Analyzing the performance of security operations to reduce vulnerability exposure windows
Yolanta Beres, HP Labs, United Kingdom
Jonathan Griffin, HP Labs, United Kingdom
Simon Shiu, HP Labs, United Kingdom
Max Heitman, Citi, United States
David Markle, Citi, United States
Peter Ventura, Citi, United States
Abstract:
In this paper we present a novel approach that uses mathematical models and stochastic simulations to guide and inform security investment and policy change decisions. In particular, we investigate vulnerability management policies and explore how effective standard patch management and emergency-escalation-based policies are, and how they can be combined with earlier, pre-patch mitigation measures to reduce the potential exposure window.
To achieve this, we have examined current practices across several large organizations and, based on this, construct a model of the external events, internal decision points and security processes that vulnerability management consists of. We show, based on experimental simulations, how changes in various internal parameters of the model, such as the patching timeline and the effectiveness of early mitigation measures, affect the overall exposure window in terms of the time it takes to reduce the potential risk. This enables further analysis of the trade-off between investing in improving patching processes and adding more mitigation mechanisms that can be put into effect earlier.
We believe that this type of mathematical modelling and simulation-based approach provides a novel and useful way of considering security investment decisions, which is quite distinct from traditional risk analysis.
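The kind of simulation the abstract describes can be sketched as a small Monte Carlo model. This is an added example, not the paper's model: the exponential event distributions, their means, the risk-weighting of exposure and the three policy settings are all assumptions chosen for illustration.

```python
import random
from statistics import mean

# All distributions and policy numbers below are illustrative assumptions.
VENDOR_PATCH_MEAN = 14.0   # days from disclosure to vendor patch (external event)
EXPLOIT_MEAN = 30.0        # days from disclosure to public exploit (external event)

def exposure_days(rng, patch_days, emergency_days, mitigation_delay, mitigation_eff):
    """Risk-weighted exposure in days for one vulnerability disclosed at t=0."""
    vendor_patch = rng.expovariate(1 / VENDOR_PATCH_MEAN)
    exploit = rng.expovariate(1 / EXPLOIT_MEAN)
    standard_done = vendor_patch + patch_days
    # Emergency escalation: an exploit triggers an accelerated rollout,
    # which cannot start before the vendor patch exists.
    emergency_done = max(vendor_patch, exploit) + emergency_days
    patched = min(standard_done, emergency_done)
    # Full risk until the mitigation lands, residual risk until patched.
    at_full_risk = min(mitigation_delay, patched)
    at_residual_risk = max(0.0, patched - mitigation_delay)
    return at_full_risk + (1 - mitigation_eff) * at_residual_risk

def mean_exposure(runs=20000, seed=1, **policy):
    """Average exposure over many simulated vulnerabilities.
    A fixed seed gives every policy the same external events."""
    rng = random.Random(seed)
    return mean(exposure_days(rng, **policy) for _ in range(runs))

# Hypothetical policies: no mitigation, a halved patch timeline, and a
# pre-patch mitigation deployed after 2 days that removes 70% of the risk.
BASELINE = dict(patch_days=30, emergency_days=5,
                mitigation_delay=float("inf"), mitigation_eff=0.0)
FASTER_PATCHING = dict(BASELINE, patch_days=15)
EARLY_MITIGATION = dict(BASELINE, mitigation_delay=2, mitigation_eff=0.7)

if __name__ == "__main__":
    for name, policy in [("baseline", BASELINE),
                         ("faster patching", FASTER_PATCHING),
                         ("early mitigation", EARLY_MITIGATION)]:
        print(f"{name:17s} {mean_exposure(**policy):6.1f} risk-days")
```

Which policy comes out ahead depends entirely on the assumed mitigation effectiveness and timelines, which is why such parameters need to be taken from an organization's own process data.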
