Motivation and Research Objective
The primary objective of this research study is to create a patch management model that has generic applicability to computer systems that are connected over the Internet. The secondary objectives are to establish meaningful metrics to measure the system patch and its performance, and to study system behavior with varying parameters.
We present the stochastic model that was developed and based on the Continuous Time Markov Chain (CTMC) Model. The proposed model is validated using the Symbolic Hierarchical Automated Reliability and Performance Evaluator (SHARPE) tool. This proven and stable tool is primarily used to specify and analyze the performance, reliability and performability models (Sahner, Trivedi, & Puliafito, 1996). We also illustrate the sensitivity analyses that we performed to study the dynamic behavior of the proposed model with varying parameter values.
Background
Most security vulnerabilities are caused by software flaws, and software vendors are in a race to develop patches against vulnerability. According to McAfee’s report (2012), 438 information technology (IT) professionals worldwide have indicated that the largest risk management challenges are discovering threats and vulnerabilities in their information systems, and one-third of their organizations keep increasing their risk and compliance expenditures. Though the number of reported vulnerabilities has been under a descending trend after a peak in 2008, secure and mission-critical companies and organizations still faced approximately ten newly discovered vulnerabilities per day in 2011 (McAfee report, 2012; NIST-NVD, 2013).
A security patch is a program for fixing bugs in information systems. Currently, patching is a major remediation process for controlling security risks. Understanding patch management as a continuous vulnerability management process to maintain system reliability is critical. A vulnerability caused by insecure software has a life cycle, which includes the introduction, discovery, private exploitation, disclosure, public exploitation, patch release, patch testing, and patch deployment phases (Okhravi & Nicol, 2008). Among the given eight phases, some studies focus on the time gap between a software vendor's patch release and a firm's patch deployment. Because of the burden of operational risks and managerial costs of patching (Shostack, 2003), asynchronous patch updating is common (Cavusoglu, Cavusoglu, & Zhang, 2004). Many systems have been left unpatched for months and even years (Shostack, 2003). More recently, periodic patching became a common trend (Cavusoglu, Cavusoglu, & Zhang, 2008). Nearly half of the midsized companies applied patches monthly, and one-third did it on a weekly basis (McAfee report, 2012).
Patch management became a strategic decision to balance security risks and operational costs. However, there is a lack of quantitative security models to find the optimal equilibrium or managerial implications. Studies have shown that a more quantitative approach to the security attributes that satisfy quality-of-service (QoS) requirements, such as reliability, availability, and performance, is needed (Madan, Goševa-Popstojanova, Vaidyanathan, & Trivedi, 2004).
In the following discussion, we develop and present a formal framework for modeling the states of the patch management process and develop metrics that, to our knowledge, are novelties in this area. Similar works along the same vein are on vulnerability discovery modeling (Alhazmi & Malaiya, 2005), on patch management evaluation (Okhravi & Nicol, 2008), on the impact of vulnerability disclosure and patch availability (Arora, et al., 2004), on stochastic activity networks (Sanders & Meyer, 2002), and on patch management practices (Gerace & Cavusoglu, 2005; Gerace & Cavusoglu, 2009; Chan, 2004).