
Reliable Security Current State, Challenges, Desired State

Reliable Security: Current State, Challenges, Desired State. S. Rao Vasireddy, Bell Laboratories, Alcatel-Lucent. Tel: 732-582-7179, rvasireddy@Alcatel-Lucent.com. Opening theme, Quality of Service: “You cannot improve what you cannot measure” (Lord Kelvin).





Presentation Transcript


  1. Reliable Security: Current State, Challenges, Desired State
     S. Rao Vasireddy, Bell Laboratories, Alcatel-Lucent
     Tel: 732-582-7179, rvasireddy@Alcatel-Lucent.com

  2. Quality of Service
     “You cannot improve what you cannot measure” (Lord Kelvin)
     Quality of Service: Availability 99.95%; Packet Loss 10^-8
     Quality of Security: ?

  3. What is Quality of Security?
     Quality of security requires establishing a set of metrics that can be:
     • Consistently measured and tracked
     • Engineered to achieve comprehensive network security
     Example metric: Encryption protocol strength
     • Measured by Time to Break Encryption (TBE) = 10^N years
     Security metrics should be enablers to measure and engineer security, similar to the role played by performance and reliability metrics.

  4. Characteristics of Metrics
     • Specific, Measurable, Attainable, Repeatable, Time-dependent (SMART)
     • Measurable attributes that can be objective or subjective
     • Provide evidence of effectiveness for security engineering (e.g. 99% of traffic has communications security)
     • Network security is implemented by several measures. Example techniques:
       • Encrypt traffic with integrity checks
       • Authenticate transactions and processes
       • Log and analyze security events
       • Ensure that traffic from “Source A” reaches the intended “Destination X”
       • Harden ports, interfaces and operating systems
       • Prevent/filter unwarranted traffic
       • Adhere to security policy and operations/management procedures
     Security metrics should represent the technology, process and operational measures required to achieve comprehensive security.

  5. Current State of Quality of Security
     Current focus:
     • Mainly driven by security compliance audits, penetration tests etc.
     • Compliance to policy, regulatory and legal requirements
     • Reactive as opposed to proactive measures
     Gap:
     • Technology, standards and measurement techniques are still evolving
     • Lack of comprehensive measurement and tracking for the emerging engineering discipline
     • Qualitative measures give only an estimate of the state of security. Example: a 95%+ success rate for zero-day virus prevention is not an accurate measure of availability
     • Additional measures are needed, such as:
       • P% of transactions authenticated
       • Q% of the events logged and analyzed
       • R% guarantee that traffic from “Source A” reaches “Destination X”
       • 100% of the procedures that are relevant to network operations and security policy are followed

  6. Challenges
     • A security metric is not independent by itself
     • Dependencies exist on other metrics and operational procedures
     • A fix that results in improved quality for one metric may positively or negatively impact others
     Quality of security requires process-based as well as technology-based metrics. Technology-based metrics need to be embedded in the process metrics as a stopgap measure to compensate for the lack of measuring tools.

  7. A Foundation for Quality of Security
     • Security frameworks, process/certification guidelines:
       • Define metrics, architecture
       • Help build the security genome for networks
       • Examples: ITU-T X.805, ISO/IEC 27001, NIST
     • Network technology specific standards:
       • Define/specify new technologies, protocols and operations/management techniques
       • IETF, IEEE, ISO/IEC, ITU, 3GPP, 3GPP2, ANSI, ETSI
     ITU-T X.805 together with other security standards provides a framework to establish metrics for security.

  8. A Standards-Based Approach for Evaluating Quality of Security
     Evaluation table (columns: Security Frameworks | Verification tools | Status | Metrics | Standards, BPs):
     • ITU-T X.805 security dimensions as rows: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
     • Process, policy compliance row: metric % Compliance; standards NIST, NRIC etc.
     Summary
     • A systematic measure, akin to the broadly accepted ways of measuring performance and reliability, is needed for quality of security
     • A combination of technical, process and operational methods is needed to implement quality of security and cover all phases of the security life-cycle
     • Industry standards and best practices provide a foundation for evaluating quality of security
