Security Analytics: Analysis of Security Policies for Vulnerability Management

In this paper we present a novel approach of using mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, we investigate vulnerability management policies, and explore how effective standard patch management and emergency escalation based policies are, and how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window. To achieve that we have examined the current practices across several large organizations, and based on this we construct the model of external events and of internal decision points and security processes that the vulnerability management consist of. We show, based on the experimental simulations, how changes in various internal parameters of the model, such as the patching timeline and the effectiveness of early mitigation measures affect the overall exposure window in terms of the time it takes to reduce the potential risk. This enables further analysis of the trade off between investing in improving patching processes, versus adding more mitigation mechanisms that can be put into effect earlier. We believe that this type of mathematical modelling and simulation-based approach provides a novel and useful way of considering security investment decisions, which is quite distinct from traditional risk analysis. External Posting Date: September 30, 2008 [Fulltext] Approved for External Publication Internal Posting Date: September 30, 2008 [Fulltext] To be published in Annual Computer Security Applications Conference, ACSAC 2008 © Copyright ACSAC 2008