HOW DO SECURITY TECHNOLOGIES INTERACT WITH EACH OTHER TO CREATE VALUE? THE ANALYSIS OF FIREWALL AND INTRUSION DETECTION SYSTEM

Transcription

1 HOW O SECURTY TECHNOLOGES NTERACT WTH EACH OTHER TO CREATE VALUE? THE ANALYSS O REWALL AN NTRUSON ETECTON SYSTEM Huseyin CAVUSOGLU Srinivasan RAGHUNATHAN Hasan CAVUSOGLU Tulane University University of Texas at allas University of British Columbia Extene Abstract 1. ntrouction The goal of T security is to balance the nees of information protection an information. To achieve this goal firms eploy multiple security technologies often arrange in the form of a layere security architecture. T security research along with its traitional emphasis on security technology has recently begun analyzing T security from an economics perspective. T security researchers have initiate research on the impact of vulnerability level on firms security investment ecisions (Goron an Loeb 2002) the effect of security interepenency on firms risk management strategies (Ogut et al. 2005) market for vulnerability iscovery (Kannan an Telang 2005) responsible security vulnerability isclosure policies (Cavusoglu et al. 2004a) an security patch management (Cavusoglu et al. 2004b). The goal of our research is to unerstan the rivers of economic value erive from T security technologies so that firms can balance their information an protection nees efficiently. Recently Cavusoglu Mishra an Raghunathan (2005) hereafter referre to as CMR analyze the value of ntrusion etection Systems (Ss). Because CMR focuse on the value of etection of security breaches it consiere only users that ha to the system. Consequently CMR i not consier the traeoff between an protection of information. n this paper we analyze the value of firewalls an Ss the two security technologies commonly use to satisfy the information an protection nees when they are use iniviually an together. The funamental motivation for our research is the ebate within the T security community about whether a firewall obviates or complements the nee for S an vice versa. Axelsson (2000) summarize the ebate as The best effort [security] is often achieve when several security measures are brought to bear together. How shoul intrusion etection collaborate with other security mechanisms to this synergy effect? How o we ensure that the combination of security measures provies at least the same level of security as each applie singly woul provie or that the combination oes in fact lower the overall security of the protecte system? an he continue they [these questions] remain largely unaresse by the research community. This is perhaps not surprising since many of these questions are ifficult to formulate an answer. Our research aresses precisely those questions. Our moel of an S is ientical to that of CMR in that Ss are characterize by etection an false alarm rates that are relate by a ROC (Receiver Operating Characteristic) curve. irewalls control entry into an out of T systems. Just like Ss firewalls also suffer from false positive (i.e. enying entry for an authorize user) an false negative (i.e. allowing entry for an unauthorize user) errors. However while the purpose of an S is to etect hacking by any user irrespective of whether the user is an internal user that oes not have to pass through a firewall or an external user that nees to pass through a firewall to use (or abuse) the system the purpose of a firewall is to allow or isallow the use of the system by external users. n essence firewalls aress requirements an Ss aress protection nees. One of our most significant results is that eployment of both a firewall an an S is not necessarily better than eploying either one of them alone. That is firewall an S can conflict with each other. When eploying both a firewall an an S is better than eploying only one of them whether one complements (i.e. enhances the value of) or substitutes (iminishes the value of) the other epens critically on whether the firm allows to external users when it eploys neither of them which in turn epens on the ratio of cost to benefit of proviing to an external user. Our results on complementarity an substitution reveal how proper eployment of technologies such as firewalls an Ss mitigate the traeoff between an protection nees. rom the practitioners point of view the finings of our research offer specific insights about the conitions uner which each technology shoul be implemente an the appropriate T security architecture for a given firm.

