Thesis: Improving security incident management in multinational IT service providers
From Software Business Community
Improving Security Incident Management in Multinational IT Service Providers
by Christian Frühwirth, 2008
Keywords
IT Security, Incident management, SOX, COBIT, ITIL, IPS, IDS, Case Study
Abstract
The realities of information security have changed tremendously in this decade, and the expectations on today’s IT security management have gone beyond providing plain physical security. Today, security management is increasingly under pressure from three factors: 1.) attacks on IT systems have increased in number and sophistication, 2.) legal regulations like the Sarbanes-Oxley (SOX) act call for standardized security processes and audits, and 3.) management wants to regain control over security business processes and costs. Improving IT security management means tackling all three factors.
To deal with evolved attacks, a new generation of event-based intrusion detection systems is needed. On the legislative side, improvements come from the implementation of industry standard frameworks which facilitate compliance audits. Security business processes can be improved by reengineering them to take advantage of 1.) advanced intrusion detection tools, 2.) standard frameworks for legal compliance and 3.) intelligent security management software tools.
This work studies an IT security business process at a multinational IT service provider, the Mobilkom Austria Group, and evaluates its compliance with the industry standard frameworks COBIT and ITIL. The study uses a survey to document the actual work practices at the IT service provider and comparable international corporations. Previously informal process descriptions are formalized and metrics are established to document the current security management baseline.
Proposals for performance improvements are developed by analyzing the formalized processes, the stakeholders’ goals and comparing the actual process status with these goals. Performance is measured in terms of a) execution time and b) execution costs for each process. Stakeholder requirements are gathered via structured interviews with company representatives, CIOs and network security staff.
The result of the analysis is used to configure and deploy a next-generation intrusion detection and incident management tool, the Cisco-built “Monitoring, Analysis and Response System” (MARS). Cisco MARS uses event correlation to identify multi-stage security incidents and is able to trigger incident handling processes. The MARS configuration is adapted to fulfill stakeholder requirements as well as to comply with the legal regulations of the SOX act.
The IT security management business process is reviewed and adapted to take advantage of the new incident management system. Process reengineering is used to further align the processes with the COBIT and ITIL frameworks and facilitate independent security audits.
All analysis and work results are compiled into a best-practice integration plan for companies facing similar challenges as the assessed IT service provider. A final evaluation compares the company’s previous baseline of incident handling processes with the improved version.
Conclusion
Information security management in corporate environments has evolved rapidly in the last years. This work showed the implications which the challenges of new, more rigorous legislation, the involvement of senior management, increasingly complex threats and skyrocketing costs have on the improvement of IT security management.
Most organizations faced these challenges for a long time by heavily investing in security staff, until they were finally out-scaled by the costs and complexity of the issues at hand. Governments and the academic community have addressed the problems and developed a series of frameworks aimed at regaining control of security issues from an organizational perspective. These frameworks enabled standardized security process audits and easier compliance with legal regulations, and were quickly embraced by the senior management of international organizations.
This work conducted a case study in a typical multinational IT service provider company which had just decided to implement two of the frameworks: ITIL and COBIT, to improve their security management practices. While the company’s management was mainly concerned about the legal and organizational issues of information security, the technicians on the production level faced severe problems meeting the requirements of the new frameworks in their daily work. Their current security processes were inadequately supported by software tools and the workflow did not comply with the frameworks’ specifications.
The case study set out to improve the one security process which conflicted most with the new frameworks: the incident management process. A pilot study showed that most organizations had such a process in place, but the practitioners in the case study company were unhappy with its performance. A requirements analysis was used to identify the main problems and align them with the company’s change capabilities. The change capabilities were to reengineer the process, hire additional staff, improve the existing software tools or purchase new tools.
Even though security management is generally an organizational issue, most of the incident management process’ performance problems were traced back to inadequate tool support. The existing tools were far too numerous, difficult to use and did not comply with the new legislation. Thus, the process performance improvement could not come from process redesign alone, but instead from an in-depth integration of powerful tool support into a newly designed business process. Hence, the case study company decided to invest in a new class of security management tools.
However, not all security management processes can equally benefit from this strong emphasis on tool support. Among all ITIL processes, incident management was identified to benefit the most from software tools, while others, like configuration management, benefit less [16]. Organizations which choose to improve a particular security management process have to evaluate the impact of these different change capabilities: investing in tool support is not always the best solution and, in any case, needs to be accompanied by adjustments in the concerned business processes.
Business process adjustments should be carefully planned and based on a realistic view of the available IT capabilities. Eliciting IT capabilities means more than just taking a look at a system’s specification sheet. As the pilot and case study showed, a security system’s advertised capabilities differ widely from those which are actually available in daily business. Thus, deploying new security systems before the actual process redesign can improve the performance of the new process by providing more realistic input to the redesign phase.
During an incident management process redesign, the ITIL framework provides a solid basis for the new process. It needs, however, some adaptation to the context of the particular company. The case study company was suffering from an increasing number of minor security incidents which used up valuable resources in the security department. Skilled security staff is costly and needs a long training time; thus, minor incidents which do not require the full skill set of a security professional were assigned to the company helpdesk after the process redesign. Provided the proper process and tool support is available, helpdesk agents can significantly reduce the security department’s workload and boost the process performance.
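The abstract states that MARS uses event correlation to identify multi-stage security incidents and trigger incident handling, and the paragraph above describes routing minor incidents to the helpdesk while the security department keeps the ones that need its skills. The following is an added illustration of both ideas, not code from the thesis, from the case study company, or from Cisco MARS: it groups constructed syslog-like events by source address inside a time window, recognizes an assumed three-stage pattern (reconnaissance, brute-force authentication failures, successful login), rates the resulting incident and assigns it to a queue. The event format, the stage names, the failure threshold, the ten-minute window and the severity-to-queue mapping are all assumptions chosen for the example.

```python
"""Minimal event correlation and incident routing (added example; not the
thesis's, the company's, or Cisco MARS's code). Events from one source that
arrive within a time window form one candidate incident; the stages seen in
that window decide severity and the queue the incident is assigned to."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample input in an assumed format:
# "<ISO timestamp> <sensor> <event_type> src=<ip> dst=<ip>"
SAMPLE_EVENTS = """\
2008-03-01T09:00:05 ids PORTSCAN src=10.1.1.50 dst=10.1.2.10
2008-03-01T09:02:10 host AUTH_FAIL src=10.1.1.50 dst=10.1.2.10
2008-03-01T09:02:12 host AUTH_FAIL src=10.1.1.50 dst=10.1.2.10
2008-03-01T09:02:15 host AUTH_FAIL src=10.1.1.50 dst=10.1.2.10
2008-03-01T09:02:40 host AUTH_OK src=10.1.1.50 dst=10.1.2.10
2008-03-01T09:30:00 host AUTH_FAIL src=10.1.1.77 dst=10.1.2.20
2008-03-01T09:30:03 host AUTH_FAIL src=10.1.1.77 dst=10.1.2.20
2008-03-01T09:30:07 host AUTH_OK src=10.1.1.77 dst=10.1.2.20
2008-03-01T13:00:00 ids PORTSCAN src=10.1.1.50 dst=10.1.2.30
"""

AUTH_FAIL_THRESHOLD = 3          # assumed: fewer failures look like typos, not brute force
WINDOW = timedelta(minutes=10)   # assumed: a longer gap starts a new candidate incident


@dataclass
class Event:
    ts: datetime
    sensor: str
    kind: str
    src: str
    dst: str


@dataclass
class Incident:
    src: str
    first_seen: datetime
    last_seen: datetime
    stages: list = field(default_factory=list)   # distinct stages, in order of appearance
    auth_failures: int = 0
    severity: str = "low"
    assignee: str = "helpdesk"


def parse_events(text):
    """Parse the constructed line format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, kind, src, dst = line.split()
        events.append(Event(datetime.fromisoformat(ts), sensor, kind,
                            src.split("=", 1)[1], dst.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def classify(inc):
    """Assumed routing: only incidents that need a security professional leave the helpdesk."""
    if "access" in inc.stages:
        inc.severity, inc.assignee = "high", "security-team"
    elif "bruteforce" in inc.stages:
        inc.severity, inc.assignee = "medium", "security-team"
    else:
        inc.severity, inc.assignee = "low", "helpdesk"
    return inc


def correlate(events, window=WINDOW):
    """Correlate per-source events into incidents; sessions with no stage are dropped."""
    sessions, open_by_src = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        inc = open_by_src.get(ev.src)
        if inc is None or ev.ts - inc.last_seen > window:
            inc = Incident(ev.src, ev.ts, ev.ts)
            open_by_src[ev.src] = inc
            sessions.append(inc)
        inc.last_seen = ev.ts
        stage = None
        if ev.kind == "PORTSCAN":
            stage = "recon"
        elif ev.kind == "AUTH_FAIL":
            inc.auth_failures += 1
            if inc.auth_failures >= AUTH_FAIL_THRESHOLD:
                stage = "bruteforce"
        elif ev.kind == "AUTH_OK" and inc.stages:
            # A plain successful login is normal; it only counts as the
            # "access" stage when an earlier stage already exists in the session.
            stage = "access"
        if stage and stage not in inc.stages:
            inc.stages.append(stage)
    return [classify(s) for s in sessions if s.stages]


def summarize(incidents):
    return [(i.src, i.stages, i.severity, i.assignee) for i in incidents]


if __name__ == "__main__":
    for row in summarize(correlate(parse_events(SAMPLE_EVENTS))):
        print(row)
```

On the sample input the first burst from 10.1.1.50 correlates into one high-severity incident with all three stages and goes to the security team, the two failures followed by a login from 10.1.1.77 stay below the threshold and produce no incident, and the isolated afternoon scan from 10.1.1.50 falls outside the window, becomes a separate low-severity incident and lands in the helpdesk queue. The window and threshold are the "variation points" such a process needs: raising them reduces helpdesk noise, lowering them catches slower attempts at the cost of more tickets.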
The evaluation of the improved process in the case study company pointed out the following critical success factors for an incident management process:
- Ensure the process follows applicable legal and best practice guidelines (SOX, ITIL, COBIT, etc.; do not re-invent the wheel!)
- Ensure the process’ output corresponds with the stakeholder goals (in most cases: restore service availability)
- Provide variation points in the process to make it scalable when needed.
- Distribute tasks among individual roles but be clear about the process ownership.
- Ensure the roles have all required permissions to do their job, or know how to acquire them when needed.
- Provide integrated tool support for all activities and decisions throughout the process.
- Ensure a single reporting format is used throughout the process.
- Provide all roles with the means to access a single incident data repository with various levels of detail.
- Provide means for real time monitoring of the process progress.
- Provide a wrapper for the individual security tools to reduce complexity.
- Ensure timely notification of all stakeholders who are affected by the incident.
- Provide an incident communication plan and define key contact persons at all hierarchy levels.
Even so, there is no guarantee for complete success. Frameworks like the COBIT and ITIL frameworks used here can only provide guidelines for process reengineering. Still, much relies on the skills of the individual security professional. The professional’s performance is often diminished by inadequate tools, management overhead and the occupation with low-priority tasks.
The inadequate tools will remain a problem in the foreseeable future because the complexity of ever larger networks, security systems and threats is an increasing challenge even for the most state-of-the-art security management systems.
The issue of management overhead has been nearly solved by many organizations which have used frameworks like ITIL for a longer period of time and, through learning effects, reduced the overhead. Furthermore, the lively research in the area of agile business processes will eventually lead to more practitioner-oriented processes and improvements in the frameworks.
The prioritization of tasks in security management, and therefore the occupation of security professionals, depends entirely on the company’s security policy. Most organizations employ value-neutral policies which consider threats to information integrity, confidentiality and availability equally important. However, this clearly contradicts the approach of most security stakeholders in real life. Most of them differentiate between threats and apply business- or value-based models to rank the importance of security factors. A value-based security policy would allow an organization, and in the end the security professionals, to base their decisions, actions and investments on what is ultimately best for their business.
A lot of research has been done on security management, and the scientific community enjoys a vivid interdisciplinary exchange of ideas in this field. Computer science and mathematics have substantially contributed to the development of advanced incident management systems, like the event correlation engine used in the case study company’s MARS system. Management science has provided the basis for the process reengineering work and established the ITIL and COBIT guidelines. There are countless other disciplines that affect security management today, and they will continue to shape successful research in the area.
As of today, I see future work in security management heading in three directions:
- Towards unified legislative frameworks, which will enable the standardization of security management and audits across domain-, organizational- and national borders.
- Towards agile and scalable business processes, which will enable businesses to adapt to and deal with the increasing number of threats.
- Towards advanced security management tools, which will put the security professionals’ skills to optimal use by enabling them to orchestrate an organization’s security systems from top to bottom.
Although the realities in information security have changed, organizations have changed with them, and security management has emerged from the shallows of software and network engineering and risen to the realm of corporate strategy management.
In the future, the importance of security management will continue to grow as we become more dependent on the around-the-clock availability of information, rely on its integrity and hope for its confidentiality to keep our business running.
References
1 Wayne C. Booth, Gregory G. Colomb, Joseph M. Williams. 2002. “The Craft of Research”. B&T, Second Edition. [Book]
2 Matt Bishop. 2004. “Introduction to Computer Security”. Addison-Wesley Longman, Amsterdam. [Book]
3 Shon Harris. 2006. “CISSP Certification All-in-one Exam Guide”. McGraw-Hill Professional, Third Edition. [Book]
4 David Luckham. 2005. “The Power of Events: An Introduction to Complex Event Processing in Distributed Enterprise Systems”. Addison-Wesley Longman, Amsterdam. [Book]
5 Bin Chen, Joohan Lee, Annie S. Wu. 2006. “Active Event Correlation in Bro IDS to Detect Multi-stage Attacks”. 4th IEEE International Workshop on Information Assurance (IWIA 06).
6 Masum Hasan, Binay Sugla, Ramesh Viswanathan. 1999. “A Conceptual Framework for Network Management, Event Correlation and Filtering Systems”. Proceedings of the Sixth IFIP/IEEE International Symposium on Integrated Network Management.
7 Neubauer, Klemen, Biffl. 2005. “Business Process-based Valuation of IT-Security”. Proceedings of the Seventh International Workshop on Economics-driven Software Engineering Research (EDSER 05).
8 Andy Ju An Wang. 2005. “Information Security Models and Metrics”. ACM Southeast Regional Conference, Proceedings of the 43rd Annual Southeast Regional Conference.
9 Mohammad Saad Saleh, Abdullah Alrabiah, Saad Haj Bakry. 2007. “Using ISO 17799:2005 Information Security Management: A STOPE View with Six Sigma Approach”. International Journal of Network Management, Volume 17, Issue 1.
10 Thomas H. Davenport, Short. 1992. “Process Innovation: Reengineering Work Through Information Technology”. Harvard Business School Press. [Book]
11 Privacy Rights Clearinghouse. 2008. “A Chronology of Data Breaches”. Available at: http://www.privacyrights.org/ar/ChronDataBreaches.htm, visited Jan. 2008. [Online]
12 Sandeep Kumar, Eugene H. Spafford. 1994. “An Application of Pattern Matching in Intrusion Detection”. CiteSeer Number 94-01. Available at: citeseer.ist.psu.edu/article/kumar94application.html. [Online]
13 Steven Noel, Eric Robertson, Sushil Jajodia. 2004. “Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances”. 20th Annual Computer Security Applications Conference (ACSAC 04), pages 350-359.
14 Anton Chuvakin. 2004. “Security Event Analysis through Correlation”. Information Security Journal: A Global Perspective, Volume 13, Issue 2, May 2004, pages 13-18.
15 SonicWALL Inc. 2007. “High Tower Security Event Management Solutions by Sonic Guard”. Available at: http://www.sonicguard.com/high-tower.asp. [Online]
16 Michael Brenner. 2006. “Classifying ITIL Processes: A Taxonomy under Tool Support Aspects”. The First IEEE/IFIP International Workshop on Business-Driven IT Management (BDIM ’06), pages 19-28.
17 Jan Van Bon, Georges Kemmerling, Dick Pondman. 2002. “IT Service Management: An Introduction”. IT Service Management Forum (itSMF).
18 bITa Center. 2005. “Business Information Services Library”. Available at: www.bita-center.com/bisl2, visited Jun. 2007. [Online]
19 Kelly McLaughlin, Fred Damiano. 2007. “American ITIL”. Proceedings of the 35th Annual ACM SIGUCCS Conference on User Services.
20 Information Systems Audit and Control Association (ISACA). 2007. Available at: www.isaca.org. [Online]
21 COBIT, Information Systems Audit and Control Association. Available at: www.isaca.org/COBIT, visited May 2007. [Online]
22 Uday O. Ali Pabrai. 2005. “The COBIT Security Baseline”. Certification Magazine.
23 CobiT Online. 2007. Available at: www.isaca.org/cobitonline. [Online]
24 Farahmand, Navathe, Sharp, Enslow. 2003. “Managing Vulnerabilities of Information Systems to Security Incidents”. Proceedings of the 5th International Conference on Electronic Commerce (ICEC), ACM International Conference Proceeding Series, Vol. 50, pages 348-354.
25 Richard L. Rollason-Reese. 2003. “Incident Handling: An Orderly Response to Unexpected Events”. Proceedings of the 31st Annual ACM SIGUCCS Conference on User Services, pages 97-102.
26 The Open Guide. 2007. “ITIL Incident Management”. Available at: www.itlibrary.org/index.php?page=Incident_Management, visited Oct. 2007. [Online]
27 Bistarelli, Fioravanti, Peretti. 2006. “Defense Trees for Economic Evaluation of Security Investments”. First International Conference on Availability, Reliability and Security (ARES ’06), pages 416-423.
28 Shuping, Wan. 2007. “Optimal Security Investment Under Tax and Transaction Cost”. Chinese Control Conference 07 (CCC).
29 Al-Humaigani, M., Dunn, D.B. 2003. “A Model of Return on Investment for Information Systems Security”. Proceedings of the 46th IEEE International Midwest Symposium on Circuits and Systems (MWSCAS ’03), Volume 1, pages 483-485.
30 Tom Perrine, Abe Singer. 2001. “New Paradigms in Incident Management”. Proceedings of the 2000 Workshop on New Security Paradigms, pages 133-138.
31 McManus, M., Scavo, F. 2006. “IT Security Study: The Current State of IT Security Budgets, Management Practices, and Security Incidents”. Computer Economics, 2006.
32 Secure Business Austria (SBA). 2007. “IT Security Research Center”. Available at: http://research.securityresearch.at. [Online]
33 Christopher Gerg, Kerry J. Cox. 2004. “Managing Security with Snort and IDS Tools”. O’Reilly Media, Inc., 1st edition. [Book]
34 Martin Roesch. 1999. “Snort—Lightweight Intrusion Detection for Networks”. Proceedings of the 13th LISA Conference, pages 229-238.
35 Metagroup / Gartner. 2005. “Market Development E-Security 1999-2004”. [Study]
36 Information Systems Audit and Control Association (ISACA). 2007. “Cobit”. Available at: http://isaca.org/cobit. [Online]
37 Alan Calder, Steve Watkins. 2003. “IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799”. Kogan Page, 2nd edition. [Book]
38 Anthony Tarantino. 2004. “The Impact of SOX and Corporate Governance on IT”. Executive Update, Vol. 7, 18, Cutter Consortium, September 2004.
39 Anindya Ghose, Uday Rajan. 2006. “The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition and Social Welfare”. Workshop on Economics of Information Security 06.
40 D. Plummer. 1982. “STD 37, RFC 826: Address Resolution Protocol”. Available at: ftp://ftp.internic.net/rfc/rfc826. [Online]
41 Robert Polstra. 2005. “A Case Study on How to Manage the Theft of Information”. Conference on Information Security Curriculum Development (InfoSecCD 05).
42 C.P.M. Govers. 1999. “What and How about Quality Function Deployment (QFD)”. Proceedings of the 8th International Working Seminar on Production Economics, International Journal of Production Economics, Volume 46, pages 575-585.
43 Liu Xiaoqing, Sun Yan, Kane Gautam, Kyoya Yuji, Noguchi Kunio. 2005. “QFD Application in Software Process Management and Improvement Based on CMM”. Proceedings of the Third Workshop on Software Quality. [Journal]
44 QFD Online. 2007. “Traditional House of Quality Template”. Available at: www.qfdonline.com/templates/. [Online]
45 Umarji, Medha, Seaman, Carolyn. 2005. “Predicting Acceptance of Software Process Improvement”. HSSE ’05: Proceedings of the 2005 Workshop on Human and Social Factors of Software Engineering, ACM.
46 Cisco Systems Inc. 2007. “Cisco Security Monitoring, Analysis and Response System (MARS)”. Available at: http://www.cisco.com/en/US/products/ps6241/index.html. [Online]
47 Ulf Lamping, Richard Sharpe, Ed Warnicke. 2004. “Ethereal User’s Guide”. Available at: http://www.ethereal.com/docs/eug_html_chunked/. [Online]
48 Hubert Zimmermann. 1980. “OSI Reference Model—The ISO Model of Architecture for Open Systems Interconnection”. IEEE Transactions on Communications, Vol. 28, No. 4, pages 425-432.
49 Rhys Bowen. 2002. “Murphy’s Law”. Saint Martin’s Press Inc.
50 Dindin Wahyudin, Matthias Heindl, Ronald Berger, Alexander Schatten, Stefan Biffl. 2007. “In-Time Project Status Notification for All Team Members in Global Software Development as Part of Their Work Environments”. 1st Workshop on Measurement-based Cockpits for Distributed Software and Systems Engineering Projects (SOFTPIT 2007).
51 Grover, Jeong, Kettinger, Teng. 1995. “The Implementation of Business Process Reengineering”. Journal of Management Information Systems, 12(1), pages 109-144.
52 Malhotra, Yogesh. 1998. “Business Process Redesign: An Overview”. IEEE Engineering Management Review, Vol. 26, No. 3.
53 Long, Vickers-Koch. 1995. “Using Core Capabilities to Create Competitive Advantage”. Organizational Dynamics, Volume 24, Issue 1, pages 7-22.