
Page 1: Reliable Security  Current State, Challenges, Desired State

Reliable Security Current State, Challenges, Desired State

S. Rao Vasireddy, Bell Laboratories, Alcatel-Lucent. Tel: 732-582-7179, [email protected]

Page 2: Reliable Security  Current State, Challenges, Desired State

2 | Presentation Title | Month 2006 All Rights Reserved © Alcatel-Lucent 2006, #####

Quality of Service

Quality of Service: Availability 99.95%; Packet Loss 10^-8

“You cannot improve what you cannot measure”

– Lord Kelvin

Quality of Security?

Page 3: Reliable Security  Current State, Challenges, Desired State


What is Quality of Security?

Quality of security requires establishment of a set of metrics that can be:

– Consistently measured and tracked

– Engineered to achieve comprehensive network security

Example metric: encryption strength (resistance to exhaustive key search)

– Measured by Time to Break Encryption (TBE) = 10^N years, for a stated attacker capability

Security metrics should be enablers to measure and engineer security, similar to the role played by performance and reliability metrics.

Key length      Time to break, 1997   Time to break, 2005   Number of key combinations
40-bit DES      4 hours               seconds               ~10^12  (2^40)
56-bit DES      140 days              ~hours                ~7 x 10^16  (2^56; the slide gives ~10^15)
128-bit 3DES    NA                    ~10^21 years          ~10^24  (two-key 3DES: 112 effective key bits, ~2^80 work with the known meet-in-the-middle attack)

Caveats: the times are for key search by the attacker of that year (the 1997 56-bit figure is the distributed Internet search that won the first RSA DES Challenge, not a single machine), so the metric is only meaningful together with an attacker model and a date. The 3DES time also does not follow from the DES rows: searching ~10^24 keys at a rate that clears 2^56 in hours takes on the order of 10^4 years, not 10^21.
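The TBE metric as a function of effective key space and attacker key-test rate, written out as an added example (this is not code from the presentation). The two attacker rates are assumed round numbers chosen so that the 40-bit and 56-bit rows land in the same order of magnitude as the table above; the effective-bit figures for DES and two-key 3DES are the standard ones (parity bits and the meet-in-the-middle attack), not something the slide states.

```python
"""Time-to-Break-Encryption (TBE) as a measurable, dated metric.

Added example, not code from the original presentation. ATTACKER_RATES are
assumed round numbers, not measured figures.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Effective brute-force key space, not nominal key length:
#  - DES has a 64-bit key of which 8 bits are parity      -> 2^56
#  - export "40-bit" DES leaves 40 secret bits             -> 2^40
#  - two-key 3DES: 128 nominal bits (with parity), 112 effective; the
#    known meet-in-the-middle attack costs about 2^80 DES operations,
#    which is the ~10^24 "key combinations" on the slide (2^80 ~ 1.2e24)
EFFECTIVE_BITS = {
    "40-bit DES": 40,
    "56-bit DES": 56,
    "128-bit 3DES (two-key)": 80,
}

# Assumed attacker profiles: keys tested per second.
ATTACKER_RATES = {
    "1997 workstation cluster": 4e7,
    "2005 distributed/FPGA search": 1e12,
}


def key_combinations(bits: int) -> float:
    return 2.0 ** bits


def time_to_break_seconds(bits: int, keys_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keys are tried."""
    return key_combinations(bits) / 2 / keys_per_second


def time_to_break_years(bits: int, keys_per_second: float) -> float:
    return time_to_break_seconds(bits, keys_per_second) / SECONDS_PER_YEAR


def tbe_exponent(bits: int, keys_per_second: float) -> int:
    """N in the slide's 'TBE = 10^N years' (floor of log10; negative below one year)."""
    return math.floor(math.log10(time_to_break_years(bits, keys_per_second)))


def years_until_tbe_below(bits, keys_per_second_now, doubling_period_years, threshold_years):
    """Years until TBE falls below a threshold if attacker capacity doubles
    every doubling_period_years. The key does not change; the attacker does,
    which is why the metric needs a date (the 'T' in SMART)."""
    now = time_to_break_years(bits, keys_per_second_now)
    if now <= threshold_years:
        return 0.0
    return doubling_period_years * math.log2(now / threshold_years)


def tbe_table(ciphers=EFFECTIVE_BITS, attackers=ATTACKER_RATES):
    """(cipher, attacker) -> expected time to break, in hours."""
    return {(c, a): time_to_break_seconds(b, r) / 3600
            for c, b in ciphers.items() for a, r in attackers.items()}


if __name__ == "__main__":
    for (cipher, attacker), hours in tbe_table().items():
        print(f"{cipher:24s} {attacker:30s} {hours:12.3g} h")
```

With these assumptions 40-bit DES takes about 4 hours in 1997 and under a second in 2005, 56-bit DES about 10 hours in 2005, and the 2^80 work for two-key 3DES about 2 x 10^4 years; `years_until_tbe_below` then says how long that last figure stays above a chosen floor before the attacker catches up.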

Page 4: Reliable Security  Current State, Challenges, Desired State


Characteristics of Metrics

Specific, Measurable, Attainable, Repeatable, Time-dependent (SMART)

Measurable attributes that can be objective or subjective

Provide evidence of effectiveness for security engineering (e.g. 99% of traffic has communications security)

Network security is implemented by several measures. Example techniques:

Encrypt traffic with Integrity checks

Authenticate transactions and processes

Log & analyze security events

Ensure that traffic from “Source A” reaches intended “Destination X”

Harden ports, Interfaces and Operating Systems

Prevent/filter unwarranted traffic

Adhere to security policy and operations/management procedures

Security metrics should represent the technology, process and operational measures required to achieve comprehensive security

Page 5: Reliable Security  Current State, Challenges, Desired State


Current State of Quality of Security

Technology, standards and measurement techniques are still evolving

– Comprehensive measurement and tracking for this emerging engineering discipline are lacking

Qualitative measures:

– An estimate of the state of security

– Example: a claimed 95%+ success rate for zero-day virus prevention. This is an estimate, not a measurement with the precision of an availability figure

Need additional measures such as:

– P% of transactions authenticated

– Q% of the events logged & analyzed

– R% guarantee that traffic from “Source A” reaches “Destination X”

– 100% of the procedures that are relevant to network operations and security policy are followed
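How the four measures above would be computed from logs, as an added example (not code from the presentation). The record format (a record type followed by key=value fields) and the sample records are constructed for this example; in practice the inputs are the application, SIEM, flow and change-management logs.

```python
"""Operational security metrics from log records.

Added example, not code from the original presentation. Computes
P% transactions authenticated, Q% events logged and analyzed, R% of
Source A traffic delivered to Destination X, and % procedures followed.
The record format and SAMPLE_LOG are constructed.
"""
from collections import defaultdict

SAMPLE_LOG = """\
txn id=1001 user=alice auth=ok
txn id=1002 user=bob auth=none
txn id=1003 user=carol auth=ok
txn id=1004 user=dave auth=ok
txn id=1005 user=erin auth=ok
evt id=e1 src=fw1 type=deny
evt id=e2 src=fw1 type=deny
evt id=e3 src=ids1 type=signature
evt id=e4 src=ids1 type=signature
analysis evt=e1 verdict=benign
analysis evt=e2 verdict=alert
analysis evt=e4 verdict=benign
analysis evt=e9 verdict=benign
flow src=A dst=X result=delivered
flow src=A dst=X result=delivered
flow src=A dst=X result=delivered
flow src=A dst=X result=delivered
flow src=A dst=Y result=delivered
flow src=B dst=X result=dropped
proc name=change-review followed=yes
proc name=patch-window followed=yes
proc name=access-recert followed=yes
"""


def parse_record(line):
    """'txn id=1 auth=ok' -> {'kind': 'txn', 'id': '1', 'auth': 'ok'}."""
    kind, *fields = line.split()
    rec = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def pct(numerator, denominator):
    """Percentage; 0.0 when there is nothing to measure, not a division error."""
    return 100.0 * numerator / denominator if denominator else 0.0


def compute_metrics(log_text, src="A", dst="X"):
    by_kind = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_kind[rec["kind"]].append(rec)

    txns = by_kind["txn"]
    # Only a successful authentication counts. auth=none is a transaction
    # the system accepted without authenticating, which is what P exposes.
    authenticated = sum(t.get("auth") == "ok" for t in txns)

    emitted = {e["id"] for e in by_kind["evt"]}
    # Intersect with emitted events so an analysis record for an event that
    # was never logged (e9 above) cannot push Q above 100%.
    analyzed = {a["evt"] for a in by_kind["analysis"]} & emitted

    flows = [f for f in by_kind["flow"] if f["src"] == src and f["dst"] == dst]
    delivered = sum(f["result"] == "delivered" for f in flows)

    procs = by_kind["proc"]
    followed = sum(p.get("followed") == "yes" for p in procs)

    return {
        "P_authenticated_pct": pct(authenticated, len(txns)),
        "Q_events_analyzed_pct": pct(len(analyzed), len(emitted)),
        "R_delivered_pct": pct(delivered, len(flows)),
        "procedures_followed_pct": pct(followed, len(procs)),
    }


if __name__ == "__main__":
    for name, value in compute_metrics(SAMPLE_LOG).items():
        print(f"{name:26s} {value:6.2f}%")
```

Two details matter for the numbers to be trustworthy: Q is computed against the events the sources emitted, not against what the analysis pipeline happened to see, and R is computed only over flows that match the intended source and destination, so traffic arriving at X from elsewhere does not inflate it.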

[Figure: security life-cycle with the stages Plan & Design, Implement, Assess, Manage, marking the current focus and the gap]

Mainly driven by security compliance audits, penetration tests etc.

– Compliance to policy, regulatory and legal requirements

– Reactive as opposed to proactive measures

Page 6: Reliable Security  Current State, Challenges, Desired State


Challenges

A security metric is not independent by itself

– Dependencies exist on other metrics and operational procedures

– A fix that improves one metric may positively or negatively impact others (for example, encrypting a link raises the share of traffic with communications security but lowers the share that can be inspected and logged)

Quality of security requires process-based as well as technology-based metrics. Where measuring tools are lacking, technology-based metrics have to be embedded in the process metrics as a stop-gap (for instance, a procedure step that records whether the control was verified) until they can be measured directly.

[Figure: threats 1..N and vulnerabilities 1..N acting on the network; metrics 1, 2 and 3 are measured before a technology- or process-based fix (targeted improvement) and again after it (result)]

Page 7: Reliable Security  Current State, Challenges, Desired State


A Foundation for Quality of Security

Security frameworks, process/certification guidelines:

– Define metrics, architecture

– Help build the security genome for networks

– Example: ITU-T X.805, ISO/IEC 27001, NIST

Network technology-specific standards:

– Define/specify new technologies, protocols and operations/management techniques

– IETF, IEEE, ISO/IEC, ITU, 3GPP, 3GPP2, ANSI, ETSI

[Figure: ITU-T X.805 security architecture. Security layers: Infrastructure Security, Services Security, Applications Security. Security planes: End User Security, Control/Signaling Security, Management Security. Security dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy. Threats (Destruction, Disclosure, Corruption, Removal, Interruption) are realized by attacks that exploit vulnerabilities.]

ITU-T X.805 together with other security standards provides a framework to establish metrics for security.

Page 8: Reliable Security  Current State, Challenges, Desired State


A Standards-Based Approach for Evaluating Quality of Security

[Figure: the X.805 matrix again (security layers x security planes x security dimensions, with attacks, threats and vulnerabilities), evaluated using ITU-T X.805 plus NIST, NRIC and similar guidance. Security frameworks, standards and best practices supply the metrics; verification tools supply the measurements.]

Resulting scorecard, one row per security dimension plus process/policy compliance (values left blank on the slide):

Metric                       % Compliance   Status
Access Control
Authentication
Non-repudiation
Data Confidentiality
Communication Security
Data Integrity
Availability
Privacy
Process, policy compliance
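One way to fill the scorecard above from an X.805 assessment, as an added example (not code from the presentation or from ITU-T). The eight dimensions, three layers and three planes are the X.805 ones named on the slide; the findings dictionary is constructed for illustration, standing in for the output of the verification tools and audits the slide refers to.

```python
"""Scoring % compliance across the ITU-T X.805 matrix.

Added example, not code from the original presentation or from ITU-T.
FINDINGS is a constructed assessment result.
"""
from itertools import product

DIMENSIONS = (
    "Access Control", "Authentication", "Non-repudiation",
    "Data Confidentiality", "Communication Security", "Data Integrity",
    "Availability", "Privacy",
)
LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control/Signaling", "End User")

# Constructed findings keyed by (layer, plane, dimension). A cell absent
# from this dict is "pass" (control present and verified). "unverified"
# means no evidence was collected; it is scored as non-compliant so that a
# skipped audit cannot inflate the metric.
FINDINGS = {
    ("Infrastructure", "Management", "Authentication"): "fail",
    ("Services", "End User", "Data Confidentiality"): "fail",
    ("Applications", "End User", "Non-repudiation"): "fail",
    ("Applications", "Control/Signaling", "Data Integrity"): "unverified",
    ("Services", "Control/Signaling", "Availability"): "unverified",
}


def cells():
    """All 72 (layer, plane, dimension) cells of the X.805 matrix."""
    return list(product(LAYERS, PLANES, DIMENSIONS))


def verdict(cell, findings=FINDINGS):
    return findings.get(cell, "pass")


def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def compliance_by_dimension(findings=FINDINGS):
    """% of the 9 layer/plane cells with a verified control, per dimension."""
    out = {}
    for dim in DIMENSIONS:
        group = [c for c in cells() if c[2] == dim]
        passed = sum(verdict(c, findings) == "pass" for c in group)
        out[dim] = pct(passed, len(group))
    return out


def compliance_by_layer_plane(findings=FINDINGS):
    """% of the 8 dimensions satisfied in each of the 9 layer/plane modules."""
    out = {}
    for layer, plane in product(LAYERS, PLANES):
        group = [c for c in cells() if c[0] == layer and c[1] == plane]
        passed = sum(verdict(c, findings) == "pass" for c in group)
        out[(layer, plane)] = pct(passed, len(group))
    return out


def overall_compliance(findings=FINDINGS):
    every = cells()
    return pct(sum(verdict(c, findings) == "pass" for c in every), len(every))


def status(value, target):
    return "meets" if value >= target else "gap"


def scorecard(findings=FINDINGS, target=95.0):
    """dimension -> (% compliance, status): the two columns on the slide.
    The 95% target is an assumed value, not one the slide gives."""
    return {d: (v, status(v, target))
            for d, v in compliance_by_dimension(findings).items()}


if __name__ == "__main__":
    for dim, (value, state) in scorecard().items():
        print(f"{dim:22s} {value:6.2f}%  {state}")
    print(f"{'overall':22s} {overall_compliance():6.2f}%")
```

The per-dimension view answers the scorecard's question; the layer/plane view is the one that locates the work, since a dimension at 88.89% tells you less than "Infrastructure / Management is at 87.5%".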

Summary

– A systematic measure, akin to the broadly accepted ways of measuring performance and reliability, is needed for quality of security

– A combination of technical, process and operational methods is needed to implement quality of security across all phases of the security life-cycle

– Industry standards and best practices provide a foundation for evaluating quality of security