August 17, 2010

Opening Remarks: Five Years of Metrics

Andrew Jaquith

Senior Analyst

Forrester Research

Entire contents © 2009 Forrester Research, Inc. All rights reserved.

About Andrew Jaquith

• Senior analyst at Forrester since October 2008

• Coverage: client security, data security, mobile security

• Recent research:

– Apple’s iPhone and iPad: Secure Enough for Business? (Aug 2010)

– Market Overview: Enterprise Rights Management (June 2010)

– Own Nothing. Control Everything (January 2010)

– Data-Centric Security Requires Devolution, Not a Revolution (2009)

• Senior analyst at Yankee Group 2005-2008

• Co-founder of pioneering security consultancy @stake

• Author of best-selling security book, Security Metrics

• Founder, securitymetrics.org. Co-developer of Apache JSPWiki

Andrew and Khalid Kark will be facilitating a Security Metrics Workshop at Forrester’s IT Security Forum in Boston, September 15th-16th 2010

Five Years Later, Are Security Metrics Still a Fad?

Agenda

• Welcome

• Five Years of Metrics

• Nuts and Bolts

Metricon 2.0: Jeremiah Grossman (2007)

• Excellent “texture and depth” on prevailing practices

– 18 month snapshot: Jan 2006-August 2007

– 128m websites

• Factoid I scribbled down: 7 out of 10 sites have “critical” or “urgent” vulns

Mini-Metricon 2.5: Verizon’s 1st DBIR

• First look at “curated” enterprise metrics about intrusions and data breach incidents

• Terrific insights about attacker paths

• Disabused the insider threat argument

Metricon 3.0: Caroline Wong, eBay (2008)

• Gosh, a real live enterprise! And a household name…

• Great snapshot of how fraud and security relate

• Metrics I scribbled down: eBay watches the number of compromised accounts.

– Also: # of “maliciously compromised” accounts

Mini-Metricon 3.5: Maureen Doyle (2009)

• Analysis of 100 weeks of code commits and code quality for 14 open-source PHP apps

– Vuln density: 8.88 vulns/KLOC

– Some correlation between cyclomatic complexity and security defects

• Neat insight I scribbled down:

– Study found no correlation between security defects and code churn

Metricon 4.0: James Cowie, Renesys (2009)

• Used three metrics to determine the “cluefulness” of organizations connecting to the Internet

– Compliance - are your routing advertisements compliant with what you have

– Availability - how available is your network?

– Diversity - how diverse are your providers?

• Money quote I scribbled down:

– “How do we make people change their behavior? Easy. Cut right to the base emotions: fear and shame.”

Agenda

• Welcome

• Five Years of Metrics

• Nuts and Bolts

Today’s schedule

9:00 – 9:30 Welcome

9:30 – 10:30 Metrics Present (part 1)

Morning break

11:00 – 12:30 Metrics Present (part 2)

Lunch break

1:45 – 2:45 Metrics Present (part 3)

Afternoon break

3:15 – 4:15 Metrics Future

4:15 – 5:30 Rump session

5:30+ Beer (sponsored by Blue Canopy)

Nuts and Bolts

• Wireless

– SSID: usenix. Password: usenix2010

• Lunch

– 12:30-1:45, Thurgood Marshall South West

• Beers

– 5:30-6:30, Harding (this room)

• USENIX Happy Hour

– 6-7 pm, Thurgood Marshall North East

Rules for living

• This is a safe environment

• We will publish official (high level) proceedings

• Anything you ask to be “off the record” will stay so

• Save your e-mail for break times

• Assertiveness is welcome. Rudeness is not

• Stay engaged

• Have fun

Enjoy the Day

Andrew Jaquith

Senior Analyst, Security and Risk

+1 617.613.6410

[email protected]

www.forrester.com

Twitter: arj