SlideShare une entreprise Scribd logo

Security Metrics

Conferencias FIST
Conferencias FIST
Technologie
1  sur  30
Télécharger pour lire hors ligne
Conferencia FIST Marzo/Madrid 2008 @ Sponsored by: Security Management Metrics Vicente Aceituno, 2008
About me Vice president of the ISSA Spain chapter. www.issa-spain.org Vice president of the FIST Conferences association. www.fistconference.org Author of a number of articles: Google: vaceituno wikipedia Director of the ISM3 Consortium The consortium promotes ISM3, an ISMS standard ISM3 is the main source for this presentation. www.ism3.com
Management vs Engineering Security Engineering: Design and build systems than can be used securely. Security Management: Employ people and systems (that can be well or badly engineered) safely.
Targets vs Outcomes Activity and Targets are weakly linked. Targets: +Security / -Risk Trust Activity: Keep systems updated Assign user accounts Inform users of their rights
Definition Metrics are quantitative measurements that can be interpreted in the context of a series of previous or equivalent measurements. Metrics make management possible: 1. Measurement – Some call this “metrics” too. 2. Interpretation – Some call this “indicator”. 3. Investigation – (When appropriate, logs are key here) Common cause Special cause 4. Rationalization 5. Informed Decision
Qualitative vs Quantitative Measurement William Thomson (Lord Kelvin): “I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be”: “What can’t be measured, can’t Meaning: be managed”
Interpretation It doesn’t make sense to set thresholds beforehand. You have to learn what is normal to find out what is abnormal. Thresholds can be fuzzy. False positives and false negatives. Example: 1000 students tested for HIV, 10 have it. HIV Have HIV Don’t have HIV Test positive for HIV 9 99 Test negative for HIV 1 891
Interpretation Is it successful? Is it normal? How does it compare against peers?
Interpretation Are outcomes better fit to their purpose? Are outcomes getting closer or further from target? Are we getting fewer false positives and false negatives? Are we using resources more efficiently?
Rationalization Is the correction/change working? Is it cost effective? Can we meet our targets with the resources we have? Are we getting the same outputs with fewer resources?
Decisions
Good Metrics are SMARTIED S.M.A.R.T Specific: The metric is relevant to the process being measured. Measurable: Metric measurement is feasible with reasonable cost. Actionable: It is possible to act on the process to improve the metric. Relevant: Improvements in the metric meaningfully enhances the contribution of the process towards the goals of the management system. Timely: The metric measurement is fast enough for being used effectively. +Interpretable: Interpretation is feasible (there is comparable data) with reasonable cost (false positives or false negatives rates are low enough) +Enquirable: Investigation is feasible with reasonable cost. +Dynamic: The metric values change over time.
Fashion vs Results Real Time vs Continuous Improvement Management is far more than Incident Response. Risk Assessment as a Metric Only as useful as Investigation results. Certification / Audit Compliant / Not compliant is NOT a Metric.
What are good Metrics? Activity: The number of outcomes produced in a time period; Scope: The proportion of the environment or system that is protected by the process. Update: The time since the last update or refresh of process outcomes. (Are outcomes recent enough to be valid?) Availability: The time since a process has performed as expected upon demand (uptime), the frequency and duration of interruptions, and the time interval between interruptions. Efficiency / ROSI: Ratio of outcomes to the cost of the investment in the process. (Are we getting the same outcomes with fewer resources? Are we getting more/better outcomes with the same resources?)
