In complex systems such as telecommunications and Information Technology (IT) infrastructures, the potential impacts of security vulnerabilities, even if discovered and disclosed, tend to be difficult to assess in a timely fashion. This is primarily due to the number and nature of these vulnerabilities, as well as the number of assets in such systems. Some assets may also have embedded software layers and other dependencies, which further complicates security assessments.
The capacity to understand and make informed decisions soon after a vulnerability is disclosed is one key aspect of proactive security. Such capacity allows network operators, for example, to understand the security state, i.e., the risk to a network infrastructure, at any given time and assign a priority action list for risk mitigation. Identification of commercial risks associated with relying on data stored and transmitted on network segments during a period of elevated security risk may also be of use in performing a comprehensive security assessment.
Despite an ever-increasing number of security event management systems, however, no currently available solution offers the functionality of consolidating risk impacts at the network and/or service levels.
In the area of risk calculation, currently available solutions are further deficient in that they use proprietary and fixed risk calculation formulas. These formulas are based on various fixed assumptions which typically include, among others, assumptions relating to network topology (mesh, star, etc.), data (modeling, availability, uncertainty, and type such as qualitative or quantitative), organization type (military, government, business, etc.), and variables (threat, vulnerability, asset value, attack paths). Outputs provided by such formulas also tend not to reflect the current complexity of security.
Thus, there remains a need for more comprehensive and flexible security assessment and management tools.