2 2. Moel escription We consier an T security architecture that is commonly referre to by the T security community as efense-in-epth (Whitman an Mattor 2003). n this architecture three layers the firewall at the network layer the S at the host layer an manual investigation at the ata layer are employe to implement security. We iscuss the broa components of our moel below. User: Two types of users can use the system that is being protecte by the security architecture. All internal users have to the system from insie the firewall. The external users the system from outsie the firewall an hence they are valiate by the firewall if one exists before ing the system. We assume that ε fraction of users is external users an (1 ε ) fraction is internal users. While all internal users are legal users of the system only a proportion ζ of external users are legal users. The objective of the firewall is to allow all legal external users an to stop all illegal external users. After gaining to the system a user (internal or external) may choose to abuse (hack) the system. A hacker erives a benefit of if the intrusion is unetecte. f the intrusion is etecte the hacker incurs a penalty of for a net benefit of ( ). We assume that ; that is a hacker that is etecte oes not enjoy a positive benefit. We enote the probability of hacking for a user as. Note that in orer to hack a user has to gain first. Cracking a firewall alone is not consiere an intrusion because by cracking a firewall a user simply gets to the system. irm: The firm may use a firewall an S both a firewall an S or neither in its security architecture. The firm oes not gain or lose anything just because a user is given. However hacking by any user legal or illegal an external or internal imposes a loss to the firm an normal use by a legal user offers a positive benefit to the firm. We assume that the benefit to the firm for normal usage by a legal user is ω. When a user hacks the system an the intrusion is unetecte the firm incurs a amage of. However the firm can etect intrusions using Ss an manual investigations. irms can confirm or rule out intrusions only through manual investigation (Cavusoglu et al. 2005). f the firm etects an intrusion the firm prevents or recovers a fraction φ 1 of. t is reasonable to assume that c φ so that the firm s cost of investigation is not higher than the benefit it gets if it etects an intrusion. irewall: The firewall is eploye to control the by external users. ollowing the literature (Cavusoglu et al. 2004c) we measure the effectiveness of a firewall through two parameters:. is the probability that the firewall stops an illegal external user. an is the probability that the firewall stops a legal external user. S: The moel for the S is similar to that of a firewall an is ientical to that of CMR. That is is the probability that the S raises an alarm for an intrusion. is the probability that the S raises an alarm when there is no intrusion. Unlike a firewall which takes action against suspecte hackers an S simply raises an alarm. Only manual investigation confirms or rules out intrusions. 3. Moel Analysis We moel the security problem as a game between the firm an users of the system it protects. The firm ecies on the technologies it woul implement. Then given the technology structure an their quality profile the firm ecies on its manual investigation strategy while the users ecie on their hacking strategies. inally the payoffs are realize. We assume that the firm an users are risk neutral We perform the analysis using backwar inuction. That is first we erive the equilibrium for the firm s investigation strategy an a user s hacking strategy given that the firm has ecie to implement either one both or none of the security technologies. Subsequently we etermine the value of implementing ifferent technologies an the firm s optimal technology implementation strategy. The cases when the firm implements only the firewall or only the S or neither are special cases of the case when the firm implements both the firewall an S. Consequently we analyze the firewall plus S case first. (Note: erivations of results were omitte ue to size limit but available from authors upon request) roposition 1: The equilibrium when the firm implements a firewall an an S is given by the following.

3 c if then 0 * * * 1 2 c( ) c(1 ) Otherwise 1 ( ) (1 ) (1 ) * * * 1 2 c or the firewall only case we substitute 1. That is the S is assume to generate an alarm for every user. The S only case is slightly more complex because of two possibilities that arise when there is no firewall. n the first possibility which we refer to as no-external- scenario the firm oes not use a firewall because it oes not allow to any external user an restricts only to internal users. The secon possibility which we refer to as full-external- scenario is one in which the firm oes not use a firewall because it allows to every external user an hence it oes not nee a firewall to selectively block or allow. The former scenario can be analyze by setting 1 in our moel an the latter scenario is equivalent to substituting 0. or the no technology case we make the following substitutions: 1 an epening on how we view the absence of a firewall either 0 or 1 Base on these substitutions we fin the following result. Corollary 1. (a) The equilibrium for the S only case both for no-external- an full-external scenarios is ientical to that for the firewall an S case given in roposition 1. (b) The equilibria for the firewall only case an the no technology case both for no-external- an full- * * external- scenarios are ientical an is given by the strategy profile ( / c / ). We can show that in the no-technology case the firm oes allow external iif ( c / φ ) ( c / φ ) / ( ωζ ( 1 ( c / φ ))) < 1. We enote the quantity as the cost-to-benefit-ratio- ωζ (1 c / φ ) ( ) for-external-. 4. The Value of irewall an S Having erive the firm s optimal strategies for ifferent T security architectures we next erive the value of firewall an S when each is eploye alone or both are eploye together. We compute the value of a specific technology or the combination of technologies as (firm s expecte payoff when it implements a specific technology or the combination of technologies firm s expecte payoff when it oes not implement any technology) The Value of irewall Only The value of a firewall can be compute to be (1 ) c 1 c c in the fullexternal- scenario an (1 ) 1 1 (1 ) c c in the no-external scenario. roposition 2. The value from implementing only a firewall is positive iff c / (1 ). (1 ) c (1 ) 1 (1 )(1 ) roposition 2 shows that the firm erives a positive value from a firewall only when the cost-tobenefit-ratio-for-external- is neither too high nor too low. Clearly the upper limit is greater than one while the lower limit is less than one which implies that a firewall can be beneficial in both fullexternal- an no-external- scenarios The Value of S Only