What are good Metrics? Efficacy / Benchmark: Ratio of outcomes produced in comparison to the theoretical maximum. Measuring efficacy of a process implies the comparison against a baseline. (Are outputs better fit to their purpose?, Compare against industry/peers to show relative position) Load: Ratio of available resources in actual use to produce the outcomes, like CPU load, repositories capacity, bandwidth, licenses and overtime hours per employee. Accuracy: Rate of false positives and false negatives.
Examples Activity: Number of access attempts successful Scope: % Resources protected with Access Control Update: Time elapsed since last access attempt successful Availability: % of Time Access Control is available Efficiency / ROSI: Access attempts successful per euro Efficacy / Benchmark: Malicious access attempts failed vs Malicious access attempts successful. Legitimate access attempts failed vs Legitimate access attempts successful. Load: % mean and peak Gb, Mb/s, CPU and licenses in use.
Metrics and Capability Undefined. The process might be used, but it is not defined. Defined. The process is documented and used. Managed. The process is Defined and the results of the process are used to fix and improve the process. Controlled. The process is Managed and milestones and need of resources is accurately predicted. Optimized. The process is Controlled and improvement leads to a saving in resources
Capability: Undefined Measurement - None Interpretation - None
Capability: Defined Measurement - None Interpretation - None Investigation – (When appropriate, logs are key here) Common cause (changes in the environment, results of management decisions) Special cause (incidents) Rationalization for use of time, budget, people and other resources – Not possible Informed Decision – Not possible
Capability: Managed Measurement: Scope, Activity, Availability Interpretation: Normal?, Successful?, Trends? Benchmarking, How does it compare? Efficacy. Investigation (Common cause, Special cause) Find faults before they produce incidents. Rationalization… – Possible Informed Decision – Possible
Capability: Controlled Measurement: Load, Update Interpretation Can we meet our targets in time with the resources we have? What resources and time are necessary to meet our targets ? Investigation Find bottlenecks. Rationalization…- Possible Informed Decision, Planning – Possible
Capability: Optimized Measurement: Efficiency (ROSI) Interpretation Investigation Rationalization Informed Decision, Planning, Tradeoffs (point of diminishing returns) – Possible
Metric Specification Name of the metric; Description of what is measured; How is the metric measured; How often is the measurement taken; How are the thresholds calculated; Range of values considered normal for the metric; Best possible value of the metric; Units of measurement.
Metrics Representation
Metrics Representation
Metrics Representation Access Rights Granted 16000,0 1800,0 14000,0 1600,0 12000,0 1400,0 10000,0 1200,0 8000,0 1000,0 6000,0 800,0 4000,0 600,0 2000,0 400,0 0,0 200,0 0,0 W 10 W 13 W 16 W 19 W 22 W 25 W 28 W 31 W 34 W 37 W 40 W 43 W 46 9 k4 1 4 7 10 13 16 19 22 25 28 31 34 37 40 k k k k k k k k k k k k k ee ee ee ee ee ee ee ee ee ee ee ee ee ee W Weeks Access Rights Granted Access Rights Granted 1800,0 1600,0 1600,0 1400,0 1400,0 1200,0 1200,0 1000,0 1000,0 800,0 800,0 600,0 600,0 400,0 400,0 200,0 200,0 0,0 0,0 W 10 W 13 W 16 W 19 W 22 W 25 W 28 W 31 W 34 W 37 W 40 W 43 6 W 10 W 13 W 16 W 19 W 22 W 25 W 28 W 31 W 34 W 37 W 40 W 43 W 46 9 k4 k4 k k k k k k k k k k k k k k k k k k k k k k k k k ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee W W Weeks Weeks
Using Metrics Acumulado de Recomendaciones por Responsable (Suma de días) 2500 Mr Blue 2000 Mr Pink Mr Yellow 1500 Mr Purple Mr Soft Blue Mr Red 1000 Mr Green Mr Orange 500 0 o Fe r o o ie e zo pt sto o Ag o O re ic bre e ril ay ni r li er br e Ab N tub b Ju ar Ju Se o En m m br M m M c ie ie ov D
Using security management metrics Key Goal Indicators Key Performance Indicators Services Levels Agreements / Underpinnig Contracts Balanced Scorecard (Customer, Internal, Stakeholder, Innovation - Goals and Measures)
Creative Commons Attribution-NoDerivs 2.0 You are free: •to copy, distribute, display, and perform this work Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
@ with the sponsorship of: THANK YOU www.fistconference.org

