In complex systems such as telecommunications and Information Technology (IT) infrastructures, the potential impacts of security vulnerabilities, even if discovered and disclosed, tend to be difficult to assess in a timely fashion. This is primarily due to the number and nature of these vulnerabilities, as well as the number of assets in such systems. Some assets may also have embedded software layers and other dependencies, which further complicates security assessments. These complications may be further compounded when considering services provided in an information system, since services may involve many different assets and dependencies with and between those assets.
The capacity to understand and make informed decisions soon after a vulnerability is disclosed is one key aspect of proactive security. Such capacity allows network operators, for example, to understand the security state, i.e., the risk to a network infrastructure, at any given time and to assign a priority action list for risk mitigation. Identification of commercial risks associated with relying on data stored and transmitted on network segments during a period of elevated security risk may also be of use in performing a comprehensive security assessment.
In common Network Management Systems (NMSs), the view of a managed communication network is limited to the physical topology of interconnected systems. This view does not provide the level of information required to properly assess the status of aggregated views at higher layers suitable for operational decisions based on service, business, or functional priorities.
Several currently available management tools provide some sort of service-level view. One tool has the ability to model a "customer" and create a relationship between the customer and a network based on a Service Level Agreement (SLA) profile. The model allows the presentation of services and customers, their relationship to network objects, and the relationships between network objects in the form of a graphical asset map. Another tool allows service-level characteristics to be displayed in a basic color-coded chart that represents a list of services and their corresponding statuses with respect to performance, applications, systems, network, and security. Tools that display a service as a hierarchical graph of service and related asset icons, grouped by customer, are also known.
These and other existing tools, however, present limited or incomplete views of service-level status or security risks. For example, currently available tools do not provide a mechanism to present complex relationships between services, assets, and the physical topology of an information system in one consolidated representation. Some tools use separate views to present customer and service relationships, asset relationships, and physical topology, whereas others do not present service relationships at all. This limits the tools in that a user is not able to quickly relate a service security risk state to its related assets.
A further shortcoming of existing tools relates to the level of information provided. Service status in a service-level view may be limited to a color-coded icon or list item that represents only one attribute or one aggregated attribute, without presenting in the same view lower-level details, for instance regarding the underlying assets that contribute to service-level security. Existing tools also do not differentiate between security metrics, which may lead to difficulties in identifying exactly what an indicator is intended to indicate. A green icon may be intended to indicate that no alarms have been raised by a firewall, but may be interpreted incorrectly by an operator as indicating that a service is secure with respect to confidentiality. Other security vulnerabilities may exist, but might not be clearly represented.
Current tools are further limited in terms of security monitoring, and may report only the results and alerts received from firewalls, Intrusion Detection Systems (IDSs), and other security appliances, for example. Such tools have no mechanism to collect or present information related to the analysis of assets and security vulnerabilities. Other tools that may support vulnerability analysis do not account for asset interdependence, such that a failure in a database used by a software application that is involved in providing a service will not appear as a failure in the dependent application. Therefore, critical aspects of information may be lost as information is aggregated up to the service level.
Thus, there remains a need for improved techniques for service-level security risk analysis.
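The two shortcomings described above, undifferentiated security metrics and aggregation that ignores asset interdependence, can be made concrete in a small model. The following is an added illustration, not code from this document or from any of the tools it describes; the asset names (customer-db, billing-app, billing-service), the three-metric risk vector, and worst-case (maximum) propagation along dependency edges are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Security metrics are tracked separately so that an indicator says exactly
# what it indicates (a green "availability" light says nothing about confidentiality).
METRICS = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    # Per-metric risk: 0.0 = no known exposure, 1.0 = known failed/compromised.
    risk: dict = field(default_factory=lambda: {m: 0.0 for m in METRICS})
    depends_on: list = field(default_factory=list)


def propagated_risk(asset, memo=None):
    """Risk of an asset including risk inherited from everything it depends on.
    Assumption: worst case (max) along each metric. memo caches finished nodes
    and doubles as a cycle guard (an in-progress node contributes its own risk)."""
    memo = {} if memo is None else memo
    if asset.name in memo:
        return memo[asset.name]
    memo[asset.name] = dict(asset.risk)
    result = dict(asset.risk)
    for dep in asset.depends_on:
        for metric, value in propagated_risk(dep, memo).items():
            result[metric] = max(result[metric], value)
    memo[asset.name] = result
    return result


def naive_service_status(service):
    """What a single color-coded icon shows: one attribute of the service itself,
    with nothing from the assets underneath it."""
    return "green" if max(service.risk.values()) == 0.0 else "red"


def dependency_aware_status(service):
    """One indicator per metric, computed over the whole dependency chain."""
    return {m: ("green" if v == 0.0 else "red")
            for m, v in propagated_risk(service).items()}


def build_sample():
    """Constructed scenario: a database outage under a billing service."""
    db = Asset("customer-db")
    db.risk["availability"] = 1.0          # the database has failed
    app = Asset("billing-app", depends_on=[db])
    return Asset("billing-service", depends_on=[app])
```

For the constructed scenario the naive icon stays green while the per-metric view turns availability red and leaves confidentiality and integrity green, which is exactly the information the text says is lost on the way up to the service level.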