Security Risk Analysis of Enterprise Networks: Techniques and Challenges
At present, enterprise networks constitute the core component of information infrastructures in areas such as power grids, financial data systems and emergency communication systems. Protecting these networks from malicious intrusions is critical to the economy and security of our nation. To improve the security of these information systems, it is necessary to measure the amount of security provided by different network configurations. This talk gives an overview of the techniques and challenges for security risk analysis of enterprise networks. A quantitative model for security risk analysis will enable us to answer questions such as "are we more secure than yesterday" or "how does the security of one network configuration compare with another". More importantly, security risk metrics provide crucial guidance on prioritizing security hardening measures under the resource constraints every organization faces. Such metrics can be used to answer questions like "is it worth spending this amount of money to improve security" or "how much benefit can we get from the investment".
I will present a methodology for security risk analysis that is based on the model of attack graphs and the Common Vulnerability Scoring System (CVSS). Attack graphs illustrate the cumulative effect of attack steps, showing how individual steps can potentially enable an attacker to gain privileges deep inside the network. CVSS is a scoring system that rates the severity of a single vulnerability from a set of properties of that vulnerability. Our technique analyzes all attack paths through a network to provide a probabilistic metric of the overall system risk, taking into account the success likelihood of individual attack steps derived from CVSS. I will show how the method applies through a number of small but realistic examples and demonstrate the key insights of our approach.
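The following is an added worked example, not the speaker's tooling, of the kind of computation the paragraph describes: a small attack graph whose exploit steps carry a success likelihood derived from CVSS, solved for the probability that an attacker reaches a goal privilege, and then re-solved under two hardening choices so the configurations can be compared. Everything in it is assumed for illustration: the step likelihood is taken as the CVSS v2 exploitability subscore divided by 10 (the talk does not fix that mapping), attack steps are treated as statistically independent (noisy-OR at privilege nodes), the graph must be acyclic, and the hosts, vulnerabilities and topology are constructed.

```python
"""Probabilistic attack-graph risk metric from CVSS-derived step likelihoods.

Added illustration; not the methodology presented in the talk. Assumptions:
  * success probability of a step = CVSS v2 exploitability subscore / 10
  * steps are independent: AND at exploit nodes, noisy-OR at privilege nodes
  * the graph is a DAG; a cycle is reported rather than solved
The network, vulnerabilities and CVSS vectors below are constructed.
"""
from collections import defaultdict, deque

# CVSS v2 base-metric weights used by the exploitability subscore (20 * AV * AC * Au)
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}


def step_success_probability(vector):
    """Map a CVSS v2 vector such as 'AV:N/AC:M/Au:N' to a likelihood in (0, 1].

    Assumed mapping: exploitability subscore (max 10) divided by 10.
    """
    m = dict(part.split(":") for part in vector.split("/"))
    return 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]] / 10


class AttackGraph:
    """Privilege nodes are OR nodes; exploit nodes are AND nodes over their preconditions."""

    def __init__(self):
        self.exploits = {}      # name -> (step probability, preconditions, granted privilege)
        self.privileges = set()

    def add_exploit(self, name, vector, preconditions, grants):
        self.exploits[name] = (step_success_probability(vector), tuple(preconditions), grants)
        self.privileges.update(preconditions)
        self.privileges.add(grants)

    def compromise_probabilities(self, start):
        """Return P(attacker obtains node) for every node, under the independence assumption."""
        succ, indeg = defaultdict(list), defaultdict(int)
        nodes = self.privileges | set(self.exploits)
        for e, (_, pres, grant) in self.exploits.items():
            for p in pres:                      # precondition -> exploit
                succ[p].append(e)
                indeg[e] += 1
            succ[e].append(grant)               # exploit -> granted privilege
            indeg[grant] += 1
        # Kahn's algorithm: a topological order exists only for an acyclic graph
        queue = deque(n for n in nodes if indeg[n] == 0)
        topo = []
        while queue:
            n = queue.popleft()
            topo.append(n)
            for s in succ[n]:
                indeg[s] -= 1
                if indeg[s] == 0:
                    queue.append(s)
        if len(topo) != len(nodes):
            raise ValueError("attack graph contains a cycle; this simplified solver needs a DAG")
        granted_by = defaultdict(list)
        for e, (_, _, grant) in self.exploits.items():
            granted_by[grant].append(e)
        prob = {}
        for n in topo:
            if n == start:
                prob[n] = 1.0                   # the attacker's initial foothold
            elif n in self.exploits:            # AND: every precondition held, then the step succeeds
                p, pres, _ = self.exploits[n]
                for q in pres:
                    p *= prob[q]
                prob[n] = p
            else:                               # OR (noisy-OR): any granting exploit succeeds
                fail = 1.0
                for e in granted_by[n]:
                    fail *= 1.0 - prob[e]
                prob[n] = 1.0 - fail
        return prob


def example_network(removed=frozenset()):
    """Constructed two-tier network; `removed` names exploits eliminated by patching."""
    g = AttackGraph()
    steps = [
        ("web_rce",        "AV:N/AC:M/Au:N", ["attacker@internet"], "user@web"),
        ("ws_browser_bug", "AV:N/AC:H/Au:N", ["attacker@internet"], "user@ws"),
        ("db_from_web",    "AV:N/AC:L/Au:S", ["user@web"],          "root@db"),
        ("db_from_ws",     "AV:N/AC:L/Au:S", ["user@ws"],           "root@db"),
    ]
    for name, vector, pres, grants in steps:
        if name not in removed:
            g.add_exploit(name, vector, pres, grants)
    return g


def goal_risk(removed=frozenset(), goal="root@db"):
    """Overall risk metric: probability the attacker reaches `goal` from the Internet."""
    return example_network(removed).compromise_probabilities("attacker@internet")[goal]


if __name__ == "__main__":
    print("baseline            P(root@db) = %.4f" % goal_risk())
    print("patch workstation   P(root@db) = %.4f" % goal_risk({"ws_browser_bug"}))
    print("patch web server    P(root@db) = %.4f" % goal_risk({"web_rce"}))
```

Run as a script, the three lines answer the comparison question from the abstract for this toy network: patching the web server lowers the goal probability far more than patching the workstation, even though the workstation fix removes a whole path, because the web path carries most of the likelihood. The independence assumption is the price of this simplicity; shared steps across paths and cycles in the graph are exactly where a more careful solver like the one the talk describes is needed.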