Recommandé

WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...
WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...
WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...Symantec
 
Ffiec presentation
Ffiec presentationFfiec presentation
Ffiec presentation1stMarinerBank
 
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government SectorSymantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government SectorSymantec
 
Symantec Security Refresh Webinar
Symantec Security Refresh WebinarSymantec Security Refresh Webinar
Symantec Security Refresh WebinarArrow ECS UK
 
Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Adv Prashant Mali
 
Implementing security on android application
Implementing security on android applicationImplementing security on android application
Implementing security on android applicationIAEME Publication
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Symantec
 

Recommandé

WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...
WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...
WHITE PAPER: How safe is your quantified self? from the Symantec Security Res...Symantec
 
Ffiec presentation
Ffiec presentationFfiec presentation
Ffiec presentation1stMarinerBank
 
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government SectorSymantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government SectorSymantec
 
Symantec Security Refresh Webinar
Symantec Security Refresh WebinarSymantec Security Refresh Webinar
Symantec Security Refresh WebinarArrow ECS UK
 
Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Legal aspects of IT Security-at ISACA conference 2011
Legal aspects of IT Security-at ISACA conference 2011Adv Prashant Mali
 
Implementing security on android application
Implementing security on android applicationImplementing security on android application
Implementing security on android applicationIAEME Publication
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...
Internet Security Threat Report 2014 :: Volume 19 Appendices - The hardcore n...Symantec
 
Security Metrics
Security MetricsSecurity Metrics
Security MetricsConferencias FIST
 
Sensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesSensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesDr. Mazlan Abbas
 
Factors Effecting the Brand on CPD-(Final Project)
Factors Effecting the Brand on CPD-(Final Project)Factors Effecting the Brand on CPD-(Final Project)
Factors Effecting the Brand on CPD-(Final Project)AIMS Education
 
013 Research Paper Methods Section Social
013 Research Paper Methods Section Social013 Research Paper Methods Section Social
013 Research Paper Methods Section SocialNicole Williams
 
Gaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationGaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationSuperData
 
Gaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationGaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationSuperData
 
Biuspp metrex
Biuspp metrexBiuspp metrex
Biuspp metrexJosé Quintás Alonso
 
Biocatalogue Talk Slides
Biocatalogue Talk SlidesBiocatalogue Talk Slides
Biocatalogue Talk SlidesBioCatalogue
 
WIPAC Monthly - December 2016
WIPAC Monthly - December 2016WIPAC Monthly - December 2016
WIPAC Monthly - December 2016Water Industry Process Automation & Control
 
Peter Clarke, CTO at Isle of Man Government - A dive into the clouds
Peter Clarke, CTO at Isle of Man Government - A dive into the cloudsPeter Clarke, CTO at Isle of Man Government - A dive into the clouds
Peter Clarke, CTO at Isle of Man Government - A dive into the cloudsGlobal Business Events
 
Capstone Project.pptx
Capstone Project.pptxCapstone Project.pptx
Capstone Project.pptxARESProject1
 
Documentary Essay Definition
Documentary Essay DefinitionDocumentary Essay Definition
Documentary Essay DefinitionTameka Howard
 
Risk And Relevance 20080414ppt
Risk And Relevance 20080414pptRisk And Relevance 20080414ppt
Risk And Relevance 20080414pptgregoryg
 
Risk And Relevance 20080414ppt
Risk And Relevance 20080414pptRisk And Relevance 20080414ppt
Risk And Relevance 20080414pptgregoryg
 
RS in the context of Big Data-v4
RS in the context of Big Data-v4RS in the context of Big Data-v4
RS in the context of Big Data-v4Khadija Atiya
 
Invisible Narratives: How to Easily and Effectively turn Data into Stories
Invisible Narratives: How to Easily and Effectively turn Data into StoriesInvisible Narratives: How to Easily and Effectively turn Data into Stories
Invisible Narratives: How to Easily and Effectively turn Data into StoriesTechSoup Canada
 
Analytics in IOT
Analytics in IOTAnalytics in IOT
Analytics in IOTMitesh Gupta
 
Effective monitoring with StatsD
Effective monitoring with StatsDEffective monitoring with StatsD
Effective monitoring with StatsDDatadog
 
WideTag Social Energy Meter
WideTag Social Energy MeterWideTag Social Energy Meter
WideTag Social Energy Meterwidetag
 
How to Enter the Data Analytics Industry?
How to Enter the Data Analytics Industry?How to Enter the Data Analytics Industry?
How to Enter the Data Analytics Industry?Ganes Kesari
 
Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open SolarisConferencias FIST
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceConferencias FIST
 

Contenu connexe

Similaire à Security Metrics

Sensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesSensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesDr. Mazlan Abbas
 
Factors Effecting the Brand on CPD-(Final Project)
Factors Effecting the Brand on CPD-(Final Project)Factors Effecting the Brand on CPD-(Final Project)
Factors Effecting the Brand on CPD-(Final Project)AIMS Education
 
013 Research Paper Methods Section Social
013 Research Paper Methods Section Social013 Research Paper Methods Section Social
013 Research Paper Methods Section SocialNicole Williams
 
Gaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationGaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationSuperData
 
Gaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationGaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationSuperData
 
Biocatalogue Talk Slides
Biocatalogue Talk SlidesBiocatalogue Talk Slides
Biocatalogue Talk SlidesBioCatalogue
 
