Balancing Network Security and Business Impact
When a business transaction over the Internet is worth a few thousand or more, one thinks twice before suspending any kind of traffic to the website, even if, in some cases, these transactions are highly susceptible to a cyber attack. How much money a business may lose as a result of the wrongful implementation of a security measure is precious information that every network manager would appreciate having. Simulating the required security action before implementation, in real network environments that carry real business transactions, would allow for the collection, analysis and correlation of business-related information and thus provide a way to predict the business impact. This article introduces the concept of business impact analysis (BIA) and discusses applicable technologies that can support it.
The network security market includes businesses that deploy network intrusion prevention systems, anti-DDoS (distributed denial of service) network devices and other security systems that are supposed to detect and automatically block or mitigate attacks.
However, the same businesses that need these systems also fear false positive events that will cause a negative business impact. This fear becomes critical when the dollar value of each Internet-based transaction is high. For large online companies, the cost associated with one minute of legitimate traffic blocking can range from a few thousand dollars up to a hundred thousand. These businesses require special consideration in terms of the false-positive problem.
As in any other information security area, risk analysis is an important activity that needs to be undertaken before any type of countermeasure action is applied to the network. An online organization that identifies an attack against itself should analyze the following main parameters:
- The business impact of the ongoing attack on the organization;
- A measure of the impact that the planned security countermeasures will have on legitimate traffic; and
- A comparison between the above two parameters that would help in the decision on whether the countermeasure is business-justified or not.
Analyzing these parameters is not an easy task. It is necessary to consider business parameters, network traffic characteristic parameters, and false positive scenarios that could be the result of the planned security countermeasure.
Here we will cover emerging network threats and how the security countermeasures provided by network security technologies today can block attacks, but, at the same time, can also negatively impact business. We will continue by presenting a few applicable solutions and technologies that can be used to measure the business impact and thus, avoid a negative impact by changing security countermeasures for a minimal impact on legitimate business transactions. These technologies include network behavioral analysis systems (NBA), Geo-IP analysis, business analytics and an expert system that when working in synch, can potentially allow a security manager to apply security countermeasure rules only after the rules have been carefully simulated and the expected impact is reviewed. Finally, we will conclude with a few impact simulation cases.
Current Threats and Solutions' Limitations
In the past 20 years, attacks have evolved from exploitation of known operating systems and application vulnerabilities into zero-day attacks, "non-vulnerability"-based attacks and business-logic attacks. The fact is that financially-motivated cyber crime organizations, activists and individual hackers are all taking advantage of the evolved multi-dimensional attack vectors (old and new). The evolution of attacks and attack methods presents a big challenge to attack detection. Having said that, market demands for real-time mitigation present an even greater challenge for the following main reasons:
Zero-day Attacks: In a zero-day attack, the vulnerability or the exploit is not yet known and therefore cannot be detected by traditional security tools, which are based on a pre-defined knowledge base of known attack patterns. As the attack is unknown, the only way to try to detect and prevent it is by using generic security filters that can identify traffic that doesn't comply with the standards of network and application protocols.
While this approach can potentially uncover suspicious activities that may be part of a zero-day attack to some extent, it can also create a high level of false positives in the blocking of this activity. The main reason for this is that in many cases protocols are not well defined, or even if they are, networking vendors simply don't follow the protocol rules properly when developing network and application stacks.
The result is that zero-day security filters will also identify legitimate traffic that doesn't comply with some of the network or application protocol rules as attack traffic and will falsely block it. In general, the more generic the security filter (which usually typifies zero-day security filters), the higher the chance of false positives, meaning that legitimate transactions will be dropped.
"Non-vulnerability-based" Attacks: Non-vulnerability based attacks represent a relatively newer generation of attacks. These types of attacks look "completely" legitimate. Each transaction complies with the network and protocol rules. It is only the rate, or sequence of transactions and transaction types which identifies them as malicious. As they are well integrated into legitimate forms of applications the separation between legitimate and non-legitimate traffic becomes vague, and so do the security filters that are responsible for mitigating these attacks. This results in a higher probability for more false positive events that will eventually block legitimate transactions.
Examples of "non-vulnerability" based attacks include advanced network and application level DDoS attacks, dictionary and brute-force attacks (such as user/pass cracking and application scanning) and business intelligence gathering activities.
Business Logic Attacks: This attack category can be considered part of the "non-vulnerability"-based attack family, but it is more focused on fraud rather than on DoS and information theft. These attacks abuse the functionality of the application, aiming at the business directly. As in the case of non-vulnerability-based attacks, they don't contain any malformed requests and therefore it is even more difficult to form an accurate security filter that will mitigate them without blocking legitimate transactions at the same time.
In an OWASP (Open Web Application Security Project) article, "Testing for Business Logic," these business logic attacks were outlined. "Business logic can have security flaws that allow a user to do something that isn't allowed by the business. Frequently these business logic checks simply are not present in the application."
As can be understood from the above, as long as attackers are trying to integrate well into legitimate forms of applications it is harder to detect them in an accurate manner.
Security solutions are responsible for covering all types of threats, including the more challenging ones such as the zero-day and non-vulnerability based attacks. Mitigation of these attack types requires the solution to be able to define security filters that include "behavior" rules, rather than just sequences of bytes in the content. Behavior rules should typically include the rate of application requests, the sequence in which these requests are being generated in each transaction and request types. Behavior is harder to predict and therefore, is also harder to accurately define. This is the main reason behavior-based security rules are more susceptible to false positives. The end result means an increased chance of blocking legitimate transactions that can impact the business quite significantly.
False positive risk per attack type is summarized in Figure 1.
Figure 1. False positive risk per attack type.
There is a strong need for solutions that will help companies to measure the business impact before security rules are applied. The following section will describe a few applicable technologies that may be used as part of this solution.
Business Impact Simulation
How to Approach the Problem
To provide the network or security manager with effective tools to evaluate the impact that a security countermeasure will have on his business, we first need to be introduced to a few technologies that can form the required business impact analysis solution. These technologies or solutions are Geo-IP analysis, network and application behavior analysis (NBA), business Web analytics, and expert systems.
Geo-IP Analysis
The concept of Geo-IP analysis is pretty simple. It is the capability to identify Internet visitors' geographical location. Geo-IP databases contain ranges of IP addresses and their associated locations all over the world. The information may be very general, such as the visitor's country, or may include additional details such as country code, region, city, latitude, longitude, ZIP code, time zone, connection speed, ISP and domain name, mobile carrier information and more. There are a few companies that specialize in this area and offer a proprietary IP address lookup database that can provide the above information, which is regularly updated to maintain its accuracy.
Network and Application Behavior Analysis (NBA)
There are different types of behavior analysis solutions that are usually considered to be part of the Network Behavioral Analysis (NBA) market, which in turn is part of the larger network security market. The main goal of these systems is to collect traffic measurements that can be used to characterize the normal way network traffic and application resources are being used. The same systems are designed to flag suspicious behavior based on identified deviation from the normal network and application behavior baselines, which may present a security risk such as DoS attacks, zero-day malware propagation, Bot activities, Trojan activities and more.
An important characteristic of these systems is their capability to learn what normal behavior is. For proper learning functionality these systems apply appropriate statistical methods that can be divided into two main learning strategies:
- Day-Time Differential Averaging distinguishes between expected values according to hour, day, and type of traffic in a week. It allows for the identification of behavior anomalies by comparing real time network or application behavior to the normal behavior that was learned for the same time in the day.
- Continuous Averaging conducts continuous averaging independent of the day or hour in the week. Through statistical filters, it is possible to control the sensitivity of the average response to the traffic and change it according to the characteristics of the network. For example, low response sensitivity will make sure that historical measurements (remote in time) are considered as important and will contribute significantly to the averaging, while high response sensitivity will make sure that only recent measurements will contribute to the average baseline.
The choice of the proper learning strategy depends on the network behavior history and its dynamics: stable systems with quite a long history are likely to benefit from the first strategy; otherwise, the second one is preferable. After the first period of learning, the system needs to characterize the network to be protected by one or more of the strategies and then tune the sensitivity of the NBA detection engines accordingly. Thus, more accurate indications about deviation from the norm will be achieved.
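The two learning strategies above can be made concrete with a small learner for each. The following Python is an added example, not code from the article or from any NBA product; the daily traffic profile, the two-week training window, the ±5% jitter and the 3-sigma deviation test are all assumptions made for the illustration.

```python
"""Two NBA baseline-learning strategies: day-time differential averaging keeps
one expected value per (weekday, hour) slot, while continuous averaging is an
exponentially weighted moving average whose smoothing factor plays the role of
the 'response sensitivity'. Constructed hourly transaction-rate samples are
learned, then both baselines judge whether a new measurement deviates from the
norm. Illustrative code, not taken from any NBA product."""
from collections import defaultdict
from datetime import datetime, timedelta
import math


class DayTimeDifferentialBaseline:
    """Running mean/variance per (weekday, hour) slot (Welford's algorithm)."""

    def __init__(self):
        self._slots = defaultdict(lambda: [0, 0.0, 0.0])  # count, mean, M2

    def learn(self, ts, value):
        s = self._slots[(ts.weekday(), ts.hour)]
        s[0] += 1
        delta = value - s[1]
        s[1] += delta / s[0]
        s[2] += delta * (value - s[1])

    def expected(self, ts):
        """(mean, stddev) learned for this slot, or (None, None) if unseen."""
        n, mean, m2 = self._slots[(ts.weekday(), ts.hour)]
        if n == 0:
            return None, None
        std = math.sqrt(m2 / (n - 1)) if n > 1 else 0.0
        return mean, std

    def is_anomalous(self, ts, value, sigmas=3.0):
        mean, std = self.expected(ts)
        if mean is None:
            return False  # no baseline for this slot yet: cannot judge
        std = max(std, 0.05 * mean)  # floor so a flat slot is not over-sensitive
        return abs(value - mean) > sigmas * std


class ContinuousAverageBaseline:
    """EWMA that ignores time of day. alpha near 1 = high response sensitivity
    (only recent samples count); alpha near 0 = low sensitivity (old history
    keeps contributing)."""

    def __init__(self, alpha):
        if not 0.0 < alpha <= 1.0:
            raise ValueError("alpha must be in (0, 1]")
        self.alpha, self.mean, self.var = alpha, None, 0.0

    def learn(self, value):
        if self.mean is None:
            self.mean = float(value)
            return
        diff = value - self.mean
        self.mean += self.alpha * diff
        # exponentially weighted variance, updated alongside the mean
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)

    def is_anomalous(self, value, sigmas=3.0):
        std = max(math.sqrt(self.var), 0.05 * self.mean)
        return abs(value - self.mean) > sigmas * std


def daily_profile(hour):
    """Constructed 'normal' transactions/sec: ~20 at night, ~200 at 14:00."""
    return 20 + 180 * math.exp(-((hour - 14) ** 2) / 18.0)


def train_both(weeks=2, alpha=0.1):
    """Feed both learners the same two weeks of constructed hourly samples."""
    start = datetime(2024, 1, 1)  # a Monday
    dtd, cont = DayTimeDifferentialBaseline(), ContinuousAverageBaseline(alpha)
    for i in range(weeks * 7 * 24):
        ts = start + timedelta(hours=i)
        jitter = 1.0 + 0.05 * math.sin(1.7 * i)  # deterministic +/-5% noise
        value = daily_profile(ts.hour) * jitter
        dtd.learn(ts, value)
        cont.learn(value)
    return dtd, cont


def demo(value=150.0):
    """Probe both baselines with a 03:00 Wednesday measurement taken after the
    learned weeks and return what each one concludes."""
    dtd, cont = train_both()
    ts = datetime(2024, 1, 17, 3)  # Wednesday 03:00, a learned slot
    mean, _ = dtd.expected(ts)
    return {
        "slot_mean": mean,
        "continuous_mean": cont.mean,
        "day_time_flags": dtd.is_anomalous(ts, value),
        "continuous_flags": cont.is_anomalous(value),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, it learns two weeks of constructed hourly samples and then probes both baselines with a reading of 150 transactions/sec at 03:00 on a Wednesday. The day-time differential baseline knows that slot normally carries about 20 transactions/sec and flags the reading; the continuous average, which has blended the whole daily cycle into one mean with a wide variance, does not. That is the trade-off described above: with a long, stable history the per-slot strategy is sharper, while the time-independent average is the safer choice when the history is short or the pattern is still shifting.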
Business Web Analytics
Especially for on-line businesses, web analytics include valuable information such as the average deal size associated with each online transaction per its geographical location, the hour of day and day of the week, the type of transaction or a combination of all of the above. Correlating this information with statistics that include the total expected number of transactions allows a pretty good revenue prediction, for at least the short term.
Expert Systems
In general, an expert system is software that works with both knowledge and information. Expert systems aid in formulating a decision in a similar way to how an expert in the field would. To do this, expert human rules need to be formulated in such a way that the system will be able to use them in the decision-making process. The expert system includes a knowledge base of factual and heuristic data and an inference mechanism that forms a line of reasoning in solving a problem. The inference mechanism can be constructed through chaining of IF-THEN expert rules. This system is usually used to collect real-time and historical data from various sources, normalize them and then apply the expert correlation rules to come to a decision about specific behavior.
After describing these distinct technologies, let's now see how they can work in synch in order to put together an impact analysis system.
The Process of Business Impact Analysis
The business impact analysis process is illustrated in Figure 2. This process aims at providing a business impact report based on various inputs and an expert system responsible for correlating them:
Figure 2. Business impact analysis system.
The idea is to create an expert system that will know how to collect various parameters that are all relevant for the analysis of the business impact and will simulate a "what-if" scenario, taking into account different security rules before actually applying them. The dataflow shown in Figure 2 includes the following input parameters that should all be processed by the expert system:
Real Traffic: Real-time web traffic samples taken from the protected network.
Normal Behavior: Normal baselines that were established, based on historical network measurements; e.g., transaction/sec per type and per hour in a day. As mentioned in the previous section, this type of information can be retrieved from NBA systems.
Geo-IP Database: Geo IP databases that contain a range of IP addresses and their associated locations and other characteristics.
Business Web Analytics: Web analytics information such as the average online transaction deal size per geographical location and the hour in a day.
Simulated Security Rules: This input will usually be a content filtering rule. It can include a network-level filtering pattern (e.g., a source IP address and an L4 port), an application content pattern (e.g., a URL), or a combination of the two.
Expert System: This system's responsibility is to collect all of the input and apply pre-defined expert rules. These logical rules correlate the different inputs, giving each one a specific decision weight. The weight is chosen according to the importance of the parameter for a certain decision output. The final output is the desired business impact report.
The following two cases demonstrate how this system enables an evaluation of the business impact:
Case 1: Business Impact
The following case illustrates a situation in which a protected e-commerce website is under a DDoS attack. Although traffic still flows to the website and transactions are being executed, the business is starting to be affected as a result of the higher latency that customers are experiencing. The security manager is using a few network security tools that help him to analyze the attack. These tools detect the ongoing suspicious activities that might fit the DDoS attack pattern and suggest security filters to mitigate it. The security manager feeds these security rules into the discussed expert system. The system analyzes the data and, based on all input including Geo-IP information, network behavior analysis (NBA) and business analytics, provides the following business impact report:
Figure 3. Case 1 impact report.
Figure 3 above shows a business impact report based on all system input and the simulated security filters. The security manager can observe the following information before the security filters are actually implemented:
- 100% hit ratio: Hit ratio in general means how many visitors or transactions will be blocked as a result of the security rule and how many will not, as shown in Figure 4. Based on the real-time traffic statistics input and the Geo-IP database input, it can be observed that visitors from two countries will probably be completely blocked. These two countries are marked as country A and country B. For simplicity, we will ignore the reports of the other countries.
Figure 4. Hit-ratio representation.
- Normal transaction rate for country A (NBA input): According to the network behavioral analysis input, at this time of day the transactions that normally originate from visitors in country A are around 3% of the total traffic to the website, which is considered relatively low. It is also shown that the current real-time transaction rate is around 15%, which means that there is a relatively high rate of visitor activity from this geographical area at this time of day.
- Business analytics for country A: According to the business analytics input, country A, at this hour and date, usually presents a very low percentage of revenue-based transactions, around 0.1% of the total revenues.
- The situation in country B is different. According to the business analytics input, the share of revenue-based transactions from visitors in this location in the same hour is relatively high, around 10%.
- Normal transaction rate for country B (NBA input): According to the network behavioral analysis input, at this time of day the transactions that normally originate from visitors in country B are around 20%. We also see that the current real-time transaction rate is around 25%, which fits the normal behavior at this hour of day.
Taking all of this into account, implementing the security filter on country B would result in high business impact. On the other hand, implementing the same security filter on country A will probably be very effective for the following reasons:
- The level of traffic from this area of the world is significantly higher than normal, which may point to the fact that most of the attacks are originating from this location.
- Based on the business analytics, the revenue-based transaction from this country is low, so blocking it probably means that the business impact will be low.
Based on the above details, the decision to apply the security filter to country A and not to country B (e.g., by adding the source IP addresses allocated to country B to a white list) would be a very logical one.
Case 2: Business Impact and False Positive Analysis
In this case, we illustrate how the network manager can know with certainty that the security filter he is considering implementing includes a "generic error" which would result in too many false-positive events; i.e., legitimate transactions will be "hit" by the security rules and will be falsely blocked.
Let's take for example a case of a zero-day malware outbreak. Typically in these cases, security vendors will work very hard to investigate and release an emergency attack signature that when implemented in the intrusion prevention systems, is supposed to block the malware. To find out the level of accuracy of the new emergency signature, the security manager can make use of the business impact analysis expert system. In this case, the security filter input will be the emergency malware signature. An example of a business impact report for this case is shown in Figure 5.
Figure 5. Case 2 impact report.
Figure 5 shows a business impact report based on the simulated security filter (malware signature), Geo-IP DB information and the real-time traffic. In this specific example we see that the ratio between transactions that will be "hit" by the emergency malware signature and those that will not is identical in all geographical locations. Such a uniform correlation between different locations is statistically unusual and usually typifies a generic error in the simulated signature rule. It can be the result of an attack signature that mistakenly includes patterns that match legitimate protocol behavior; for example, it may include specific HTTP header types which are legitimate and are usually sent as part of the online transaction by some portion of the web browsers in use in most parts of the world.
This type of geo-IP-based traffic statistics report by itself will help the security manager in the decision of whether to implement the signature as is or to modify it. In this example the manager must not use the signature as the false positive impact can be high. In case the security manager chooses to modify the signature and improve its accuracy, he can simulate it again and implement the signature only if the impact report improves.
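As an added example that is not part of the original article, the Python below wires the inputs of Figure 2 into a small expert system and replays both cases on constructed data: a Geo-IP lookup over documentation prefixes, NBA normal shares and business-analytics revenue shares for countries A, B and C, a simulated security rule, and weighted IF-THEN rules that yield a per-country decision. The Case 2 check flags a candidate signature whose hit ratio is the same in every location. Thresholds, weights, percentages and the prefix-to-country table are all assumptions made for the illustration, not values from any product.

```python
"""Business impact simulation of a candidate security filter, following the
data flow of Figure 2: traffic samples are resolved through a Geo-IP table,
compared with NBA normal baselines and web-analytics revenue shares, and
weighted IF-THEN expert rules produce a per-country decision. Case 1 blocks
two source networks; Case 2 is a signature matching a legitimate header in
every location. All tables, prefixes and traffic are constructed."""
import ipaddress
import statistics

# Geo-IP input: constructed table on RFC 5737 documentation prefixes
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "A"),
    (ipaddress.ip_network("198.51.100.0/24"), "B"),
    (ipaddress.ip_network("192.0.2.0/24"), "C"),
]
# NBA input: normal share of transactions per country at this hour (constructed)
NORMAL_SHARE = {"A": 0.03, "B": 0.20, "C": 0.77}
# Business analytics input: share of revenue per country at this hour (constructed)
REVENUE_SHARE = {"A": 0.001, "B": 0.10, "C": 0.899}
# Expert rules: (name, IF-condition on a country row, decision weight).
# A positive weight favours applying the filter to that country's traffic.
EXPERT_RULES = [
    ("traffic_well_above_normal", lambda r: r["current_share"] >= 2 * r["normal_share"], 2.0),
    ("traffic_within_normal", lambda r: r["current_share"] < 1.5 * r["normal_share"], -1.0),
    ("negligible_revenue", lambda r: r["revenue_share"] < 0.01, 1.0),
    ("significant_revenue", lambda r: r["revenue_share"] >= 0.05, -3.0),
]


def geo_lookup(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO_TABLE if addr in net), "unknown")


def constructed_traffic():
    """100 real-time samples: 15 from A, 25 from B, 60 from C. In every country
    3 of 5 requests carry the legitimate header 'Accept-Encoding: gzip'."""
    samples = []
    for prefix, count in (("203.0.113.", 15), ("198.51.100.", 25), ("192.0.2.", 60)):
        for i in range(count):
            samples.append({
                "src": f"{prefix}{i + 1}",
                "url": "/checkout" if i % 2 else "/catalog",
                "headers": {"Accept-Encoding": "gzip" if i % 5 < 3 else "identity"},
            })
    return samples


def rule_block_networks(cidrs):
    """Simulated network-level rule: drop traffic from the given prefixes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda s: any(ipaddress.ip_address(s["src"]) in n for n in nets)


def rule_header_pattern(name, needle):
    """Simulated content rule: an emergency signature on an HTTP header value."""
    return lambda s: needle in s["headers"].get(name, "")


def generic_error_suspected(countries, tolerance=0.05):
    """Case 2 heuristic: every location hit at (nearly) the same ratio points to
    a pattern present in legitimate traffic worldwide, not to an attack source."""
    ratios = [r["hit_ratio"] for r in countries.values()]
    if len(ratios) < 2 or min(ratios) == 0:
        return False
    return statistics.pstdev(ratios) / statistics.mean(ratios) < tolerance


def simulate(samples, rule):
    """Run the candidate rule over the samples and build the impact report."""
    counts = {}
    for s in samples:
        row = counts.setdefault(geo_lookup(s["src"]), [0, 0])
        row[0] += 1
        row[1] += 1 if rule(s) else 0
    countries = {}
    for c, (seen, hit) in counts.items():
        r = {"hit_ratio": hit / seen, "current_share": seen / len(samples),
             "normal_share": NORMAL_SHARE.get(c, 0.0),
             "revenue_share": REVENUE_SHARE.get(c, 0.0)}
        r["revenue_at_risk"] = r["hit_ratio"] * r["revenue_share"]
        r["fired"] = [n for n, cond, _ in EXPERT_RULES if cond(r)]
        score = sum(w for _, cond, w in EXPERT_RULES if cond(r))
        if r["hit_ratio"] == 0:
            r["decision"] = "not affected"
        else:
            r["decision"] = "apply" if score > 0 else "whitelist" if score < 0 else "review"
        countries[c] = r
    generic = generic_error_suspected(countries)
    verdict = ("do not deploy: uniform hit ratio across locations, refine the signature"
               if generic else "deploy per-country decisions")
    return {"countries": countries, "generic_error_suspected": generic, "verdict": verdict}


if __name__ == "__main__":
    case1 = simulate(constructed_traffic(), rule_block_networks(["203.0.113.0/24", "198.51.100.0/24"]))
    case2 = simulate(constructed_traffic(), rule_header_pattern("Accept-Encoding", "gzip"))
    for name, rep in (("Case 1", case1), ("Case 2", case2)):
        print(name, "->", rep["verdict"])
        for c, r in sorted(rep["countries"].items()):
            print(f"  {c}: hit={r['hit_ratio']:.2f} now={r['current_share']:.2f} "
                  f"normal={r['normal_share']:.2f} revenue={r['revenue_share']:.3f} -> {r['decision']}")
```

Run as a script, Case 1 recommends applying the filter to country A (traffic at five times its normal share, negligible revenue) and whitelisting country B (traffic within its norm, 10% of revenue), leaving country C untouched. Case 2 matches three of every five requests in all three countries; the spread of the hit ratios across locations is zero, so the verdict is to refine the signature and simulate it again rather than deploy it, regardless of what the per-country rules say.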
This article outlined a general approach to business impact analysis. The examples that were given aim to describe the line of reasoning that may be achieved by using an expert Impact Analysis system that processes the discussed input, such as the geographical IP information, network behavioral analysis and business analytics.
The main justification for using an expert system lies in its capability to adjust itself easily to handle different types of impact simulation requirements on a case-by-case basis. This type of expert system can use all of the discussed inputs, only some of them, or new ones without any software modification; only the expert rules need to be modified according to the new input that is added.
The discussed business impact approach is part of a wider subject usually defined as risk analysis & management. Network security is all about risk management and mitigation but when the risk is not well correlated with the business aspects of the protected network then decisions are usually far from being optimal and can do more harm than good.
Avi Chesla currently serves as Vice President of Security Products at Radware Ltd. He has been focusing on next generation security solutions and adaptive behavioral analysis systems since 2000. He has authored a number of articles and has earned a number of patents related to network security. Avi can be contacted at firstname.lastname@example.org.