Continuous Monitoring 2.0:
 Cloud-based Benchmarking in Industry
 and the Federal Government

 Keren Cummins, Director, Federal Programs




nCircle Company Confidential   © 2012 nCircle. All Rights Reserved.
nCircle at a Glance
• More than 6,500 customers worldwide
• 10 consecutive years of revenue growth
• 150 employees, with significant investment in R&D and continued innovation
• Core business is VA, Configuration Compliance, File Integrity Monitoring,
  PCI, Performance Management
• Ranked in Inc. 5000 six years in a row
• Ranked one of San Francisco Bay Area’s Top 100 Fastest Growing Private
  Companies




Agenda

• The evidence for benchmarking as an
  essential element of success in continuous
  monitoring
• Commercial initiative in cloud-based
  benchmarking
• Mapping this initiative into the federal space
• Your feedback!


Defining Terms

•   Continuous Monitoring - in the context of information security, is defined
    in NIST SP 800-137 as “maintaining ongoing awareness of information
    security, vulnerabilities, and threats to support organizational risk
    management decisions.”

•   Benchmarking - the process of comparing one's business processes
    and performance metrics to industry bests and/or best practices from
    other industries. Dimensions typically measured are quality, time and
    cost.




Game Changers

• State Department
  – 89% risk reduction in the first 12
    months across the entire world
• USAID
  – FISMA C- to consistent A+’s for five
    years
• Center for Medicare/Medicaid
  Services (CMS)
  – 80% risk reduction at 88 data
    centers and as high as 95% at one
    major center

Common Elements

•   Breadth of engagement
•   Simplicity of result
•   Context
•   Short cycle time




Why hasn’t everyone done this?

• Or, why is this hard?
  – Metrics are hard
  – My organizational structure is different
  – My monitoring solution won’t do that




The Challenge for Security Performance
Management

• How can we replicate benchmarking
  success effectively?
  – With the organizations and tools that
    we already have in place?
  – For all our security programs (not just
    vulnerability management and
    configuration auditing)?



https://benchmark.ncircle.com




The CISO needs what the CFO has…
•   The CISO needs a metrics language to describe a
    company’s security performance, just as the
    CFO describes financial performance

•   CISOs can now field a formal security
    performance management program built on
    objective, fact-based metrics that
     – Shows how the security organization is protecting the
       company
     – Benchmarks performance vs. internal goals and
       vs. industry peers
     – Trends performance over time




With a Security Performance Management
    Program, CISOs can demonstrate that
•   There is a comprehensive approach to security
    that is…
     – Measured against specific goals & standards
     – In line with our risk tolerance
     – Aggregated by meaningful asset groupings
     – At least equal to or better than our
       own industry's investment & performance
     – Controls aligned with GRC objectives


•   Based on actual data on an ongoing basis
    that we can rely on to make decisions on:
     – Investment
     – Execution
     – Resource allocation

Security Metrics & Scorecards: the cornerstone
 of an effective IT GRC assessment
• Metrics affirm the existence and effectiveness of security
  controls
• Scorecards enable and evidence management oversight;
  communicate performance and evaluate corrective actions
• Well-constructed Metrics and Scorecards:
   –   Continuously monitor controls
   –   Deliver trusted, timely, and actionable decision making information
   –   Identify and communicate concentration of risks
   –   Align security initiatives with business objectives




An Effective Security Performance Management Solution

Proven Metrics and Scorecards
•   Measure performance to goals
•   Cover the entire IT Ecosystem
•   Objective, fact-based metrics
•   Relevant & Actionable
•   Benchmark with peer groups

 How secure and compliant is our enterprise?
 How do we compare to others?
 Are we investing effectively?

[Diagram: IT Security Ecosystem, showing the domains the metrics and scorecards
draw on: Event Management & Incident Response; Network Protection; Endpoint
Encryption; Antivirus & Endpoint Protection; Vulnerability Management;
Configuration Auditing; Identity & Access Management; Patch Management]
Valuable Peer Benchmarks

[Diagram (product screenshots) with four labelled panels: Benchmark Performance
Quadrants; Benchmark Performance Standard; Participant Results; Weekly
Performance Benchmark]
Analyze performance against Benchmarks &
Identify underperforming areas




Over 1,000 companies have joined nCircle Benchmark to date

[Chart: nCircle Benchmark Accounts as of 7/20/12, y-axis 0 to 1,000]

Financial Services Bellwether Metrics

Metric                              Benchmark   Benchmark   Quartile ranges
                                    Average     Median
Average CVSS host score (per host)  172         33          Top 25%: 0–5; Second Quartile: 6–33;
                                                            Third Quartile: 34–67; Bottom 25%: 68–700
Average days since last scan        23          9           Top 25%: 0–1 days; Second Quartile: 2–9;
                                                            Third Quartile: 10–32; Bottom 25%: 33–90
Virus definition age (days)         29          22          Top 25%: 0–2 days; Second Quartile: 3–22;
                                                            Third Quartile: 23–40; Bottom 25%: 41–56
Failed logins per attempt           .05%        .04%        Top 25%: .00–.03%; Second Quartile: .040–.049%;
                                                            Third Quartile: .05–.08%; Bottom 25%: .09–.11%
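The slides above describe a weekly peer benchmark: every participant's result for a metric is pooled, the pool defines a median and quartile boundaries, and each participant is then placed in a quartile and its underperforming areas flagged. As an added illustration (not nCircle's code or data), the block below builds such a benchmark from constructed results for 16 hypothetical participants and places one participant in it. It goes slightly beyond the table, which only lists lower-is-better metrics, by also handling a higher-is-better metric (a constructed "percent compliant"); the metric names, participant ids and values are all assumptions.

```python
"""Peer benchmark from participant results, in the style of the quartile
tables on the previous slides. Added example, not nCircle's code; every
participant value below is constructed."""
import math
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List, Sequence

QUARTILE_LABELS = ("Top 25%", "Second Quartile", "Third Quartile", "Bottom 25%")

# Constructed results for 16 hypothetical participants (p01..p16).
SAMPLE_DAYS_SINCE_SCAN: Dict[str, float] = {   # lower is better
    "p01": 0, "p02": 1, "p03": 1, "p04": 2, "p05": 3, "p06": 5, "p07": 8, "p08": 9,
    "p09": 12, "p10": 15, "p11": 20, "p12": 32, "p13": 40, "p14": 55, "p15": 70, "p16": 90,
}
SAMPLE_PERCENT_COMPLIANT: Dict[str, float] = {  # higher is better
    "p01": 40, "p02": 50, "p03": 55, "p04": 60, "p05": 62, "p06": 65, "p07": 70, "p08": 72,
    "p09": 75, "p10": 78, "p11": 80, "p12": 85, "p13": 88, "p14": 90, "p15": 95, "p16": 98,
}


@dataclass(frozen=True)
class Benchmark:
    metric: str
    average: float
    median: float
    q1: float             # 25th percentile of all participants
    q3: float             # 75th percentile of all participants
    lower_is_better: bool


def percentile(sorted_vals: Sequence[float], p: float) -> float:
    """Linear-interpolated p-th quantile (0 <= p <= 1) of ascending values."""
    if not sorted_vals:
        raise ValueError("no participant results")
    k = (len(sorted_vals) - 1) * p
    lo, hi = math.floor(k), math.ceil(k)
    if lo == hi:
        return float(sorted_vals[lo])
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (k - lo)


def build_benchmark(metric: str, results: Dict[str, float],
                    lower_is_better: bool = True) -> Benchmark:
    """Summarise every participant's value for one metric into a benchmark."""
    vals = sorted(results.values())
    return Benchmark(metric, float(mean(vals)), float(median(vals)),
                     percentile(vals, 0.25), percentile(vals, 0.75), lower_is_better)


def quartile_of(value: float, b: Benchmark) -> str:
    """Place one result in a quartile. Top 25% means the smallest values for
    lower-is-better metrics (days since scan, CVSS score, failed-login rate)
    and the largest values for higher-is-better ones (percent compliant)."""
    if b.lower_is_better:
        for label, bound in zip(QUARTILE_LABELS, (b.q1, b.median, b.q3)):
            if value <= bound:
                return label
    else:
        for label, bound in zip(QUARTILE_LABELS, (b.q3, b.median, b.q1)):
            if value >= bound:
                return label
    return QUARTILE_LABELS[3]


def underperforming_areas(participant: Dict[str, float],
                          benchmarks: Dict[str, Benchmark]) -> List[str]:
    """Metrics on which the participant sits in the bottom half of its peers."""
    weak = [m for m, v in participant.items()
            if quartile_of(v, benchmarks[m]) in QUARTILE_LABELS[2:]]
    return sorted(weak)


BENCHMARKS = {
    "days_since_scan": build_benchmark("days_since_scan", SAMPLE_DAYS_SINCE_SCAN, True),
    "percent_compliant": build_benchmark("percent_compliant", SAMPLE_PERCENT_COMPLIANT, False),
}

if __name__ == "__main__":
    for b in BENCHMARKS.values():
        print(f"{b.metric}: avg={b.average:.2f} median={b.median} q1={b.q1} q3={b.q3}")
    this_week = {"days_since_scan": 15, "percent_compliant": 78}  # one participant's week
    for m, v in this_week.items():
        print(f"  {m}={v} -> {quartile_of(v, BENCHMARKS[m])}")
    print("underperforming:", underperforming_areas(this_week, BENCHMARKS))
```

Re-running `build_benchmark` on each week's pooled results gives the "weekly performance benchmark"; keeping the `quartile_of` label per participant per week is what makes the trend line on the scorecard. The quartile boundaries are interpolated rather than taken from the table's rounded ranges, so they shift as participants join or their numbers change.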
Benchmarking in the Federal Space

• All the same security domains as commercial, plus…
• Agencies generate CyberScope continuous
  monitoring data, usually from SCAP XML files
• Generated using a wide and growing variety of SCAP
  validated solutions, numerous vendors
• Files uploaded to OMB once/month
• Files are
   –   Human readable? Not so much
   –   Don’t lend themselves to trending
   –   Don’t lend themselves to comparative analysis
   –   Readily ingested and processed by nCircle Benchmark
       data collectors

Cyberscope: Executive Summary




Asset Classification & Departmental Benchmark




Vulnerabilities & Departmental Comparison




SCAP Output

• Continuous Monitoring Metrics driven directly
  from SCAP data
  – Asset-based Compliance, Vulnerability and
    Classification Scorecards
     • Asset Grouping identifies areas of improvement and
       concentration of risk or examines specific critical
       cyber assets
  – Intra- and Inter-Agency (Bureau/Service)
    Benchmark Comparisons
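The slide says the metrics are driven directly from SCAP data and rolled up by asset group. As an added example that is not nCircle's code, the block below parses XCCDF 1.2 TestResult elements (the result format SCAP-validated scanners emit) and turns rule outcomes into a per-asset-group compliance scorecard. The XML, the host names and the asset-to-group mapping are constructed for the example; a real CyberScope upload is far larger and would be read from a file.

```python
"""Asset-group compliance scorecard from an XCCDF (SCAP) result file.
Added example, not nCircle's code. The XML and the asset-to-group mapping
below are constructed; a real CyberScope upload is far larger."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Optional, Tuple

XCCDF_URI = "http://checklists.nist.gov/xccdf/1.2"
XCCDF_NS = {"xccdf": XCCDF_URI}

# XCCDF rule-result states: pass/fixed count as passed and fail/error/unknown
# as failed; notapplicable/notchecked/notselected/informational are left out
# of the denominator so they neither help nor hurt a group's score.
PASS_STATES = {"pass", "fixed"}
FAIL_STATES = {"fail", "error", "unknown"}

# Hypothetical asset classification: which bureau or location owns each host.
ASSET_GROUPS = {
    "web01.hq.example": "HQ",
    "db01.hq.example": "HQ",
    "ws07.field.example": "Field Office",
    "lab01.test.example": "Lab",
}

# Constructed, minimal XCCDF 1.2 result set for five hosts.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_web01" start-time="2012-07-20T10:00:00" end-time="2012-07-20T10:05:00">
    <target>web01.hq.example</target>
    <rule-result idref="xccdf_example_rule_pw_len"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_fw_on"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_nfs"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_db01" start-time="2012-07-20T10:00:00" end-time="2012-07-20T10:05:00">
    <target>db01.hq.example</target>
    <rule-result idref="xccdf_example_rule_pw_len"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_fw_on"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_nfs"><result>fail</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_ws07" start-time="2012-07-20T10:00:00" end-time="2012-07-20T10:05:00">
    <target>ws07.field.example</target>
    <rule-result idref="xccdf_example_rule_pw_len"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_fw_on"><result>error</result></rule-result>
    <rule-result idref="xccdf_example_rule_nfs"><result>notchecked</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_lab01" start-time="2012-07-20T10:00:00" end-time="2012-07-20T10:05:00">
    <target>lab01.test.example</target>
    <rule-result idref="xccdf_example_rule_pw_len"><result>notselected</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_gw02" start-time="2012-07-20T10:00:00" end-time="2012-07-20T10:05:00">
    <target>gw02.unmapped.example</target>
    <rule-result idref="xccdf_example_rule_pw_len"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {target: (passed, failed)} for every TestResult in the file."""
    # Files uploaded by other parties should go through a hardened parser
    # (e.g. defusedxml) instead of the stdlib one, to block entity expansion.
    root = ET.fromstring(xml_text)
    per_asset: Dict[str, Tuple[int, int]] = {}
    for tr in root.iter(f"{{{XCCDF_URI}}}TestResult"):
        target = tr.findtext("xccdf:target", namespaces=XCCDF_NS)
        if target is None:
            continue
        passed = failed = 0
        for rr in tr.findall("xccdf:rule-result", namespaces=XCCDF_NS):
            state = (rr.findtext("xccdf:result", namespaces=XCCDF_NS) or "").strip()
            if state in PASS_STATES:
                passed += 1
            elif state in FAIL_STATES:
                failed += 1
        p0, f0 = per_asset.get(target, (0, 0))   # merge repeated results for a host
        per_asset[target] = (p0 + passed, f0 + failed)
    return per_asset


def group_scorecard(per_asset: Dict[str, Tuple[int, int]], groups: Dict[str, str],
                    default: str = "Unclassified") -> Dict[str, Optional[float]]:
    """Percent of checked rules passed, per asset group. Hosts missing from the
    classification land in `default` so they stay visible; a group with nothing
    checked yields None rather than a misleading 100%."""
    totals = defaultdict(lambda: [0, 0])
    for target, (p, f) in per_asset.items():
        g = groups.get(target, default)
        totals[g][0] += p
        totals[g][1] += f
    card: Dict[str, Optional[float]] = {}
    for g, (p, f) in totals.items():
        checked = p + f
        card[g] = round(100.0 * p / checked, 1) if checked else None
    return card


if __name__ == "__main__":
    results = parse_results(SAMPLE_XCCDF)
    for group, pct in sorted(group_scorecard(results, ASSET_GROUPS).items()):
        print(f"{group:13s} {'n/a' if pct is None else f'{pct}%'}")
```

Running the same roll-up over each month's upload gives the trend the slide deck says raw SCAP files lack, and pooling the per-group percentages across bureaus or agencies is the input to the intra- and inter-agency comparison.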

SCAP: Executive Summary




Asset Identification & Departmental
Comparison




Compliance & Departmental Comparison




Vulnerabilities & Benchmark Community




HQ Security Performance Comparison




Benchmark Federal Notional Diagram

Cyberscope reporting and benchmark comparisons

[Diagram: Cyberscope, fed by Assets, Vulnerabilities and Configuration]

Internal Benchmark Scorecards, by Asset Group, SCAP sources plus

[Diagram: Department, broken out by agencies, bureaus, FISMA, locations and
local requirements]
Questions?

• Contact information:

    Keren Cummins, Director
    Federal and MidAtlantic Programs
    (301) 379-2493
    kcummins@ncircle.com





Contenu connexe

Tendances

About graycon
About grayconAbout graycon
About grayconmartyrj
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk ManagementManoj Jain
 
Xero Risk Product Presentation V3.2
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2Carl Booth
 
Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1Nadir Hussain
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochureguest8a430d
 
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORKSOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORKArul Nambi
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid ThemSasha Nunke
 
Retail Security solution
Retail Security solutionRetail Security solution
Retail Security solutionSsgstubbs
 
TA security
TA securityTA security
TA securitykesavars
 

Tendances (16)

About graycon
About grayconAbout graycon
About graycon
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Xero Risk Product Presentation V3.2
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2
 
Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro information risk management
Riskpro information risk managementRiskpro information risk management
Riskpro information risk management
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochure
 
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORKSOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
 
Fraud Risk Services Brochure
Fraud Risk  Services BrochureFraud Risk  Services Brochure
Fraud Risk Services Brochure
 
Retail Security solution
Retail Security solutionRetail Security solution
Retail Security solution
 
Bi Risk Services
Bi Risk ServicesBi Risk Services
Bi Risk Services
 
TA security
TA securityTA security
TA security
 
Fraud Risk Services Brochure
Fraud Risk  Services BrochureFraud Risk  Services Brochure
Fraud Risk Services Brochure
 

En vedette

En vedette (6)

Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey
 
Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Password War Games Webinar
Password War Games Webinar Password War Games Webinar
Password War Games Webinar
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
Magento 2 product import export
Magento 2 product import exportMagento 2 product import export
Magento 2 product import export
 

Similaire à Continuous Monitoring 2.0

Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+  Cyber Insurance Fina.pptxWebinar-MSP+  Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxControlCase
 
CCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QACCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QARebecca Gibson
 
Strategic governance performance_management_systems
Strategic governance performance_management_systemsStrategic governance performance_management_systems
Strategic governance performance_management_systemsRamsés Gallego
 
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S proaxissolutions
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service providerpaulharry03
 
Measuring Success - Security KPIs
Measuring Success - Security KPIsMeasuring Success - Security KPIs
Measuring Success - Security KPIsH Contrex
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementAleksey Lukatskiy
 
ID Tech PPT.pdf
ID Tech PPT.pdfID Tech PPT.pdf
ID Tech PPT.pdfCReddy7
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentationjamesholler
 
Moving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudMoving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudVISI
 
IDC Technologies Presentation New
IDC Technologies Presentation NewIDC Technologies Presentation New
IDC Technologies Presentation NewVineet Mahajan
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018Open Security Summit
 
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...VMworld
 
Standardized Risk Measurement for IT Executives 101
Standardized Risk Measurement for IT Executives 101Standardized Risk Measurement for IT Executives 101
Standardized Risk Measurement for IT Executives 101Konstantin Berger
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
Getting Demo & POV Ready
Getting Demo & POV ReadyGetting Demo & POV Ready
Getting Demo & POV ReadyThousandEyes
 

Similaire à Continuous Monitoring 2.0 (20)

Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It
Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It
Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+  Cyber Insurance Fina.pptxWebinar-MSP+  Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...
 
CCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QACCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QA
 
Strategic governance performance_management_systems
Strategic governance performance_management_systemsStrategic governance performance_management_systems
Strategic governance performance_management_systems
 
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
 
Why Managed Services
Why Managed ServicesWhy Managed Services
Why Managed Services
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
 
Measuring Success - Security KPIs
Measuring Success - Security KPIsMeasuring Success - Security KPIs
Measuring Success - Security KPIs
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
 
ID Tech PPT.pdf
ID Tech PPT.pdfID Tech PPT.pdf
ID Tech PPT.pdf
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentation
 
Moving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudMoving Enterprise Applications to the Cloud
Moving Enterprise Applications to the Cloud
 
IDC Technologies Presentation New
IDC Technologies Presentation NewIDC Technologies Presentation New
IDC Technologies Presentation New
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
 
Standardized Risk Measurement for IT Executives 101
Standardized Risk Measurement for IT Executives 101Standardized Risk Measurement for IT Executives 101
Standardized Risk Measurement for IT Executives 101
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
Getting Demo & POV Ready
Getting Demo & POV ReadyGetting Demo & POV Ready
Getting Demo & POV Ready
 

Dernier

FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Doge Mining Website
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 

Dernier (20)

FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 

Continuous Monitoring 2.0

6. Common Elements

• Breadth of engagement
• Simplicity of result
• Context
• Short cycle time

7. Why hasn’t everyone done this?

• Or, why is this hard?
  – Metrics are hard
  – My organizational structure is different
  – My monitoring solution won’t do that

8. The Challenge for Security Performance Management

• How can we replicate benchmarking success effectively?
  – With the organizations and tools that we already have in place?
  – For all our security programs (not just vulnerability management and configuration auditing)?

9. https://benchmark.ncircle.com

10. The CISO needs what the CFO has…

• The CISO needs a metrics language to describe a company’s security performance, just as the CFO describes financial performance
• CISOs can now field a formal security performance management program built on objective, fact-based metrics that
  – Shows how the security organization is protecting the company
  – Benchmarks performance vs. internal goals, and vs. industry peers
  – Trends performance over time

11. With a Security Performance Management Program, CISOs can demonstrate that

• There is a comprehensive approach to security that is…
  – Measured against specific goals & standards
  – In line with our risk tolerance
  – Aggregated by meaningful asset groupings
  – At least equal to or better than our own industry’s investment & performance
  – Controls aligned with GRC objectives
• Based on actual data, on an ongoing basis, that we can rely on to make decisions on:
  – Investment
  – Execution
  – Resource allocation

12. Security Metrics & Scorecards: cornerstone of an effective IT GRC assessment

• Metrics affirm the existence and effectiveness of security controls
• Scorecards enable and evidence management oversight; communicate performance and evaluate corrective actions
• Well-constructed Metrics and Scorecards:
  – Continuously monitor controls
  – Deliver trusted, timely, and actionable decision-making information
  – Identify and communicate concentration of risks
  – Align security initiatives with business objectives

13. An Effective Security Performance Management Solution

Proven Metrics and Scorecards
• Measure performance to goals
• Cover the entire IT Ecosystem
• Objective, fact-based metrics
• Relevant & Actionable
• Benchmark with peer groups

Questions the program answers:
  – How secure and compliant is our enterprise?
  – How do we compare to others?
  – Are we investing effectively?

IT Security Ecosystem covered: Event Management & Incident Response; Antivirus & Endpoint Protection; Network Protection; Endpoint Encryption; Vulnerability Management; Configuration Auditing; Identity & Access Management; Patch Management

14. Valuable Peer Benchmarks

[Dashboard screenshots: Benchmark Performance Quadrants; Benchmark Performance Standard; Participant Results; Weekly Performance Benchmark]

15. Analyze performance against Benchmarks & Identify underperforming areas

16. Over 1,000 companies have joined nCircle Benchmark to date

[Chart: nCircle Benchmark Accounts, 0 to 1,000, as of 7/20/12]

Financial Services Bellwether Metrics (as of 7/20/12)

Average CVSS host score (per host)
  Benchmark average: 172   Benchmark median: 33
  Quartiles: Top 25%: 0–5 | Second Quartile: 6–33 | Third Quartile: 34–67 | Bottom 25%: 68–700

Average days since last scan
  Benchmark average: 23   Benchmark median: 9
  Quartiles: Top 25%: 0–1 days | Second Quartile: 2–9 | Third Quartile: 10–32 | Bottom 25%: 33–90

Virus definition age (days)
  Benchmark average: 29   Benchmark median: 22
  Quartiles: Top 25%: 0–2 days | Second Quartile: 3–22 | Third Quartile: 23–40 | Bottom 25%: 41–56

Failed logins per attempt
  Benchmark average: .05%   Benchmark median: .04%
  Quartiles: Top 25%: .00–.03% | Second Quartile: .040–.049% | Third Quartile: .05–.08% | Bottom 25%: .09–.11%
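As an added example (not nCircle’s code or the Benchmark service’s logic), the snippet below computes two of the slide’s Financial Services bellwether metrics from constructed per-host scan records and places each result in the quartile bands printed on the slide, as of the slide’s 7/20/12 date. It assumes that a host’s CVSS score is the sum of the CVSS base scores of its open findings; the host names and scores are constructed sample data.

```python
# Added example, not nCircle's code: compute two of the slide's bellwether
# metrics from per-host scan records and place them in the benchmark quartile
# bands printed on the slide (lower is better). Assumption: a host's CVSS
# score is the sum of the CVSS base scores of its open findings.
from datetime import date
from statistics import mean

AS_OF = date(2012, 7, 20)  # the slide's "as of" date

# Quartile bands from the slide as (inclusive upper bound, label).
QUARTILE_BANDS = {
    "avg_cvss_host_score": [(5, "Top 25%"), (33, "Second Quartile"),
                            (67, "Third Quartile"), (700, "Bottom 25%")],
    "avg_days_since_last_scan": [(1, "Top 25%"), (9, "Second Quartile"),
                                 (32, "Third Quartile"), (90, "Bottom 25%")],
}

# Constructed sample records: CVSS base scores of each host's open
# findings and the date of its last vulnerability scan.
HOSTS = [
    {"host": "web-01", "cvss": [7.5, 5.0, 4.3], "last_scan": date(2012, 7, 19)},
    {"host": "web-02", "cvss": [9.3, 7.5, 7.5, 6.8], "last_scan": date(2012, 7, 18)},
    {"host": "db-01", "cvss": [], "last_scan": date(2012, 6, 30)},
    {"host": "app-01", "cvss": [10.0, 9.3, 7.2, 5.0, 4.3], "last_scan": AS_OF},
]

def avg_cvss_host_score(hosts):
    """Mean over hosts of the per-host CVSS total (0 for a clean host)."""
    return mean(sum(h["cvss"]) for h in hosts)

def avg_days_since_last_scan(hosts, as_of=AS_OF):
    """Mean age, in days, of each host's most recent scan."""
    return mean((as_of - h["last_scan"]).days for h in hosts)

def quartile(metric, value):
    """First band whose upper bound the value does not exceed; values past
    the slide's last band are flagged rather than hidden in the bottom one."""
    for upper, label in QUARTILE_BANDS[metric]:
        if value <= upper:
            return label
    return "Off scale"

def scorecard(hosts, as_of=AS_OF):
    """Metric name -> (value, benchmark quartile) for one asset group."""
    values = {
        "avg_cvss_host_score": avg_cvss_host_score(hosts),
        "avg_days_since_last_scan": avg_days_since_last_scan(hosts, as_of),
    }
    return {m: (v, quartile(m, v)) for m, v in values.items()}
```

Running `scorecard` over separate asset groups (by department, bureau or location) gives the per-group quartile placement the later slides describe, and the "Off scale" result surfaces a group whose metric has drifted outside the benchmark's range.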
17. Benchmarking in the Federal Space

• All the same security domains as commercial, plus…
• Agencies generate CyberScope continuous monitoring data, usually from SCAP XML files
• Generated using a wide and growing variety of SCAP-validated solutions from numerous vendors
• Files uploaded to OMB once a month
• Files are
  – Human readable? Not so much
  – Don’t lend themselves to trending
  – Don’t lend themselves to comparative analysis
  – Readily ingested and processed by nCircle Benchmark data collectors

18. CyberScope: Executive Summary

19. Asset Classification & Departmental Benchmark

20. Vulnerabilities & Departmental Comparison

21. SCAP Output

• Continuous Monitoring Metrics driven directly from SCAP data
  – Asset-based Compliance, Vulnerability and Classification Scorecards
• Asset Grouping identifies areas of improvement and concentration of risk, or examines specific critical cyber assets
  – Intra- and Inter-Agency (Bureau/Service) Benchmark Comparisons

22. SCAP: Executive Summary

23. Asset Identification & Departmental Comparison

24. Compliance & Departmental Comparison

25. Vulnerabilities & Benchmark Community

26. HQ Security Performance Comparison

27. Benchmark Federal Notional Diagram

[Diagram: SCAP sources plus local FISMA requirements feed CyberScope (Assets, Vulnerabilities, Configuration) and an Internal Benchmark with scorecards by Asset Group, Department, agencies, bureaus and locations; CyberScope reporting and benchmark comparisons]

28. Questions?

• Contact information: Keren Cummins, Director, Federal and MidAtlantic Programs, (301) 379-2493, kcummins@ncircle.com