Peter Clarke, CTO at Isle of Man Government - A dive into the clouds
Peter Clarke, CTO at Isle of Man Government - A dive into the cloudsPeter Clarke, CTO at Isle of Man Government - A dive into the clouds
Peter Clarke, CTO at Isle of Man Government - A dive into the cloudsGlobal Business Events
 
Capstone Project.pptx
Capstone Project.pptxCapstone Project.pptx
Capstone Project.pptxARESProject1
 
Documentary Essay Definition
Documentary Essay DefinitionDocumentary Essay Definition
Documentary Essay DefinitionTameka Howard
 
Risk And Relevance 20080414ppt
Risk And Relevance 20080414pptRisk And Relevance 20080414ppt
Risk And Relevance 20080414pptgregoryg
 
Risk And Relevance 20080414ppt
Risk And Relevance 20080414pptRisk And Relevance 20080414ppt
Risk And Relevance 20080414pptgregoryg
 
RS in the context of Big Data-v4
RS in the context of Big Data-v4RS in the context of Big Data-v4
RS in the context of Big Data-v4Khadija Atiya
 
Invisible Narratives: How to Easily and Effectively turn Data into Stories
Invisible Narratives: How to Easily and Effectively turn Data into StoriesInvisible Narratives: How to Easily and Effectively turn Data into Stories
Invisible Narratives: How to Easily and Effectively turn Data into StoriesTechSoup Canada
 
Effective monitoring with StatsD
Effective monitoring with StatsDEffective monitoring with StatsD
Effective monitoring with StatsDDatadog
 
WideTag Social Energy Meter
WideTag Social Energy MeterWideTag Social Energy Meter
WideTag Social Energy Meterwidetag
 
How to Enter the Data Analytics Industry?
How to Enter the Data Analytics Industry?How to Enter the Data Analytics Industry?
How to Enter the Data Analytics Industry?Ganes Kesari
 

Similaire à Security Metrics (20)

Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
Sensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's PerspectivesSensing-as-a-Service - An IoT Service Provider's Perspectives
Sensing-as-a-Service - An IoT Service Provider's Perspectives
 
Factors Effecting the Brand on CPD-(Final Project)
Factors Effecting the Brand on CPD-(Final Project)Factors Effecting the Brand on CPD-(Final Project)
Factors Effecting the Brand on CPD-(Final Project)
 
013 Research Paper Methods Section Social
013 Research Paper Methods Section Social013 Research Paper Methods Section Social
013 Research Paper Methods Section Social
 
Gaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationGaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & Monetization
 
Gaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & MonetizationGaming the Social: Community, Measurement & Monetization
Gaming the Social: Community, Measurement & Monetization
 
Biuspp metrex
Biuspp metrexBiuspp metrex
Biuspp metrex
 
Biocatalogue Talk Slides
Biocatalogue Talk SlidesBiocatalogue Talk Slides
Biocatalogue Talk Slides
 
WIPAC Monthly - December 2016
WIPAC Monthly - December 2016WIPAC Monthly - December 2016
WIPAC Monthly - December 2016
 
Peter Clarke, CTO at Isle of Man Government - A dive into the clouds
Peter Clarke, CTO at Isle of Man Government - A dive into the cloudsPeter Clarke, CTO at Isle of Man Government - A dive into the clouds
Peter Clarke, CTO at Isle of Man Government - A dive into the clouds
 
Capstone Project.pptx
Capstone Project.pptxCapstone Project.pptx
Capstone Project.pptx
 
Documentary Essay Definition
Documentary Essay DefinitionDocumentary Essay Definition
Documentary Essay Definition
 
Risk And Relevance 20080414ppt
Risk And Relevance 20080414pptRisk And Relevance 20080414ppt
Risk And Relevance 20080414ppt
 
Risk And Relevance 20080414ppt
Risk And Relevance 20080414pptRisk And Relevance 20080414ppt
Risk And Relevance 20080414ppt
 
RS in the context of Big Data-v4
RS in the context of Big Data-v4RS in the context of Big Data-v4
RS in the context of Big Data-v4
 
Invisible Narratives: How to Easily and Effectively turn Data into Stories
Invisible Narratives: How to Easily and Effectively turn Data into StoriesInvisible Narratives: How to Easily and Effectively turn Data into Stories
Invisible Narratives: How to Easily and Effectively turn Data into Stories
 
Analytics in IOT
Analytics in IOTAnalytics in IOT
Analytics in IOT
 
Effective monitoring with StatsD
Effective monitoring with StatsDEffective monitoring with StatsD
Effective monitoring with StatsD
 
WideTag Social Energy Meter
WideTag Social Energy MeterWideTag Social Energy Meter
WideTag Social Energy Meter
 
How to Enter the Data Analytics Industry?
How to Enter the Data Analytics Industry?How to Enter the Data Analytics Industry?
How to Enter the Data Analytics Industry?
 

