Editor's note: Over the past year, HP's Enterprise Security Services (HP ESS) business has begun offering a new Security Analytics service to its customers. The University of Nottingham's IT center, for example, is using the product to help the university make better decisions about maintaining the security of its large IT network. With HP Labs' security analytics research now commercialized, it is ready to take on the cloud.
The Security Analytics research team, left to right: Yolanta Beres,
Brian Monahan, Marco Casassa-Mont,
Simon Shiu, Richard Brown, Jonathan Griffin, Gareth Gale, and
Stephen Crane.
By Simon Firth
[Figure: the process from pilot modeling to results]
Over the
past year, HP's Enterprise Security Services (HP ESS) business has
begun offering a new Security Analytics service to its customers.
The University of Nottingham's IT center, for example, is using the
product to make better decisions when it comes to maintaining the
security of the institution's large IT network.
Employing
Security Analytics "changed the way we think about information
security," says Paul Kennedy, Group Leader for Security
& Compliance at the university.
The HP ESS
service is based on research undertaken at HP's Cloud and Security
Lab and represents an effort to set security planning on a more
rigorous, scientific foundation, says Simon Shiu, who leads HPL's
security research.
With
businesses increasingly dependent on IT and also facing both
elevated security threats and ever tighter budgets, chief
information security officers are under severe pressure to align
their security policies and investments with business priorities
and risks. But that's more difficult than it sounds, Shiu argues,
as traditional approaches that identify assets and vulnerabilities
can quickly get divorced from the complex and dynamic IT
environment in which those risks actually exist.
In response,
Shiu and his colleagues have developed a way of modeling risks in
the context of the complex systems in which they occur. Even in the
discrete area of patching, for example, where software updates are
issued to address newly discovered vulnerabilities, there are many
concurrent processes and events occurring: vulnerabilities being
discovered, malware spreading, patches being released, tested and
deployed, anti-virus signatures being released and deployed, and so
on.
The HP Labs
models simulate such complex interactions and, as a result, offer
security professionals a better understanding of the trade-offs
they're making in prioritizing one approach to securing their
networks over another. In addition, these models let IT managers
explain their assumptions and decisions to other stakeholders, and
also justify why they want to undertake a particular action to the
executives in charge of their budgets.
The
challenge of understanding how best to approach risk is a growing
one, notes Shiu. As IT provision moves into the cloud, security
managers will be relying more and more upon services that they
don't necessarily own or control. In this newly complex and highly
dynamic security environment, Shiu predicts, their need for clarity
in approaching security risk is likely only to increase.
Analyzing security trade-offs
In moving
towards a more scientific approach to risk analysis, the HP team
first needed to understand how businesses themselves understand
risk and how that understanding shapes the way in which they invest
in security.
A lot of
what security managers do, the team soon realized, revolves around
making trade-offs between different courses of action.
"In
patching, for example," says Shiu, "one trade off is between
patching aggressively and routinely affecting 'planned' service
levels or relaxing patching processes and then running a greater
risk of emergencies and 'unplanned' service disruptions. Beyond
this there are trade-offs between the kind of mitigation and
disruption you get with patching, versus relying on signatures,
gateways and user policies."
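The two trade-offs Shiu describes, and the concurrent processes the earlier paragraph lists (patch release, malware appearance, signature release, testing and deployment), can be made concrete with a small simulation. What follows is an added example written for this page; it is not HP's Security Analytics model or any HP code. For each vulnerability it draws the delays to patch release, exploit appearance and signature deployment as random variables, applies four patching policies to the same seeded stream of vulnerabilities, and reports exposure days against planned-window load and out-of-band changes. Every rate (mean 7 days to a vendor patch, 20 days to an exploit, 2 days to signatures), cadence and coverage figure is an assumed illustrative value, not a number from the article.

```python
import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """A patching policy. All parameter values are assumed illustrative values."""
    name: str
    cadence_days: float                     # interval between planned deployment windows
    test_days: float                        # testing time before a patch may enter a window
    emergency_delay_days: Optional[float]   # None: never break cadence; else deploy out of band
                                            # this many days after malware is seen (and a patch exists)
    signature_coverage: float               # fraction of exposure removed once AV signatures are deployed


@dataclass(frozen=True)
class Outcome:
    exposure_days: float   # days malware is live against an unpatched, unmitigated estate
    out_of_band: int       # 1 if the patch went in outside a planned window


def simulate_one(policy: Policy, rng: random.Random) -> Outcome:
    """One vulnerability's timeline, in days after public disclosure (constructed delays)."""
    t_release = rng.expovariate(1 / 7.0)                # vendor patch becomes available
    t_exploit = rng.expovariate(1 / 20.0)               # malware exploiting the bug appears
    t_signature = t_exploit + rng.expovariate(1 / 2.0)  # AV signatures released and deployed
    # Planned path: the patch is tested, then waits for the next scheduled window.
    eligible = t_release + policy.test_days
    t_planned = math.ceil(eligible / policy.cadence_days) * policy.cadence_days
    t_deploy, out_of_band = t_planned, 0
    # Emergency path: once malware is seen, deploy out of band if that beats the window.
    if policy.emergency_delay_days is not None and t_exploit < t_planned:
        t_emergency = max(t_exploit, t_release) + policy.emergency_delay_days
        if t_emergency < t_planned:
            t_deploy, out_of_band = t_emergency, 1
    # Exposure: from exploit appearance to deployment, discounted once signatures land.
    exposure = 0.0
    if t_exploit < t_deploy:
        exposure += min(t_signature, t_deploy) - t_exploit
        if t_signature < t_deploy:
            exposure += (t_deploy - t_signature) * (1.0 - policy.signature_coverage)
    return Outcome(exposure, out_of_band)


def simulate(policy: Policy, n: int = 2000, seed: int = 1) -> dict:
    """Mean outcomes over n independent vulnerabilities for one policy."""
    rng = random.Random(seed)
    runs = [simulate_one(policy, rng) for _ in range(n)]
    return {
        "mean_exposure_days": sum(r.exposure_days for r in runs) / n,
        "out_of_band_rate": sum(r.out_of_band for r in runs) / n,
        "planned_windows_per_year": 365.0 / policy.cadence_days,
    }


# The courses of action contrasted in the text (parameter values are assumptions).
POLICIES = [
    Policy("aggressive", cadence_days=7, test_days=1, emergency_delay_days=1, signature_coverage=0.0),
    Policy("relaxed", cadence_days=30, test_days=5, emergency_delay_days=None, signature_coverage=0.0),
    Policy("relaxed+signatures", cadence_days=30, test_days=5, emergency_delay_days=None, signature_coverage=0.8),
    Policy("relaxed+emergency", cadence_days=30, test_days=5, emergency_delay_days=2, signature_coverage=0.0),
]


def compare(n: int = 2000, seed: int = 1) -> dict:
    """Run every policy against the same seeded stream of vulnerabilities (common random numbers)."""
    return {p.name: simulate(p, n, seed) for p in POLICIES}


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:20s} exposure={s['mean_exposure_days']:6.2f} days/vuln  "
              f"out-of-band={s['out_of_band_rate']:.2f}  windows/yr={s['planned_windows_per_year']:.0f}")
```

Under these assumptions the aggressive policy buys its lower exposure with roughly four times as many planned windows, while relying on signatures or on out-of-band emergency patching recovers much of that reduction without touching the cadence, which is the shape of the trade-off quoted above. The numbers mean nothing outside the assumed rates; the point is that once the concurrent processes are written down, the comparison is driven by the structure of the model rather than by intuition.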
The HP
researchers developed these insights into a set of decision models
which they tested in pilot programs with a major financial services
company and a large public sector client.
As a result,
says Shiu, "rather than thinking about their environment in the
abstract, the security analysts in these organizations started to
engage with the model and think about their strategy and the
tradeoffs they were making."
"The
process," Shiu notes, "gave them a way to justify their decisions
to people who were not the same kind of stakeholders, and who
didn't have the same kind of expertise as them."
The pilots
were so successful that models for two kinds of security analysis –
vulnerability threat management and identity and access management
– were swiftly transferred to HP's Information Security business
and made available to clients like Nottingham
University.
Employing
HP's Security Analytics models "showed us risk reduction
opportunities we hadn't considered before and allowed us to see
clearly where extra investment would gain us the most value,"
reports Nottingham's Paul Kennedy. "Equally importantly," he adds,
"it highlighted simple process and policy changes that would have a
big impact on our risk profile and pinpointed solutions that were
'good enough' and that we shouldn't focus any further time or
resources on."
Towards a science of security
Concurrent
with their pilot modeling, the Labs team was researching how they
might apply and integrate techniques from economics, psychology and
human behavior into their modeling approach.
This led
them to assemble a major research proposal for a project, called
Trust Economics that would bring together cognitive scientists,
psychologists, human behavior experts and economists from Bath
University, Newcastle University and University College London,
with HP's own researchers and security executives from Merrill
Lynch and National Grid.
Led by HP
researcher David Pym, now a professor at Aberdeen University, the
project was awarded a major grant in 2009 by the U.K.
government-backed Technology Strategy Board and was
completed this summer. It generated multiple research papers on topics
spanning human behavior, the economics of decision making, and
mathematical modeling as well as a number of notable case studies
of security decision making.
Security in the age of the cloud
As the Trust
Economics project neared completion, however, it became clear that
the environment in which IT security planning takes place was
rapidly changing.
In
particular, says Shiu, "We saw that the move to Cloud computing is
completely disrupting the old lifecycle. You're now procuring IT
from a supply chain rather than controlling it, and the threat
environment is much more severe."
Where IT
managers once owned and controlled both their IT systems and the
information contained in them, they were now increasingly reliant
on multiple service providers to run their systems and manage that
information. In consequence, says Shiu, it makes better sense to
think about the whole system in which the information is residing –
and as a result security becomes less a question of ownership and
control than one of securing the proper stewardship of that
information by others.
That's both
a more complicated problem and a situation where it's even less
wise to base your security planning and decision making on standard
practices, the HP team felt. But it was still amenable to modeling,
they believed, if they could better understand how people behave in
this new environment.
To that end,
Shiu's group, again working with David Pym, have launched a second
research project, called Cloud Stewardship Economics, also funded
by the Technology Strategy Board. It brings together economists
from Bath and Aberdeen universities, the Institute of Information
Security Professionals, the companies Validsoft, Sapphire, and
Marmalade Box and insurer Lloyd's of London in order to investigate
the economics of security decisions in a cloud
environment.
A major
project focus is to treat the shift to cloud computing as a shift
towards a complex eco-system of differently incentivized providers
and consumers. By modeling the whole eco-system, and exploring both
known and expected behaviors, the project aims to uncover potential
information stewardship problems, and to help the different
stakeholders (large and small enterprises, service providers and
regulators) form strategies to improve overall security
management.
In time,
it's likely that these models will also migrate into HP's business
units. In the nearer term, Shiu hopes to test them soon in
workshops where players from across the cloud security landscape –
in particular CIOs who are migrating, or planning to migrate, to
cloud-based systems – will be invited to think in more depth about
how to approach risk analysis and decision making in the
cloud.
The wider HP Labs security research
agenda
Risk
analysis is just one phase in the much broader lifecycle of
analysis, decision making, procurement, operations, monitoring, and
then auditing of IT security.
"It's a cycle with which we see more and more
organizations struggling," says Shiu, "and we're asking what
difference can we make to it with our technology
research?"
That's led
HP's Cloud and Security Lab to also pursue research in trusted
infrastructure (in particular, creating trusted virtualized
platforms and exploiting them for better security management) and
in the area of situational awareness.
Overall,
says Shiu, "we are trying to seed some things out there that show
how we can be more rigorous and scientific in our approach to
security management."
Original article: http://www.hpl.hp.com/news/2011/oct-dec/security_analytics.html