4 roposition 3. (i) The value of implementing only an S is positive iff ( / ) µ β. (ii) The value of implementing only an S is positive iff the S is a eterrent to hackers. The results state in roposition 3 were foun by CMR also an the intuitions unerlying these results are explaine in CMR. An important question not aresse by CMR is whether the implementation of an S has any impact on the firm s ecision to allow or eny external. The following result answers this question. Corollary 2. When the firm implements an S it will allow external iff cost-to-benefit-ratio-forexternal- is less than /. Corollary 2 implies that eployment of an S may cause a firm to alter its policy of isallowing external to one of allowing external. The reason is that the S eters hackers which in turn increases the benefit an ecreases the cost from external. Our most surprising fining about Ss is that while an S is commonly viewe as a etective control its value pertains to its effect on both prevention an control. Specifically our fining that the S offers positive value only when it eters hackers shows that an S acts as a preventive control an the fining that the S may encourage the firm to allow external shows that an S may also act as an control The Value of S an irewall Combination The key research question here is how the presence of one technology affects the value obtaine from the other technology. We use the following efinitions for these effects where V x = Value of technology x when eploye alone an V x+y = Value of technologies x an y when eploye together. Technologies x an y are complementary if V x+y > Max(V x V y ) an V x+y > Max(0V x )+Max(0V y ); substitutes if V x+y Max(V x V y ) an V x+y Max(0V x )+Max(0V y ); conflicting if V x+y < Max(V x V y ). The efinition of complementary technologies implies that eploying both technologies results in a higher value than eploying either technology alone an further that the incremental value offere by a technology is greater when the firm eploys the other technology than when it oes not. n case of substitutes while eploying both technologies still results in a higher value than eploying either technology alone the incremental value from eploying a technology when the other is alreay eploye is less than its value when eploye alone. inally when the technologies are conflicting eployment of both technologies hurts the firm i.e. the firm realizes the greatest value by eploying only one of the technologies. Unerstaning which of the above three categories a given firewall an S fit into is paramount to firms while setting up the security architecture. ailure to assess these interaction effects may cause the firm to implement some technologies that shoul have not been implemente or to not implement some technologies that shoul have been implemente. Now we show one of the most significant results of this stuy which escribes the interaction between the values of firewall an S technologies. roposition 4. (1) When : ( c / ) 1 f Min Max (1 ) c (1 ) 1 (1 ) (1 ) then S an firewall substitute each other. 1 ( c / ) 1 f Min Max (1 ) 1 (1 ) c 1 (1 ) (1 ) then S an firewall complement each other.

