which can be leveraged for managerial decision making.
Data drives intelligence across all industries, and data is generated from events. Events happen all around us as messages that flow across networks in support of commercial, government, and military operations. Event driven is defined as follows:
Event driven means simply that whatever tools and applications are used to automate business and enterprise management processes, those tools and applications rely on receiving events to monitor the progress of a process and issuing events to initiate its next stages. This is becoming universal for all business processing. (Luckham, 2002, p. 29)
Processing security information is no exception, as information security has become an essential business function (NIST, SP800-80, 2006). Within the context of security, the SANS Institute defines an event as “an observable occurrence in a system or network” (see glossary at: http://www.sans.org/resources/glossary.php). It follows that a security event is a single “observable occurrence in a system or network”, or a collection of such occurrences, that violates the security policy of an organization. Two related concepts are event aggregation and security event management. Event aggregation is defined by Luckham (2002, p. 17) as “recognizing or detecting a significant group of lower-level events from among all the enterprise event traffic, and creating a single event that summarizes in its data their significance”. Security event management software is “software that imports security event information from multiple data sources, normalizes the data, and correlates events among the data sources” (NIST, 2006, C-3).
For our purposes, we define a security incident as a specific type of security event: one that has been identified and classified by the organization as of sufficient priority to require the response of security personnel, and whose time to resolve will be measured and tracked. The terms security event and incident are often used interchangeably; the distinction becomes important in the Metrics Development and Implementation Approach section, which describes how to develop and implement the metric used in the autocorrelation methodology within a security event management framework.
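The following is an added example, not code from the chapter, that makes the definitions above concrete: lower-level events are aggregated in Luckham's sense into single summary security events, and those the organization's policy classifies as incidents get a tracked time to resolve. The sample events, the aggregation thresholds and the set of incident types are constructed assumptions standing in for an organization's own policy.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of lower-level events: (timestamp, source host, event type, detail).
RAW_EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "auth_failure", "alice"),
    ("2024-01-01T10:00:07", "10.0.0.5", "auth_failure", "alice"),
    ("2024-01-01T10:00:15", "10.0.0.5", "auth_failure", "root"),
    ("2024-01-01T10:00:21", "10.0.0.5", "auth_failure", "admin"),
    ("2024-01-01T10:00:30", "10.0.0.5", "auth_failure", "alice"),
    ("2024-01-01T10:02:00", "10.0.0.7", "auth_failure", "bob"),
    ("2024-01-01T10:02:05", "10.0.0.7", "auth_failure", "bob"),
    ("2024-01-01T10:05:00", "10.0.0.9", "port_scan", "tcp/22"),
    ("2024-01-01T10:05:01", "10.0.0.9", "port_scan", "tcp/80"),
    ("2024-01-01T10:05:02", "10.0.0.9", "port_scan", "tcp/443"),
]

# Hypothetical organizational policy (an assumption, not from the chapter): how many
# lower-level events of one type from one source form a significant group, i.e. a
# security event, and which event types are of sufficient priority to be incidents.
AGGREGATION_THRESHOLD = {"auth_failure": 5, "port_scan": 20}
INCIDENT_TYPES = {"auth_failure"}

def aggregate(raw_events, threshold=AGGREGATION_THRESHOLD, incident_types=INCIDENT_TYPES):
    """Detect significant groups of lower-level events and emit one summary security
    event per group; flag those that the policy classifies as incidents."""
    groups = defaultdict(list)
    for ts, source, etype, detail in raw_events:
        groups[(source, etype)].append((ts, detail))
    summaries = []
    for (source, etype), items in sorted(groups.items()):
        if len(items) < threshold.get(etype, 1):
            continue  # not a significant group under this policy; stays a plain event
        items.sort()
        summaries.append({
            "source": source, "type": etype, "count": len(items),
            "first_seen": items[0][0], "last_seen": items[-1][0],
            "targets": sorted({d for _, d in items}),
            "is_incident": etype in incident_types, "resolved_at": None,
        })
    return summaries

def resolve(incident, resolved_at):
    """Record the resolution time and return time to resolve in minutes from first_seen."""
    if not incident["is_incident"]:
        raise ValueError("time to resolve is tracked only for incidents")
    incident["resolved_at"] = resolved_at
    delta = datetime.fromisoformat(resolved_at) - datetime.fromisoformat(incident["first_seen"])
    return delta.total_seconds() / 60
```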