Next: 7. Introduction to security Up: A Framework for Adaptive Previous: 5.3 A need for

6. Summary

The aim of this work has been to develop a framework for adaptive security systems that covers the entire security management life cycle. It is my view that both users and developers of security systems may benefit from a standardization attempt, for technical as well as economic reasons.

Traditional security management focuses on analysing protection requirements and selecting appropriate safeguards. To stay competitive, organizations need security that can be adapted to constantly changing needs. A static implementation of protection mechanisms as a one-off exercise cannot meet an organization's need for cost-efficient and effective security.

Existing intrusion detection systems address some of these needs by providing real-time notification and analysis of potential attacks, but they suffer from a number of design deficiencies. Firstly, they offer only limited functionality and do not support many aspects of the security life cycle, such as the formal definition of security policies. Secondly, they tend to focus on a rather narrow field of security and are designed to cope with either network or host intrusion; they are usually not designed to span multiple security domains or to protect various types of resources. In many cases the information collected by the monitors of such systems is insufficient to give a clear picture of the problems at hand.

We have proposed a framework that combines various modules to provide real-time detection, analysis and response, and that enforces an active policy covering multiple security domains. It supports central security management and formal model specification. Information gathered from various resources can be combined to correlate events and to take more appropriate action. A broad and extensible range of security services may be provided, and the open interfaces allow interaction between several instances of adaptive security management systems.
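
The following is an added illustration of the correlation idea in the paragraph above; it is example code written for this edition and not part of the original thesis or of any implementation of the framework. It assumes a central manager that receives events from two constructed monitors (a network monitor and a host monitor), a small hypothetical rule table that maps combinations of events on the same target within a time window to a severity and a response, and a function that shows what a single-domain monitor would see on its own. All event kinds, rule names and responses are assumptions chosen for the example.

```python
"""Multi-domain event correlation, as an illustration of the framework's
central management idea. Added example; not the thesis's own code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # monitor that produced the event: "network" or "host" (assumed)
    kind: str     # event type reported by that monitor (assumed names)
    target: str   # resource the event concerns (host name, assumed)
    t: int        # timestamp in seconds (constructed)


# Constructed sample events from two monitors reporting to one manager.
SAMPLE_EVENTS = [
    Event("network", "port_scan", "db01", 100),
    Event("network", "port_scan", "web01", 102),
    Event("host", "failed_login", "db01", 130),
    Event("host", "failed_login", "db01", 131),
    Event("host", "failed_login", "db01", 133),
    Event("host", "new_setuid_file", "db01", 180),
    Event("host", "failed_login", "web01", 200),
]


@dataclass(frozen=True)
class Rule:
    name: str             # hypothetical rule name
    required: frozenset   # (source, kind) pairs that must all occur on one target
    window: int           # seconds within which they must occur
    severity: int         # higher wins when several rules fire for a target
    response: str         # hypothetical response action


# Hypothetical active policy: combine evidence from both domains.
RULES = [
    Rule("scan_then_bruteforce",
         frozenset({("network", "port_scan"), ("host", "failed_login")}),
         window=120, severity=2, response="rate_limit_logins"),
    Rule("compromise_suspected",
         frozenset({("network", "port_scan"), ("host", "failed_login"),
                    ("host", "new_setuid_file")}),
         window=300, severity=3, response="isolate_host"),
]


def events_seen_by(events, source):
    """What a single-domain monitor sees: per target, only its own event kinds."""
    view = defaultdict(set)
    for e in events:
        if e.source == source:
            view[e.target].add(e.kind)
    return dict(view)


def correlate(events, rules):
    """Group events per target; a rule fires once for a target if every required
    (source, kind) pair appears within rule.window seconds of some start event."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e.target].append(e)
    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e.t)
        for rule in rules:
            for i, start in enumerate(evs):
                seen = {(e.source, e.kind) for e in evs[i:]
                        if e.t - start.t <= rule.window}
                if rule.required <= seen:
                    alerts.append((target, rule.name, rule.severity, rule.response))
                    break   # one alert per (target, rule)
    return alerts


def choose_response(alerts):
    """Per target, act on the highest-severity correlated alert."""
    best = {}
    for target, name, severity, response in alerts:
        if target not in best or severity > best[target][1]:
            best[target] = (name, severity, response)
    return best


if __name__ == "__main__":
    print("network monitor alone sees:", events_seen_by(SAMPLE_EVENTS, "network"))
    found = correlate(SAMPLE_EVENTS, RULES)
    for alert in found:
        print("correlated:", alert)
    print("responses:", choose_response(found))
```

Run on the constructed events, the network monitor alone reports nothing more than a port scan against both hosts and cannot tell them apart, whereas the combined view isolates db01 (scan, failed logins and a new setuid file within the window) and merely rate-limits logins on web01.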

The interfaces between the various components could be candidates for standardization. Independent bodies could then evaluate commercial products and assign assurance and functionality labels, which customers may regard as proof of quality and interoperability and use as a basis for selecting their safeguards.

Quality and protection cannot, however, be assured by equipment and software alone. Even an expert system cannot replace human common sense, and every technology has its limits, so certain vulnerabilities will remain. Many threats can be repelled beforehand by a properly structured approach to risk management, and proper selection, configuration and maintenance of equipment goes a long way towards avoiding gaping security holes.

The proposed framework is, however, nothing more than a model, of which no implementation exists as yet. Another difficulty is the lack of a powerful semantic language for describing security-related events. No doubt many technical hurdles would have to be overcome to actually build a system that follows the framework; it is not unthinkable that the problems are of such a nature that the entire framework turns out to be of poor design. I guess the proof of the pudding is in the eating - more experienced people are however kindly invited to take the first spoonful...


(c) 1998, Filip Schepers