5 Otherwise S an firewall conflict with each other. (2) When : S an firewall conflict with each other. irst a very significant but unexpecte result is that eploying both firewall an S can be worse for the firm than eploying only one of them. f eploying only the S hurts the firm then eploying it along with a firewall results in a value that is lower than that when the firewall is eploye alone. This is because the S that offers a negative value oes not alter the traffic when eploye together with the firewall but increases the hacking probability of every user which in turn reuces the value of the firewall making it less useful. Similarly when eploying only the firewall offers a negative value supplementing an existing S which offers a positive value when use alone with a firewall may reuce the value to the firm. While allowing legal traffic an preventing illegal traffic can be beneficial especially when the firm uses an S if the cost-to-benefit-ratio-of-external- is sufficiently low or is sufficiently high the firm will be better off not controlling the traffic through a firewall even with an S. Secon the substitution an complementary regions are orere from left to right on the cost-tobenefit-ratio-of-external- line. Since firms that have a low (high) cost-to-benefit-ratio-of-external are more likely to allow (isallow) external when a firewall is absent firms appear to enjoy complementary or substitution effect epening on whether they allow or isallow external in the absence of a firewall. We fin that (i) when the firm oes not allow external even when the firm implements an S while complementary effect is possible substitution effect is not an (ii) when the firm allows external when the firm oes not implement any technology while substitution effect is possible complementary effect is not. The intuition for this result is best explaine in terms of how the value of one technology is affecte by the presence or absence of other technology. or complementary (substitution) effect to occur the incremental value offere by a technology shoul be higher (lower) in the presence of the other technology than in the absence. Suppose the firm oes not allow external even when it implements an S. n the presence of a firewall that offers a positive value the same S receives a higher traffic but the hacking probability remains the same. Consequently the incremental value of the S can only be higher in the presence of a firewall than in the absence which inicates the complementary effect. Similar reasoning can be given for why the firewall offers a higher value in the presence than in the absence of an S when the firm oes not allow external even when it implements an S. f the firm allows external when the firm oes not implement any technology then the firm allows external even when it implements only an S. n this scenario if the S is augmente with a firewall while the hacking probability oes not change the traffic to the S ecreases. Consequently the incremental value of the S is lower in the presence of a firewall than in the absence. Thir we fin that in the no-external- scenario even if eploying a firewall alone is not beneficial eploying the firewall along with an S may be more beneficial than eploying the S alone; that is the firewall becomes beneficial in the presence of an S. When only a firewall is eploye it oes not offer a positive value if the expecte gain from legal is less than the expecte loss from hacking. An S reuces the probability of hacking. This enhances the expecte benefit from legal usage an reuces the loss from hacking when external users are allowe to. Consequently a firewall may become beneficial when use with an S even if it is not beneficial when use alone. 5. iscussion an Conclusions The analysis presente in the previous sections offere important theoretical insights into the value of S an firewall technologies. rom a manager s perspective the most important implications of our analysis pertain to insights about the optimal firewall an S eployment policies. We epict the optimal eployment policy in Table 1. t reveals that a firm shoul implement both a firewall an an S only when the cost-to-benefit-ratio-for-external- is moerate an etection rate of S is high. Otherwise firm shoul implement at most one technology. These results run counter to the recommenation by some people in the T security community to rely only on firewalls for balancing the an protection nees (Gartner 2003).

6 igure 1. esign of the optimal security architecture with efault configuration / No technology allow external Only a firewall No technology rop external Only an S allow external Both a firewall an an S Only an S rop external x1 x2 x3 x4 We use a stylize moel to assess the value of an S an a firewall. As with all stylize moels our moel shoul be juge base on the insights it yiels. rom the viewpoint of practical application of our moel estimates of ifferent costs quality an other parameters become essential. We believe that even with limitations with respect to obtaining relevant ata the qualitative insights we erive our stuy are useful to managers. n our analysis we assume that the firewall an S are implemente using efault configuration. However since many security technologies are configurable value of these technologies when they are optimally configure is of paramount interest to firms. As point out in CMR configuration makes every S valuable. Currently we are investigating configuration in firewall an S when they are use alone an together. This analysis will she light into (i) the value of optimally configure security technologies (ii) whether security technologies are configure ifferently when they are use together an alone (iii) the type of interaction effect between security technologies when they are optimally configure an (iv) the esign of optimal security architecture. We hope to have the initial results reay by WSE REERENCES Cavusoglu H. B. K. Mishra an S. Raghunathan (2005) The Value of S in T Security Architecture nformation Systems Research 19(1) pp Cavusoglu H. B. Mishra S. Raghunathan (2004c) "A Moel for Evaluating T Security nvestments" Communications of the ACM 47(7) pp Cavusoglu H. H. Cavusoglu an J. Zhang (2004b) Security atch Management: Can t Live with it Can t Live without it WTS04 Washington C. Cavusoglu H. H. Cavusoglu an S. Raghunathan (2004a) Analysis of Software Vulnerability isclosure olicies CORS/NORMS Banff Alberta Canaa. Gartner (2003) Hype Cycle for nformation Security Gartner Research Report Stamfor C. Goron L. A. an M.. Loeb (2002) "The Economics of nformation Security nvestment" ACM Transactions on nformation an System Security pp Kannan K. an R. Telang (2005) Market for Software Vulnerabilities? Think Again Management Science 51(5) pp Ogut H. N. Menon an S. Raghunathan (2005) "Cyber nsurance an T Security nvestment: mpact of nterepenent Risk" WES05 Boston MA.