The ISO 7498-2 model [ISO89] by deliberate intention merely constitutes a framework for the definition and placing of security services and their supporting mechanisms. Security is however applied in a changing environment. Vulnerabilities change over time and the likelihood of a security threat increases: more knowledge about computer systems and software bugs becomes available as these systems are used. Change not only takes place external to the organization. Operational circumstances change, new machines and software are put in use, software is transferred from development to production stage, staff comes and goes. The widespread adoption of end user computing dictates that business people configure their own machines in order to do their business. Business changes, computer systems are upgraded and staff assume new roles with different job descriptions. They are assigned new responsibilities and need other access rights. As a consequence, different computing and communication requirements arise.
The more varying the environment, the more difficult it becomes to enforce security guidelines. The rules easily become a burden, especially when change occurs under time pressure. Hasty new implementations lead to misconfigurations of the newly adopted systems, in this way constituting a new and often unobserved vulnerability. Such a new system could possibly be the weakest link in the security chain!
The problem with traditional security technologies is that they are static, whereas an organization's computer network is a dynamic business environment. Regular feedback, constant monitoring and real-time evaluation are key concepts in an environment where security requirements constantly change. Adaptive security is therefore an extension to the traditional security management life cycle. Risk analysis leads to selection of safeguards. Safeguards are defined in terms of security services that are implemented by selected security mechanisms. But this is not a one-off exercise: information security is an ongoing concern. Feedback is needed to ensure the proper functioning of safeguards. The International Organization for Standardization states in this context:
"There is a tendency to ignore safeguards that have been implemented and at best, little attention is given to maintaining or enhancing security. Moreover, the obsolescence of safeguards should be discovered by planned actions rather than stumbled upon. In addition, security compliance checking, monitoring of the operational environment, log record reviews, and incident handling are also necessary to ensure ongoing security." [ISO97, p.12] The structured review of systems, timely detection of new vulnerabilities, monitoring of operations and response to incidents indeed constitute the dynamic aspect of an adaptive security system.
To understand the importance of adaptive security management, one should know that the entire sequence associated with a network probe, intrusion and compromise can often be measured in milliseconds or seconds. An attacker need only locate one exposed vulnerability, whereas the system's defenders need to address as many as 200-300 -- all while supporting revenue-generating operations [JOH97, p.6]. According to a 1996 survey by the American Society for Industrial Security, 75% of security breaches come from people inside the company who have authorized access to the information. This leads to the conclusion that everybody can be the problem. Insider attacks are moreover the most difficult to detect: the intruders are to some degree expected to be there.
Clearly, this is not an environment well supported by old-fashioned manual audits, random monitoring and non-automated decision analysis and response. Tools are needed to enforce compliance to the security policy. Moreover, the implementation of an adaptive security management system with effective logging and reporting facilities can be the basis for computer supported audit, leading to potential savings in terms of cost and time spent on preparing and performing internal audit and supporting external audit.
An initial risk analysis involves setting a boundary for the analysis and identifying cost constraints. This means that from the very start, certain risks will not be addressed and possibly not even identified. For most organizations it is not economically feasible to implement all safeguards to prevent every possible risk, even if they have all been clearly identified. Therefore certain attacks are likely to occur. Adaptive security can help address residual risk by dynamically making decisions based upon information inferred from the knowledge base and by looking up an effective countermeasure. In a more advanced scenario the system can learn from data it already possesses to create new solutions (i.e. responses) to incidents. It is clear that even if you can prevent a threat from having an impact, you can never prevent an attack from being launched against you. Unforeseen but detected intrusion attacks, for example, could be countered by such an adaptive system by closing down all external connections. A security officer can then report on the incident after inspection and analysis of the logs.
The above discussion of the security requirements of a changing network environment enables us to give the following description of a modern network security system:
Adaptive security management provides real-time ability to monitor, detect, and respond to vulnerability and threat conditions [ISS98a]. Underlying adaptive security management is a proactive, risk-assessment based approach to network security management and the ability to enforce an active network security policy [ISS98b]. Easy access to external information (hacking practices, software bugs, upgrades and patches, ...) is a necessity. The security management system should provide for easy monitoring and the capacity for tailor-made automatic auditing. Ultimately, the use of techniques from artificial intelligence may even prevent threats unknown to the system in its initial state and enable the system to learn from previous experiences.