
Shaping Info Security - 2006 - RedSeal Systems Inc. - Team

Steve Garritano, Fiid Williams, Wayne Feick, Alan Caudill, Beena Agarwal, Olivier Devaux, Francis Tran, Joshua Keich, Steve Saunders, Jerry Ford, Alan Chuey, Ralph Brenner, Yang Li, Jennifer Durham, Ling Wang, Dan Faershtein, Andy Tran, Charles Gillet - Developing an application for visualizing and measuring network security risk

Despite the multitude of security products in use today, enterprises are unable to quantify the effectiveness of their network security as a whole. The reasons for this may not be immediately obvious because the challenge is threefold:

  • Organizational: Security is a multi-dimensional concern with networking and security operations groups sharing the charter. Cross-organizational coordination is desirable but often not pragmatic.

  • Technological: Today’s networks are a complex mesh of best-of-breed technologies and point solutions, each with its own function and management interface. Administrators lack an end-to-end view of their security posture.

  • Financial: Many IT departments lack the resources to configure and manage all of the networking and security technologies in use. Misconfiguration of devices and security policies is quite common, so some amount of automated integrity and compliance checking is needed.

This inherent complexity makes it difficult to manage the security and networking infrastructure as a whole and harder still to measure the effectiveness of the security posture. CIOs, CSOs, and information technology professionals want answers to fundamental questions about their networks:

  • “How secure am I?”

  • “Are my investments improving my security?”

  • “Where is the best place to remediate for the highest positive risk impact?”

  • “Am I vulnerable to this new attack, and where should I patch first?”

  • “My vulnerability scanners have identified several thousand vulnerabilities on my network; which ones need immediate attention because they are exploitable?”

Technologies that have attempted to create this holistic network view in the past have not been pragmatically deployable because they required customers to deploy vulnerability assessment (VA) scanners broadly in every part of their network. This prerequisite has proven too costly to implement, so holistic network risk management has been confined to those enterprises that have already invested in pervasive vulnerability scanning.

Technology
Steve Garritano

In order to address the challenge of holistic network security risk management in a way that can benefit any organization regardless of installed technology, RedSeal Systems Engineering set out to build an application that can visualize and measure risk with or without vulnerability assessment scanners in place. The result is the RedSeal Security Risk Manager (SRM) 3000, which includes a unique set of analytics algorithms that comprise Adaptive Risk Analysis (ARA™), a body of mathematics, security and development work for which several patents have been filed.

The SRM 3000 is a system to visualize, measure and proactively mitigate security risk for unified and measurable insight into network security and its effectiveness.  With RedSeal's SRM 3000, IT professionals are able to measure security and business risk, pinpoint threats and exposures and gain actionable information to improve the day-to-day security posture of the network, reduce workload and report on compliance. 

RedSeal’s SRM 3000 is the only security management product to illustrate risk exposure and prioritize remediation using Adaptive Risk Analysis (ARA).  This breakthrough technology generates initial actionable results even with a subset of router and firewall data, and then provides an easy-to-use path for adding more information on the as-built security posture of the environment. The additional information can include application flow data, patch history, and vulnerability scans.  RedSeal gives enterprises of any size a never before seen view of their infrastructure – a visualization of risk exposure and concise guidance on where and when to remediate. 

RedSeal has taken an open, vendor-agnostic approach to SRM, allowing it to be easily adapted to almost any customer environment regardless of installed technology.  It provides organizations of all sizes with a practical, easy to implement way of quantifying network security.  RedSeal’s SRM 3000 analyzes and models complex networks and hosts to give actionable information for mitigating exposure of high-valued business assets, in most cases within minutes.  Additionally, it tracks the security posture of the network over time, providing a thorough audit trail of security performance. 

At the system’s core is the Adaptive Risk Analysis (ARA) engine that models and analyzes the configurations of complex networks and hosts, clearly identifying risk “hot spots.”  Displaying the ARA engine’s modeling and analysis is RedSeal’s unique RiskMap™ visual layout, designed with functional roles in mind, allowing users to quickly locate their network areas and key business assets that are the targets of threats and get precise guidance on the best places to eliminate exposure. The risk metrics and remediation information from RedSeal can be used daily to maintain security at optimal levels, while the system’s reporting and auditing capabilities allow for tracking security efficiency thereby helping guide compliance efforts and future technology investment.

Key features and capabilities of RedSeal’s SRM include:

  • Risk quantification – measures the network’s risk posture based on calculation of the exposure and value of business assets. RedSeal’s unique approach employs Adaptive Risk Analysis, a method by which the granularity of the output adjusts based on the amount of input to the system.

  • Proactive mitigation – compiles prioritized listing of vulnerabilities and misconfigurations to indicate where to remediate first to gain the greatest reduction in risk.

  • Threat analysis – displays graphically, one breach at a time, the multi-step path an exploit may take in penetrating critical business resources.  The threat map is based on the traffic analysis, any host patch & vulnerability data, and RedSeal’s own knowledge base of vulnerabilities and impacts.

  • Network configuration checking – verifies that the configuration details on devices such as routers and firewalls do not have unintended consequences, such as inadvertently allowing too much access, along with highlighting best practices.

  • Traffic flow analysis – computes the real-world permitted traffic which can be compared to security policy requirements to quickly identify and pinpoint important infrastructure discrepancies that affect security and availability of key services.

  • Actionable trending and reporting – summarizes the network’s security posture over days, weeks, or months. Trending data is grouped to highlight vulnerabilities, changes in risk, and the security posture of important devices and groups (e.g., SOX servers).
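Two of the capabilities listed above, traffic flow analysis (computing the traffic a rule set actually permits and comparing it with the intended policy) and network configuration checking, can be worked through on a small rule set. The script below is an added example, not RedSeal's own code or rule format: it assumes a first-match rule list with an implicit final deny, and the rules, subnets, addresses and policy entries are all constructed for the illustration.

```python
"""Permitted-traffic computation from filtering-device rules, compared with the
access policy the operator intends, plus two configuration checks.
Added illustration, not RedSeal's code; rule format and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    dport: str    # destination port number or "any"


def _in_net(addr, cidr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def _matches(rule, proto, src, dst, dport):
    return (rule.proto in ("any", proto)
            and _in_net(src, rule.src)
            and _in_net(dst, rule.dst)
            and rule.dport in ("any", str(dport)))


def is_permitted(rules, proto, src, dst, dport):
    """First-match evaluation with an implicit deny at the end of the list,
    the semantics of Cisco-style ACLs and most firewall rule bases."""
    for rule in rules:
        if _matches(rule, proto, src, dst, dport):
            return rule.action == "permit"
    return False


def check_policy(rules, policy):
    """Traffic flow analysis: compare what the rules permit with what the
    policy intends. Policy entries are (proto, src, dst, dport, allowed?)."""
    findings = []
    for proto, src, dst, dport, expected in policy:
        actual = is_permitted(rules, proto, src, dst, dport)
        if actual != expected:
            findings.append({"flow": (proto, src, dst, dport),
                             "issue": "exposed" if actual else "blocked"})
    return findings


def _covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    def net_covers(x, y):
        return x == "any" or (y != "any" and ip_network(y).subnet_of(ip_network(x)))
    return (a.proto in ("any", b.proto)
            and net_covers(a.src, b.src)
            and net_covers(a.dst, b.dst)
            and a.dport in ("any", b.dport))


def config_checks(rules):
    """Two network configuration checks: rules shadowed by an earlier rule
    (never reachable, so the access they grant or block is not in effect) and
    permit rules with any source, any destination and any port."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], rule):
                findings.append(("shadowed", i, j))
                break
        if rule.action == "permit" and (rule.src, rule.dst, rule.dport) == ("any", "any", "any"):
            findings.append(("permit-any", i, None))
    return findings


# Constructed rule set for an edge firewall between the Internet, a DMZ
# (10.1.0.0/24) and an internal segment (10.2.0.0/24).
RULES = [
    Rule("permit", "tcp", "any",         "10.1.0.0/24", "443"),   # Internet -> DMZ web
    Rule("deny",   "any", "any",         "10.2.0.0/24", "any"),   # nothing into internal
    Rule("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", "1433"),  # DMZ web -> DB (intended)
    Rule("permit", "any", "any",         "any",         "any"),   # leftover catch-all
]

# Constructed intended policy: (proto, src, dst, dport, allowed?)
POLICY = [
    ("tcp", "198.51.100.7", "10.1.0.10", 443,  True),   # web reachable from the Internet
    ("tcp", "10.1.0.10",    "10.2.0.20", 1433, True),   # web tier may talk to the DB
    ("tcp", "198.51.100.7", "10.1.0.10", 22,   False),  # no SSH from the Internet
]

if __name__ == "__main__":
    for f in check_policy(RULES, POLICY):
        print("policy discrepancy:", f)
    for f in config_checks(RULES):
        print("configuration check failed:", f)
```

Rule 3 is meant to let the DMZ web tier reach the database, but rule 2 already denies all traffic to 10.2.0.0/24, so rule 3 is shadowed and the intended access is silently blocked; the trailing catch-all permit exposes SSH on the DMZ host. Both are the kind of unintended consequence the configuration checks and flow comparison above are meant to surface.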

The SRM 3000 system is the culmination of exhaustive customer requirements gathering in the form of hundreds of customer interviews and rigorous development work which occurred over the past eighteen months. Specifically, ARA and RiskMap constitute industry firsts in the use of risk quantification analytics and the application of TreeMap technology respectively (see: TreeMap history, http://www.cs.umd.edu/hcil/treemap-history/). Several patents have been filed for these two key functions of the product. Most importantly, our customer advisors have resoundingly validated the product’s unique feature set and value, speaking publicly on numerous occasions as to its benefits and potential.

The sections below give more detail on how SRM works as well as its specific inputs and outputs.

What is Security Risk Management?

Security risk management is technology that creates a visualization of risk exposure by analyzing the interactions between security devices and servers in a network. This functionality makes it possible to measure and quickly respond to security risks. An effective risk management system should:

  • Provide information that can be used proactively, to prevent attacks.

  • Present an end-to-end understanding of an enterprise’s security situation, involving networks, endpoints, and applications.

  • Pinpoint which parts of the network are most at risk.

  • Create useful security metrics.


A comprehensive risk management system should create a security map of the network. To populate this map, input is taken from various sources, such as router and firewall configuration files, vulnerability scans,  and application flow monitors (such as NetFlow), among others. This information is used to analyze how a particular threat might gain entry and which machines might potentially be exploited to spread the threat. Risk exposure is presented in the form of a threat map and a risk map. The risk management solution must also have asset classification capabilities so that information about the relative business value of certain applications and servers can be input to the system. Asset classification capabilities are required so that the risk management system can determine which threats need to be addressed first and then provide a list of possible remediation actions.

Although security risk management products emerged in a nascent form a couple of years ago, the first products in the category required frequent and pervasive network scanning. Thus the proposition of investing in security risk management was often deemed costly and complex.

What is Adaptive Risk Analysis (ARA)?

The adaptive risk computational method is a practical approach to performing risk analysis and quantification. This method requires a minimum data set of files containing firewall rules. The adaptive risk approach enables companies to install and implement a risk management solution extremely quickly, usually within minutes. At any point after initial deployment, network information can be added incrementally from other data sources, such as vulnerability scans and application discovery tools, to increase the confidence of risk calculations.

Working with a minimal data set, adaptive risk analysis (ARA) creates a model or map of the network. The network map can, for example, reveal points on the network where access to a server is inadvertently blocked. Model data is further analyzed in conjunction with data about the latest security vulnerabilities and exposures, such as those tracked by the National Vulnerability Database (NVD). This threat analysis results in a series of threat maps and a risk map that graphically depict the network’s vulnerable areas.

With minimal infrastructure requirements, enterprises can get started quickly with security and therefore business risk management. The ARA approach can, additionally, incorporate information from many other data sources. The next section of this paper details many of the data sources that can be used. 

Risk Calculation Input: Data Sources and Data Points

With ARA, the computation of security risk is based on inputs, or data sources. The availability of data sources varies, by the enterprise environment and access to information. An effective risk management system should support any and all data sources that can supply relevant information; that is, the solution should be based on an open and extensible architecture. The following data sources include some of the most common:

  • Network device configuration information: files containing firewall and router access control lists (ACLs). From this information, a network map is created that depicts subnets and shows how they are connected.

  • Customer-supplied application information: user-supplied information, ideally entered through interactive wizards, identifying specific applications and non-standard ports in the network. This information expedites risk calculations, since it allows threats that do not apply to the current network to be filtered out. Similarly, it captures patch management policies so that threats which precede the latest patch are not considered present on the network.

  • Customer-supplied business values: lets users assign values to infrastructure assets and applications (quickly and easily, since there are many servers on large, complex networks). The higher the business value of an asset, the higher the business risk associated with it when it is found to have a high likelihood of exposure.

  • NetFlow information: Cisco Systems invented NetFlow®, a technology for recording network performance data that is used for network monitoring and gathering traffic statistics. NetFlow data can be used as an input to a security risk management system to establish the presence of hosts and of layer-4 ports with a listening application.

  • Vulnerability assessment data: gathered from vulnerability assessment scanners, which may be deployed throughout the network or only on critical segments. The data set includes information about which applications and patch levels are present on servers.

From one or more of these data sources, information is extracted about a number of data points. Data points include such network topology elements as hosts, operating systems, layer-4 ports, and application types. Information about a particular data point might come from multiple data sources. For example, information about an application type can come from customer-supplied inventory, network data collection, and vulnerability assessment.

Adaptive risk calculations use information about these data points, along with information about security threats gleaned from public vulnerability sources such as the NVD and from RedSeal’s own research. The resulting risk analysis produces a risk score for hosts and subnets as well as analyses of traffic flow and threat propagation.

Risk Calculation Output: Risk Scores

A risk score is a measurement of the business value of an IT infrastructure asset multiplied by the likelihood of a compromise. The more valuable and more vulnerable an infrastructure asset is, the higher the risk and therefore, the higher the risk score. The risk scores of various elements cast a spotlight on areas where changes should be made to mitigate the most risk. Risk scores are calculated for each vulnerability, host, and subnet that can be compromised via a direct exploit or a leapfrog attack.

If the risk score is derived from only a couple of data sources, then confidence is lower than if it had been derived from several. To take into account the level of confidence in a risk score, the SRM system should provide a confidence factor, which is based on the data sources and data points used in the calculations. The confidence factor shows where additional security investments would most improve confidence in risk calculations.

Risk Calculation Output: Threat and Risk Analysis and Remediation

Threat and risk analysis graphically displays, in the form of a threat map and a risk map, the network hot spots and the possible attack paths, if any, from an untrusted network to vulnerable subnets or servers. Because risk calculations also take the confidence factor into account, the SRM system shows, for each subnet and server, how many of the vulnerabilities are inferred and how many are confirmed.

An effective SRM system should provide features that enable drilling down to details about each vulnerability, the associated protocols and port numbers, the IP addresses that might be exposed, and the remediation options available. Because it is often the case that numerous vulnerabilities may be found, the SRM system also needs to provide some means of prioritizing remediation efforts.

In this context, risk maps and downstream risk scores offer a great benefit.

The downstream risk score for a network element provides an answer to the following question:

Which areas of my network should I worry about first?

The downstream risk is calculated by rolling up the risk score for a particular host and all the downstream hosts that could be reached via a leapfrog attack from that original host. This score helps you set priorities. 
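The risk score (business value multiplied by likelihood of compromise), the confidence factor and the downstream risk described in this and the previous section can be worked through on a toy network model. The following is an added example, not RedSeal's ARA algorithm: the hosts, business values, compromise likelihoods, data-source sets and leapfrog edges are constructed, and the confidence factor is taken to be the fraction of the configured data sources that reported on a host, an assumption made for the illustration.

```python
"""Risk scores, confidence factors, leapfrog attack paths and downstream risk
on a small constructed network model. Added illustration, not RedSeal's code;
every value, likelihood, data-source set and edge below is made up."""
from collections import deque

# Data sources the (hypothetical) deployment is configured with.
ALL_SOURCES = {"firewall-config", "netflow", "vuln-scan", "app-inventory"}

# Constructed hosts. "value" is the user-assigned business value, "likelihood"
# the estimated probability of compromise given that an attacker can reach a
# vulnerable listening service, "sources" the data sources with evidence on it.
HOSTS = {
    "web": {"value": 5,  "likelihood": 0.8, "sources": {"firewall-config", "vuln-scan"}},
    "hr":  {"value": 8,  "likelihood": 0.2, "sources": {"firewall-config"}},
    "app": {"value": 7,  "likelihood": 0.5, "sources": {"firewall-config"}},
    "db":  {"value": 10, "likelihood": 0.6, "sources": {"firewall-config", "netflow", "vuln-scan"}},
}

# Leapfrog graph: REACH[a] lists the hosts an attacker who controls `a` can
# exploit next (access permitted by the filtering devices and a vulnerable
# listening service on the target). "internet" is the untrusted attack source.
REACH = {
    "internet": ["web", "hr"],
    "web": ["app"],
    "hr": ["app"],
    "app": ["db"],
    "db": [],
}


def risk_score(host):
    """Business value multiplied by likelihood of compromise."""
    h = HOSTS[host]
    return h["value"] * h["likelihood"]


def confidence(host):
    """Assumed confidence factor: share of configured sources that reported on the host."""
    return len(HOSTS[host]["sources"]) / len(ALL_SOURCES)


def vuln_status(host):
    """A vulnerability is confirmed once a scanner has seen it, otherwise inferred."""
    return "confirmed" if "vuln-scan" in HOSTS[host]["sources"] else "inferred"


def reachable(start):
    """Hosts an attacker can leapfrog to from `start` (breadth-first, excluding start)."""
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in REACH.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def downstream_risk(host):
    """Risk of the host rolled up with every host it can leapfrog to."""
    return risk_score(host) + sum(risk_score(h) for h in reachable(host) if h in HOSTS)


def attack_paths(source, target, min_confidence=0.0):
    """All simple multi-step paths from `source` to `target`, traversing only
    hosts whose confidence factor meets the threshold (the threat-map slider)."""
    paths = []

    def walk(cur, path):
        for nxt in REACH.get(cur, []):
            if nxt in path or confidence(nxt) < min_confidence:
                continue
            if nxt == target:
                paths.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    walk(source, [source])
    return paths


def remediation_priority():
    """Hosts ordered by downstream risk: fix the top entry first."""
    return sorted(HOSTS, key=downstream_risk, reverse=True)


if __name__ == "__main__":
    for h in remediation_priority():
        print(f"{h:4} risk={risk_score(h):5.2f} downstream={downstream_risk(h):5.2f} "
              f"confidence={confidence(h):.2f} vuln={vuln_status(h)}")
    print("paths internet->db, any confidence:  ", attack_paths("internet", "db"))
    print("paths internet->db, confidence>=0.5:", attack_paths("internet", "db", 0.5))
```

The host hr has the lowest direct risk score (1.6) but ranks second for remediation, because an attacker who takes it can leapfrog to app and then to the database. Raising the confidence threshold to 0.5 removes every Internet-to-db path, since app is known only from firewall configuration; that disappearance is the signal, discussed under Threat Analysis Views and Data Coverage below, that more data sources are needed before those paths can be confirmed.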

How RedSeal's SRM Applies Adaptive Risk Analysis

RedSeal’s Security Risk Manager™ (SRM) incorporates adaptive risk calculations to provide answers to the following questions:

  • What is my overall enterprise risk? Is it trending up or down?

  • What areas most urgently require remediation?

  • Where should I make my next security technology investment?

Based on an open framework, RedSeal’s SRM is designed for heterogeneous networks, working with the security products a company already has in place, regardless of vendor or technology type.

The extensibility of SRM’s open architecture makes it possible to support numerous data sources beyond those listed earlier in this paper, which are provided out-of-the-box.

The sections that follow describe how information from adaptive risk analysis is presented within RedSeal’s SRM.

Risk Analysis and Prioritization

A risk analysis map is the starting point for day-to-day risk management activities in RedSeal’s SRM. One might begin with an enterprise-wide view of security risk, and then drill down into subnets and individual hosts. For each host, a security or network operations professional can quickly see the risk score, business value, and number of vulnerabilities. The amount of risk is displayed as relative size and color, indicating which subnets and hosts need immediate attention. From the summary information, one can navigate to the areas of SRM that display threat maps and remediation suggestions for a selected subnet or host. For example, when an individual device is clicked, details are also displayed to show which network configuration checks (NCCs) the device failed. These checks verify that rule sets for devices such as routers and firewalls are not inadvertently misconfigured and therefore inconsistent with the desired security policies. Summary information about each check failure indicates which configuration settings need to be changed.

In addition, many reports are available which list, for example, the twenty-five devices, subnets, or device groups that are most at risk, have the highest business value, or are the most vulnerable. These reports quickly and clearly display the subnets and hosts that have the highest risk, best data coverage, highest monetary value, greatest number of vulnerabilities, and so on.

Threat Analysis Views and Data Coverage

To produce threat maps, RedSeal’s SRM uses an embedded Threat Reference Library, which contains data that RedSeal incorporates and frequently updates from public authoritative sources and from its own research.

Threat maps make it possible to examine threats from the inside out, to find out whether a particular host or subnet is vulnerable. Threat maps can also display threats from the outside in, starting with an untrusted network, to explore the possible paths of attack into the network.

Threat maps can be viewed from three levels:

  • High-level view

  • Network-to-network attack view

  • Host or subnet vulnerability details

High-level view—This view shows the source of an attack, the targeted network or next hop, and the risk score and confidence factor. It is invoked by (1) selecting an attack source (that is, an untrusted subnet), (2) selecting the confidence factor to use as a threshold for which paths to display, and then (3) choosing between seeing a measure of each subnet’s business value or its downstream risk. This information tells the SRM user how much of the network could be affected and what the likelihood of an attack is.

If paths to a critical network segment disappear when a higher confidence factor is chosen, this suggests that the number of data inputs available to SRM needs to be increased. With more complete data, vulnerabilities that SRM could previously only infer can be confirmed.

Network-to-network attacks view—This view shows, for a selected link between subnets, a list of potential attack paths, in order to explain why a given path appears on the threat map. This view provides a list of vulnerable hosts on the selected subnet and all the paths that might be used to exploit vulnerabilities. 
Details about the selected link along the attack path include the source and destination addresses, layer-4 protocol, port, specific vulnerabilities, and metrics regarding the likelihood of attack (exposure, severity, and impact).

Host or subnet vulnerability details—This view shows, for the selected subnet, details about each vulnerability found on each host in the subnet.

This information details how severe the problem is, what type of impact it could have, if the attack can leapfrog, what the downstream risk is, and whether the vulnerability is inferred, potential, or confirmed.

Whereas threat maps are designed to show how potential threats might traverse the network, the Threat Remediation features of RedSeal’s SRM provide guidance on mitigating threats.
RedSeal’s SRM can help identify which specific filtering devices and configuration files need to be changed, as well as which hosts need to be hardened or patched. Depending on the network scope and available data sources and data points, the following information may be shown:

  • List of vulnerable hosts

  • List of vulnerabilities and patch information for a particular host

  • List of network configuration checks that failed for the device or host

  • Report listing remediation suggestions for failed network configuration checks

NetFlow® is a registered trademark of Cisco Systems, Inc.

Part of what makes RedSeal compelling as a company is that we have finally commercialized security risk management in the sense of making it available to everyone who has firewalls and routers on their network. Prior attempts served only those users who had pervasive vulnerability assessment scanning on their network; RedSeal’s ARA dispenses with that dependence and makes it possible for any user to get started with risk quantification. Customers with fewer than 10 firewalls may find that they lack sufficient network complexity to gain the full benefit of RedSeal’s management system, but any organization responsible for 10 firewalls or more can derive immediate benefit from RedSeal SRM.

Within an organization, SRM’s primary users tend to be the security and networking personnel responsible for firewalls, routers and system patching, who must ensure that high-value assets and key business applications are at once protected and accessible for authorized use. However, other parts of the organization can use the system as well, for instance to verify compliance with desired access policies or, in the case of CIOs and CISOs, to justify additional security spending for areas of the network where the security score is low or lower than desired (e.g., an acquired company’s network has a lower score than the corporate network).

RedSeal Systems Inc.
1820 Gateway Dr., Ste 280
San Mateo, CA 94404 USA
Tel: 1-888-845-8169


Copyright © 2006 Silicon Valley Communications - All rights reserved.
