Secure Networks Solution Metrics Whitepaper

Shared by: C Gunnison
posted: 12/29/2007
Secure Networks Solution Metrics
John J. Roese, Office of the CTO

Abstract
This document introduces a set of measurable metrics focused on the effect of implementing a Secure Networks Solution from Enterasys. The metrics address three concerns: cost control, system capability and risk mitigation, and help establish an industry benchmark of what constitutes a Secure Network. The metrics are grouped into five categories: security operations, security event response, security control capabilities, business cost of security events, and business improvement impact of a Secure Network implementation.

Page 1 of 48 • Whitepaper

Table of Contents
Secure Networks Metrics ... 3
Operational Effectiveness Metrics ... 3
Financial Improvement Metrics ... 3
Business Advantage Metrics ... 3
Metric Template Description ... 4
Security Operations Efficiency (Metric Category 1.0) ... 5
Time to Configure and Deploy Security (Metric 1.1) ... 6
Secure User Mobility (Metric 1.2) ... 8
Concentration of Configuration/Operation Functions (Metric 1.3) ... 10
Overall Security Response Efficiency (Metric Category 2.0) ... 11
Time to Detect Event (Metric 2.1) ... 13
Time to Assess and Locate Event (Metric 2.2) ... 15
Time to Respond and Correct (Metric 2.3) ... 17
Security Control (Metric Category 3.0) ... 19
Granularity of Control (Metric 3.1) ... 20
Depth of Control (Metric 3.2) ... 21
Ingress Network Points Protected (Metric 3.3) ... 24
Business Cost of Security Events (Metric Category 4.0) ... 26
IT Staff Use (Metric 4.1) ... 27
User Downtime (Metric 4.2) ... 29
Lost Revenue Time (Metric 4.3) ... 30
Secure Networks Business Impact (Metric Category 5.0) ... 32
Reduction of Business Cost Due to Security Events (Metric 5.1) ... 33
Reduction in Security Events (Metric 5.2) ... 35
Alignment of Technology with Business (Metric 5.3) ... 37
Continuity Improvement (Metric 5.4) ... 40
Secure Networks Index ... 42
Appendix A—Calculating Your Own Metrics ... 43

Secure Network Metrics
Secure Networks is an architectural solution developed by Enterasys Networks as a more comprehensive
approach to networking, which includes intrinsic security in the network. The approach was developed in response to the reality today that organizations are under attack. These attacks can come from inside or outside the organization, and may pose different levels of risk, from trivial to severe. When an attack on an organization is successful, the costs can be enormous. In the UK, the Corporate IT Forum (tif)[1] estimated that each security incident now costs £122,000 ($230,700 USD) in man-hours and related costs[2]. This makes security a significant risk to on-going business operations, and as such, an area that must be addressed properly. The goal of Secure Networks is to address these security issues and thereby protect an organization and reduce the risk from these security breaches.

The implementation of Secure Networks Solutions from Enterasys will impact customers positively in three key areas: Operational Effectiveness, Financial Improvement, and Business Advantage. In order to differentiate the various marketed or real solutions that are present in the industry from various vendors, measurable metrics of how the solutions improve the customer’s IT situation are critical. These metrics function as an industry benchmark for what constitutes a Secure Network.

Operational Effectiveness Metrics
Operational effectiveness is measured in terms of how the IT organization can improve its overall ability to support the business and quickly perform the critical functions needed to leverage the IT systems as a competitive advantage without imparting additional risk.

Financial Improvement Metrics
Financial improvement is measured in terms of controlling, limiting or reducing the operational cost of IT services. This can be measured in terms of either human capital or cost of technology associated with achieving the IT and business objectives of the organization.
Business Advantage Metrics
Business advantage is measured in terms of how the IT systems and technologies can enable new business opportunity, reduce risk associated with business operations or introduce efficiency improvements to the core business of the organization.

Metrics Categories
The metrics themselves are divided into five categories. The categories are:
• Security Operations Efficiency
• Security Response Efficiency
• Security Control Capabilities
• Business Cost of Security Events
• Secure Networks Business Improvement

[1] The Corporate IT Forum in the UK is an independent organization representing the IT end-user community. The group includes over 2,800 senior IT directors and managers from over 140 of Europe’s largest IT user organizations. It includes 50 of the FTSE 100 companies on the London Stock Exchange, representing a combined IT spend of over £20 billion ($37.8 billion USD) per year.
[2] Press release, November 14, 2003, http://www.tif.co.uk/news/PR20011114.html

Metric Template Description
Name of Metric
Financial: YES or NO
Operational: YES or NO
Business: YES or NO
The above identifies which of the three business areas will be impacted by this metric.
Description: This is a brief description of what the metric will measure.
Value Expected: Fair performance is the value that should be required by an organization in order to maintain normal business operations. Optimal performance is the value expected when the organization has implemented a Secure Networks Solution.
Rationale for Value: This is the underlying reason that Enterasys Networks expects the values previously indicated, as well as why these values are significant and will positively impact the indicated metric categories.
Measurement: The potential method for measuring the metric is described in this section.
ROI Calculation or Business Impact: This section explains how the measurement can be converted to a business indicator.
This can be via ROI, CBA or a statement of impact for the business. From this statement it will be easy to draw a line from the action measured by the metric to the impact on the organization.
Technologies and Features Involved: This is a discussion of the technologies and features involved in the Secure Networks Solution that contribute to the positive change in the metric. In many cases the technology involved will be a combination of devices, software and methods of implementation. As with any true security solution, the technology implemented does not operate in a vacuum and must be considered a piece of an overall security process. The technology supplied by Enterasys can fit seamlessly into a heterogeneous network and still allow the organization to benefit from its implementation.

Security Operations Efficiency (Metric Category 1.0)
Description: This is a group of metrics comprised of three sub-metrics:
• Time to configure and deploy security policies
• Time to provide secure mobility
• Concentration of configuration/operation functions
The Security Operations Efficiency metrics are used to determine how efficiently a security operation is functioning when in a steady operational state, not under attack. One thing to keep in mind is that time metrics can easily be converted to costs by understanding the value of that time to the organization. For instance, if an organization earns $100,000 per minute and the organization is stopped for ten minutes, the cost is $1,000,000.
Value Expected: While the metrics here are grouped together, they are not summed to provide a single overall number.
Optimal performance—See the individual metrics below (1.1, 1.2, 1.3)
Fair performance—See the individual metrics below (1.1, 1.2, 1.3)
Rationale for Value: The values for the individual metrics are explained in the section covering each specific metric.
Measurement: Measurement of these metrics is covered in the individual metrics below.
ROI Calculation or Business Impact: The average cost today to handle a security event, as indicated in the introduction, can range into the hundreds of thousands of dollars. The primary reasons for this are the human-resource costs in terms of downtime and personnel working to fix the issues caused by the attack. If the time to go from detection through assessment, response and correction is reduced from hours or days to minutes, the savings should be proportionate. In this case, assuming that an event could have cost $230,700 and lasted on average 3.08 hours, but was reduced to an event lasting 10 minutes, the savings could have been almost $218,000 USD.
Technology and Features Involved: The technologies and features involved for each of the metrics comprising this measurement are discussed below in this section.

Time to Configure and Deploy Security (Metric 1.1)
Financial: NO
Description: The cost associated with the definition, configuration and deployment of security policies to the network infrastructure. This metric is to some extent affected by metric 1.3.
Value Expected:
Optimal value—15 minutes/policy
Fair value—less than 60 minutes/policy
Rationale for Value: Creation and deployment of embedded network security policies, as well as the dynamic association of security policies, allows for automated protection of the infrastructure. The time required to define, configure and deploy the policies does not directly impact the organization in normal operations. The only cost or impact associated with this metric is the time required for deployment, which affects the operational cost of the security system. There are, however, two indirect costs associated with this metric. If a security policy is difficult to configure or deploy, both in terms of complexity and time, then it (1) is less likely to be used in general and (2) may not be able to be deployed in time to halt a security incident as it happens.
Measurement: Measurement of this metric can be accomplished in the following way:
1. Define the security policy to be deployed. This time should be the same regardless of system, so it is not included in the metric.
2. Start timer.
   a. Determine the devices to be configured to effect the policy.
   b. Create configurations for each system to be affected.
   c. Deploy the configuration to each system determined previously.
3. Stop timer.
4. Test that the configuration/policy changes are in effect.
ROI Calculation or Business Impact: Average costs associated with typical security policy creation and deployment are determined based on IT costs for operating an infrastructure. The largest cost is generally the salary of the people involved, but it will also be affected by the tools used and the size of the infrastructure. Since more devices generally mean more configuration effort, larger infrastructures typically cost more to operate than smaller ones. This cost can be influenced by the ease with which the tools can be applied.
Operational: YES
Business: YES
The cost can be measured by determining the amount of time that is spent in the following activities:
1. Determining which policies need to be applied to protect the infrastructure. In general it is good practice to deny all unnecessary use of the infrastructure.
2. Configuring the network devices (access control lists in switches, routers and firewalls), as necessary.
3. Configuring the user’s device, as necessary.
4. Changing the network infrastructure physically, as necessary.
This time is then multiplied by an average cost of performing these tasks to arrive at a cost for this activity.
Technologies and Features Involved: There are several technologies involved with provisioning dynamic security policies:
• Policy Configuration and Distribution—central pre-configuration and distribution of security policies
  — NetSight Atlas Policy Manager
• Policy Enforcement Point Configuration—deployment of network policy enforcement at the point of access
  — Matrix N-Series and other Matrix switch families
  — RoamAbout wireless access points
• Authentication Linkage—creating a linkage and/or database of authenticated users and end systems for identification on the network. This is done using:
  — IEEE 802.1X
  — Web-Based (PWA)
  — MAC-Based
  This authentication is deployed at the network ingress point.
  — Matrix N-Series and other Matrix switch families
  — RoamAbout wireless access points
• Dynamic Policy Association—dynamic security policy configuration at network access based upon user/node connection and authentication system; a link should be made between directory services roles and network roles
  — RADIUS Filter-ID return attributes
  — Directory Services organizational model
• Endpoint Detection—identifies and verifies the type of endpoint accessing the network; typically this is used for VoIP endpoints. In this instance, valid endpoints and how to handle them need to be defined
  — Matrix N-Series and other Matrix switch families

Secure User Mobility (Metric 1.2)
Financial: YES
Description: The cost associated with the movement of company assets, including systems and users, while protecting the infrastructure based on derived security that was established at the original location.
Value Expected:
Optimal value—0 minutes/move
Fair value—less than 60 minutes/move
Rationale for Value: Embedded network security and dynamic association of security policies allow for freedom of movement of users inside the network. There is no required reconfiguration of the network or security environment.
Security is implied through the system’s or user’s association to the environment and is dynamically allocated.
ROI Measurement or Impact: Average costs associated with typical user moves are estimated at $100 to $400 depending on the infrastructure and the size and location of the move. These numbers are usually associated with typical moves in organizations of approximately 1,000 people. A percentage of these costs is associated with the reconfiguration of security and network usage parameters, potential reconfiguration of the network infrastructure, and in some cases the user’s device as well. When a user moves from one location of an enterprise network to another, the user’s original security policies and network resource usage policies must accompany them. Manual configuration of these policies at the new location is resource intensive and costly. The goal in a Secure Network is to not need any reconfiguration, and therefore to incur no cost for the move as far as network and security reconfiguration are concerned.
Operational: YES
Business: YES
The cost can be measured by determining the amount of time that is spent in the following activities:
1. Determining which policies need to change in a user move, if necessary.
2. Reconfiguring the network devices (access control lists in switches, routers and firewalls), if necessary.
3. Reconfiguring the user’s device, if necessary.
4. Changing the network infrastructure physically, if necessary.
This time is then multiplied by an average cost of performing these tasks to arrive at a cost for this activity. As mentioned before, for many organizations this cost has been measured at around $100 to $400 per move.
Technologies and Features Involved: There are several technologies involved with delivering dynamic security provisioning:
• Policy Configuration and Distribution—central pre-configuration of security policies
  — NetSight Atlas Policy Manager
• Policy Enforcement Point—network policy enforcement at the point of access
  — Matrix N-Series and other Matrix switch families
  — RoamAbout wireless access points
• Authentication—authenticated users and end systems for identification on the network
  — IEEE 802.1X
  — Web-Based (PWA) authentication
  — MAC-Based authentication
• Dynamic Policy Association—dynamic security policy configuration at network access upon user/node connection and authentication
  — RADIUS Filter-ID return attributes
  — Directory Services organizational model
• Endpoint Detection—identifies and verifies the type of endpoint accessing the network; typically this is used for VoIP endpoints
  — Matrix N-Series and other Matrix switch families

Concentration of Configuration/Operation Functions (Metric 1.3)
Financial: YES
Description: The percentage of the network elements deployed in an infrastructure that can have a security parameter configured from a single central administrative control point. The efficiency of security operations can easily be tied to the concentration of configuration and operations control, preferably in one or very few consoles. The advantages of concentrating the vast majority of functions in one console are:
• The operator will be able to become more proficient with that console.
• Time will be saved by not moving to other consoles or waiting for the management processes to start for other management tasks.
• Response time for completing a task will be improved.
Value Expected:
Optimal value—100% of network elements
Fair value—greater than 75% of network elements
Rationale for Value: The current percentage of network devices for which a single policy manager, like NetSight Atlas, can enforce a policy profile is critical to control in times of duress. The more consoles and areas that must be visited during an attack or other disruptive incident, the more likely it is that the attack will either spread or disrupt the business of the organization. If all network elements can be controlled from one place, and subsequently locked down or otherwise modified in reaction to an attack, it is more likely that the attack will not disrupt the business.
Measurement: This metric is easily measured by simply determining the number of devices that are under control of a management system. If all the devices are controlled from one system, then the number is 100%. This is rarely the case. If there is more than one configuration console, then the console controlling the largest number of devices should be considered the primary management interface. The metric can be measured by counting the number of devices being configured by that console and determining what that number is as a percentage of the overall number of devices.
ROI Calculation or Business Impact: If the time associated with traditional configuration of a network infrastructure device with a specific security policy parameter is ~5 minutes, the total IT professional man-hours required to configure 1,000 devices is ~83 hours. At a cost of $40 per hour, this exercise would cost $3,320 in IT resources each time a new security parameter is required in the enterprise. If the same result can be accomplished for all 1,000 devices from a central point of administration in the time it takes to configure an individual device, the savings would be $3,316 each time any security parameter is required in the enterprise.
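As an added worked example (not from the whitepaper), the following Python computes Metric 1.3 from a constructed device inventory, picks the primary console the way the Measurement paragraph prescribes, rates the result against the thresholds above (100% optimal, more than 75% fair), and carries the ROI argument through to the cost of rolling out one security parameter when the devices outside the primary console still need manual configuration. Device and console names are hypothetical; the 5 minutes per device and $40 per hour are the whitepaper's figures. The whitepaper rounds the 1,000-device effort to 83 hours before pricing it, so its $3,320 and $3,316 differ slightly from the unrounded values this code returns.

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Whitepaper assumptions behind the Metric 1.3 ROI argument.
MINUTES_PER_DEVICE = Decimal(5)   # manual configuration of one security parameter
HOURLY_RATE = Decimal(40)         # IT professional cost per hour

# Constructed inventory (hypothetical names): device -> console that can push a
# security policy parameter to it. 32 of the 40 devices sit under one console.
INVENTORY = dict(
    [(f"access-sw-{i:02d}", "policy-manager") for i in range(1, 31)]
    + [(f"core-sw-{i}", "policy-manager") for i in range(1, 3)]
    + [(f"legacy-sw-{i}", "per-device CLI") for i in range(1, 7)]
    + [(f"wlan-ap-{i}", "wlan-controller") for i in range(1, 3)]
)


def primary_console(inventory):
    """With several consoles, the one controlling the most devices is the primary
    management interface (whitepaper Measurement rule). Returns (console, count)."""
    return Counter(inventory.values()).most_common(1)[0]


def concentration_pct(inventory):
    """Metric 1.3: percent of network elements configurable from the primary console."""
    _, primary_count = primary_console(inventory)
    return primary_count * 100 / len(inventory)


def rate_concentration(pct):
    """Whitepaper thresholds: optimal at 100%, fair above 75%."""
    if pct >= 100:
        return "optimal"
    if pct > 75:
        return "fair"
    return "below fair"


def labour_cost(minutes):
    """Minutes of IT staff time priced at the hourly rate, rounded to cents."""
    return (minutes * HOURLY_RATE / 60).quantize(CENT, ROUND_HALF_UP)


def parameter_rollout_costs(inventory):
    """Cost of applying ONE new security parameter to every device.
    manual:  every device configured by hand.
    central: one action on the primary console (costed as a single device's time,
             as the whitepaper assumes) plus hand configuration of the remainder."""
    total = len(inventory)
    _, central = primary_console(inventory)
    manual_cost = labour_cost(MINUTES_PER_DEVICE * total)
    central_cost = labour_cost(MINUTES_PER_DEVICE * (1 + total - central))
    return {"manual": manual_cost, "central": central_cost,
            "savings": manual_cost - central_cost}


if __name__ == "__main__":
    pct = concentration_pct(INVENTORY)
    console, _ = primary_console(INVENTORY)
    print(f"Metric 1.3: {pct:.1f}% of elements under {console} -> {rate_concentration(pct)}")
    print("Per-parameter rollout for the sample inventory:", parameter_rollout_costs(INVENTORY))
    # The whitepaper's case: 1,000 devices, all under one console.
    print("1,000 devices, fully central:", parameter_rollout_costs({f"d{i}": "c" for i in range(1000)}))
```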
Operational: YES
Business: YES
Measurement of this parameter is based strictly on the percentage of network elements in an infrastructure that can be controlled from one central point. In very large organizations with large numbers of network elements (> 1,000 network elements), it may be necessary to break these down into groups, but the concept is the same if each group can be controlled centrally.
Technology Involved: This metric has technology aspects in the management and administration applications, and also in the ability to enforce a common default policy configuration of various rules on many devices (up to 1,000) throughout a network. All of the devices’ default security policy configurations can be managed from the same singular control point.
• Central Security Policy Configuration and Distribution—the ability to administer default policy role parameters from a single management point to (up to) 1,000 network devices using only one action
  — NetSight Atlas Policy Manager
• Stored Policy Profile—the ability to set and store a policy profile using a common “policy MIB” on multiple network infrastructure devices
  — Matrix N-Series and other Matrix switch families
  — RoamAbout wireless access points

Overall Security Response Efficiency (Metric Category 2.0)
Description: This category is comprised of three measurements:
• Time to Detect Event
• Time to Assess and Locate Event
• Time to Respond and Correct
The security response efficiency is a good predictor of how an organization will fare when under attack. One thing to keep in mind is that time metrics can easily be converted to costs by understanding the value of that time to the organization. For instance, if an organization earns $100,000 per minute and the organization is stopped for ten minutes, the cost is $1,000,000.
Value Expected: The value expected here is:
Time to Detect + Time to Assess/Locate + Time to Respond/Correct
Each metric is examined separately in the sections below. Since the metrics can be affected by the size of the network, these values are based on an infrastructure consisting of approximately 1,000 network devices (switches and routers).
Optimal performance—less than 540 seconds (9 minutes)[3]
Fair performance—less than 80 minutes[4]
Rationale for Value: The values for the individual metrics are explained in the section covering each specific metric.
Measurement: Measurement of overall Security Response Efficiency is defined as the sum of each of the sub-metrics in 2.1, 2.2 and 2.3. That is:
Value for 2.1 + Value for 2.2 + Value for 2.3
ROI Calculation or Business Impact: The average cost today to handle a security event, as indicated in the introduction, can range into the hundreds of thousands of dollars. The primary reasons for this are the human-resource costs in terms of downtime and personnel working to fix the issues caused by the attack. If the time to go from detection through assessment, response and correction is reduced from hours or days to minutes, the savings should be proportionate. In this case, assuming that an event could have cost $230,700 and lasted on average 3.08 hours, but was reduced to an event lasting 10 minutes, the savings could have been almost $218,000 USD[5].
Technology and Features Involved: The technologies and features involved for each of the metrics comprising this measurement are discussed below in this section.

[3] For the three metrics combined.
[4] For the three metrics combined.
[5] Assuming an event costs on average $230,700 and lasts 3 hours. This assumes the 3,080 man-hours indicated in the survey were lost, and an average organization size of 1,000 people. Cost per minute (assuming costs are incurred 24 hours per day during the event) = $230,700 / (3.08 * 60) = $1,248.38.
If the event time is reduced from the 184.8-minute average (3.08 hours) to 10 minutes, the cost of the event without SN = $230,700. Cost of the event with SN = 10 minutes * $1,248.38/minute = $12,483.80. Savings = $230,700 - $12,483.80 = $218,216.20. Of course, even in that first 10 minutes while the event was being contained in a Secure Network, other financial damage could have been done, but nowhere near the $230,700 for an average event.

Time to Detect Event (Metric 2.1)
Financial: YES
Operational: YES
Business: YES
Description: The time (in real time) that it takes to identify a tangible security breach[6] on the network, inclusive of malicious and non-malicious events.
Value Expected:
Optimal performance—less than 180 seconds (3 minutes)
Fair performance—less than 60 minutes
Rationale for Value: Certain security events such as worms and viruses can spread exponentially by infecting neighboring end systems, creating additional source points and expanding the spread of the event. The “Sapphire/Slammer” worm event doubled in size every 8.5 seconds. With security breaches like this, every second of delay in identification can equate to hundreds of additional infected end systems. Secure Networks tools have been shown to get this time under 3 minutes for detection.
Measurement: A suggested process flow to define this parameter would be as follows:
1. Start timer.
2. Controlled release or initiation of “security breach.”
3. Notification of “security breach.”
   • Notice of incident displayed by a detection system such as Dragon IDS real-time information
   • Flow setup throttling recognized the attack and has notified operators; must be externally visible
   • Broadcast suppression watermarks hit and notified the operator; must be externally visible
4. Stop timer.

[6] For an infrastructure of approximately 1,000 devices.

ROI Calculation or Business Impact: Detection time is very much dependent on the technology in place at the time of the event.
An organization that has technology which can reduce the detection time from a few hours to a few minutes can be significantly ahead in today’s world. While in the past security attacks could take hours or days to spread, today the spread happens in a few seconds. The detection time must therefore also be measured in seconds. This can make the difference between containment and catastrophe. At a cost of about $1,250 per minute for the average event, the ROI for improved detection is significant.
Technologies and Features Involved: There are several areas of technology and various features that contribute to security event identification.
• Intrusion Detection Systems (IDS)—purpose-built detection appliances using a known attack signature database, atypical network protocol usage detection, or excessive connection attempt awareness
  — Dragon family of products
  — IDS capability of the XSR
• Flow Setup Monitoring—access switch, access router and firewall technology that monitors the number of data flows established on any physical switch port. Can be used to detect certain DoS attacks involving flow setup.
  Likely to be best used to identify typical propagation vectors of worm or virus activity, as these attacks typically utilize some random generation of SIP/DIP or transport layer addressing
  — Matrix N-Series and other Matrix switch families
  — X-Pedition and XSR security routers
• Broadcast Rate Monitoring—access switch, access router, firewall and wireless technology that monitors the broadcast packet rate on any physical switch port or wireless connection; can be used to detect certain DoS attacks involving broadcast flooding
  — Matrix N-Series and other Matrix switch families
  — X-Pedition and XSR routers
  — RoamAbout wireless access points
• Firewall Logging—traffic that does not meet firewall policy can either log messages locally or forward information to a syslog service
  — XSR router with the firewall option enabled

Time to Assess and Locate Event (Metric 2.2)
Financial: YES
Description: The time (in real time) that it takes to locate the physical source of a security breach against the network or associated resources, and therefore to assess the severity and breadth of an event. Physical source is defined relative to the network infrastructure: located on a specific switch or router, generally down to the individual port. Note: Identification within a VLAN is not considered a physical source, as the association of the VLAN to the network infrastructure is theoretically not fixed.
Value Expected:
Optimal performance—less than 60 seconds[7]
Fair performance—less than 10 minutes[8]
Rationale for Value: This is the time required to perform various location technology processes. It is dependent on the size of the network infrastructure search area and the device count. Current manual processes can take hours to days, and accuracy is low. If a significant security event takes days to locate and assess, it most certainly will affect the operation of the business.
Measurement: A suggested process flow to define this parameter would be as follows:
1.
After controlled release of “security breach” and detection.
2. Start timer.
   • Location of incident displayed by a detection system such as Dragon IDS real-time information. This may or may not be possible.
   • Location displayed from the flow setup throttling notification; must be externally visible, and able to determine the switch or router affected, preferably to port level.
   • Broadcast suppression watermark system notifies the operator of the physical source of the broadcast; must be externally visible and able to determine switch or port.
3. Stop timer.
ROI Calculation or Business Impact: As with the time required to detect an event, the longer the assessment of an event takes, the higher the risk that an organization’s main business will be affected. Here too the time lost can be equated to money lost. It is also important to recognize that effectively locating and assessing the security event is key not only to responding and correcting the system (covered in the next section) but also to determining the risk to the overall business. Knowing the size of the risk helps to determine the size of the response. A minor security event that affects no critical systems needs to be handled at a different level than a major security event that threatens to shut down the business.

[7] For an infrastructure of approximately 1,000 network devices.
[8] For an infrastructure of approximately 1,000 network devices.

Operational: YES
Business: NO
Technologies and Features Involved: There is a dependency on “event identification” in order to begin the process of locating the physical source of the breach. Once the security event is identified there are several technologies that can be utilized to locate the source.
• Intrusion Detection Systems (IDS)—provide source IP addresses of end systems introducing attacks that are decodable in the IDS signature database.
  Once the source IP address is identified, there are several technologies that can be leveraged to obtain the exact network location (physical access port) of the source.
  — Dragon family of products
  — XSR router with optional IDS capability
• Node-to-Alias Mapping Information (ctAlias)
  — Matrix N-Series and other Matrix switch families
• IP Address-to-Media-Type Mapping (ipNetToMedia)
  — Matrix N-Series and other Matrix switch families
• RMON Node Address Information (RMON addressMap & RMON Host Table)
  — Matrix N-Series and other Matrix switch families
  — X-Pedition routers
• IP Routing Table Information (IP Route)
  — Some Matrix switch families
  — XSR and X-Pedition routers
• User Authentication Information (802.1X PAE & 802.1X Ext.)
  — Matrix N-Series and other Matrix switch families
  — RoamAbout wireless access points
• Endpoint Detection—identifies and verifies the type of endpoint accessing the network; typically used for VoIP endpoints
  — Matrix N-Series and other Matrix switch families

Time to Respond and Correct (Metric 2.3)
Financial: YES
Description: The time (in real time) that it takes to respond to a security breach and apply a technology correction to mitigate the risk associated with that breach. This does not necessarily mean patching all end systems with an upgrade, but being able to protect the infrastructure from the damage associated with a security event.
Value Expected:
Optimal performance—less than 60 seconds[9]
Fair performance—less than 10 minutes[10]
Measurement: This measurement starts after location of the cause of the security breach.
1. Controlled release or initiation of “security breach.”
2. Notification of “security breach” received.
3. Location of security breach identified.
4. Start timer.
   a. Initiation of the “mitigation” process (either via manual or automatic mechanisms).
   b. Confirmation that the security breach is contained.
5. Stop timer.
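Added worked example (not from the whitepaper) covering the three timer procedures of metrics 2.1 to 2.3 and the Category 2.0 sum: it splits a constructed event timeline (release, notification, location, confirmed containment) into the three timer windows, rates each against its thresholds and the total against the combined 540-second/80-minute bounds, and applies the footnote 5 cost model ($230,700 over 3.08 hours, i.e. $1,248.38 per minute) both to the measured duration and to the 10-minute case used in the ROI paragraphs of Categories 1.0 and 2.0. Timestamps are constructed; thresholds and cost figures are the whitepaper's. It also shows a caveat the text leaves implicit: the combined thresholds are not the sum of the per-metric ones, so a network can pass two sub-metrics at "optimal" and still only rate "fair" overall.

```python
from datetime import datetime
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Upper bounds in seconds from the whitepaper (a measured value must be strictly
# below the bound). Category 2.0 has its own combined bounds.
THRESHOLDS = {
    "2.1 detect":          (180, 60 * 60),
    "2.2 assess/locate":   (60, 10 * 60),
    "2.3 respond/correct": (60, 10 * 60),
    "2.0 overall":         (540, 80 * 60),
}

# Footnote 5: an average event costs $230,700 and lasts 3.08 hours.
AVG_EVENT_COST = Decimal("230700")
AVG_EVENT_HOURS = Decimal("3.08")

# Constructed timeline (not a real incident) following the measurement steps:
# controlled release, notification, physical location, confirmed containment.
SAMPLE_TIMELINE = {
    "released":  "2004-08-29T10:00:00",
    "notified":  "2004-08-29T10:02:10",
    "located":   "2004-08-29T10:02:55",
    "contained": "2004-08-29T10:10:05",
}


def segment_seconds(timeline):
    """Split the timeline into the three timer windows of metrics 2.1, 2.2 and 2.3."""
    t = {k: datetime.fromisoformat(v) for k, v in timeline.items()}
    return {
        "2.1 detect": (t["notified"] - t["released"]).total_seconds(),
        "2.2 assess/locate": (t["located"] - t["notified"]).total_seconds(),
        "2.3 respond/correct": (t["contained"] - t["located"]).total_seconds(),
    }


def rate(seconds, bounds):
    """Classify a measured time against (optimal_bound, fair_bound)."""
    optimal, fair = bounds
    if seconds < optimal:
        return "optimal"
    if seconds < fair:
        return "fair"
    return "below fair"


def rate_response(timeline):
    """Rate each sub-metric and the Category 2.0 value (2.1 + 2.2 + 2.3).
    Returns (total_seconds, {metric: rating})."""
    segs = segment_seconds(timeline)
    ratings = {name: rate(s, THRESHOLDS[name]) for name, s in segs.items()}
    total = sum(segs.values())
    ratings["2.0 overall"] = rate(total, THRESHOLDS["2.0 overall"])
    return total, ratings


def cost_per_minute(avg_cost=AVG_EVENT_COST, avg_hours=AVG_EVENT_HOURS):
    """Footnote 5: $230,700 / (3.08 * 60) = $1,248.38 per minute of event."""
    return (avg_cost / (avg_hours * 60)).quantize(CENT, ROUND_HALF_UP)


def event_cost(duration_minutes, avg_cost=AVG_EVENT_COST, avg_hours=AVG_EVENT_HOURS):
    """Cost of an event shortened to duration_minutes and the savings versus the
    average event. Returns (cost, savings); the 10-minute case gives $218,216.20."""
    per_minute = cost_per_minute(avg_cost, avg_hours)
    cost = (per_minute * Decimal(duration_minutes)).quantize(CENT, ROUND_HALF_UP)
    return cost, avg_cost - cost


if __name__ == "__main__":
    total, ratings = rate_response(SAMPLE_TIMELINE)
    for name, verdict in ratings.items():
        print(f"{name:22s} {verdict}")
    cost, savings = event_cost(Decimal(total) / 60)
    print(f"measured event: {total:.0f} s -> cost ${cost}, savings ${savings}")
    print("10-minute event (cost, savings):", event_cost(10))
```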
Rationale for Value: Current manual mitigation techniques generally take more than several minutes. With central administration and control of mitigation processes, the time to respond can reasonably take place system-wide in under 60 seconds. With automated mitigation processes, the response time can be reduced further, to potentially under a second. The time taken to deploy policies across the infrastructure is also part of this value and may vary depending on the size of the infrastructure.
ROI Calculation or Business Impact: As with Time to Detect and Time to Assess and Locate, the Time to Respond to a security breach contributes to the Overall Security Response Efficiency and, therefore, to the ROI of a Secure Network. From the onset of a security event to the mitigation of that event there is a cost associated with the business impact.
Operational: YES
Business: YES

[9] For an infrastructure of approximately 1,000 network devices.
[10] For an infrastructure of approximately 1,000 network devices.

From TruSecure/ICSA Labs (8/29/2004): A recent survey with 882 respondents determined that the median cost of the MS Blaster worm was $475,000 per company (including hard, soft, and productivity costs). The larger (node count) companies in the survey reported losses up to $4,228,000. Because the loss of man-hours or overall time was not given in this case, it is difficult to quantify the cost per time interval of mitigating a security event. It would, however, be safe to say that costs associated with business disruption would be directly impacted by the time to mitigate a major security event.
Technologies and Features Involved: Response capabilities are provided through both manual and automated processes.
There are several technologies that enable these processes:
• Mitigation Configuration—central administration point for automated response to security events
— NetSight Atlas Console
— NetSight Atlas Automated Security Manager
• L2/L3/L4 Packet Classification, Filtering and Stateful Packet Inspection—firmware features for eliminating undesirable traffic from the point of entry to the network
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
• Secure Communication Protocols—used to transport security enforcement parameters from configuration points to enforcement points; this includes SNMPv1/v3
— Most Enterasys Networks products support SNMPv3
• 802.1X, RADIUS and RADIUS accounting for the termination of user access to infrastructure
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points

Security Control (Metric Category 3.0)
Financial: NO
Operational: YES
Business: NO

Description: This category of three metrics covers the amount of operational control an organization has regarding security. The amount of control an organization has directly relates to the impact that will be felt during a security event. For example, assume an organization has very coarse control of the network and an event occurs which forces the organization to isolate portions of the network to protect users from the event. With only coarse control, it is very likely that a significant number of users will be affected by that event. If, on the other hand, the organization has very granular control down to a user, or better yet to specific traffic flows from that user, then the organization can narrowly define a response to an event. This will tend to affect fewer users and have a smaller impact on the organization. There are three metrics which make up this group:
• Number of devices/endpoints under central control
• Depth of control on devices
• Control of network ingress points (high risk vs. low risk)
These metrics are grouped together by type, but cannot necessarily be summed or equated statistically.

Value Expected: The value of each individual metric is determined in the respective sections below.

Rationale for Value: The rationale for the value of each individual metric is determined in the relevant sections below.

Measurement: Each potential method for measuring the metric is described in the relevant section below.

ROI Calculation or Business Impact: Each ROI calculation or business impact is described in the relevant section below.

Technologies and Features Involved: The technologies and features involved in the improvement or delivery of each metric are described in the relevant sections below.

Granularity of Control (Metric 3.1)
Financial: NO

Description: The ability of the network system to exert control over the greatest number of devices is very desirable, but at the same time the granularity of that control is very important. This is the case because, when a security event occurs, being able to isolate a single point of attack or compromise is much better than isolating groups of users or physical areas of connectivity. If a network’s control capability can only control IT constructs such as VLANs, subnets or ports, there is a high probability that in many cases actions taken to suppress an offending station will inadvertently impact adjacent users, devices or applications that are not behaving improperly.

Value Expected:
Optimal value—100% of devices, individually controlled
Fair value—greater than 75% of devices, individually controlled

Rationale for Value: Given most complex network solutions, especially those including Wi-Fi based WLANs, there is a high probability that some areas of the network will exist as either uncontrollable shared segments or segments that are under a different administrative domain.
In such cases, if only one device on such a segment is generating unwanted traffic or becomes compromised, it is critical that the network be able to suppress or isolate that single device without inadvertently shutting down communications to other devices sharing that network. Alternatively, a Secure Network would be able to restrict individual applications from an individual device while allowing others to continue. For example, if a user is generating unwanted SMTP email messages as part of a virus attack, it is desirable to suppress that traffic from that user but allow the user to continue to communicate using applications that are not deemed dangerous. This allows the user to remain productive while preventing damage to the rest of the IT infrastructure, and it gives the IT staff time to correct the issues on the device in question.

ROI Measurement or Impact: Lost productivity by adjacent devices, or by infected end systems suppressed at a level broader than necessary, adversely affects ROI. Whatever the cost of end-user downtime would have been is multiplied by the number of extra users affected and the time they are down in a regular network. This would be avoided with a Secure Network solution because the increased granularity avoids the problem of shutting down more than is absolutely necessary. In other words, the fly is killed by the fly swatter, not the sledge hammer.

Measurement of this parameter is possible by looking at how each individual device can be controlled and isolated by the network. If a device exists on a “shared” connection on a switch, then for individual control a single user on the “shared” connection must be able to be controlled or at least isolated. Examples of “shared” connections are users connected via wireless access points or via basic/non-intelligent switches through an uplink to an intelligent switch.

Operational: YES
Business: NO

Technologies and Features Involved: The granular edge control and context-based networking services of the Enterasys Secure Network enable this level of control to be deployed.
• Flow-Based Forwarding and Policy Control—allows for per-device/per-application control
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
— XSR and X-Pedition routers
• Authentication and Role-Based Authorization—allows for precise access granted to individual users
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
• Policy Management—allows for simple deployment of rules that drive controlled behavior
— NetSight Atlas Policy Manager
• Multi-User Authentication—allows for awareness of end systems downstream even on shared segments
— Matrix N-Series and other Matrix switch families

Depth of Control (Metric 3.2)
Financial: NO
Operational: YES
Business: NO

Description: The amount of control that the network system is able to exert over individual devices is critical to how specific the control of the system can become. The more specific a control can be during a security event, the more likely the impact of the event will be minimized. This is the case because, when a security event occurs, being able to isolate a single type of traffic flow used in an attack or compromise is much better than isolating all communications from users or physical areas of connectivity. If a network’s control capability can control applications at the TCP level or higher, there is a better probability that the actions taken to suppress an offending station will not inadvertently impact non-affected applications. It is also important to note that this level of control must be possible without a significant performance penalty on the network. Depth of control is considered on ports where granularity of control (previous metric) applies to the individual device.
This means that devices that cannot be controlled individually would not apply here. To be able to apply the concept of depth of control to various devices, it is necessary to understand that the level of control can be different for each device. For instance, it may be possible to control a traffic stream right to the application layer on one device, but another device may only be able to be turned on and off (physical layer control, signal/no signal). Because this is the case, it is difficult to set one standard to use for depth of control. In order to address this, the following non-linear table is established.

Table 1. Depth of Control Levels
OSI Layer       Control Level
Application     100%
Presentation     97%
Session          94%
Transport        90%
Network          75%
Data-link        50%
Physical         25%

This table establishes reference values for control levels. The measured amount of control for a device is based on where in the OSI model the control can be applied: if a device can be controlled at the transport layer, for instance, it is said to be 90% controlled. If every device in the network could be controlled at the transport layer, then the following would be true:

100% of Devices Controlled x 90% Control Level for Devices = 90% Depth of Control

Value Expected:
Optimal value—90% depth of control value
Fair value—greater than 75% depth of control value

Rationale for Value: Given the complex nature of applications on networks today and the methods being used to attack users, it is likely that an individual attack will attempt to mimic valid traffic on the network. In such cases, if a device or devices are generating both valid and unwanted traffic, it would be most beneficial to simply isolate the invalid traffic rather than the entire device. In this way the user can continue with their work, while not impacting others or spreading a potential attack.

Many network systems can exert this kind of control, but the price paid in reduction of network performance is significant. This control must be possible without a large penalty in performance. A Secure Network would be able to restrict individual applications from an individual device while allowing others to continue. For example, if a user is generating unwanted SMTP email messages as part of a virus attack, it is desirable to suppress that traffic from that user but allow the user to continue to communicate using applications that are not deemed dangerous. This allows the user to remain productive while preventing damage to the rest of the IT infrastructure, and it gives the IT staff time to correct the issues on the device in question.

Measurement: The measurement of this metric does not occur in real time, but is based more on the behavior and capabilities of the system as a whole. This metric is measured by determining, first, whether the deployed system allows the selective filtering of individual traffic flows, and at what level the traffic flows can be restricted for an individual device, anywhere on the network. If control is possible, then the number of devices controlled at each layer of the OSI model table above is determined. When all layers of the OSI model are covered and devices which cannot be controlled are included, the device count should total 100%.
For example, assume there are 800 devices on the network that can be controlled as follows:

OSI Layer      C1 Number of devices    C2 Percentage of devices controlled   C3 Level of control           C4 Depth of control
               controlled (counted)    at this level (C1 ÷ total devices)     for this layer (from Table 1)  value (C2 x C3)
Presentation       5                     0.625%                                97%                            0.606%
Session           10                     1.25%                                 94%                            1.175%
Transport        500                    62.5%                                  90%                           56.250%
Network           80                    10%                                    75%                            7.500%
Data-Link         50                     6.25%                                 50%                            3.125%
Physical          50                     6.25%                                 25%                            1.563%
None             100                    12.5%                                   0%                            0.000%
Totals           800                   100%                                                                  70.844%

In the above example the depth of control would be 70.844%.

ROI Measurement or Impact: When a device is infected by a worm or virus, in many cases regular business applications are not affected and can continue to function. The productivity of this user is not affected in this case, because as far as they are concerned they are still able to work. In this case it would be preferable to allow that user and application to continue to function, while at the same time isolating the malicious traffic from the worm or virus. In many network systems today the only capability is an on/off decision as far as the end station is concerned. Where the productivity of the user was not affected by the infection, the response to the infection does affect the user’s productivity. This would be avoided with a Secure Network solution because the depth of control at the end user is suitable for isolating malicious traffic flows while leaving valid business communications in place. In other words, the cure is not worse than the disease.

Technologies and Features Involved: The depth of control at the edge combined with the context-based networking services of the Enterasys Secure Network enable an advanced solution to be deployed.
• Flow-Based Forwarding and Policy Control—allows for per-device/per-application control
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
— XSR and X-Pedition routers
• Authentication and Role-Based Authorization—allows for precise access granted to individual users
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
• Policy Management—allows for simple deployment of rules that drive controlled behavior
— NetSight Atlas Policy Manager

Ingress Network Points Protected (Metric 3.3)
Financial: NO

Description: One of the most significant issues with IT security is the assumption that attacks will conveniently ingress the business IT infrastructure at the points where selected perimeter security technology is present. While this would be a nice scenario, security threats, like water, tend to flow around obstructions. In order to strengthen the overall security position of a business, it is desirable to have a less porous edge. By instituting security technology in a greater portion of the overall edge of the communications network, security is substantially increased and risk reduced. Many methods of such security can be utilized, but at a minimum the edge can be considered to provide security to the infrastructure if it can understand acceptable traffic, applications and/or users and actively intervene when anomalous events or unauthorized users are detected. This defines the security capability of the edge and is related to the previous two metrics. The attribute that defines this metric set is the risk level of the ingress point, combined with the security capability level of that point. There are two types of ingress points considered: high-risk ingress points and low-risk ingress points. Looking first at risk level, high-risk ingress points are ones where there is a much greater likelihood that an attack will take place.
These are points such as public areas with network connections, home users with VPN connections, common work areas with minimal physical access control, or the perimeter of the controlled physical space in the case of wireless. Low-risk points are areas where physical security is in place. These areas include controlled access areas such as computer rooms, wiring closets and, even to some extent, individual employee work areas such as offices and cubicles. The assumption here is that these are areas where physical access is somehow limited to authorized personnel. The second part of this metric set, security capability, is simply categorized as a protected or unprotected port based on the capabilities mentioned above and measured in the previous two metrics. Metric 3.3a measures the percentage of physical entry points which are considered high risk. Metric 3.3b measures the percentage of physical entry points which are considered low risk. The two metrics must together equal 100% of ports in the infrastructure.

Value Expected:
Metric 3.3a - Optimal value—100% of high-risk ports protected
Metric 3.3a - Fair value—greater than 75% of high-risk ports protected
Metric 3.3b - Optimal value—100% of low-risk ports protected
Metric 3.3b - Fair value—greater than 25% of low-risk ports protected

Rationale for Value: With the exception of some Wi-Fi networks, in most enterprises security at the ingress points of the network is almost completely absent. Generally, LAN ports do not implement authentication technology, authorization functions or any kind of restrictive policy. It is sometimes the case that upstream routed interfaces in an intranet implement piecemeal access control lists, but that approach leaves all downstream devices exposed and in most cases is almost impossible to utilize at scale.

A Secure Network should be one in which, in areas unprotected by a physical security layer (doors, walls, guards), the network assumes that risks must be reduced and leverages authentication-, authorization-, and/or restriction-based policy to put a barrier between the rest of the IT systems and potential unauthorized or unacceptable uses.

Operational: YES
Business: NO

Measurement: The measurement of these metrics is fairly easy to quantify since, strictly speaking, it is a percentage of ingress points to the network, categorized and then counted as either secured or unsecured. All network ingress ports must be considered and categorized. High-risk ports are used to measure 3.3a and low-risk ports are used to measure 3.3b. For both 3.3a and 3.3b, each port must then be classified as secured or unsecured.

ROI Measurement or Impact: While the calculation of these metrics is straightforward, what is more difficult to measure is the impact this has on ROI. To have a measurable impact, an organization needs to know and understand how unsecured ingress points have been responsible for security events which contributed to a monetary loss for the organization. A suggested method for doing this would involve tracing back any security event to its point of origin and then determining if security on that ingress point could have prevented the event. Once the cost of the security event is understood, the ROI of the cost of the event versus the cost of a Secure Network implementation to secure that ingress point (and others like it) can be calculated.
Technologies and Features Involved: The following technologies help to make this capability possible in a Secure Network:
• Policy Management capabilities in the infrastructure
— NetSight Atlas Policy Manager
— NetSight Atlas Configuration Tools
• Enterprise Control MIBs and Enterasys Policy MIB
— Matrix N-Series and other Matrix switch families
— X-Pedition and XSR routers
— RoamAbout wireless access points
• Flow-Based Forwarding and Policy Control—allows for per-device/per-application control
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
— XSR and X-Pedition routers
• Authentication and Role-Based Authorization—allows for precise access granted to individual users
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points

Business Cost of Security Events (Metric Category 4.0)
Financial: YES
Operational: YES
Business: NO

Description: This category is used to calculate the approximate cost of a security event for an organization by finding the amount of time diverted from regular business processes to combat the security threat, or the time and opportunity lost to the business due to an attack. Each of the metrics measures the time impact during a security event. These times are converted to costs, based on an individual organization’s costs multiplied by the time taken for each metric. These costs are added together to produce a real cost for an organization. For the purposes of comparison, the values are left as times. The three metrics considered are:
• IT staff time required to deal with a security event
• User downtime during a security event
• Business revenue downtime during a security event
Each of these metrics is explained in more detail in its relevant section below.

Value Expected:
Optimal value—0 minutes (based on 4.1 + 4.2 + 4.3)
Fair value—less than 5 hours (based on 4.1 + 4.2 + 4.3)

Rationale for Value: While each of these three metrics will provide different costs for various organizations, the actual times measured should be comparable. For an organization to turn these times into costs requires the organization to know their average cost and revenue numbers in terms of time. As mentioned in the Overall Security Response Efficiency (Metric Category 2.0), an average security event has been calculated to be $230,700 USD by The Corporate IT Forum in the UK. While this number may seem high, it seems to be typical these days if all costs for a security event are taken into account. With a Secure Network Solution in place, this number should be significantly reduced for an organization. This group of metrics becomes important when calculating the cost of security in any ROI calculation. The goal, given that an average event costs $230,700, or about $1,200 per minute for a three-hour event in which 1,000 employees are affected, is to reduce the time to deal with an event and therefore reduce the overall cost. As mentioned previously, the purpose of this group of metrics is to measure the overall impact of a security event on the business.

Measurement: Measurement of these three metrics is considered individually in the relevant sections below. Each time metric in this group should be considered separately and multiplied by the relevant cost for that area in order to determine the cost for that metric.

ROI Calculation or Business Impact: This group of metrics is calculated by individually determining the times and costs for each of these three groups. The costs for each metric area need to be determined individually since it is expected that the costs in these three areas are different from one another. Each metric calculation is explained in the relevant section for that metric.
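The conversion this category describes (each time metric multiplied by the organization's own rate for that area, then summed) and the averaging over a review period suggested for Metric 4.1 are straightforward to put into a small calculator. The following is an added example written for this page, not code from the whitepaper or from Enterasys. The rate card, the department names and the event records are constructed sample data; the structure mirrors the three metrics 4.1, 4.2 and 4.3 described in the sections that follow.

```python
"""Business Cost of Security Events (Metric Category 4.0): convert the three time
metrics of an event into a cost and average them over a review period.
Added example for this page; rates and events are constructed, not page figures."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Tuple

@dataclass(frozen=True)
class OrgRates:
    """The organization's own cost figures 'in terms of time' (constructed)."""
    it_staff_cost_per_hour: float         # loaded cost of one IT staff hour
    user_cost_per_hour: Dict[str, float]  # department -> average loaded cost per user-hour
    revenue_per_minute: float             # revenue earned per minute of normal operation

@dataclass(frozen=True)
class SecurityEvent:
    """One security event with its three time measurements (constructed record)."""
    occurred: date
    it_staff_hours: float                           # Metric 4.1: IT man-hours diverted
    user_downtime: Dict[str, Tuple[int, float]]     # Metric 4.2: dept -> (users hit, minutes down)
    lost_revenue_minutes: float = 0.0               # Metric 4.3: minutes revenue could not be earned

def event_times(ev: SecurityEvent) -> Dict[str, float]:
    """The three time metrics for one event in minutes; 4.2 is total user-minutes lost,
    so it is the figure the page says should stay comparable between organizations."""
    user_minutes = sum(users * minutes for users, minutes in ev.user_downtime.values())
    return {"4.1": ev.it_staff_hours * 60, "4.2": user_minutes, "4.3": ev.lost_revenue_minutes}

def event_cost(ev: SecurityEvent, rates: OrgRates) -> Dict[str, float]:
    """Cost of one event: each time multiplied by the rate for that area, then summed.
    Department-level user costs follow the 'more detailed' method of Metric 4.2."""
    staff = ev.it_staff_hours * rates.it_staff_cost_per_hour
    users = sum(u * m * rates.user_cost_per_hour[dept] / 60
                for dept, (u, m) in ev.user_downtime.items())
    revenue = ev.lost_revenue_minutes * rates.revenue_per_minute
    return {"4.1": staff, "4.2": users, "4.3": revenue, "total": staff + users + revenue}

def average_over_period(events: Iterable[SecurityEvent], rates: OrgRates,
                        end: date, days: int = 182) -> Dict[str, object]:
    """Metric 4.1's suggested method, applied to all three metrics: average the times
    and costs of the events that fall inside a trailing window (default about six months)."""
    start = end - timedelta(days=days)
    window = [e for e in events if start <= e.occurred <= end]
    if not window:
        return {"events": 0, "avg_minutes": {}, "avg_cost": {}}
    n = len(window)
    keys_t, keys_c = ("4.1", "4.2", "4.3"), ("4.1", "4.2", "4.3", "total")
    avg_minutes = {k: sum(event_times(e)[k] for e in window) / n for k in keys_t}
    avg_cost = {k: sum(event_cost(e, rates)[k] for e in window) / n for k in keys_c}
    return {"events": n, "avg_minutes": avg_minutes, "avg_cost": avg_cost}

# Constructed sample data: a rate card and three events, one of them outside the window.
RATES = OrgRates(it_staff_cost_per_hour=80.0,
                 user_cost_per_hour={"sales": 60.0, "engineering": 90.0},
                 revenue_per_minute=500.0)
EVENTS = [
    SecurityEvent(date(2007, 9, 10), 6.0, {"sales": (40, 90), "engineering": (10, 30)}, 30.0),
    SecurityEvent(date(2007, 11, 2), 1.5, {"sales": (5, 20)}),
    SecurityEvent(date(2007, 4, 1), 12.0, {"engineering": (25, 240)}, 120.0),
]

if __name__ == "__main__":
    summary = average_over_period(EVENTS, RATES, end=date(2007, 12, 1))
    print(f"{summary['events']} events in window")
    for k, v in summary["avg_minutes"].items():
        print(f"  avg time  {k}: {v:9.1f} min")
    for k, v in summary["avg_cost"].items():
        print(f"  avg cost  {k}: ${v:10,.2f}")
```

Keeping times and costs as separate outputs matches the page's point that the times are the comparable figures while the costs depend on each organization's own rates; changing the rate card changes the cost lines without touching the time lines.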
Technologies and Features Involved: Each metric can be affected by the use of different technology. The technology for each is outlined in the relevant sections below.

IT Staff Use (Metric 4.1)
Financial: YES
Operational: YES
Business: NO

Description: The number of IT professional resources (in man hours) which are diverted to mitigate a single security event.

Value Expected:
Optimum value—0 minutes
Fair value—less than 60 minutes

Rationale for Value: In an optimum configuration, no IT personnel would need to be diverted from their regular tasks to handle security events. This assumes an automated response system is in place that can determine the nature of the event and respond to it. Even without an automated response in place it is desirable to keep this time as low as possible, since this time is directly proportional to how the organization is faring while under attack. The value of this number is an indicator of the level of security preparedness an organization has. The lower this number is, the more prepared an organization is for an attack.

Measurement: For the purposes of this metric the best approach to this number is to use an average that is calculated over a number of events. Choosing a time period, for instance the last six months, and then looking at the security events during that time should provide a good mix of events. Once each event is identified, the time diverted by IT resources to mitigate the threat should be calculated. An average is then taken over the time period and used for this metric.

ROI Calculation or Business Impact: According to Deloitte and Touche Tohmatsu (May 20, 2003), financial services companies are spending approximately 6% of their IT budgets on security. In 2003, 47% hired extra security staff, as compared to 2001. Price Waterhouse Coopers said in their bi-annual report on information security breaches in the UK that the average cost of a security breach was $50,000. The Corporate IT Forum indicated that the cost had recently increased to $230,700 USD. This is in keeping with the idea that attacks are becoming more difficult to deal with manually and are moving much more quickly. Based on this, the time required by IT staff to deal with a threat is increasing in general. In a C-Net article from March 22, 2001, a university conducted an analysis concluding that an intruder could break into a university’s computer in less than a minute, and stay less than half an hour. Yet finding out what he did in that time took researchers, on average, more than 34 hours each. With a Secure Network Solution in place, dealing with a security event is greatly simplified and in many cases automated. This leads to significantly lower times to deal with a security event, and potentially lower staff levels required for dealing with security events.

Technologies and Features Involved: There are several tools that can help reduce the number of IT security professional resources that are required to address security events:
• Central Security Policy Configuration and Distribution—the ability to administer policy enterprise-wide from a single management point
— NetSight Atlas Policy Manager
• Automated Detection Technologies—the ability to automatically detect security anomalies with little to no IT resource intervention
— Intrusion Detection Systems (IDS): Dragon, XSR with IPS SW
— Flow Setup Throttling: Matrix products
— Span Guard: Matrix products

User Downtime (Metric 4.2)
Financial: YES

Description: This is the productive time lost by the user community in an organization due to a specific security event. While user downtime is not strictly an IT cost, it is a real and critical business measure.
In this case, the time (and therefore cost) can be influenced by the IT organization both by minimizing the downtime itself, and by potentially offering increased protection of critical user communities so that they are less likely to be affected by a security event.

Value Expected:
Optimal value—0 minutes
Fair value—120 minutes

Rationale for Value: This metric is affected by the time it takes to mitigate a security event and whether or not the security event affected the user community. The ultimate goal is always to protect the entire user community from security events. However, that is not always realistic due to the costs involved. With this in mind, it is possible to deploy a more secure infrastructure for critical areas of the organization where the cost of downtime due to a security event is particularly high. Examples of this are financial trading floors, where downtime costs are measured in the millions per minute. Understanding the amount of impact to a user community during a security event is critical. In the best case the costs are understood by the user community, and the impact of an event on each community should be understood.

Measurement: The measurement of this metric is conceptually easy, but in practice some decisions need to be made. Measurement can be done in very simplistic terms, or in very detailed terms. The simplest method is to take an overall time that an event affects an organization. In more detailed terms, if the organization can determine costs for individual departments and can categorize downtime by department, it is possible to make this metric very specific.

ROI Calculation or Business Impact: The measurement of this cost is conceptually easy, but in practical terms takes some effort, depending on how accurate the number needs to be. Simply speaking, this cost is the product of the salaries of employees who are affected by the security event, multiplied by the time they are affected and cannot execute their responsibilities. In reality, though, this metric can be difficult to quantify because employees are affected differently for different events. It is also difficult to track how long they are truly affected. To turn this metric into a cost, a good approximation is to take the number of employees in an affected area and multiply by the average cost of those employees for a given period of time. Then, to calculate the cost of the event, multiply this cost per time period by the time they are affected. The ROI when using a Secure Network can be shown here in the time saved mitigating the security event, and also in the fact that some employee groups which in the past were affected by security events are no longer affected.

Operational: NO
Business: YES

Technologies and Features Involved: The technologies involved in expediting the time to mitigate a security event, or completely protecting a group from a security event, are the following:
• Central Security Policy Configuration and Distribution—the ability to administer policy enterprise-wide from a single management point
— NetSight Atlas Policy Manager
— NetSight Atlas Automated Security Manager
• Automated Detection Technologies—the ability to detect security anomalies automatically with little to no IT resource intervention
— Intrusion Detection Systems (IDS): Dragon family of products, XSR with IPS option installed
— Flow Setup Throttling: Matrix N-Series and other Matrix switch families
— Span Guard: Matrix N-Series and other Matrix switch families
• Segmentation and Traffic Control Techniques—the ability to control who and what has access to certain critical business areas and allow in only traffic from known secure endpoints
— Access Control and Authentication: Matrix N-Series and other Matrix switch families
— Access Control and Firewall Services: XSR family of security routers with FW option
— Access Control: X-Pedition routers

Lost Revenue Time (Metric 4.3)
Financial: NO
Operational: NO
Business: YES
Description: This metric measures the amount of time an organization cannot generate revenue due to a security event. This metric can be tied to bottom-line financials for an organization. This is a real cost to the business, consisting of lost revenue when an event occurs. While this is not strictly an IT cost, it is a direct cost to the organization and, as such, an important metric when considering the cost of security events.

Value Expected:
Optimal value—0 minutes
Fair value—120 minutes [11]

Rationale for Value: In looking at this value, anything which can be done to keep an organization operational during the time of a security event will help to reduce this number. Reducing this number provides a good ROI for the technology that is used to provide this outcome. The more the impact of a security event can be limited, with a goal of zero, the better the ROI will be.

[11] Arguably, any time above 0 for this value could be considered unacceptable; however, that is not the reality today.

Measurement: Measuring the amount of time that an organization’s primary business is no longer generating revenue due to a security event should be easy to quantify. If a security event is serious enough to stop an organization from generating revenue, there will likely be several stakeholders associated with the organization who will be measuring the time of the event. Generally the number is associated with the time a call center cannot receive or make calls, a production line cannot produce products, or a financial institution cannot perform transactions. Each of these is a serious event, and should be measured in minutes.

ROI Calculation or Business Impact: This number and the cost associated with it will be very dependent on the organization, the value of its transactions over a given time period, and how these would be affected by a loss of the technology infrastructure. In relative terms, though, the value of a loss can be significantly reduced if both the time required to mitigate a security event and the breadth of a security event are reduced. Again, while strictly not a number tracked by the IT department, as noted above, this number should be easy to obtain. One method for quantifying this value is to simply compare the revenue of the organization during the security event to a comparable period during which there was no security event. A Secure Networks solution should reduce or eliminate the effect a security event has on revenue.

Technologies and Features Involved: The technologies involved in speeding the time to mitigate a security event, or completely protecting a group from a security event, are the following:
• Central Security Policy Configuration and Distribution—the ability to administer policy enterprise-wide from a single management point
— NetSight Atlas Policy Manager
— NetSight Atlas Automated Security Manager
• Automated Detection Technologies—the ability to detect security anomalies automatically with little to no IT resource intervention
— Intrusion Detection Systems (IDS): Dragon family of products, XSR with IPS option installed
— Flow Setup Throttling: Matrix N-Series and other Matrix switch families
— Span Guard: Matrix N-Series and other Matrix switch families
• Segmentation and Traffic Control Techniques—the ability to control who and what has access to certain critical business areas and allow in only traffic from known secure endpoints
— Access Control and Authentication: Matrix N-Series and other Matrix switch families
— Access Control and Firewall Services: XSR family of security routers with FW option
— Access Control: X-Pedition routers

Secure Networks Business Impact (Metric Category 5.0)
Financial: YES
Operational: YES
Business: YES

Description: This category of four metrics measures the impact of implementing a new security architecture such as Secure Networks.
These metrics are designed to look at a previous baseline and compare it to a new security approach. In many organizations after security has been implemented, there is not as much emphasis in determining business value derived from that implementation. In many cases, this is not done simply because it is difficult to measure quantitatively how security has positively impacted the business. This is generally true since most security systems do not provide the tools to measure improvements. A Secure Network implementation does provide the tools needed to perform quantitative measurements of improvements in security. If the organization does not have a Secure Network in place, it is still encouraged to look at these metrics and attempt to quantify them anyway. This will give the organization the opportunity to compare their current practice to the best practices associated with Secure Networks implementations. This group of metrics consists of the following four items: • Reduction of Business Cost Due to Security Events • Reduction in Number of Security Events • Alignment of Technology with Business • Improvement in Continuity Value Expected: The value expected from these metrics are individual and cannot be summarized into one value. Each should be considered individually and used as a comparison to a time when security had not been improved. Rational for Value: The rational for the values derived by these metrics is discussed individually in the relevant sections below. Measurement: The measurement of each metric in this section does require some knowledge of a previous baseline measurement. In many cases it is recommended that the baseline be obtained prior to the new security model, such as Secure Networks being implemented. Each metric’s measurement is discussed in the relevant sections below. ROI Calculation or Business Impact: The calculation of a ROI or other financial measure for this group of metrics can be problematic. 
Since this group of metrics is based on comparisons to previous baselines, the improvements are expressed as percentage improvements in a given area. In order to obtain an ROI or other financial measure from these improvements, values must be determined, which represent costs associated with the baseline operations. With the expected improvements quantified, new costs should be obtained representing the improvements because of the improved security. Finally the old costs should be compared to the new costs to validate the improvements indicated by the metrics. Technologies and Features Involved: The technologies used to improve each metric are covered in the relevant sections below. Page 32 of 48 • Whitepaper Operational: YES Business: YES Reduction of Business Cost Due to Security Events (Metric 5.1) Financial: YES Description: This metric measures the difference in business cost after a new security architecture, such as Secure Networks, is implemented. In order for this metric to be valid, the costs to the organization prior to implementing a new security architecture must be understood. This metric categorizes the costs associated with a security event, including as many tangible factors as possible. These include the metrics measured in section 2.0 (Security Response Efficiency) as well as the metrics from section 4.0 (Business Cost of Security Events). What makes this metric different than section 4.0 is the fact that it is a comparison between a previous security architecture and a new security architecture such as Secure Networks. Value Expected: Optimal value—75% reduction in costs to the business Fair value—greater than 25% reduction in costs to the business Rational for Value: A large percentage of security breaches involve usage of administrative protocols and services by non-IT administrators. The ability to enforce an Acceptable Use Policy for employees and general users allows for the elimination of these threats. 
Administrative protocols such as SNMP, Telnet, TFTP, and others can be eliminated from use by any non-IT administrator. In addition, potentially dangerous traffic such as routing protocols can be limited to only the device that requires it, and not to or from general users or devices. It is critical that the activity of the Secure Network be visible so that the system’s value can be measured. Tracking the number of attacks prevented because of the enforcement of policy rules is a key measure of effectiveness of the system once in place. Once the baseline costs are understood, pre-Secure Networks, it should be easy to quantify the reduction in costs from the new security implementation. Measurement: Measurement of a reduction in costs due to security events can be problematic. There are two potential methods that can be used. One method is fairly simple, but does not guarantee accuracy. The other can become complex, but the results are more defendable under review. The simple method involves taking a typical period of time at the organization and determining all costs associated with security events during that period of time. The period of time used should be sufficiently long so that security events will have occurred during that period of time. A minimum suggested length of time is 3 months, with a preferred period of time being in the range of 6 to 12 months. Using this method is not necessarily accurate over shorter periods of time, because as the time frames are lengthened, the accuracy of the numbers improves. The costs should be calculated before the new security system is implemented and after the new security architecture is in place. The major drawback to using this method is that there is an assumption that two similar periods of time will have similar numbers and types of attacks. This may not necessarily be the case. Typically as time progresses, the frequency and complexity of attacks increases. 
This means that when comparing an earlier period to a later period, the later period will almost invariably have been subjected to a larger number of more sophisticated attacks. Operational: YES Business: YES Page 33 of 48 • Whitepaper The more complex method involves understanding the types of attacks the organization is subject to in some detail, and being able to quantify the costs associated with specific attacks, over a period of time. As in the simple method, a specific time period must be chosen, but it is not as critical to keep that time period very long in this method. During the selected time period, say 3 – 6 months, each attack needs to be examined and categorized. The costs associated for that attack should be understood and summarized. At the end of the period, the total cost to the business for security related events should be understood. Once a new security architecture like Secure Networks is put in place, the number of attacks and their associated costs should also be examined over the given time period. This should be easier to do with Secure Networks in place. Then, at the end of the time period, the frequency and complexity of attacks should be considered and a normalization factor should be applied. This means that if in the second measurement period the number and complexity of attacks increased by 25%, that the cost associated with the less frequent, less complex period should also be increased by 25%. This produces a more accurate number, but is much more difficult to quantify. ROI Measurement or Impact: A typical security event can cost between $50,000 (Price Waterhouse Coopers) and $4,228,000 (TruSecure/ICSA Labs), with a value of $230,700 shown as an average (The Corporate IT Forum). There were a total of 82,094 security incidents that were actually reported to CERT/CC in the year 2002. 
A 25% reduction in that number would reduce the number of events by 20,523 producing a savings of between $1 billion and $86 billion for that year, worldwide. For a specific organization, the costs from a baseline period and a period after implementation of a new security architecture such as Secure Networks are considered. The difference in the two costs becomes a sample for the return in an ROI calculation. Because the time period will be relatively short, it is suggested that the cost savings be multiplied by a factor to make the time period equivalent to typical ROI payback period at the organization. The investment consists of the cost associated with implementation of the new security architecture. The following example may help: Assuming the following: • The period under consideration is 6 months. • The typical payback period for the organization is now considered two years. • The cost of events during the baseline 6 month period was $100,000. • The cost of events with the new security architecture during the new 6 month period is $50,000. • The complexity and frequency of events increased by 25% between the two periods. • The cost of the security architecture was $100,000. Page 34 of 48 • Whitepaper The following is the ROI calculation: Pre-SN Security Cost = Old Period Cost * Complexity Increase Factor (per period) = $100,000 + ($100,000 * 25%) = $125,000 SN Security Savings = Pre-SN Security Cost – SN Security Cost (per period) = $125,000 - $50,000 = $75,000 ROI = Net Income/Book Value of Assets = SN Security Savings (per period) * number periods for ROI time frame/SN Implementation Cost = ($75,000 * 4 periods)/$100,000 = $300,000/$100,000 = 300% Technology and Features Involved: The reduction of costs due to better handling of security events after a Secure Network is implemented is dependent on a wide range of Enterasys technologies. Each technology is discussed in more detail in other sections of this document. 
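The following Python is an added example, not code from the whitepaper or from Enterasys. It reproduces the Metric 5.1 calculation above with both measurement methods (the simple method is the same arithmetic with a normalization factor of zero) and the worldwide events-avoided figure that Metrics 5.1 and 5.2 both quote. The class, function and parameter names are my own; the numbers are the ones in the text.

```python
"""Metric 5.1 ROI worked example (added illustration, not from the whitepaper)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CostComparison:
    baseline_cost: float          # cost of security events in the pre-SN period
    new_cost: float               # cost of events in the post-SN period of equal length
    complexity_increase: float    # fractional rise in attack frequency/complexity (0.25 = 25%)
    period_months: int            # length of each measurement period
    payback_months: int           # organization's typical ROI payback period
    implementation_cost: float    # cost of the new security architecture


def normalized_baseline_cost(c: CostComparison) -> float:
    """Complex method: scale the baseline cost by the rise in attack frequency and
    complexity so the two periods are comparable. With complexity_increase = 0 this
    is the simple method (no normalization)."""
    if c.complexity_increase <= -1:
        raise ValueError("normalization factor would zero or invert the baseline")
    return c.baseline_cost * (1 + c.complexity_increase)


def savings_per_period(c: CostComparison) -> float:
    return normalized_baseline_cost(c) - c.new_cost


def periods_in_payback(c: CostComparison) -> int:
    """Number of measurement periods that fit in the ROI payback window."""
    if c.period_months <= 0 or c.payback_months % c.period_months:
        raise ValueError("payback period must be a whole number of measurement periods")
    return c.payback_months // c.period_months


def roi_percent(c: CostComparison) -> float:
    """ROI = savings per period * periods in payback window / implementation cost."""
    return savings_per_period(c) * periods_in_payback(c) / c.implementation_cost * 100


def events_avoided(reported_events: int, reduction_fraction: float) -> int:
    """Whole events avoided by a fractional reduction (truncated, as the text does)."""
    return int(reported_events * reduction_fraction)


def savings_range(avoided: int, low_cost_per_event: int, high_cost_per_event: int):
    """Low and high worldwide savings for the avoided events."""
    return avoided * low_cost_per_event, avoided * high_cost_per_event


# Figures from the worked example in the text
EXAMPLE = CostComparison(100_000, 50_000, 0.25, 6, 24, 100_000)
# Worldwide figures quoted in the text: incidents reported to CERT/CC in 2002 and the
# per-event cost range
CERT_CC_2002 = 82_094
COST_LOW, COST_HIGH = 50_000, 4_228_000

if __name__ == "__main__":
    print(f"normalized baseline cost: ${normalized_baseline_cost(EXAMPLE):,.0f}")
    print(f"savings per period:       ${savings_per_period(EXAMPLE):,.0f}")
    print(f"ROI (complex method):     {roi_percent(EXAMPLE):.0f}%")
    simple = CostComparison(100_000, 50_000, 0.0, 6, 24, 100_000)
    print(f"ROI (simple method):      {roi_percent(simple):.0f}%")
    avoided = events_avoided(CERT_CC_2002, 0.25)
    low, high = savings_range(avoided, COST_LOW, COST_HIGH)
    print(f"{avoided:,} events avoided -> ${low:,.0f} to ${high:,.0f}")
```

Running it shows the difference the normalization factor makes: the simple method credits only $50,000 of savings per period (200% ROI), while the complex method credits $75,000 (300% ROI), because the later period absorbed 25% more and more sophisticated attacks.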
The relevant sections for Metric 5.1 are 1.0, 2.0, 3.0 and 4.0.

Reduction in Security Events (Metric 5.2)
Financial: YES   Operational: YES   Business: YES

Description: The goal of any security strategy is to prevent security attacks and ultimately to reduce the time spent on them. This metric measures the reduction in security events. It does not mean that the number of attacks an organization faces is reduced; rather, it considers that, over a given number of attacks, the number that actually become security events requiring intervention and costly responses is reduced, thereby reducing the impact to the business.

Value Expected:
Optimal value—reduction of security events by 75%
Fair value—reduction of security events by 25%

Rationale for Value: By deploying a Secure Network, it is expected that a significant number of previously present unauthorized actions or attacks will be prevented. This can be measured by traditional security technologies seeing a substantial reduction in total security events. The impact of this reduction is seen in the ability of the traditional security devices (IDS, VA, Firewall, Anti-Virus, etc.) to detect fewer but more relevant attacks. It can also be measured in the cost of outside services provided by Managed Security Service Providers: if fewer attacks are processed by such outsourced services, the overall cost of that service should be lower.

Measurement: Since this number is simply a count of security events requiring intervention in two time periods, it should not be difficult to calculate. A sufficiently long time period should be chosen; typically 3 to 6 months is adequate. Tracking events prior to implementing a Secure Network may be difficult, since few systems track this number. With a Secure Network implementation, it is possible to track the number of attacks and also which attacks become more serious security events requiring intervention.

ROI Calculation or Business Impact: A typical security event can cost between $50,000 (Price Waterhouse Coopers) and $4,228,000 (TruSecure/ICSA Labs), with $230,700 shown as an average (The Corporate IT Forum). A total of 82,094 security incidents were actually reported to CERT/CC in the year 2002. Even a 25% reduction in that number would reduce security events by 20,523, totaling a savings of between $1 billion and $86 billion for that year, worldwide. For an organization to measure this number accurately, it will be necessary to track all security events detected over a given time period and compare those to an equivalent time period after Secure Networking practices and technologies are implemented. The baseline number can consist of various measurements, but should be chosen so that it can be compared to a similar measurement after the change in the infrastructure. To associate this number of events with a cost before and after the Secure Networks implementation, the organization can either calculate its own average cost of a security event, if it is known, or use the average cost stated above.

Technologies and Features Involved: The reduction in security events detected after a Secure Network is implemented depends on a wide range of Enterasys technologies. Each technology is discussed in more detail in other sections of this document. The relevant sections are 1.0, 2.0, 3.0 and 4.0. Some technologies are specifically relevant to the event counts:
• Automated Detection Technologies—the ability to detect security anomalies automatically with little to no IT resource intervention
— Intrusion Detection Systems (IDS): Dragon family of products, XSR with IPS option installed

Alignment of Technology with Business (Metric 5.3)
Financial: YES   Operational: YES   Business: YES

Description: Improper placement of security technology can impact business processes in various ways. This is probably the most difficult metric to measure, since it attempts to measure the lost opportunities associated with security technology being misplaced, ineffective, or lacking features required by the business. In many cases, because of a lack of network-based security technology and the need to do something about the imminent threats enterprises face, the general reaction has been to overcompensate: placing technology in roles for which it was not designed, misaligning staff, and creating excessive or misdirected partner relationships. By throwing resources at the problem, people have felt that they were addressing the issues of IT security. With a Secure Network, infrastructure security, which was a critical missing component, now participates in the security and network solution. This allows traditional security devices to return to their designed function, IT staff to be optimized, and partnerships to focus on their high-value aspects. In this scenario, no business opportunities should be missed because of misaligned security technologies.

Value Expected:
Optimal value—0% of business opportunities affected
Fair range—less than 25% of business opportunities affected
Secure Networks should eliminate situations where bandwidth or capacity is compromised by the placement of non-line-rate security devices in the critical path of communications.

Rationale for Value: Optimally, if the network can protect itself and pre-empt threats, the need to compensate for the network when considering new business processes or opportunities is reduced. With an optimal security solution, perimeter security devices such as firewalls and IDS systems can be placed at the points in the network where they are designed to do the most good, without creating a technology choke point for the business. If the network is managed and controlled as a system, fewer IT staff can command much greater control capability, reducing the need for brute-force, human-driven change management. Finally, if the network makes the IT systems more secure and prevents significant security vulnerabilities, the need for external assistance is reduced.

Measurement: Opportunity cost is always difficult to determine without an extensive understanding of the opportunities that exist, their value, and what effect the security infrastructure has on them. Measuring opportunity cost here means looking at projects that are cancelled, postponed, or otherwise modified to compensate for a lack of security capability in the IT department. The value of these projects needs to be understood from their business cases and then compared against the value actually delivered. For projects that cannot be delivered at all, their entire value is lost to the business, and the opportunity cost is the value those projects would have delivered; if a project is cancelled entirely due to security shortcomings, the cost of the security technology can be measured against the value that could have been derived from the business project. The same applies to business projects that end up delivering less value because of modifications caused by security technology shortcomings: some value is derived, but less than was expected. To perform this measurement, the percentage reduction in value derived from the business projects is measured for the metric.

ROI Calculation or Business Impact: The ROI on this metric is probably the most difficult to gauge, but it could potentially be the metric with the highest ROI to a business. Since it deals with business processes and initiatives, measuring it requires the IT organization and the business it supports to have an honest and frank conversation, in which the two groups decide which business initiatives have been negatively affected by a lack of supporting security infrastructure. The impact can be as minimal as a small business process change being required at implementation to accommodate a security shortcoming; this may make the new business process slightly less efficient and therefore affect the value it generates. At the other extreme, a sub-optimal security infrastructure could cause a business-process change to be cancelled altogether. In that case, the value estimated for the new business process is set against the cost of upgrading the infrastructure to support the business change.

Example: Suppose a law firm decided that, in order to increase its billable time, it would implement a wireless network so that its partners could work, track their time, and bill clients from anywhere in the office. The firm estimates that this will increase its billable hours by 5%. If the firm bills $5,000,000 per year (a relatively small firm), the 5% increase translates to a $250,000 annual increase in billing. If this new business opportunity must be cancelled because of a lack of supporting security infrastructure, the increased value is lost.

This metric looks at these lost opportunities and at the opportunities made less efficient because of a lack of infrastructure security. To make the metric comparable between organizations, an organization looks at the percentage of opportunities lost or affected negatively. For this value to translate to ROI, the estimated value of a lost opportunity must be known when the opportunity is dropped because of a lack of effective security. For opportunities that do go ahead but are affected negatively by changes required to accommodate the lack of a Secure Network, the loss of efficiency needs to be translated into a value. This is usually done by taking the initially projected value of a project, determining the actual value delivered, and then determining how much of the difference was lost due to a lack of effective security in the infrastructure.
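The following Python is an added example, not code from the whitepaper or from Enterasys. It turns the measurement just described into numbers: from a list of projects with their projected and delivered value, it derives the Metric 5.3 value (the percentage of projects cancelled or degraded because of security shortcomings), the dollar opportunity cost behind it, and that cost set against an infrastructure upgrade. The law firm entry is the case from the text; the other projects, the $100,000 upgrade cost, and all names are constructed for the example.

```python
"""Metric 5.3 opportunity-cost worked example (added illustration, not from the whitepaper)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    name: str
    projected_value: float   # annual value from the business case
    delivered_value: float   # value actually delivered (0 if cancelled)
    security_caused: bool    # shortfall attributable to lacking security infrastructure

    @property
    def lost_value(self) -> float:
        """Value not delivered, whatever the cause (never negative)."""
        return max(self.projected_value - self.delivered_value, 0.0)

    @property
    def security_affected(self) -> bool:
        """Counts toward the metric only if security caused an actual shortfall."""
        return self.security_caused and self.lost_value > 0


def misaligned_percent(projects) -> float:
    """Metric 5.3 value: share of projects cancelled or degraded because of security."""
    if not projects:
        raise ValueError("no projects to assess")
    return sum(p.security_affected for p in projects) / len(projects) * 100


def security_opportunity_cost(projects) -> float:
    """Dollar value lost to security shortcomings: the full projected value of a
    cancelled project, projected minus delivered for a degraded one."""
    return sum(p.lost_value for p in projects if p.security_affected)


def alignment_roi_percent(projects, infrastructure_upgrade_cost: float) -> float:
    """Lost value set against the cost of the infrastructure upgrade that would have
    supported the projects, as the text describes."""
    return security_opportunity_cost(projects) * 100 / infrastructure_upgrade_cost


# Constructed portfolio. The first entry is the law firm example from the text:
# 5% of $5,000,000 annual billing = $250,000, cancelled outright.
PROJECTS = [
    Project("Wireless billing for partners", 5_000_000 * 0.05, 0, True),
    Project("Partner remote-access portal", 120_000, 90_000, True),   # went ahead, degraded
    Project("ERP upgrade", 400_000, 400_000, False),                   # unaffected
    Project("Branch VoIP rollout", 80_000, 60_000, False),             # shortfall unrelated to security
]

if __name__ == "__main__":
    print(f"projects misaligned by security: {misaligned_percent(PROJECTS):.0f}%")
    print(f"opportunity cost: ${security_opportunity_cost(PROJECTS):,.0f}")
    print(f"ROI on a $100,000 upgrade: {alignment_roi_percent(PROJECTS, 100_000):.0f}%")
```

Note that the fourth project is excluded from the opportunity cost even though it fell short, because its shortfall was not attributed to security; the honest IT-to-business conversation the text calls for is what decides the security_caused flag for each project.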
Technology Involved: The following technologies help to make this system possible:
• Policy Management capabilities in the infrastructure
— NetSight Atlas Policy Manager
— NetSight Atlas Configuration Tools
• Enterprise Control MIBs and Enterasys Policy MIB
— Matrix N-Series and other Matrix switch families
— X-Pedition and XSR routers
— RoamAbout wireless access points
• Flow-Based Forwarding and Policy Control—allows for per-device/per-application control
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
— XSR and X-Pedition routers
• Authentication and Role-Based Authorization—allows precise access to be granted to individual users
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points

Continuity Improvement (Metric 5.4)
Financial: YES   Operational: YES   Business: YES

Description: This metric quantifies the improvement in the business continuity of the network infrastructure compared with continuity before implementing a Secure Network. Note that this measurement attempts to quantify business continuity, not simply network continuity. Network continuity is the ability of the network to continue to pass traffic under all conditions. While this is important, it is not what is of primary importance to a business. The business ultimately cares about business continuity, that is, the ability of the network to continue to pass the traffic that is critical to keeping the organization functioning.

Value Expected:
Optimum value—75% improvement over baseline
Fair value—25% or greater improvement over baseline
The values used should come from whatever baseline is currently in use for decision support in the enterprise network. It is expected that the baseline could include one or more of the following network attributes:
• Link Saturation: when a link exceeds the maximum desirable load
• Reachability: the ability of packets to reach pre-defined endpoints
• Latency and Jitter: the predictability of the delivery time of traffic
• Packet Loss: the amount of packets discarded due to buffer overflows and link saturation
The baseline should also include attributes measuring the continuity of the critical applications that rely on the network. Examples of attributes that could be included [12]:
• Application Response Time: the time for the application to respond to a typical request
• Application Session Drops: the number of sessions dropped by the application in a given time period
• Application Transaction Time: the time for a transaction to be completed

Rationale for Value: Typical network continuity is impacted by security events on a regular basis. When a virus or worm hits, the impact on network load, link availability, jitter, latency, and other tangible characteristics of application delivery is seen. Once Secure Networking technology is in place, it is expected that the reduction in security events and the ability to control such events proactively will smooth the overall deviation in the expected continuity metrics, thus improving the user experience and continuity.

Measurement: Since this metric measures business continuity, it should extend beyond simple network uptime and response time; the actual continuity of applications needs to be factored in. Application response time (continuity) measurement is beyond the scope of this paper, but it must be undertaken for this metric to be valuable. In most organizations, application measurement statistics are kept by application developers and operations teams. This is especially true for organizations that have signed SLAs between their IT groups and their internal customers. If this is the case, continuity improvements should be easy to quantify. Once continuity gains are understood, they need to be expressed as financial values.

ROI Calculation or Business Impact: Once continuity improvements can be measured, calculating ROI should be straightforward. If continuity is improved by 50%, the cost of the business interruption can be calculated: by considering the value of revenue and operational costs over a period of time, a loss of that value yields a dollar figure that can be applied to the ROI calculation. An improvement in continuity produces a lower loss from a business interruption. Use the standard ROI calculation:

ROI = Net Income / Book Value of Assets

                        Value of Continuity Gain
Net Income = -------------------------------------------
             Cost of Secure Network Implementation

Technologies and Features Involved: The following technologies help to make these improvements in continuity possible:
• Policy Management capabilities in the infrastructure
— NetSight Atlas Policy Manager
— NetSight Atlas Configuration Tools
• Enterprise Control MIBs and Enterasys Policy MIB
— Matrix N-Series and other Matrix switch families
— X-Pedition and XSR security routers
— RoamAbout wireless access points
• Flow-Based Forwarding and Policy Control—allows for per-device/per-application control
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points
— XSR and X-Pedition routers
• Authentication and Role-Based Authorization—allows precise access to be granted to individual users
— Matrix N-Series and other Matrix switch families
— RoamAbout wireless access points

[12] Additional attributes and examples of what can be measured for application response times are available at http://pastmon.sourceforge.net/documentation/generic_plugin.pdf.

Secure Networks Index

In order to create an aggregate view of the effect of these metrics, a Secure Networks Index can be calculated. By giving a point score to the effectiveness of implementing Secure Networks technology, an organization can measure the current state of its implementation. The higher this index, the better able the IT systems will be to improve the overall business security posture. It is critical to understand that no system is absolutely secure at any time, but this index provides a measure of how well Secure Networks technology has been utilized by the organization.

#     Metric                                                  Weight  Optimal (3 Points)  Average (2 Points)  Fair (1 Point)
1.0   Security Operations Efficiency
1.1   Time to Configure and Deploy                            10%     15 Minutes          30 Minutes          60 Minutes
1.2   Secure User Mobility                                    5%      0 Minutes           25 Minutes          60 Minutes
1.3   Concentration of Configuration and Operation Functions  5%      100%                90%                 75%
2.0   Overall Security Response Efficiency
2.1   Time to Detect                                          7%      180 Seconds         20 Minutes          60 Minutes
2.2   Time to Assess and Locate                               6%      60 Seconds          5 Minutes           10 Minutes
2.3   Time to Respond/Correct                                 7%      60 Seconds          3 Minutes           10 Minutes
3.0   Security Control Capabilities
3.1   Granularity of Control                                  7%      100%                90%                 75%
3.2   Depth of Control                                        7%      90%                 85%                 75%
3.3a  Network High-Risk Ingress Points Protected              3%      100% Protected      90% Protected       75% Protected
3.3b  Network Low-Risk Ingress Points Protected               3%      100% Protected      75% Protected       25% Protected
4.0   Business Cost of Security Events
4.1   IT Staff Use                                            6%      0 Minutes           30 Minutes          60 Minutes
4.2   User Downtime                                           6%      0 Minutes           60 Minutes          120 Minutes
4.3   Lost Revenue Time                                       8%      0 Minutes           60 Minutes          120 Minutes
5.0   Secure Networks Business Impact
5.1   Reduction of Business Cost Due to Security Events       5%      75%                 50%                 25%
5.2   Reduction of Security Events                            5%      75%                 50%                 25%
5.3   Alignment of Technology with Business                   5%      0% misaligned       10% misaligned      25% misaligned
5.4   Continuity Improvement                                  5%      75% improvement     50% improvement     25% improvement

Appendix A—Calculating Your Own Metrics

In this section, an organization can fill in the values for its own metrics calculation.

Metrics

The following table can be used to assess an organization's Secure Networks effectiveness.

#     Metric                                                  Weight  Actual Value  Score  Weighted Score
1.0   Security Operations Efficiency
1.1   Time to Configure and Deploy                            10%
1.2   Secure User Mobility                                    5%
1.3   Concentration of Configuration Function                 5%
2.0   Overall Security Response Capability
2.1   Time to Detect                                          7%
2.2   Time to Assess and Locate                               6%
2.3   Time to Respond/Correct                                 7%
3.0   Security Control Capabilities
3.1   Granularity of Control                                  7%
3.2   Depth of Control                                        7%
3.3a  Network High-Risk Ingress Points Protected              3%
3.3b  Network Low-Risk Ingress Points Protected               3%
4.0   Business Cost of Security Events
4.1   IT Staff Use                                            6%
4.2   User Downtime                                           6%
4.3   Lost Revenue Time                                       8%
5.0   Secure Networks Business Impact
5.1   Reduction of Business Cost Due to Security Events       5%
5.2   Reduction of Security Events                            5%
5.3   Alignment of Technology with Business                   5%
5.4   Continuity Improvement                                  5%
      Total                                                   100%

1.0 Security Operations Efficiency
    Sum of 1.1 + 1.2 + 1.3. Do not fill in this value; it is derived from the next three metrics.
1.1  Time to Configure and Deploy Security
     Less than 15 minutes                                    = 3 points (Optimal)
     Between 15 and 30 minutes                               = 2 points (Average)
     Between 31 and 60 minutes                               = 1 point  (Fair)
     More than 60 minutes                                    = 0 points (Unacceptable)

1.2  Time for Secure User Mobility Configuration
     No reconfiguration (0 minutes per move)                 = 3 points (Optimal)
     Management reconfiguration only (30 minutes per move)   = 2 points (Average)
     Management and end-system reconfiguration (60 minutes per move)
                                                             = 1 point  (Fair)
     Management, end-system and network reconfiguration (more than 60 minutes per move)
                                                             = 0 points (Unacceptable)

1.3  Concentration of Configuration/Operation Functions
     100% of network elements                                = 3 points (Optimal)
     Between 90% and 99% of network elements                 = 2 points (Average)
     Between 75% and 89% of network elements                 = 1 point  (Fair)
     Less than 75% of network elements                       = 0 points (Unacceptable)

2.0  Overall Security Response Efficiency
     Sum of 2.1 + 2.2 + 2.3. Do not fill in this value; it is derived from the next three metrics.

2.1  Time to Detect
     Less than 3 minutes                                     = 3 points (Optimal)
     Between 3 and 20 minutes                                = 2 points (Average)
     Between 21 and 60 minutes                               = 1 point  (Fair)
     More than 60 minutes                                    = 0 points (Unacceptable)

2.2  Time to Assess and Locate
     Less than 60 seconds                                    = 3 points (Optimal)
     Between 1 and 5 minutes                                 = 2 points (Average)
     Between 6 and 10 minutes                                = 1 point  (Fair)
     More than 10 minutes                                    = 0 points (Unacceptable)

2.3  Time to Respond/Correct
     Less than 60 seconds                                    = 3 points (Optimal)
     Between 61 and 180 seconds                              = 2 points (Average)
     Between 3 and 10 minutes                                = 1 point  (Fair)
     More than 10 minutes                                    = 0 points (Unacceptable)

3.0  Security Control Capabilities
     Do not fill in this value; it is derived from the next three metrics (3.1, 3.2 and 3.3).

3.1  Granularity of Control
     Individual device on any segment (even shared)          = 3 points (Optimal)
     Individual device on more than 50% of the network       = 2 points (Average)
     Only all ingress ports                                  = 1 point  (Fair)
     Less than all ingress ports                             = 0 points (Unacceptable)

3.2  Depth of Control (apply the first row that matches, reading from the top)
     Depth of Control Level > 90%                            = 3 points (Optimal)
     Depth of Control Level > 85%                            = 2 points (Average)
     Depth of Control Level >= 75%                           = 1 point  (Fair)
     Depth of Control Level < 75%                            = 0 points (Unacceptable)

3.3a Network High-Risk Ingress Points Protected by Security
     100% protected                                          = 3 points (Optimal)
     Between 90% and 99% protected                           = 2 points (Average)
     Between 75% and 89% protected                           = 1 point  (Fair)
     Less than 75% protected                                 = 0 points (Unacceptable)

3.3b Network Low-Risk Ingress Points Protected by Security
     100% protected                                          = 3 points (Optimal)
     Between 50% and 99% protected                           = 2 points (Average)
     Between 25% and 49% protected                           = 1 point  (Fair)
     Less than 25% protected                                 = 0 points (Unacceptable)

4.0  Business Cost of Security Events
     Sum of 4.1 + 4.2 + 4.3. Do not fill in this value; it is derived from the next three metrics.

4.1  IT Staff Use Per Security Event
     No time diverted                                        = 3 points (Optimal)
     Between 1 and 30 minutes                                = 2 points (Average)
     Between 31 and 60 minutes                               = 1 point  (Fair)
     More than 60 minutes                                    = 0 points (Unacceptable)

4.2  User Downtime Per Security Event
     No downtime                                             = 3 points (Optimal)
     Between 1 and 60 minutes                                = 2 points (Average)
     Between 61 and 120 minutes                              = 1 point  (Fair)
     More than 120 minutes                                   = 0 points (Unacceptable)

4.3  Lost Revenue Time Due to Security Event
     No lost revenue time at any point during the event      = 3 points (Optimal)
     Lost revenue time between 1 and 60 minutes              = 2 points (Average)
     Lost revenue time between 61 and 120 minutes            = 1 point  (Fair)
     Lost revenue time of more than 120 minutes              = 0 points (Unacceptable)

5.0  Secure Networks Business Impact
     Do not fill in this value; it is derived from the next four metrics.

5.1  Reduction in Business Cost Due to Security Events
     Measured once the baseline of attacks is understood.
     Reduction of 75% or more                                = 3 points (Optimal)
     Reduction of 50% to 74%                                 = 2 points (Average)
     Reduction of 25% to 49%                                 = 1 point  (Fair)
     Reduction of less than 25%, or none                     = 0 points (Unacceptable)

5.2  Reduction in Security Events
     Measured once the baseline of security events is understood.
     Reduction of 75% or more                                = 3 points (Optimal)
     Reduction of 50% to 74%                                 = 2 points (Average)
     Reduction of 25% to 49%                                 = 1 point  (Fair)
     Reduction of less than 25%, or none                     = 0 points (Unacceptable)

5.3  Alignment of Technology with Business
     Quantify, as a percentage of all projects, how many projects were negatively impacted by a lack of security infrastructure in the business.
     Security impacted 0% of projects                        = 3 points (Optimal)
     Security impacted between 1% and 10% of projects        = 2 points (Average)
     Security impacted between 11% and 25% of projects       = 1 point  (Fair)
     Security impacted more than 25% of projects             = 0 points (Unacceptable)

5.4  Continuity Improvement
     Measured once the baseline of average continuity is understood.
     Improvement of 75% or more                              = 3 points (Optimal)
     Improvement of 50% to 74%                               = 2 points (Average)
     Improvement of 25% to 49%                               = 1 point  (Fair)
     Improvement of less than 25%, or none                   = 0 points (Unacceptable)

All contents are copyright © 2004 Enterasys Networks, Inc. All rights reserved. Lit. #9013638-1 6/04
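Worked example, added here and not part of the Enterasys whitepaper: a small Python scorer for Metric Category 2.0 that derives the 2.1, 2.2 and 2.3 durations from the timestamps of recorded incidents and maps them onto the point bands above. The incident records are constructed sample data; the field names occurred_at, detected_at, located_at and corrected_at, and the choice of the median duration across incidents for the period score, are assumptions made for illustration. The bands are the appendix's own, with a value that lands exactly on a printed boundary taking the lower score.

```python
"""Score Metric Category 2.0 (Overall Security Response Efficiency) from incident records.

Added worked example; not code from the whitepaper. Bands follow Appendix A.
The incident records below are constructed, and the field names and the use
of the median across incidents are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Appendix A bands as (optimal_below, average_upto, fair_upto), in seconds.
# Reading: < optimal_below -> 3 points, <= average_upto -> 2, <= fair_upto -> 1,
# anything longer -> 0. The first cut is strict because the page says
# "less than"; a duration landing exactly on a later boundary takes the
# lower score, the conservative reading of minute-granularity bands.
DETECT_CUTOFFS: Tuple[int, int, int] = (3 * 60, 20 * 60, 60 * 60)   # 2.1 Time to Detect
LOCATE_CUTOFFS: Tuple[int, int, int] = (60, 5 * 60, 10 * 60)        # 2.2 Time to Assess and Locate
CORRECT_CUTOFFS: Tuple[int, int, int] = (60, 180, 10 * 60)          # 2.3 Time to Respond/Correct
CUTOFFS = {"2.1": DETECT_CUTOFFS, "2.2": LOCATE_CUTOFFS, "2.3": CORRECT_CUTOFFS}


def band_score(seconds: float, cutoffs: Tuple[int, int, int]) -> int:
    """Map one measured duration onto the 0-3 point scale of an Appendix A row."""
    optimal_below, average_upto, fair_upto = cutoffs
    if not optimal_below < average_upto < fair_upto:
        # A hand-typed rubric can carry overlapping bands; refuse to score with one.
        raise ValueError(f"cutoffs must increase strictly: {cutoffs}")
    if seconds < 0:
        raise ValueError("negative duration; check timestamp ordering")
    if seconds < optimal_below:
        return 3
    if seconds <= average_upto:
        return 2
    if seconds <= fair_upto:
        return 1
    return 0


@dataclass(frozen=True)
class Incident:
    """One security event with the four timestamps the response metrics need.

    Field names are assumptions for this example; map your incident system's
    fields onto them.
    """
    name: str
    occurred_at: datetime   # when the event actually started on the network
    detected_at: datetime   # when monitoring or a user first flagged it
    located_at: datetime    # when the offending device or port was identified
    corrected_at: datetime  # when it was quarantined, reconfigured or fixed

    def phases(self) -> Dict[str, float]:
        """Durations in seconds feeding metrics 2.1, 2.2 and 2.3."""
        stamps = [self.occurred_at, self.detected_at, self.located_at, self.corrected_at]
        if stamps != sorted(stamps):
            raise ValueError(f"{self.name}: timestamps are not in chronological order")
        return {
            "2.1": (self.detected_at - self.occurred_at).total_seconds(),
            "2.2": (self.located_at - self.detected_at).total_seconds(),
            "2.3": (self.corrected_at - self.located_at).total_seconds(),
        }


def score_incident(inc: Incident) -> Dict[str, int]:
    """Points for a single incident on each of 2.1, 2.2 and 2.3."""
    return {metric: band_score(secs, CUTOFFS[metric]) for metric, secs in inc.phases().items()}


def response_efficiency(incidents: List[Incident]) -> Dict[str, float]:
    """Category 2.0 for a reporting period.

    Each sub-metric is scored on the median duration across incidents (an
    assumption here: the median resists one very slow outlier), and 2.0 is
    the sum of the three sub-metric scores, as Appendix A specifies.
    """
    if not incidents:
        raise ValueError("need at least one incident to score")
    result: Dict[str, float] = {}
    total = 0
    for metric in ("2.1", "2.2", "2.3"):
        typical = median(inc.phases()[metric] for inc in incidents)
        points = band_score(typical, CUTOFFS[metric])
        result[metric + "_seconds"] = typical
        result[metric] = points
        total += points
    result["2.0"] = total
    return result


def _t(hhmmss: str) -> datetime:
    return datetime.strptime("2004-06-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("worm on floor-3 segment", _t("09:00:00"), _t("09:02:30"), _t("09:03:00"), _t("09:03:45")),
    Incident("rogue access point",      _t("10:00:00"), _t("10:12:00"), _t("10:16:00"), _t("10:18:00")),
    Incident("port scan from lab PC",   _t("14:00:00"), _t("14:45:00"), _t("14:53:00"), _t("15:10:00")),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, score_incident(inc))
    print("Category 2.0:", response_efficiency(SAMPLE_INCIDENTS))
```

Scoring each incident on its own shows where the period score comes from: the worm is Optimal on all three rows, the port scan scores 1, 1 and 0, and the median-based period result is 2 + 2 + 2 = 6 for Category 2.0. The cutoff check in band_score rejects a rubric whose bands are not strictly increasing, which is what catches overlapping ranges in a hand-typed table before they skew a score.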