Plus de Conferencias FIST

Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceConferencias FIST
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseConferencias FIST
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiConferencias FIST
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security ForumConferencias FIST
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes WirelessConferencias FIST
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la ConcienciaciónConferencias FIST
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloConferencias FIST
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseConferencias FIST
 

Plus de Conferencias FIST (20)

Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open Solaris
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 
Cisco Equipment Security
Cisco Equipment SecurityCisco Equipment Security
Cisco Equipment Security
 

Dernier

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Dernier (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Security Metrics

  • 1. Conferencia FIST Marzo/Madrid 2008 @ Sponsored by: Security Management Metrics Vicente Aceituno, 2008
  • 2. About me Vice president of the ISSA Spain chapter. www.issa-spain.org Vice president of the FIST Conferences association. www.fistconference.org Author of a number of articles: Google: vaceituno wikipedia Director of the ISM3 Consortium The consortium promotes ISM3, an ISMS standard ISM3 is the main source for this presentation. www.ism3.com
  • 3. Management vs Engineering Security Engineering: Design and build systems than can be used securely. Security Management: Employ people and systems (that can be well or badly engineered) safely.
  • 4. Targets vs Outcomes Activity and Targets are weakly linked. Targets: +Security / -Risk Trust Activity: Keep systems updated Assign user accounts Inform users of their rights
  • 5. Definition Metrics are quantitative measurements that can be interpreted in the context of a series of previous or equivalent measurements. Metrics make management possible: 1. Measurement – Some call this “metrics” too. 2. Interpretation – Some call this “indicator”. 3. Investigation – (When appropriate, logs are key here) Common cause Special cause 4. Rationalization 5. Informed Decision
  • 6. Qualitative vs Quantitative Measurement William Thomson (Lord Kelvin): “I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be”: “What can’t be measured, can’t Meaning: be managed”
  • 7. Interpretation It doesn’t make sense to set thresholds beforehand. You have to learn what is normal to find out what is abnormal. Thresholds can be fuzzy. False positives and false negatives. Example: 1000 students tested for HIV, 10 have it. HIV Have HIV Don’t have HIV Test positive for HIV 9 99 Test negative for HIV 1 891
  • 8. Interpretation Is it successful? Is it normal? How does it compare against peers?
  • 9. Interpretation Are outcomes better fit to their purpose? Are outcomes getting closer or further from target? Are we getting fewer false positives and false negatives? Are we using resources more efficiently?
  • 10. Rationalization Is the correction/change working? Is it cost effective? Can we meet our targets with the resources we have? Are we getting the same outputs with fewer resources?
  • 12. Good Metrics are SMARTIED S.M.A.R.T Specific: The metric is relevant to the process being measured. Measurable: Metric measurement is feasible with reasonable cost. Actionable: It is possible to act on the process to improve the metric. Relevant: Improvements in the metric meaningfully enhances the contribution of the process towards the goals of the management system. Timely: The metric measurement is fast enough for being used effectively. +Interpretable: Interpretation is feasible (there is comparable data) with reasonable cost (false positives or false negatives rates are low enough) +Enquirable: Investigation is feasible with reasonable cost. +Dynamic: The metric values change over time.
  • 13. Fashion vs Results Real Time vs Continuous Improvement Management is far more than Incident Response. Risk Assessment as a Metric Only as useful as Investigation results. Certification / Audit Compliant / Not compliant is NOT a Metric.
  • 14. What are good Metrics? Activity: The number of outcomes produced in a time period; Scope: The proportion of the environment or system that is protected by the process. Update: The time since the last update or refresh of process outcomes. (Are outcomes recent enough to be valid?) Availability: The time since a process has performed as expected upon demand (uptime), the frequency and duration of interruptions, and the time interval between interruptions. Efficiency / ROSI: Ratio of outcomes to the cost of the investment in the process. (Are we getting the same outcomes with fewer resources? Are we getting more/better outcomes with the same resources?)
