Jadavpur University
Centre for Distributed Computing


PROJECT ELSM
Enterprise Level Security Metrics

Funded By

Department of Information Technology,
Ministry of Communications and Information Technology, Government of India

Overview

1. Aim and Scope of the Project (in terms of specific physical achievement)

The aim of this new project is to develop a stand-alone tool for Enterprise Level Security Metrics, for the measurement of, and improvement in, an ISMS. The WISSDOM2 Tool Suite developed in the previous project will be enhanced with additional services for large-scale deployment. New services for the critical sectors will be developed. Finally, all the outcomes will be integrated with WISSDOM2, so that they can be deployed either separately or as part of WISSDOM2.

The scope of work will include the following:

a) Study and development of Enterprise Level Metrics (ELM) for ISMS.

b) Development of an integrated ELM Tool.

c) Enhancement of the WISSDOM2 Tool Suite to incorporate additional services, viz. asset management, asset-based risk analysis, detailed technical vulnerability analysis, and other sector-specific advisory generation.

d) Taking up Product Life-cycle activities such as Quality Management, Configuration and Documentation Management, Release Management, Bug and Patch Management, Support and Training Management, etc.

e) Development of different versions of WISSDOM2 specifically for critical sectors such as Banking and Telecom.

f) Deployment of the ELM Tool and WISSDOM2 in government and non-government organizations, especially those carrying out E-Gov functions.

g) Study and development of Composable Security, Critical Information Infrastructure Dependency Models, and Incremental and Hierarchical Generation and Analysis of attack graphs, leading to the development of new services in the WISSDOM2 Tool Suite for Critical Sectors.

 

2. Detailed Description of the Project

Preamble

Over the last few years, Government departments and industry have become aware of the fallouts of lapses in information security. The importance of implementing an Information Security Management System (ISMS) as per the ISO 27000 series of standards has also been appreciated. A long-standing gap has been filled by the Department of IT by sponsoring projects related to ISMS. Jadavpur University has come up with an enabling tool, WISSDOM2, for ISMS with funding from DIT. During the validation sessions for WISSDOM2, a common concern among the operational, executive and management level participants was the measurement and improvement of the implemented ISMS at the enterprise level.

 

Motivation

The increasing complexity of ICT infrastructures demands a macro-level view of security within an enterprise, enabling optimal management of the infrastructure. So far, decisions about the cyber security of enterprises have been made using low-level measurements and metrics, which give component- and subsystem-level views. The need of the hour is the development of Enterprise Level Metrics (ELM), which will help in making decisions in cases of technology adoption, information security situational awareness, etc. This will complement the component-level metrics used so far. Attention is also needed for defining metrics for interconnected infrastructures, where higher-level metrics (for the entire system/enterprise/sector) can be derived by composing lower-level metrics (for individual components/subsystems).

 

During the course of validation runs of WISSDOM2 in various critical sector organizations, it was felt that to be useful as an enabler, the tool suite should have some additional services as well as a growth path along different sectors.

 

While evaluating the security of large critical infrastructures, it is often easier to break the large system into components small enough to be subjected to security evaluation individually, and then to measure the security of the overall system in terms of its components. In this context, composability is defined as the ability to create systems and applications with predictably satisfactory behavior from components, subsystems, and other systems. On the other hand, different critical sectors have inter-dependencies that need to be precisely modeled.

 

The present investigating team has been motivated to bridge these gaps in R&D by its experience in developing the WISSDOM2 tool suite, comprising a host of web services, funded by the DIT, and the case studies taken up as part of the effort.

International Scenario

 

There are initiatives aimed at developing new paradigms for identifying measures and metrics. Some of them attempt to apply tools and techniques from other disciplines; others attempt to approach the problem from new directions. These initiatives include the following:

 

Measures of effectiveness. The Institute for Defense Analyses (IDA) developed a methodology for determining the effectiveness of cyber-security controls based on its well-used and documented methodology for determining the effectiveness of physical security controls. Using a modified Delphi technique, the measures of effectiveness of various components and configurations were determined, which then allowed for a security “ranking” of the potential effectiveness of various architectures and operating modes against different classes of adversaries.

 

Ideal-based metrics. The Idaho National Laboratory (INL) took a completely different approach to developing metrics. It chose to specify several best-case outcomes of security and then attempt to develop real-world measures of those “ideals.” The resulting set of 10 system measurements covering 7 ideals is being tested in the field to determine how well they can predict actual network or system security performance.

 

Goal-oriented metrics. Used primarily in the software development domain, the goal-oriented paradigm seeks to establish explicit measurement goals, define sets of questions that relate to achieving the goals, and identify metrics that help to answer those questions.

 

Quality of Protection (QoP). This is a recent approach that is in early stages of maturity. It has been the subject of several workshops but is still relatively qualitative.

 

Adversary-based metrics. MIT Lincoln Laboratory chose to explore the feasibility and effort required for an attacker to break into network components, by examining reachability of those components and vulnerabilities present or hypothesized to be present. It and others have built tools employing attack graphs to model the security of networks.

 

At the National Level

 

At the national level, the need for a comprehensive security program has been recognized by only a handful of big business houses. There are several DIT-sponsored projects on Information Security in various institutions across the country. C-DAC Hyderabad carries out research on OS hardening and malware detection and prevention. C-DAC Bangalore has developed N@G, which is a network security tool. A team at IIT-Kharagpur is carrying out research on Network vulnerability analysis.

 

But, to the best of our knowledge, there is little effort in the development of enterprise level metrics at the national level.

 

Objectives and Deliverables of this Proposal

 

The primary objective of this new project is to design and develop an Enterprise Level Security Metrics Tool to enable measurement of, and improvement in, the effectiveness of ISMS. The research on enterprise-level metrics will be divided into five categories: definition, collection, analysis, composition, and adoption. The other dimension of the research will be to focus on Strategic level, Performance level and Operational level metrics. The definitions of the metrics will have a mathematical foundation, followed by the computational methods. Data should be collected in ways that cannot be compromised by adversaries. This includes conditioning the data via normalization, categorization, prioritization, and valuation. It may also prescribe system developments with built-in auditability and embedded forensics support, as well as other features, such as malware defense and situational understanding. Analytics will focus on determining how effectively the metrics describe and predict the performance of the system. The prediction should cover both current and postulated adversary capabilities. Since security properties are often best viewed as total-system or enterprise-level emergent properties, research is required into the composability of lower-level metrics (for components and subsystems) to derive higher-level metrics for the entire system. Finally, adoption refers to those activities that transform ELM results into a useful form (such as a measurement paradigm or methodology) that can be broadly used, taking systems, processes, organizational constraints, and human factors into account. The outcome of this phase of research is a number of technical reports describing the mathematical and computational methods of ELM. This will include development and analysis of the methods of choice, validation, data collection, computation, composition, classification and adoption for operations, evaluation, risk management, and decision making for Enterprise ISMS.

This research outcome will be used to develop a stand-alone tool for ELM. A 3-tier architecture of the tool is envisaged, with Data Collection, Analytics and Presentation (in the form of Dashboards and Mashboards) distributed from the bottom to the top layer.

 

In its present form, WISSDOM2 can generate ISMS documentation for enterprises, based on the ISO 27000 series of standards. We now propose to design and develop sector-specific versions of WISSDOM2, which will cater to the information security requirements of banking, telecom, E-Gov organizations/departments and data centres. In order to achieve this, the knowledge base of WISSDOM2 needs to be enhanced to incorporate the security controls of sector-specific standards and regulations. The add-on services envisaged are asset management, asset-based risk analysis, detailed technical vulnerability analysis, and other sector-specific advisory generation. Large-scale deployment of WISSDOM is planned in this phase. The reports generated are to be matured in consultation with user groups. To develop WISSDOM2 as an enhanced tool, Product Life-cycle Management activities will be taken up. Specifically, Product Quality Management, Configuration and Documentation Management, Release Management, Bug and Patch Management, Support, Training Management and licensing issues will be taken up, and documents will be generated for each phase of the life-cycle process. The final outcome of this phase is a well-documented enabling tool for Enterprise ISMS. At least 4 versions, WISSDOM2-Egov, WISSDOM2-Banking, WISSDOM2-Telecom and WISSDOM2-DC, are envisaged in this phase.

 

Basic research will be continued to tackle the security of the huge IT infrastructure of the Critical Sectors. Composability will be studied across inter-connected systems and across security parameters and protective measures. Suitable composability operators will also be identified for the purpose. A related issue to study is the cyber and physical dependency among critical sectors. The composability and dependency models, along with attack graphs, will be used to develop incremental and hierarchical analysis of Critical Sector Enterprises. New metrics are also envisaged along these lines. In this phase a number of technical reports and research papers will be authored, and new services for CIIP will be developed in both stand-alone and integrated form.
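The idea running through the Motivation, the Objectives and this section, deriving a higher-level metric for a subsystem or enterprise by composing normalized lower-level metrics with explicit composability operators, is illustrated by the following added example. It is not code from the ELSM project or from WISSDOM2, and the project's own operators are yet to be identified. The example therefore assumes two hypothetical operators, a weakest-link (minimum) operator for components in series and a weighted mean for independent contributions, a normalization step that conditions raw measurements onto [0, 1] with 1 as the best posture, and a constructed sample hierarchy (Banking and Telecom subsystems with made-up measurements). All node names, weights and numbers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# --- Data conditioning: bring raw measurements onto a common [0, 1] scale ---
def normalize(value: float, low: float, high: float, higher_is_better: bool = True) -> float:
    """Map a raw measurement onto [0, 1], where 1.0 is the best security posture.
    Values outside [low, high] are clipped so one outlier cannot dominate."""
    if high <= low:
        raise ValueError("normalization range must satisfy low < high")
    clipped = min(max(value, low), high)
    score = (clipped - low) / (high - low)
    return score if higher_is_better else 1.0 - score


@dataclass
class Node:
    """A component (leaf carrying a normalized score) or a subsystem/enterprise
    (interior node composing its children with a named operator)."""
    name: str
    operator: str = "weakest_link"
    score: Optional[float] = None
    weight: float = 1.0
    children: List["Node"] = field(default_factory=list)


# Hypothetical composition operators (assumed here, not the project's own):
#   weakest_link  - components in series; the parent is only as secure as its worst child
#   weighted_mean - independent contributions, weighted by business importance
OPERATORS: Dict[str, Callable[[List[Tuple[float, float]]], float]] = {
    "weakest_link": lambda kids: min(s for s, _ in kids),
    "weighted_mean": lambda kids: sum(s * w for s, w in kids) / sum(w for _, w in kids),
}


def compose(node: Node) -> float:
    """Recursively derive a higher-level metric from lower-level ones."""
    if not node.children:
        if node.score is None:
            raise ValueError(f"leaf {node.name!r} has no score")
        return node.score
    kids = [(compose(child), child.weight) for child in node.children]
    return OPERATORS[node.operator](kids)


def bottleneck(node: Node) -> List[str]:
    """Path from the root to the lowest-scoring leaf at each level: the component
    whose improvement most directly lifts the enterprise-level metric."""
    path = [node.name]
    while node.children:
        node = min(node.children, key=compose)
        path.append(node.name)
    return path


def build_sample_enterprise() -> Node:
    """Constructed sample hierarchy and measurements (not real data)."""
    banking = Node("Banking", operator="weakest_link", weight=2.0, children=[
        # 20 days to patch, on a 0..30 day scale where lower is better -> 0.3333
        Node("patch_latency", score=normalize(20, 0, 30, higher_is_better=False)),
        # 90% of accounts covered by MFA -> 0.9
        Node("mfa_coverage", score=normalize(0.9, 0, 1)),
    ])
    telecom = Node("Telecom", operator="weighted_mean", weight=1.0, children=[
        Node("log_coverage", score=normalize(0.8, 0, 1)),
        Node("segmentation", score=normalize(0.6, 0, 1)),
    ])
    return Node("Enterprise", operator="weighted_mean", children=[banking, telecom])


def enterprise_score() -> float:
    """Composed enterprise metric for the sample hierarchy, rounded to 4 places."""
    return round(compose(build_sample_enterprise()), 4)


if __name__ == "__main__":
    root = build_sample_enterprise()
    print("enterprise score:", enterprise_score())      # 0.4556
    print("bottleneck:", " > ".join(bottleneck(root)))   # Enterprise > Banking > patch_latency
```

The weakest-link operator is what makes the Banking subsystem score 0.3333 despite 90% MFA coverage, and the weighted mean then blends that with the Telecom subsystem's 0.7 into an enterprise score of about 0.4556; the bottleneck walk explains the number by pointing at the slow patching in Banking, which is the kind of decision support the enterprise-level view is meant to provide.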

 

 

CDC-JU © All Rights Reserved