Aspects of the embodiments relate to a computer system that assesses the risk of a technology that is utilized by an organization, where different technologies may incorporate different software packages.
Business, government, technical, and education organizations typically utilize systems that incorporate one or more technologies. For example, an information technology (IT) system may utilize one or more software modules for processing information within an organization, where each software module corresponds to a technology. The value of the system to the organization is typically based on the proper operation of the incorporated technologies within the system.
Traditional approaches typically assess a technology by analyzing different vulnerabilities associated with the technology, where each vulnerability is defined as a set of conditions that may lead to an implicit or explicit failure of the system. For example, the assessment of an IT system may use an open framework provided by the Common Vulnerability Scoring System (CVSS) for communicating the innate characteristics and impacts of each individual vulnerability. Common causes of vulnerabilities are design flaws in software and hardware, botched administrative processes, lack of awareness and education in information security, technological advancements, and improvements to current practices, any of which may result in real threats to mission-critical information systems. The quantitative CVSS model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. The CVSS model is consequently well suited as a standard measurement approach for industries, organizations, and governments that need accurate and consistent vulnerability impact scores for each vulnerability.
Aspects of the embodiments address one or more of the issues mentioned above by disclosing methods, computer readable media, and apparatuses that assess the overall risk of different technologies, which may incorporate different software packages, for an organization. An organization may be one of various entity types, including a financial institution, a manufacturing company, an educational institution, or a governmental agency. A technology is typically associated with numerous vulnerabilities, and consequently the risk assessment of a single vulnerability may not adequately reflect the overall risk level of the technology.
According to an aspect of the invention, a mathematical and objective approach assesses the relative risk of different technologies in order to provide a macro view of product-related risk across an organization's entire technology portfolio, where the products may comprise one or more software packages. The approach determines the threat risk for various software groups based on prior security findings over a known time span. The results may be used to determine which software packages are not a concern, which are within tolerance, and which need to be addressed for possible alternatives within the organization. Measurements allow for the analysis of vendor process maturity and adjustment of behavior to create a lower risk rating as opposed to eliminating a software package from use in the organization.
According to another aspect of the invention, technologies are evaluated by obtaining severity levels and environmental risk scores for the vulnerabilities associated with the technologies. Each severity level measures a possible risk level of a corresponding vulnerability for an organization, while each environmental risk score is based on an environment of the organization. Technology risk scores are then determined from the severity levels and the environmental risk scores over a time duration. Each technology may then be categorized from a statistical distribution of the technology risk scores.
According to another aspect of the invention, an indexed risk score for each technology is determined based on time trending variables. Inputs may be the number of vulnerabilities (which may be referred to as issues), the blended advisory/severity scores, and the standard deviation of the blended advisory/severity scores; the results then provide behavior forecasting of the technologies over a subsequent time duration. Further evaluation of the technologies may be performed in order to determine a risk versus reward model for the different technologies. Embodiments may model the reward of a technology based on the cost and complexity of patching as well as the degree of vendor support for the technology, while the risk may be based on a risk score of the technology.
Aspects of the embodiments may be provided in a computer-readable medium having computer-executable instructions to perform one or more of the process steps described herein.
These and other aspects of the embodiments are discussed in greater detail throughout this disclosure, including the accompanying drawings.
The present invention is illustrated by way of example and not limited in the accompanying figures in which like reference numerals indicate similar elements and in which:
In the following description of the various embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration various embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be made without departing from the scope and spirit of the present invention.
In the description herein, the following terms are referenced.
Software Package: A software package may refer to any component (or module) that can be integrated into a main program. Typically this is done by the end user through a well-defined interface. In other contexts, the integration may occur at the source code level of a given programming language.
Technology: A technology may be broadly defined as an entity that achieves some value. Consequently, a technology may refer to a tool, machine, computer software (e.g., a software package including Adobe® Reader® and Microsoft Internet Explorer®), or a technique that may be used to solve problems, fulfill needs, or satisfy wants. Moreover, a technology may include a method to do business or a manufacturing process.
Vulnerability: A vulnerability may be defined as a set of conditions that may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of a system (e.g., an information system) or process. For example with a software package, vulnerabilities may be associated with memory corruption, buffer overflow, and security weaknesses. Examples of unauthorized or unexpected effects of a vulnerability in an information system may include executing commands as another user, accessing data in excess of specified or expected permission, posing as another user or service within a system, causing an abnormal denial of service, inadvertently or intentionally destroying data without permission, and exploiting an encryption implementation weakness that significantly reduces the time or computation required to recover the plaintext from an encrypted message. Common causes of vulnerabilities include design flaws (e.g., software and hardware), botched administrative processes, lack of awareness and education in information security, and technological advancements or improvements to current practices.
In accordance with various aspects of the invention, methods, computer-readable media, and apparatuses are disclosed for assessing different technologies for an organization. The different technologies may incorporate different software packages. An organization may assume one of different entity types, including a financial institution, a manufacturing company, an education institution, a governmental agency, and the like.
Traditional approaches often assess different vulnerabilities associated with a technology in a separate manner. However, a technology is typically associated with numerous vulnerabilities (sometimes in the hundreds), and consequently the assessment of one vulnerability does not adequately reflect the overall risk level of the technology.
With embodiments of the invention, an approach assesses relative risk of different technologies in order to provide a macro-view of a product-related risk across an organization's technology portfolio. For example, the technology portfolio may include a plurality of software packages that are used by the organization to process information within the organization and between other organizations. The approach may support the determination of threat risks for different software packages (software groups) based on prior security findings over a known time span. The determined threat risks may be used to determine which software packages are not a concern, which are within tolerance, and which need to be addressed for possible alternatives within the organization.
With embodiments of the invention, measurements allow for analysis of vendor process maturity and adjustment of behavior to create a lower risk rating as opposed to all-out elimination. A rating can be determined that can be applied to the technologies to set limits of acceptable risk. Anything falling above those limits may be addressed appropriately. Technologies with a limited lifespan may be rated artificially higher than those with a significantly long history.
The invention is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
With reference to
Computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, random access memory (RAM), read only memory (ROM), electronically erasable programmable read only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by computing device 101.
Communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information delivery media. A modulated data signal is a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media.
Computing system environment 100 may also include optical scanners (not shown). Exemplary usages include scanning and converting paper documents, e.g., correspondence, receipts, etc. to digital files.
Although not shown, RAM 105 may include one or more applications representing the application data stored in RAM memory 105 while the computing device is on and the corresponding software applications (e.g., software tasks) are running on the computing device 101.
Communications module 109 may include a microphone, keypad, touch screen, and/or stylus through which a user of computing device 101 may provide input, and may also include one or more of a speaker for providing audio output and a video display device for providing textual, audiovisual and/or graphical output.
Software may be stored within memory 115 and/or storage to provide instructions to processor 103 for enabling computing device 101 to perform various functions. For example, memory 115 may store software used by the computing device 101, such as an operating system 117, application programs 119, and an associated database 121. Alternatively, some or all of the computer executable instructions for computing device 101 may be embodied in hardware or firmware (not shown). Database 121 may provide centralized storage of risk information including attributes about identified risks, characteristics about different risk frameworks, and controls for reducing risk levels that may be received from different points in system 100, e.g., computers 141 and 151 or from communication devices, e.g., communication device 161.
Computing device 101 may operate in a networked environment supporting connections to one or more remote computing devices, such as branch terminals 141 and 151. The branch computing devices 141 and 151 may be personal computing devices or servers that include many or all of the elements described above relative to the computing device 101. Branch computing device 161 may be a mobile device communicating over wireless carrier channel 171.
The network connections depicted in
Additionally, one or more application programs 119 used by the computing device 101, according to an illustrative embodiment, may include computer executable instructions for invoking user functionality related to communication including, for example, email, short message service (SMS), and voice input and speech recognition applications.
Embodiments of the invention may include forms of computer-readable media. Computer-readable media include any available media that can be accessed by a computing device 101. Computer-readable media may comprise storage media and communication media. Storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, object code, data structures, program modules, or other data. Communication media include any information delivery media and typically embody data in a modulated data signal such as a carrier wave or other transport mechanism.
Although not required, various aspects described herein may be embodied as a method, a data processing system, or as a computer-readable medium storing computer-executable instructions. For example, a computer-readable medium storing instructions to cause a processor to perform steps of a method in accordance with aspects of the invention is contemplated. For example, aspects of the method steps disclosed herein may be executed on a processor on a computing device 101. Such a processor may execute computer-executable instructions stored on a computer-readable medium.
Referring to
Computer network 203 may be any suitable computer network including the Internet, an intranet, a wide-area network (WAN), a local-area network (LAN), a wireless network, a digital subscriber line (DSL) network, a frame relay network, an asynchronous transfer mode (ATM) network, a virtual private network (VPN), or any combination of any of the same. Communications links 202 and 205 may be any communications links suitable for communicating between workstations 201 and server 204, such as network links, dial-up links, wireless links, hard-wired links, etc. Connectivity may also be supported to a CCTV or image/iris capturing device.
The steps that follow in the Figures may be implemented by one or more of the components in
At block 301, the relative risks of different technologies are assessed (designated as phase 1). As will be further discussed, characteristic values for different vulnerabilities associated with the different technologies are obtained, and relative risk scores for each technology are determined at the current time. Characteristic values for the different vulnerabilities may include severity levels measuring possible (potential) risk levels to an organization and an advisory level that measures the risk level of the vulnerability specifically based on the environment of the organization. Severity levels for the vulnerabilities of different technologies may be obtained from a third party, while the advisory levels are often determined by the organization itself because the advisory levels depend on the characteristics of the organization's environment. For example, when technologies correspond to commercial software packages, an outside consulting service (e.g., iDefense Labs, which is headquartered in Sterling, Va.) may provide an analysis of the different vulnerabilities for the technologies.
While environmental risk scores (based on the organization's environment) may be considered, some embodiments may also consider other types of scores for a vulnerability, including base and temporal scores based on the Common Vulnerability Scoring System (CVSS) methodology.
Even though a vulnerability for a technology may have a large severity level, the technology may be installed only on a few isolated computers in an organization. Consequently, the advisory level for the vulnerability may be substantially less than the corresponding severity level.
At block 302, an indexed risk score for each technology is determined based on time trending variables (designated as phase 2). With some embodiments, inputs may be the number of vulnerabilities (which may be referred to as issues), the blended advisory/severity scores, and the standard deviation of the blended advisory/severity scores for a given technology, as will be further discussed. Phase 2 subsequently provides behavior forecasting of the technologies over a subsequent time duration.
After completing phase 2, further evaluation of technologies at phase 3 may be performed at block 303 in order to determine a risk versus reward model for the different technologies. For example, as will be further discussed, the reward of a technology may be based on the cost and complexity of patching as well as the degree of vendor support for the technology, while the risk may be based on a risk score of the technology.
With some embodiments, the technology risk score is determined by:
Technology_Risk(X) = (Risk_Level(X) / N) * (ΔVulns(X) / ΔTime) EQ. 1
where Risk_Level(X) is the average severity level of all vulnerabilities for technology X over a given timeframe, N is the average severity level of all vulnerabilities for all technologies over the given timeframe, ΔVulns(X) is the average advisory score for technology X, and ΔTime is the length of the given timeframe. As previously discussed, with some embodiments the severity level is based on a possible (potential) risk level to an organization, while the advisory score measures the risk level of the vulnerability based on the environment of the organization. A consulting service (e.g., iDefense) may assign a high, medium, or low risk level as the severity level of the vulnerability. The risk level may then be transformed to a numerical value by a predetermined mapping. While the absolute value of the technology risk score depends on the value of the given timeframe, the relative value with respect to other technologies is not affected as long as the timeframe is the same for all technologies.
Referring to
The statistical distribution of the technology risk scores 402 for technologies 401 may then be used to determine the relative risk levels for the different technologies. For example, low risk category 403, medium risk category 404, high risk category 405, and non-permitted technologies (NPT) category 406 correspond to scores less than M−σ, between M−σ and M+σ, between M+σ and M+2σ, and greater than M+2σ, respectively, where M is the mean technology risk score for technologies 401 and σ is its standard deviation. With some embodiments, technologies in categories 403-405 may be used within the organization without special approval, while technologies in NPT category 406 may be used only with permission. Technologies in medium risk category 404 and high risk category 405 may, however, be subject to conditional use based on product evaluation as will be further discussed with
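The following is an added example (not code from the disclosure) that computes EQ. 1 for a small constructed portfolio and then bands the scores using the M−σ / M+σ / M+2σ cut points described above. The technology names, the findings, the 12-month timeframe, and the mapping of a consultant's high/medium/low severity to 3/2/1 are all assumptions made for the example.

```python
"""Relative technology risk (EQ. 1) and mean/sigma banding (phase 1).

Added example, not code from the original disclosure. The severity mapping
(high=3, medium=2, low=1), the 12-month timeframe and every finding below
are constructed assumptions.
"""
from statistics import mean, pstdev

# Assumed mapping of a consultant's qualitative severity to a number.
SEVERITY_MAP = {"high": 3.0, "medium": 2.0, "low": 1.0}

# Constructed findings: technology -> list of (severity, advisory_score)
# observed over the timeframe. Advisory scores use the same 1..3 scale.
FINDINGS = {
    "ReaderLikeViewer": [("high", 2.5), ("high", 3.0), ("medium", 2.0),
                         ("high", 2.8), ("low", 1.0), ("high", 3.0)],
    "BrowserA":         [("medium", 1.5), ("low", 1.0), ("medium", 1.2), ("low", 0.8)],
    "DbDriver":         [("low", 1.0), ("low", 1.0)],
    "OfficeSuite":      [("medium", 2.0), ("high", 2.2), ("medium", 1.8),
                         ("medium", 2.0), ("medium", 1.9)],
    "ArchiverX":        [("high", 3.0), ("high", 3.0), ("high", 3.0), ("high", 2.9),
                         ("high", 3.0), ("high", 3.0), ("high", 3.0), ("high", 3.0)],
}
TIMEFRAME_MONTHS = 12  # assumed known time span over which findings were collected


def risk_level(findings):
    """Risk_Level(X): average mapped severity of all vulnerabilities of X."""
    return mean(SEVERITY_MAP[sev] for sev, _ in findings)


def portfolio_norm(all_findings):
    """N: average severity over every vulnerability of every technology."""
    return mean(SEVERITY_MAP[sev] for f in all_findings.values() for sev, _ in f)


def technology_risk(name, all_findings, timeframe=TIMEFRAME_MONTHS):
    """EQ. 1: (Risk_Level(X)/N) * (ΔVulns(X)/ΔTime), where ΔVulns(X) is the
    average advisory score of X as the text defines it."""
    f = all_findings[name]
    delta_vulns = mean(adv for _, adv in f)
    return (risk_level(f) / portfolio_norm(all_findings)) * (delta_vulns / timeframe)


def categorize(scores):
    """Band each technology against the portfolio mean M and std dev σ:
    low < M-σ, medium [M-σ, M+σ], high (M+σ, M+2σ], NPT > M+2σ."""
    m, s = mean(scores.values()), pstdev(scores.values())
    bands = {}
    for tech, x in scores.items():
        if x < m - s:
            bands[tech] = "low"
        elif x <= m + s:
            bands[tech] = "medium"
        elif x <= m + 2 * s:
            bands[tech] = "high"
        else:
            bands[tech] = "NPT"
    return bands


def assess(all_findings=FINDINGS):
    """Score every technology with EQ. 1 and band the results."""
    scores = {t: technology_risk(t, all_findings) for t in all_findings}
    return scores, categorize(scores)


if __name__ == "__main__":
    scores, bands = assess()
    for t in sorted(scores, key=scores.get, reverse=True):
        print(f"{t:18s} risk={scores[t]:.4f} band={bands[t]}")
```

One caveat the banding rule carries: with a population standard deviation over n technologies, no score can lie more than √(n−1) standard deviations above the mean, so with five technologies as here nothing can ever fall into the NPT band; the M+2σ cut only becomes reachable once the portfolio holds more than five technologies.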
Referring to
Based on a statistical analysis of technology risk scores 402 for technologies 401 as shown in
Referring to process 500 in
If the technology risk score is greater than a determined threshold (e.g., 0.32 as previously discussed) at block 502, then further evaluation of the technology is performed at blocks 503, 504, and 505. At block 503 the management of the organization is alerted about the potential risk of the technology. At block 504 the technology (which often includes a product such as a software package) is collaboratively reviewed by the vendor, liaison manager with the vendor, subject matter experts, and product managers. At block 505 possible solutions to reducing the risk level and the evaluation of alternative products are discussed. If it is determined that the risk level of the technology cannot be resolved, an alternative technology (product) may be used by the organization. Measurements may allow for analysis of vendor process maturity and adjustment of behavior to create a lower risk rating as opposed to all-out elimination for use by the organization.
In order to obtain forecasted technology risk score 602, the indexed risk score of a technology is first modeled as dependent on three time trending variables:
The average blended advisory/severity score may be determined as the weighted sum of the severity level and the advisory level of the corresponding vulnerabilities. For example, with some embodiments, 65% weight is given to the advisory level and 35% to the severity level. More weight may be given to the advisory level because the advisory reflects the organization's environment for the technology.
An indexed risk score for a technology may then be obtained by multiplying the above three trending variables as given by:
index_risk_score = number_issues * blended_score * σblended
where number_issues is the number of issues (vulnerabilities) per month, blended_score is the average blended advisory/severity score, and σblended is the standard deviation of the blended advisory/severity scores for the technology.
With some embodiments, an adjusted indexed risk score is based on the term:
(number_issues+10*σblended
where number_issues is the number of issues (vulnerabilities) per month, blended_score is the average blended advisory/severity score, and σblended is the standard deviation of the blended advisory/severity scores for the technology.
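The following is an added example (not code from the disclosure) that derives the three trending variables from a constructed set of monthly vulnerability records for one technology and multiplies them into the indexed risk score. The 65/35 weighting is the one the text gives; the records, the 1..3 numeric scale for severity and advisory levels, and the six-month window are assumptions.

```python
"""Blended advisory/severity score and indexed risk score (phase 2 inputs).

Added example, not code from the original disclosure. The 65/35 weighting is
from the text; the vulnerability records, the 1..3 numeric scale and the
six-month window are constructed assumptions.
"""
from statistics import mean, pstdev

ADVISORY_WEIGHT, SEVERITY_WEIGHT = 0.65, 0.35

# Constructed findings for one technology: (month, severity, advisory),
# both levels already mapped onto an assumed 1..3 numeric scale.
RECORDS = [
    (1, 3.0, 2.5), (1, 2.0, 1.5),
    (2, 3.0, 3.0),
    (3, 1.0, 1.0), (3, 2.0, 2.0), (3, 3.0, 2.8),
    (4, 3.0, 3.0),
    (5, 2.0, 1.2), (5, 1.0, 0.8),
    (6, 3.0, 3.0), (6, 3.0, 2.9),
]
MONTHS = 6  # assumed length of the observation window


def blended(severity, advisory):
    """Blended advisory/severity score: 65% advisory, 35% severity."""
    return ADVISORY_WEIGHT * advisory + SEVERITY_WEIGHT * severity


def trending_variables(records, months):
    """Return (number_issues per month, mean blended score, σ of blended scores)."""
    scores = [blended(sev, adv) for _, sev, adv in records]
    return len(records) / months, mean(scores), pstdev(scores)


def index_risk_score(records, months=MONTHS):
    """index_risk_score = number_issues * blended_score * σblended."""
    number_issues, blended_score, sigma_blended = trending_variables(records, months)
    return number_issues * blended_score * sigma_blended


if __name__ == "__main__":
    n, b, s = trending_variables(RECORDS, MONTHS)
    print(f"issues/month={n:.3f} blended={b:.3f} sigma={s:.3f} "
          f"index_risk_score={index_risk_score(RECORDS):.3f}")
```

Note that the product rewards volatility as well as volume: a technology whose findings swing between low and high blended scores gets a larger σblended, and therefore a larger indexed score, than one with the same count and mean but uniformly rated findings.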
The adjusted indexed risk score for each technology may then be projected over a subsequent time duration (e.g., the next 6 months) to forecast the technology behavior (which may be referred to as time to lemon). The forecast may be based on an assumed worst case behavior. The forecasted behavior (lemon value) is referred to as the forecasted technology risk score 602 as shown in
Referring to
With some embodiments, different smoothing methods may be used for forecasting the behavior of the different technologies based on their historical trends. Different trending procedures include log linear trending, damped trend exponential smoothing, mean trending, linear trending, and linear exponential smoothing. Different technologies typically exhibit different degrees of volatility (variation) over time, and consequently trending for different technologies may utilize different trending procedures. For example,
The graphs shown in
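The following is an added example (not code from the disclosure) that implements two of the trending procedures named above, linear trending and damped trend exponential smoothing, projects a technology's adjusted indexed risk score six months ahead, and takes the worst case over the window as the lemon value. The two monthly histories, the smoothing parameters, and the rule of choosing the procedure by the series' coefficient of variation are assumptions; the text only says that more volatile technologies may warrant a different procedure.

```python
"""Six-month forecast of a technology's adjusted indexed risk score.

Added example, not code from the original disclosure. Implements linear
trending and damped trend exponential smoothing and selects between them by
volatility; the monthly series, the smoothing parameters (alpha, beta, phi)
and the volatility cutoff are assumptions.
"""
from statistics import mean, pstdev

# Constructed 12-month histories of adjusted indexed risk scores.
STEADY = [1.2, 1.3, 1.3, 1.4, 1.5, 1.5, 1.6, 1.7, 1.7, 1.8, 1.9, 2.0]
VOLATILE = [0.5, 2.9, 0.8, 3.4, 1.1, 0.3, 3.8, 1.6, 0.4, 2.7, 3.9, 0.9]
HORIZON = 6  # months to project, as in the text's example


def linear_trend(series, horizon):
    """Ordinary least-squares line through (t, y), extrapolated `horizon` steps."""
    n = len(series)
    t = list(range(n))
    tm, ym = mean(t), mean(series)
    slope = (sum((ti - tm) * (yi - ym) for ti, yi in zip(t, series))
             / sum((ti - tm) ** 2 for ti in t))
    intercept = ym - slope * tm
    return [intercept + slope * (n + h) for h in range(horizon)]


def damped_trend(series, horizon, alpha=0.5, beta=0.3, phi=0.9):
    """Holt's linear method with damping factor phi (0 < phi < 1): the trend
    contribution to the forecast is phi + phi^2 + ... + phi^h instead of h."""
    level, trend = series[0], series[1] - series[0]
    for y in series[1:]:
        prev_level = level
        level = alpha * y + (1 - alpha) * (prev_level + phi * trend)
        trend = beta * (level - prev_level) + (1 - beta) * phi * trend
    forecasts, damp = [], 0.0
    for h in range(1, horizon + 1):
        damp += phi ** h
        forecasts.append(level + damp * trend)
    return forecasts


def volatility(series):
    """Coefficient of variation of the history."""
    return pstdev(series) / mean(series)


def forecast(series, horizon=HORIZON, cv_cutoff=0.3):
    """Pick a trending procedure by volatility (cutoff is an assumed policy
    value) and return (method, forecasts, lemon). The lemon value is the
    worst case, i.e. the maximum, over the forecast window."""
    if volatility(series) < cv_cutoff:
        method, fc = "linear", linear_trend(series, horizon)
    else:
        method, fc = "damped", damped_trend(series, horizon)
    return method, fc, max(fc)


if __name__ == "__main__":
    for name, hist in (("steady", STEADY), ("volatile", VOLATILE)):
        method, fc, lemon = forecast(hist)
        print(f"{name:8s} cv={volatility(hist):.2f} method={method:7s} "
              f"lemon={lemon:.3f} forecasts={[round(x, 2) for x in fc]}")
```

A plain linear fit on a volatile series would extrapolate whatever slope the last few spikes happen to imply; damping the trend keeps the worst case bounded, which is why the volatile series is routed to the damped procedure here.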
Risk-reward assessment links risk and profitability objectives to improve strategic capital decisions and profitability objectives. Efficient risk-reward assessment assists in providing better business decisions by enabling an organization to reduce costs by enhancing existing risk functions and enabling comprehensive standardization of processes, systems, and data. Embedding an effective risk and reward framework into the key transactions may help the organization to successfully satisfy long-term business objectives in a cost-effective way by taking the right risk to obtain the right reward.
With some embodiments, a data collection identifies the type of risks, the nature and measure of the impact, and the probability and the control effectiveness within the environment. The results of the collection may be used to determine which risks are not a concern, which are within tolerance, which need to be addressed for possible alternatives within the organization, and which outweigh the expected reward.
With some embodiments, a risk-reward assessment for a technology is modeled based on four variables. The first variable is used to measure the risk, while the other three variables are used to assess the reward.
With some embodiments, the risk-reward assessment may be based on the Sharpe ratio, which is a measure of the excess return (or risk premium) per unit of risk for an investment asset. The Sharpe ratio is defined as:
S(X) = (r_X − R_f) / σ(r_X) EQ. 4
where S(X) is the Sharpe ratio for technology X treated as an investment, r_X is the average asset return for technology X, R_f is the return of the benchmark asset, and σ(r_X) is the standard deviation of r_X.
Cost of remediation 1102 may be referred to as the reward component because some embodiments may consider factors not limited only to the cost of remediation or patching but may also include vendor support and complexity.
While embodiments of the invention assess the risk level of technologies 401, some embodiments establish an objective and systematic approach for weighing the potential reward by evaluating relative risk of a given technology across the entire technology portfolio of the organization. For example, one technology may have more risk than another but may also offer a greater reward.
Cost of remediation 1102 may be used to measure the reward when using the Sharpe ratio.
With some embodiments, the cost of remediation may be the same as the cost of maintaining a technology in an organization. Consequently, the more prevalent a technology is, the higher the cost of maintenance will be. In this context, this variable is used as a reward factor to understand and compare the potential saving that may be obtained by calling out or eliminating a technology with a high maintenance cost (keeping the risk factor into consideration). For example, technologies ABC and XYZ are both similar products and both have low risk scores. However, the costs of remediation (or cost of maintenance/reward) for technologies ABC and XYZ are high and medium, respectively. When mapped on a risk/reward scale, the strategic decision when comparing the cost factors is to choose technology XYZ.
Cost of remediation 1102 for each technology is generated by giving ⅓ weight each to cost of patching, complexity, and vendor support. To assess the final output scores, a Sharpe ratio equivalent may be used to understand how well the return of a technology compensates for the risk taken (historical data justified on the basis of predicted relationships). With some embodiments, the Sharpe ratio equivalent is determined by dividing cost of remediation 1102 by the indexed risk score (as previously discussed) for the technology and is used to determine the reward score associated with the technology. The Sharpe ratio may be used to fine-tune the reward score, in which the Sharpe ratio ensures that the approach is statistically consistent. In general, the higher the Sharpe ratio score, the greater the reward of the technology in the organization's environment.
The statistical distributions of the risk and reward scores may be analyzed to further assess the risk-reward relationship of technologies 401. For example, categories for the risk level and the reward level may each be partitioned by determining the corresponding mean level and the corresponding standard deviation of each. The low, medium, and high categories include scores less than M−σ, between M−σ and M+σ, and greater than M+σ, respectively, where M is the mean score for technologies 401.
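The following is an added example (not code from the disclosure) that carries the risk-reward assessment through for a constructed portfolio: the equal-weighted cost of remediation, the Sharpe ratio equivalent (cost of remediation divided by the indexed risk score), and the three-way M±σ banding of both the risk and the reward scores. The technologies, their indexed risk scores, and the 1..5 scale for the three reward components are assumptions; the ⅓ weights and the division rule are the text's.

```python
"""Risk versus reward: cost of remediation, Sharpe-ratio equivalent, banding.

Added example, not code from the original disclosure. The equal 1/3 weights
and reward = cost_of_remediation / indexed_risk_score are from the text; the
portfolio, its indexed risk scores and the 1..5 component scale are
constructed assumptions.
"""
from statistics import mean, pstdev

# Constructed portfolio: indexed risk score plus the three reward components,
# each on an assumed scale from 1 (cheap/simple/well supported) to 5.
PORTFOLIO = {
    "ReaderLikeViewer": {"risk": 3.3, "patch_cost": 4, "complexity": 3, "vendor_support": 2},
    "BrowserA":         {"risk": 1.1, "patch_cost": 2, "complexity": 2, "vendor_support": 1},
    "DbDriver":         {"risk": 0.4, "patch_cost": 1, "complexity": 1, "vendor_support": 1},
    "OfficeSuite":      {"risk": 2.0, "patch_cost": 3, "complexity": 4, "vendor_support": 2},
    "ArchiverX":        {"risk": 4.8, "patch_cost": 5, "complexity": 5, "vendor_support": 5},
}


def cost_of_remediation(t):
    """Equal-weighted (1/3 each) blend of patching cost, complexity and vendor support."""
    return (t["patch_cost"] + t["complexity"] + t["vendor_support"]) / 3.0


def sharpe_equivalent(t):
    """Reward per unit of risk: cost of remediation divided by the indexed risk score."""
    if t["risk"] <= 0:
        raise ValueError("indexed risk score must be positive")
    return cost_of_remediation(t) / t["risk"]


def band(scores):
    """Three-way split against the portfolio: low < M-σ, medium [M-σ, M+σ], high > M+σ."""
    m, s = mean(scores.values()), pstdev(scores.values())
    return {k: ("low" if x < m - s else "high" if x > m + s else "medium")
            for k, x in scores.items()}


def risk_reward(portfolio=PORTFOLIO):
    """Score and band every technology on both axes."""
    risk = {k: v["risk"] for k, v in portfolio.items()}
    reward = {k: sharpe_equivalent(v) for k, v in portfolio.items()}
    risk_bands, reward_bands = band(risk), band(reward)
    return {k: {"risk": risk[k], "reward": round(reward[k], 3),
                "risk_band": risk_bands[k], "reward_band": reward_bands[k]}
            for k in portfolio}


if __name__ == "__main__":
    for name, row in risk_reward().items():
        print(f"{name:18s} risk={row['risk']:.1f} ({row['risk_band']:6s}) "
              f"reward={row['reward']:.3f} ({row['reward_band']})")
```

Because the denominator is the indexed risk score, a technology whose score approaches zero would produce an unbounded reward; the guard raises rather than silently ranking such a technology first, and a practitioner would want to decide explicitly how an unscored or zero-finding technology is treated.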
Aspects of the embodiments have been described in terms of illustrative embodiments thereof. Numerous other embodiments, modifications and variations within the scope and spirit of the appended claims will occur to persons of ordinary skill in the art from a review of this disclosure. For example, one of ordinary skill in the art will appreciate that the steps illustrated in the illustrative figures may be performed in other than the recited order, and that one or more steps illustrated may be optional in accordance with aspects of the embodiments. They may determine that the requirements should be applied to third party service providers (e.g., those that maintain records on behalf of the company).