Practical Measures for Measuring Security
WELCOME TO SECURE360 2012

• Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.

• Please complete the Session Survey front and back (this is Room 7), and leave it on your seat. Note: “Session” is Tuesday or Wednesday.

• Are you tweeting? #Sec360
AGENDA

Are you Ready?
The Problem of Measuring Security
Metric Myths
Characteristics of Effective Metrics
Defining Your Metrics
The Process of Measurement
Sample Metrics
Implementing Metrics
Presenting Metrics
A Mature Metrics Program

WHY HAVEN’T YOU SOLVED THIS YET?

Is the Organization ready?
What’s the Tone from the Top?
Is Security someone’s Job?
Do you have Policy in place?
Are resources allocated to identify and detect issues?
Are resources allocated to remediate issues?
Are you Level 4?

TYPICAL PROBLEMS OF MEASURING SECURITY

Risk is difficult to define precisely
Attack Surface
Current Environment
Asset Value
Measures not linked to action
Measures often focus on outcomes

METRIC MYTHS
7 Myths that hold people back 92.467% of the time.


1. Metrics must be Objective and Tangible
2. Metrics must have discrete values
3. Metrics must be absolute
4. Metrics are costly
5. You can’t manage what you can’t measure
6. It’s essential to measure outcomes
7. You need precise, accurate data

CHARACTERISTICS OF A GOOD METRIC
(This is probably NOT a good example)

[Figure: Attackability Computation, from “An Attack Surface Metric”, Carnegie Mellon University, 2005]

CHARACTERISTICS OF A GOOD METRIC

1.   Directly Relates to an objective
2.   Should have a logical stakeholder
3.   Collection should be inexpensive, simple and standardized
4.   Should have a resolution appropriate for maturity
5.   Should be phase appropriate
6.   Should have applicability defined
7.   Should have an indicated action

DEFINING YOUR METRICS

DEVELOPING YOUR METRICS
Metrics Relating to Security Controls


1. Should map directly to a defined control
2. Use data describing the security control’s
   implementation to generate required
   measures
3. Characterize the measure as applicable to
   system categorization (low, med, high)

DEVELOPING YOUR METRICS
Metrics Relating to Security Program Performance


1. Map to InfoSec Goals & Objectives that
   encompass performance
2. Use the data describing the information
   security program performance to generate
   required measures

NOW THAT YOU HAVE YOUR METRICS
On your Mark, get Set…

Document in a standard format
  • See NIST 800-55 for an excellent template
Prioritize and Select
Establish Performance Targets
Evaluate Metric performance and relevance periodically, incorporate feedback

SAMPLE METRICS

• Percentage of the agency’s information system budget devoted to
  information security
• Percentage of “high” vulnerabilities mitigated within defined time
  periods after discovery
• Percentage of remote access points used to gain unauthorized access
• Percentage of information system security personnel that have
  received security training
• Average frequency of audit records review and analysis for
  inappropriate activity

SAMPLE METRICS (CONTINUED)

• Percentage of new systems that have completed certification and
  accreditation (C&A) prior to their implementation
• Percentage approved and implemented configuration changes
  identified in the latest automated baseline configuration
• Percentage of information systems that have conducted annual
  contingency plan testing
• Percentage of users with access to shared accounts

SAMPLE METRICS (CONTINUED)

• Percentage of incidents reported within required time frame per
  applicable incident category
• Percentage of system components that undergo maintenance in
  accordance with formal maintenance schedules
• Percentage of media that passes sanitization procedures
• Percentage of physical security incidents allowing unauthorized
  entry into facilities containing information systems

SAMPLE METRICS (CONTINUED)

• Percentage of employees who are authorized to access information
  systems only after they sign an acknowledgement that they have read
  and understood rules of behavior
• Percentage of individuals screened before being granted access to
  organizational information and information systems
• Percentage of vulnerabilities remediated within organization-
  specified time frames

SAMPLE METRICS (CONTINUED)

• Percentage of system and service acquisition contracts that include
  security requirements and/or specifications
• Percentage of mobile devices that meet approved cryptographic
  policies
• Percentage of operating system vulnerabilities for which patches
  have been applied or that have been otherwise mitigated
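Percentage metrics like the ones listed above only become actionable once the formula, the time frame they are measured against and the target are written down next to the number. As an added example that is not part of the deck, the Python below computes two of the sample metrics, “high” vulnerabilities mitigated within defined time periods and incidents reported within the required time frame per category, over constructed records, and documents each metric with fields borrowed from the NIST 800-55 template the deck recommends. The SLA day counts, reporting deadlines, target percentage, record ids and dates are all assumed values chosen for the example; the one edge case handled is an open vulnerability that is still inside its window, which is left out of the denominator rather than counted as a hit or a miss.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy values (not from the deck): remediation SLA per severity, in days,
# and the maximum number of days allowed between an incident and its report.
REMEDIATION_SLA_DAYS = {"high": 30, "medium": 90, "low": 180}
REPORTING_DEADLINE_DAYS = {"malware": 1, "unauthorized_access": 1, "policy_violation": 7}


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None means still open


@dataclass
class Incident:
    incident_id: str
    category: str
    occurred: date
    reported: date


@dataclass
class MetricDefinition:
    """What a metric needs documented before anyone collects it (fields after the
    NIST SP 800-55 template): objective it maps to, owner, formula, target, action."""
    name: str
    objective: str
    stakeholder: str
    formula: str
    target_pct: float
    indicated_action: str


def pct_vulns_mitigated_in_time(vulns: List[Vulnerability], severity: str,
                                as_of: date) -> Optional[float]:
    """Percentage of `severity` vulnerabilities remediated within their SLA, as of a date.

    An open vulnerability still inside its SLA window is undecided and is left out of
    the denominator; an open one past its window counts as a miss. Returns None when
    nothing is in scope, so "100% of zero" never reaches a dashboard.
    """
    sla = REMEDIATION_SLA_DAYS[severity]
    decided = on_time = 0
    for v in vulns:
        if v.severity != severity:
            continue
        if v.remediated is not None:
            decided += 1
            if (v.remediated - v.discovered).days <= sla:
                on_time += 1
        elif (as_of - v.discovered).days > sla:
            decided += 1  # open and overdue
    return None if decided == 0 else round(100.0 * on_time / decided, 1)


def pct_incidents_reported_in_time(incidents: List[Incident]) -> Dict[str, float]:
    """Per incident category, the percentage reported within that category's deadline."""
    counts: Dict[str, List[int]] = {}  # category -> [reported on time, total]
    for inc in incidents:
        bucket = counts.setdefault(inc.category, [0, 0])
        bucket[1] += 1
        if (inc.reported - inc.occurred).days <= REPORTING_DEADLINE_DAYS[inc.category]:
            bucket[0] += 1
    return {cat: round(100.0 * ok / total, 1) for cat, (ok, total) in counts.items()}


def evaluate(metric: MetricDefinition, value: Optional[float]) -> str:
    """Compare a measured value with the documented target and attach the indicated action."""
    if value is None:
        return f"{metric.name}: nothing in scope"
    if value >= metric.target_pct:
        return f"{metric.name}: {value}% (meets target {metric.target_pct}%)"
    return (f"{metric.name}: {value}% (below target {metric.target_pct}%) "
            f"-> {metric.indicated_action}")


# Constructed sample records; ids, dates and categories are made up for the example.
AS_OF = date(2012, 3, 1)
SAMPLE_VULNS = [
    Vulnerability("V-1", "high", date(2012, 1, 5), date(2012, 1, 20)),    # 15 days: on time
    Vulnerability("V-2", "high", date(2012, 1, 10), date(2012, 3, 1)),    # 51 days: late
    Vulnerability("V-3", "high", date(2012, 2, 1), None),                 # open 29 days: undecided
    Vulnerability("V-4", "high", date(2012, 1, 1), None),                 # open 60 days: missed
    Vulnerability("V-5", "medium", date(2012, 1, 1), date(2012, 2, 15)),  # 45 days: on time
]
SAMPLE_INCIDENTS = [
    Incident("I-1", "malware", date(2012, 2, 1), date(2012, 2, 1)),
    Incident("I-2", "malware", date(2012, 2, 3), date(2012, 2, 6)),
    Incident("I-3", "policy_violation", date(2012, 2, 10), date(2012, 2, 15)),
]
HIGH_VULN_METRIC = MetricDefinition(
    name="High vulnerabilities mitigated within SLA",
    objective="Flaw remediation: fix high findings within the policy time frame",
    stakeholder="Vulnerability management lead",
    formula="high vulns remediated within SLA / high vulns remediated or past SLA",
    target_pct=90.0,  # assumed target
    indicated_action="review overdue high findings with system owners",
)

if __name__ == "__main__":
    for sev in ("high", "medium", "low"):
        print(sev, pct_vulns_mitigated_in_time(SAMPLE_VULNS, sev, AS_OF))
    print(pct_incidents_reported_in_time(SAMPLE_INCIDENTS))
    print(evaluate(HIGH_VULN_METRIC, pct_vulns_mitigated_in_time(SAMPLE_VULNS, "high", AS_OF)))
```

With the constructed records the high-severity figure comes out at 33.3% against a 90% target, so the evaluation line carries the indicated action with it; that pairing of number and next step is what the deck means by a metric that has “an indicated action” rather than just an outcome.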

IMPLEMENTING METRICS

EXAMPLE: A METRIC IN ACTION

PRESENTING METRICS
Do you REALLY have to use Excel?

WHEN YOU GET BACK TO THE OFFICE ON
MONDAY:

1. Are you ready?
2. Engage Stakeholders
3. Identify Your Metrics
  - Leverage CIS, NIST 800-55
4. Automate collection & reporting
5. Act on what you find
6. Make it look good!
7. Document the value
8. Re-evaluate periodically

REFERENCES / CREDITS

CMMI: http://www.sei.cmu.edu/cmmi/
NoticeBored security metrics: http://www.noticebored.com/html/metrics.html
Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics
NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
Geckoboard: http://www.geckoboard.com/

THANK YOU!




Chris Mullins
cmullins@alertlogic.com
@chrisbmullins
713.581.4332

Contenu connexe

Tendances

Building a security strategy?
Building a security strategy?Building a security strategy?
Building a security strategy?Lori McInnes
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)Kendall Gill
 
Master Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolMaster Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolHernan Huwyler, MBA CPA
 
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in HealthcareMedigate
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
How to Secure Your Clinical Network
How to Secure Your Clinical NetworkHow to Secure Your Clinical Network
How to Secure Your Clinical NetworkMedigate
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Donald E. Hester
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesUnderstanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesDonald E. Hester
 
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!Heather Salmons Newswanger
 
MIS 22 Disaster Management
MIS 22 Disaster ManagementMIS 22 Disaster Management
MIS 22 Disaster ManagementTushar B Kute
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Clinical Risk Management
Clinical Risk Management Clinical Risk Management
Clinical Risk Management Medigate
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Clinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthClinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthMedigate
 

Tendances (20)

Building a security strategy?
Building a security strategy?Building a security strategy?
Building a security strategy?
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)
 
Master Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolMaster Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines School
 
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
How to Secure Your Clinical Network
How to Secure Your Clinical NetworkHow to Secure Your Clinical Network
How to Secure Your Clinical Network
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
Cyber Risk and Security Analyst Job Desc
Cyber Risk and Security Analyst Job DescCyber Risk and Security Analyst Job Desc
Cyber Risk and Security Analyst Job Desc
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesUnderstanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
 
Chapter003
Chapter003Chapter003
Chapter003
 
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!
 
MIS 22 Disaster Management
MIS 22 Disaster ManagementMIS 22 Disaster Management
MIS 22 Disaster Management
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security Management
 
Clinical Risk Management
Clinical Risk Management Clinical Risk Management
Clinical Risk Management
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Clinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthClinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of Truth
 

Similaire à Practical Measures for Measuring Security

Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Presenting Metrics to the Executive Team
Presenting Metrics to the Executive TeamPresenting Metrics to the Executive Team
Presenting Metrics to the Executive TeamJohn D. Johnson
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Anton Chuvakin
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOpsInfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOpsVMware Tanzu
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management FrameworkJoseph Wynn
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2Manish Kumar
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?John D. Johnson
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through SecurityEnergySec
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security programabdulkhalid murady
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Managementjadams6
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metricscentralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...CompTIA
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Chapter 09 security_management_practices
Chapter 09 security_management_practicesChapter 09 security_management_practices
Chapter 09 security_management_practiceshusseinalshomali
 
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...Julie Rampello
 

Similaire à Practical Measures for Measuring Security (20)

Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Presenting Metrics to the Executive Team
Presenting Metrics to the Executive TeamPresenting Metrics to the Executive Team
Presenting Metrics to the Executive Team
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOpsInfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centre
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through Security
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Management
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Chapter 09 security_management_practices
Chapter 09 security_management_practicesChapter 09 security_management_practices
Chapter 09 security_management_practices
 
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus

Practical Measures for Measuring Security

2. WELCOME TO SECURE360 2012
   • Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.
   • Please complete the Session Survey front and back (this is Room 7), and leave on your seat. Note: “Session” is Tuesday or Wednesday.
   • Are you tweeting? #Sec360

3. AGENDA
   • Are you Ready?
   • The Problem of Measuring Security
   • Metric Myths
   • Characteristics of Effective Metrics
   • Defining Your Metrics
   • The Process of Measurement
   • Sample Metrics
   • Implementing Metrics
   • Presenting Metrics
   • A Mature Metrics Program

4. WHY HAVEN’T YOU SOLVED THIS YET?
   • Is the Organization ready?
   • What’s the Tone from the Top?
   • Is Security someone’s Job?
   • Do you have Policy in place?
   • Are resources allocated to identify and detect issues?
   • Are resources allocated to remediate issues?
   • Are you Level 4?

6. TYPICAL PROBLEMS OF MEASURING SECURITY
   • Risk is difficult to define precisely
     • Attack Surface
     • Current Environment
     • Asset Value
   • Measures not linked to action
   • Measures often focus on outcomes

7. METRIC MYTHS: 7 Myths that hold people back 92.467% of the time.
   1. Metrics must be Objective and Tangible
   2. Metrics must have discrete values
   3. Metrics must be absolute
   4. Metrics are costly
   5. You can’t manage what you can’t measure
   6. It’s essential to measure outcomes
   7. You need precise, accurate data

8. CHARACTERISTICS OF A GOOD METRIC (This is probably NOT a good example)
   [Figure: Attackability Computation, from “An Attack Surface Metric”, Carnegie Mellon University, 2005]

9. CHARACTERISTICS OF A GOOD METRIC
   1. Directly Relates to an objective
   2. Should have a logical stakeholder
   3. Collection should be inexpensive, simple and standardized
   4. Should have a resolution appropriate for maturity
   5. Should be phase appropriate
   6. Should have applicability defined
   7. Should have an indicated action

11. DEVELOPING YOUR METRICS: Metrics Relating to Security Controls
   1. Should map directly to a defined control
   2. Use data describing the security control’s implementation to generate required measures
   3. Characterize the measure as applicable to system categorization (low, med, high)

12. DEVELOPING YOUR METRICS: Metrics Relating to Security Program Performance
   1. Map to InfoSec Goals & Objectives that encompass performance
   2. Use the data describing the information security program performance to generate required measures

13. NOW THAT YOU HAVE YOUR METRICS: On your Mark, get Set…
   • Document in a standard format (see NIST 800-55 for an excellent template)
   • Prioritize and Select
   • Establish Performance Targets
   • Evaluate Metric performance and relevance periodically; incorporate feedback

14. SAMPLE METRICS
   • Percentage of the agency’s information system budget devoted to information security
   • Percentage of “high” vulnerabilities mitigated within defined time periods after discovery
   • Percentage of remote access points used to gain unauthorized access
   • Percentage of information system security personnel that have received security training
   • Average frequency of audit records review and analysis for inappropriate activity

15. SAMPLE METRICS (CONTINUED)
   • Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation
   • Percentage of approved and implemented configuration changes identified in the latest automated baseline configuration
   • Percentage of information systems that have conducted annual contingency plan testing
   • Percentage of users with access to shared accounts

16. SAMPLE METRICS (CONTINUED)
   • Percentage of incidents reported within required time frame per applicable incident category
   • Percentage of system components that undergo maintenance in accordance with formal maintenance schedules
   • Percentage of media that passes sanitization procedures
   • Percentage of physical security incidents allowing unauthorized entry into facilities containing information systems

17. SAMPLE METRICS (CONTINUED)
   • Percentage of employees who are authorized to access information systems only after they sign an acknowledgement that they have read and understood rules of behavior
   • Percentage of individuals screened before being granted access to organizational information and information systems
   • Percentage of vulnerabilities remediated within organization-specified time frames

18. SAMPLE METRICS (CONTINUED)
   • Percentage of system and service acquisition contracts that include security requirements and/or specifications
   • Percentage of mobile devices that meet approved cryptographic policies
   • Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated

20. EXAMPLE: A METRIC IN ACTION

21. PRESENTING METRICS: Do you REALLY have to use Excel?

22. WHEN YOU GET BACK TO THE OFFICE ON MONDAY:
   1. Are you ready?
   2. Engage Stakeholders
   3. Identify Your Metrics (leverage CIS, NIST 800-55)
   4. Automate collection & reporting
   5. Act on what you find
   6. Make it look good!
   7. Document the value
   8. Re-evaluate periodically

23. REFERENCES / CREDITS
   • CMMI: http://www.sei.cmu.edu/cmmi/
   • http://www.noticebored.com/html/metrics.html
   • Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics
   • NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
   • http://www.geckoboard.com/

Editor’s notes

  1. Notes on the seven metric myths:
     1. It’s ok to measure subjective factors, such as “security awareness”, as long as you don’t measure subjectively.
     2. It’s easy to measure the number of people that attended security awareness training, but it’s more difficult to measure the effectiveness of that training. That doesn’t mean it’s impossible or not worthwhile, though. Survey and statistical theory can be applied to extract very useful information, especially when applied to a continuous scale.
     3. The number of security incidents this month, or the number of vulnerabilities patched, are both absolute numbers, but without a good deal of context (the total number of vulnerabilities, the size of the environment, the number of staff available to patch, etc.) it is very hard to understand the real meaning behind these numbers. Surveying your staff to ask “Is security better or worse this month versus last month?” is probably a much more telling number, measured over time, even though it has no absolute value.
     4. It can be costly to measure, but this should be a function of your metric design. We’ll talk more about this in the next section.
     5. This is related to all of the previous myths. You can absolutely improve security and reduce risk without being able to measure.
     6. Just because your house did not burn down this month doesn’t mean that no one piled a stack of oily rags next to the gasoline can in the garage. With real-world security, measuring outcomes is like talking about the need to keep the barn door closed after the horses are gone. Outcomes can be useful, however, so don’t throw them out completely.
     7. A recent survey showed that 87.663% of security metrics were a load of hooey. The more decimal places you see, the more suspect you should be.
  2. Show vuln scan results. So what? Actions? Resources required? Business case?
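The “metric in action” note above and the slide 14 sample metric (percentage of “high” vulnerabilities mitigated within defined time periods after discovery) can be computed directly from scan or ticket records. The following Python is an added example, not code from the deck or its references: it assumes remediation windows of 30/60/90 days per severity (the deck does not give values) and uses constructed findings, reporting per-severity compliance plus the overdue findings that answer “So what? Actions?”.

```python
from datetime import date, timedelta

# Constructed sample findings (not from the deck): one record per scanner finding,
# with "closed" set to None when the finding is still open on the reporting date.
FINDINGS = [
    {"id": "F-1", "severity": "high",   "found": date(2012, 4, 2), "closed": date(2012, 4, 20)},
    {"id": "F-2", "severity": "high",   "found": date(2012, 4, 5), "closed": date(2012, 5, 20)},
    {"id": "F-3", "severity": "high",   "found": date(2012, 4, 9), "closed": None},
    {"id": "F-4", "severity": "medium", "found": date(2012, 4, 1), "closed": date(2012, 5, 1)},
    {"id": "F-5", "severity": "medium", "found": date(2012, 4, 3), "closed": None},
    {"id": "F-6", "severity": "low",    "found": date(2012, 3, 1), "closed": None},
]

# Assumed remediation windows per severity, in days (an assumption for this example,
# not a value the deck gives). This is the metric's "defined time period".
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}

AS_OF = date(2012, 5, 31)  # reporting date for the constructed data

def deadline(finding):
    return finding["found"] + timedelta(days=SLA_DAYS[finding["severity"]])

def within_sla(finding, as_of):
    """True/False once the finding is closed or its window has expired; None while
    an open finding is still inside its window, so it is not counted as a miss yet."""
    if finding["closed"] is not None:
        return finding["closed"] <= deadline(finding)
    return None if as_of <= deadline(finding) else False

def sla_metric(findings, as_of):
    """Per severity: findings whose window has been decided, how many met it, the
    percentage (None when nothing is due yet, so a chart shows a gap rather than 0%),
    and how many are still pending inside their window."""
    report = {}
    for sev in SLA_DAYS:
        results = [within_sla(f, as_of) for f in findings if f["severity"] == sev]
        due = [r for r in results if r is not None]
        met = sum(1 for r in due if r)
        pct = round(100.0 * met / len(due), 1) if due else None
        report[sev] = {"due": len(due), "met": met, "pct": pct, "pending": results.count(None)}
    return report

def overdue(findings, as_of):
    """Open findings past their window: the 'so what' list that drives action."""
    return [f["id"] for f in findings if f["closed"] is None and as_of > deadline(f)]

if __name__ == "__main__":
    for sev, row in sla_metric(FINDINGS, AS_OF).items():
        print(sev, row)
    print("overdue:", overdue(FINDINGS, AS_OF))
```

Open findings still inside their window are reported as pending rather than as misses, which keeps the percentage from swinging with scan timing; the overdue list is what goes to the stakeholder with the resource ask.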