Cost effective management frameworks: the impact of IDS deployment technique on threat mitigation

https://doi.org/10.1016/j.infsof.2003.11.004

Abstract

In this paper we measure the financial benefit of an intrusion detection system (IDS) deployment. To this end, we use a standard risk analysis framework and extend it by introducing the Cascading Threat Multiplier (CTM). The idea behind the CTM is that a security compromise incurs two types of cost: (a) the direct cost of lost integrity, confidentiality or availability, and (b) the indirect cost of the compromised component serving as a potential stepping stone for future attacks. The CTM tries to capture the second type of cost, which is typically ignored in the classic risk analysis framework. We propose new risk analysis formulas that tie the CTM concept into an accurate calculation of Return on Investment (ROI), otherwise commonly known as Return on Security Investment. Finally, through a case study we demonstrate the effect of IDS deployment techniques on threat mitigation and on the ROI. The results of the case study can be used to support effective decision-making about which techniques are appropriate for the cost-effective management of the IDS in a given environment.

Introduction

The recent CSI-FBI survey [1] of 503 American organizations reveals the concerns of business leaders about the increase in security breaches that has accompanied online electronic commerce. Of the 503 organizations surveyed, 90% detected a security breach of their information systems and 80% experienced financial losses as a result of breaches. While internal threats remain a top priority, 40% cited breaches from outside their organization. Additionally, 85% experienced viruses and 74% stated that their Internet connection was the most frequently targeted point. The most significant piece of data from this survey is that 90% of these respondents have a Web site, 90% have firewalls and antivirus programs, and 100% conduct business electronically in some fashion.

The statistics in the survey point to a notable trend: not the percentages themselves, but simply that 100% of those surveyed conduct business electronically and 90% of them have firewalls and antivirus, yet 90% reported system breaches. Protecting information systems today must be done as a layered process that includes both technology and human analysis. As the CSI-FBI survey revealed, most companies have already deployed firewalls and antivirus programs, and many are moving aggressively towards acquiring intrusion detection systems (IDSs): security systems that monitor computer systems and network traffic and analyze that traffic for possible hostile attacks originating from outside the organization, and also for system misuse or attacks originating from inside the organization.

Given the need to demonstrate the value of an IDS deployment, especially when multiple deployments are involved, organizations must justify the implementation expense by proving that the IDS is a value-added resource. The justification consists of showing that deploying the IDS will lead to a reduction in the annual loss expectancy (ALE) and to a Return on Security Investment (ROSI). This is realized only if the IDS is able to effectively detect and deter attacks.

One method for justifying an IDS is to determine the value of the ALE using conventional cost/benefit (risk) assessment; the ALE represents the cost/benefit break-even point for risk mitigation measures. In other words, the organization could justify spending up to the dollar equivalent of the ALE per year to prevent the occurrence, or reduce the impact, of a threat such as a fire. A risk assessment can identify what types of intrusion a company's infrastructure is vulnerable to and the potential loss should an attack occur. It will also provide the justification for IDS deployment as an effective safeguard. Another way to analyze the benefits of an IDS is to document the misuse of an organization's network. The CSI-FBI survey shows that 78% of the respondents detected employee misuse of their systems and Internet connection. This included web surfing, email abuse, and use of company hardware and software for personal gain. Such misuse directly increases the risk of systems being attacked and information compromised, which can be tied to justifying the need for, and expense of, an IDS.

An alternative method for justifying an IDS is to demonstrate, in quantifiable measures, its ability to effectively detect and deter attacks. There are performance studies [2], [3], [4] that examine different aspects of this. A more elaborate discussion of the performance studies is given in Section 2.

In this paper, we review risk analysis methodologies, introduce a new concept, the Cascading Threat Multiplier (CTM), into the risk equations, explore the impact of threat mitigation on the ALE, and correlate the effect of the IDS management technique on threat mitigation.

The rest of the paper is organized as follows. In Section 2, we discuss current IDS deployment and implementation methods. We discuss risk assessment methodologies in Section 3. In Section 4, we present a novel concept for risk analysis, the CTM, and in Section 5 we discuss the relation of the ALE to threat mitigation. We then present, in Section 6, a case study illustrating the impact of deployment techniques on ALE reduction and on achieving a positive Return on Investment (ROI).

Section snippets

IDS technologies, cost structure and deployments in complex environment

Intrusion detection is an overlay of two separate and different IDS technologies: network-based IDS and host-based IDS. The primary advantage of network-based IDS is that it can watch the whole network, or any subset of it, from one location. Therefore, network-based IDS can detect probes, scans, and malicious and anomalous activity across the whole network. These systems can also serve to identify general traffic patterns for a network as well as aid in troubleshooting network

Assessment methodologies

The landscape of risk assessment methodologies is constantly changing. Some methodologies promulgated via the US government's FIPS 65 guideline for performing risk analysis in large data processing centers [6] were withdrawn in 1995. One of the earliest estimators used in the computer industry was the ALE, a quantitative method for performing risk analysis. It was described in a 1979 FIPS publication (#65) by the National Institute of Standards and Technology as appropriate for use by large data

Novel concepts: the Cascading Threat Multiplier

The interplay of technological processes, policies and risk management methods in today's enterprise environments requires the formulation of new analytical frameworks and concepts like the CTM to accurately conduct valuation studies and quantify the ROI for any acquired or developed technology.

Recently, different ROI techniques and generalized cost models have been proposed for IDS deployment. This has happened as Cost–Benefit Analysis (CBA) techniques have become the most popular

Deployment techniques versus threat mitigation

The measure of risk can be determined as a product of threat, vulnerability and asset values (AVs):

Risk = Asset × Threat × Vulnerability.

The risk elements and their corresponding countermeasures for a specified system can best be visualized with a cuboid (Fig. 4). The system has an initial level of risk before any countermeasures are applied. Countermeasures, assuming that their values are assigned by the same parameters that are used for threat, vulnerability and asset valuation, can reduce risk, i.e. by reducing
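The following added Python example (not the paper's own code or formulas) makes the framework of Sections 3 to 5 concrete: it computes the Asset × Threat × Vulnerability term above, applies an IDS as a countermeasure that lowers vulnerability, and derives the ROSI described in the introduction, comparing two deployment techniques with and without a stepping-stone term that stands in for the CTM. The CTM formulation used here (a compromised asset's loss includes the loss reachable through its pivot links), the pivot probabilities, the mitigation fractions and all asset values are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    value: float  # asset value (AV): loss on full compromise, in currency units
    aro: float    # threat, taken here as the annualised rate of attack attempts
    vuln: float   # vulnerability: probability that an attempt succeeds
    pivots: dict = field(default_factory=dict)  # downstream asset -> P(pivot succeeds)

def single_loss(name, assets, seen=frozenset()):
    """Loss from one compromise: own value plus value reachable via pivots (assumed CTM form)."""
    a, seen = assets[name], seen | {name}
    return a.value + sum(p * single_loss(b, assets, seen)
                         for b, p in a.pivots.items() if b not in seen)

def ctm(name, assets):
    """Cascading Threat Multiplier: cascading loss relative to the direct loss."""
    return single_loss(name, assets) / assets[name].value

def ale(assets, cascade):
    """Sum of Asset x Threat x Vulnerability; the asset value becomes the cascading loss when set."""
    return sum(a.aro * a.vuln * (single_loss(n, assets) if cascade else a.value)
               for n, a in assets.items())

def apply_ids(assets, coverage):
    """Countermeasure: an IDS covering an asset cuts its vulnerability by the
    detect-and-deter fraction in `coverage` (constructed mitigation values)."""
    return {n: Asset(a.value, a.aro, a.vuln * (1 - coverage.get(n, 0.0)), dict(a.pivots))
            for n, a in assets.items()}

def rosi(ale_before, ale_after, annual_cost):
    """Return on security investment: net ALE reduction per unit of annual spend."""
    return (ale_before - ale_after - annual_cost) / annual_cost

# Constructed topology: a DMZ web server from which an attacker could pivot into an
# internal database that holds most of the value. All figures are illustrative.
ASSETS = {
    "web": Asset(50_000, aro=10.0, vuln=0.20, pivots={"db": 0.5}),
    "db": Asset(900_000, aro=0.5, vuln=0.05),
}
# Two techniques at equal cost: network IDS on the web server vs host IDS on the db.
TECHNIQUES = {"network IDS on web": {"web": 0.6}, "host IDS on db": {"db": 0.8}}
ANNUAL_COST = 30_000

def evaluate(technique, cascade=True):
    """ROSI of one deployment technique, with or without the cascading term."""
    before = ale(ASSETS, cascade)
    after = ale(apply_ids(ASSETS, TECHNIQUES[technique]), cascade)
    return rosi(before, after, ANNUAL_COST)
```

With these figures the network IDS on the web server has a ROSI of 1.0 on the classic ALE but 19.0 once the web server's stepping-stone value (CTM of 10) is counted, while the host IDS on the database stays negative either way; the cascading term changes not only the magnitude but the case for where to deploy.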

Case study

This case study permits an in-depth exploration of the benefits of performing risk analysis in order to get the most out of IDS management techniques. From it, we hope to glean some general concepts about IDS ARO and ROI and to determine the viability of the management approach that yields the greatest benefit. By developing the examples, we also hope to develop a method of reasoning about IDS risk analysis more generally. The case study will be presented in the context of events and risk

Conclusions

The studies presented in this paper underscore the importance of the new concepts we have introduced into the risk analysis formulas. When an IDS device is deployed in a complex environment, many factors bear on the performance index. In order to accurately measure the performance of the IDS using the ARO as a measure, it is necessary to formulate the analytical framework for asset valuation and risk calculations. This can be realized using the new concepts and formulas we have


Cited by (7)

  • Network externality and incentive to invest in network security

    2014, Economic Modelling
    Citation excerpt: In the literature that takes a decision theory-based approach, NS strategy is assessed by calculating the costs and benefits of NS investments by identifying the key variables (e.g., asset value, security risk, degree of threats and cost of breaches). This quantifying approach adopts financial metric indexes by using multiple economic indexes of annual loss expected (ALE), return on investment (ROI) (Bojanc and Jerman-Blažič, 2008a; Hausken, 2006; Iheagwara et al., 2004; Purser, 2004; Tsiakis and Stephanides, 2005), net present value (NPV) (Bojanc and Jerman-Blažič, 2008b), and internal rate of return (IRR) (Bojanc and Jerman-Blažič, 2008a). For example, Bojanc and Jerman-Blažič (2008b) introduced methods for identifying the assets, threats, and vulnerabilities of Information and Communications Technology systems, and proposed a procedure to recommend the optimal investment choice for the necessary security technology based on the quantification of various values of the protected systems (e.g., an economic index combination of ROI, NPV and IRR).

  • Systems for detecting advanced persistent threats: A development roadmap using intelligent data analysis

    2012, Proceedings of the 2012 ASE International Conference on Cyber Security, CyberSecurity 2012

  • Cost benefit deployment of DNIPS

    2010, IEEE International Conference on Communications