Security Analytics: Analysis of Security Policies for Vulnerability Management

Beres, Yolanta; Griffin, Jonathan; Shiu, Simon
Keyword(s): security, analytics, risk management, threat, vulnerability, patch, policy, intrusion prevention, modelling, simulation

Abstract: In this paper we present a novel approach of using mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, we investigate vulnerability management policies, and explore how effective standard patch management and emergency escalation based policies are, and how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window. To achieve this we have examined current practices across several large organizations, and based on this we construct a model of the external events and of the internal decision points and security processes that vulnerability management consists of. We show, based on experimental simulations, how changes in various internal parameters of the model, such as the patching timeline and the effectiveness of early mitigation measures, affect the overall exposure window in terms of the time it takes to reduce the potential risk. This enables further analysis of the trade-off between investing in improving patching processes versus adding more mitigation mechanisms that can be put into effect earlier. We believe that this type of mathematical modelling and simulation-based approach provides a novel and useful way of considering security investment decisions, which is quite distinct from traditional risk analysis.
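The modelling approach the abstract describes, as an added worked example that is not the paper's own model or code: a small Monte Carlo simulation in which the external events (exploit availability, vendor patch release) are sampled and the internal decision points (routine patching timeline, emergency escalation once an exploit is public, early pre-patch mitigation) are policy parameters, with the exposure window measured as risk-weighted days from disclosure until the patch is deployed. The distributions, parameter values and the risk-days metric are assumptions chosen for illustration, not the paper's calibrated values.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Policy:
    patch_days: float       # routine deployment time after the vendor patch ships
    escalate_days: float    # emergency deployment time once an exploit is public
    mitigation_days: float  # time to deploy a pre-patch mitigation (e.g. an IPS rule)
    mitigation_eff: float   # fraction of the risk the mitigation removes, 0..1


def exposure(exploit_at, patch_at, p):
    """Risk-weighted exposure (risk-days) from public disclosure (t = 0) until
    the patch is deployed, for one realisation of the external events."""
    deploy_at = patch_at + p.patch_days            # standard patch timeline
    if exploit_at < deploy_at:                     # escalation decision point
        deploy_at = min(deploy_at, max(exploit_at, patch_at) + p.escalate_days)
    mit_at = min(p.mitigation_days, deploy_at)     # mitigation only helps before the patch
    # full risk until the mitigation is in place, residual risk until deployment
    return mit_at + (deploy_at - mit_at) * (1.0 - p.mitigation_eff)


def simulate(p, runs=10_000, seed=1):
    """Mean exposure over sampled external events. Assumed: exploit becomes
    public ~20 days and the vendor patch ships ~10 days after disclosure on
    average, both exponentially distributed."""
    rng = random.Random(seed)
    return mean(exposure(rng.expovariate(1 / 20), rng.expovariate(1 / 10), p)
                for _ in range(runs))


if __name__ == "__main__":
    no_mit = float("inf")  # never deploy a pre-patch mitigation
    policies = {
        "baseline (30-day patching)": Policy(30, 3, no_mit, 0.0),
        "faster patching (14 days)": Policy(14, 3, no_mit, 0.0),
        "early mitigation (day 2, 70%)": Policy(30, 3, 2, 0.7),
    }
    for name, pol in policies.items():
        print(f"{name:30s} mean exposure = {simulate(pol):6.1f} risk-days")
```

Comparing the three policies' mean exposure is the trade-off analysis the abstract refers to: the same metric shows what a shorter patching timeline buys versus what an earlier, partially effective mitigation buys.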

Additional Publication Information: To be published in Annual Computer Security Applications Conference, ACSAC 2008

External Posting Date: September 30, 2008. Approved for External Publication
Internal Posting Date: September 30, 2008