  • 15. What are good Metrics? Efficacy / Benchmark: Ratio of outcomes produced in comparison to the theoretical maximum. Measuring efficacy of a process implies the comparison against a baseline. (Are outputs better fit to their purpose?, Compare against industry/peers to show relative position) Load: Ratio of available resources in actual use to produce the outcomes, like CPU load, repositories capacity, bandwidth, licenses and overtime hours per employee. Accuracy: Rate of false positives and false negatives.
  • 16. Examples Activity: Number of access attempts successful Scope: % Resources protected with Access Control Update: Time elapsed since last access attempt successful Availability: % of Time Access Control is available Efficiency / ROSI: Access attempts successful per euro Efficacy / Benchmark: Malicious access attempts failed vs Malicious access attempts successful. Legitimate access attempts failed vs Legitimate access attempts successful. Load: % mean and peak Gb, Mb/s, CPU and licenses in use.
  • 17. Metrics and Capability Undefined. The process might be used, but it is not defined. Defined. The process is documented and used. Managed. The process is Defined and the results of the process are used to fix and improve the process. Controlled. The process is Managed and milestones and need of resources is accurately predicted. Optimized. The process is Controlled and improvement leads to a saving in resources
  • 18. Capability: Undefined Measurement - None Interpretation - None
  • 19. Capability: Defined Measurement - None Interpretation - None Investigation – (When appropriate, logs are key here) Common cause (changes in the environment, results of management decisions) Special cause (incidents) Rationalization for use of time, budget, people and other resources – Not possible Informed Decision – Not possible
  • 20. Capability: Managed Measurement: Scope, Activity, Availability Interpretation: Normal?, Successful?, Trends? Benchmarking, How does it compare? Efficacy. Investigation (Common cause, Special cause) Find faults before they produce incidents. Rationalization… – Possible Informed Decision – Possible
  • 21. Capability: Controlled Measurement: Load, Update Interpretation Can we meet our targets in time with the resources we have? What resources and time are necessary to meet our targets ? Investigation Find bottlenecks. Rationalization…- Possible Informed Decision, Planning – Possible
  • 22. Capability: Optimized Measurement: Efficiency (ROSI) Interpretation Investigation Rationalization Informed Decision, Planning, Tradeoffs (point of diminishing returns) – Possible
  • 23. Metric Specification Name of the metric; Description of what is measured; How is the metric measured; How often is the measurement taken; How are the thresholds calculated; Range of values considered normal for the metric; Best possible value of the metric; Units of measurement.
  • 26. Metrics Representation Access Rights Granted 16000,0 1800,0 14000,0 1600,0 12000,0 1400,0 10000,0 1200,0 8000,0 1000,0 6000,0 800,0 4000,0 600,0 2000,0 400,0 0,0 200,0 0,0 W 10 W 13 W 16 W 19 W 22 W 25 W 28 W 31 W 34 W 37 W 40 W 43 W 46 9 k4 1 4 7 10 13 16 19 22 25 28 31 34 37 40 k k k k k k k k k k k k k ee ee ee ee ee ee ee ee ee ee ee ee ee ee W Weeks Access Rights Granted Access Rights Granted 1800,0 1600,0 1600,0 1400,0 1400,0 1200,0 1200,0 1000,0 1000,0 800,0 800,0 600,0 600,0 400,0 400,0 200,0 200,0 0,0 0,0 W 10 W 13 W 16 W 19 W 22 W 25 W 28 W 31 W 34 W 37 W 40 W 43 6 W 10 W 13 W 16 W 19 W 22 W 25 W 28 W 31 W 34 W 37 W 40 W 43 W 46 9 k4 k4 k k k k k k k k k k k k k k k k k k k k k k k k k ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee W W Weeks Weeks
  • 27. Using Metrics Acumulado de Recomendaciones por Responsable (Suma de días) 2500 Mr Blue 2000 Mr Pink Mr Yellow 1500 Mr Purple Mr Soft Blue Mr Red 1000 Mr Green Mr Orange 500 0 o Fe r o o ie e zo pt sto o Ag o O re ic bre e ril ay ni r li er br e Ab N tub b Ju ar Ju Se o En m m br M m M c ie ie ov D
  • 28. Using security management metrics Key Goal Indicators Key Performance Indicators Services Levels Agreements / Underpinnig Contracts Balanced Scorecard (Customer, Internal, Stakeholder, Innovation - Goals and Measures)
  • 29. Creative Commons Attribution-NoDerivs 2.0 You are free: •to copy, distribute, display, and perform this work Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  • 30. @ with the sponsorship of: THANK YOU www.fistconference.org