Copyright ©2011 Savid Technologies, Inc. All Rights Reserved Security is Not A Four Letter Word Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com

Page 1

Security is Not A Four Letter Word

Michael A. Davis, Chief Executive Officer

Savid Technologies, Inc.

http://www.savidtech.com

Page 2

Who am I?
» Michael A. Davis
  – CEO of Savid Technologies
  – Published Author
    • Hacking Exposed, HE: Malware and Rootkits
    • IT Auditor Magazine, InformationWeek, DarkReading
  – Speaker at Major Security Conferences
    • Defcon, CanSecWest, Toorcon, Hack In The Box
  – Open Source Software Developer
    • Snort
    • Nmap
    • Dsniff

Page 3

Author

Page 4

InformationWeek Contributor

Page 5

The Issue

“Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.”

Page 6

They are paying attention

Page 7

You Protect, They Apologize

According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)

Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)

Page 8

Metrics, we need metrics!

Page 9

Why do we care?
» Management asks:
  – “Are we Secure?”
» Without metrics:
  – “Depends how you look at it”
» With metrics:
  – “Look at our risk score before this project, it dropped 15%. We are more secure today than yesterday”

Page 10

Motorola CISO on Metrics
» “Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.” (William Boni, President & CISO, Motorola Inc., www.secmet.org)

Page 11

What is success?
» From the ITPI (IT Process Institute) study
» High performers maintain a posture of compliance
  – Fewest number of repeat audit findings
  – One-third the audit preparation effort
» High performers find and fix security breaches faster
  – 5 times more likely to detect breaches by automated control
  – 5 times less likely to have breaches result in a loss event
» When high performers implement changes…
  – 14 times more changes
  – One-half the change failure rate
  – One-quarter the first fix failure rate
  – 10x faster MTTR for Sev 1 outages
» When high performers manage IT resources…
  – One-third the amount of unplanned work
  – 8 times more projects and IT services
  – 6 times more applications

Page 12

Where/What to measure

Page 13

Examples of metrics
» Baseline Defenses Coverage (AV, FW, etc.)
  – Measurement of how well you are protecting your enterprise against the most basic information security threats.
  – Typical range is 94% to 98%; less than 90% is cause for concern
» Patch Latency
  – Time between a patch’s release and your successful deployment of that patch.
  – Express as averages, broken down by patch criticality
» Platform Security Scores
  – Measures hosts against your hardening guidelines
» Compliance
  – Measure departments against security standards
  – Example: number of Linux servers at least 90% compliant with the Linux platform security standard
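The three measurable metrics above (baseline defenses coverage, patch latency by criticality, compliance against a platform standard) computed over a small constructed host inventory. This is an added example, not code from the deck or from Savid Technologies; the host names, patch IDs, dates and check counts are made up, and the only thresholds taken from the slide are the 90% coverage line and the 90% compliance cut-off.

```python
"""Three of the slide's metrics computed over a constructed host inventory:
baseline defenses coverage, patch latency by criticality, and compliance
against a platform standard. Added example, not code from the original deck."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample inventory (made-up hosts, not real data).
# av/fw: whether the baseline anti-virus and host firewall controls are in place.
# passed/total: hardening checks passed against the platform security standard.
HOSTS = [
    {"name": "web01", "platform": "linux",   "av": True,  "fw": True,  "passed": 46, "total": 50},
    {"name": "web02", "platform": "linux",   "av": True,  "fw": False, "passed": 44, "total": 50},
    {"name": "db01",  "platform": "linux",   "av": False, "fw": True,  "passed": 49, "total": 50},
    {"name": "ad01",  "platform": "windows", "av": True,  "fw": True,  "passed": 38, "total": 40},
    {"name": "fs01",  "platform": "windows", "av": True,  "fw": True,  "passed": 30, "total": 40},
]

# Constructed patch records: (host, patch id, criticality, released, deployed).
# deployed is None when the patch is still outstanding on that host.
PATCHES = [
    ("web01", "P-1", "critical",  date(2011, 5, 3),  date(2011, 5, 6)),
    ("web02", "P-1", "critical",  date(2011, 5, 3),  date(2011, 5, 20)),
    ("db01",  "P-1", "critical",  date(2011, 5, 3),  None),
    ("ad01",  "P-2", "important", date(2011, 5, 10), date(2011, 5, 31)),
    ("fs01",  "P-2", "important", date(2011, 5, 10), date(2011, 6, 14)),
    ("web01", "P-3", "moderate",  date(2011, 4, 12), date(2011, 6, 1)),
]
AS_OF = date(2011, 6, 30)  # constructed reporting date
CONCERN_THRESHOLD = 90.0   # slide: coverage below 90% is cause for concern


def baseline_coverage(hosts, controls=("av", "fw")):
    """Percent of hosts with every baseline control present, and whether that
    falls below the slide's 90% cause-for-concern line. A host missing any one
    control counts as uncovered: partial coverage is what attackers look for."""
    covered = sum(all(h[c] for c in controls) for h in hosts)
    pct = round(100.0 * covered / len(hosts), 1)
    return pct, pct < CONCERN_THRESHOLD


def patch_latency(patches, as_of):
    """Mean days from patch release to successful deployment, per criticality.
    Outstanding patches are counted as open through `as_of`, so an unpatched
    host inflates the number instead of silently dropping out of the average."""
    days_by_crit = defaultdict(list)
    for _host, _pid, crit, released, deployed in patches:
        days_by_crit[crit].append(((deployed or as_of) - released).days)
    return {crit: round(mean(days), 1) for crit, days in days_by_crit.items()}


def compliance_count(hosts, platform, threshold=0.90):
    """Number of `platform` hosts meeting at least `threshold` of the checks in
    their platform security standard (the slide's "Linux servers at least 90%
    compliant" metric)."""
    return sum(1 for h in hosts
               if h["platform"] == platform and h["passed"] / h["total"] >= threshold)


if __name__ == "__main__":
    pct, concern = baseline_coverage(HOSTS)
    print(f"baseline coverage: {pct}% {'(CONCERN)' if concern else ''}")
    for crit, days in sorted(patch_latency(PATCHES, AS_OF).items()):
        print(f"patch latency, {crit}: {days} days")
    for plat in ("linux", "windows"):
        print(f"{plat} hosts >=90% compliant: {compliance_count(HOSTS, plat)}")
```

The one design choice worth noting is in patch_latency: a patch that has not been deployed yet keeps accruing days against the reporting date rather than being left out, otherwise the hosts that are most behind are the ones that disappear from the average.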

Page 14

SMART Metrics

» Specific: The outcome or end result is very clear to me and all audiences.

» Measurable: You can tell if you have achieved your goal because you can count it or see it.

» Attainable: While achieving the outcome might be a challenge, it is possible with the current team and resources.

» Results-Oriented: The goal is in line with the results the business expects from its strategic goals and plans.

» Time bound: A specific date has been set by which to achieve the goal.

Page 15

Categorize the metric
» Prevention – Prevent an attack from taking place
» Detection – Detect a violation of policy
» Response – Respond to stop an attack
» Recovery – Assess damage and continue operating if an attack is successful

Page 16

Example Metric Catalog

Page 17

Visualization – Pretty Graphs
» Good visualization of metrics
  – Don’t oversimplify
  – Don’t be overly ornate
  – Do use a consistent scale
  – Do include a benchmark
» Without a benchmark, metrics are useless!

Page 18

Balanced Score Card

Each perspective lists its metrics with a Target; the Initiative column is a color status, read with the legend below.

Financial (F1-F4)
  Metric                           Target
  Security unit costs              Lower unit costs
  On-time rate of accreditations   100% on time
  Enterprise risk rating           Maintain .3 rating
  Business impact of incidents     <25 hrs/Q
  Projects on-time/budget          <10% variance
  Cyber PBI ratings                >95% green

Customer (C1-C4)
  Metric                  Target
  Communication           >80% survey scores
  Compliance              >70% survey scores
  Customer Support        >80% survey scores
  Program Input           >90% governance participation
  Time per accreditation  >95% CA/avg times
  Customer Satisfaction   >80% survey scores

Internal Processes (IP1-IP7)
  Metric                   Target
  AOE: Opex reduction      >=2.5% Q/Q
  AOE: SLA performance     <10% variance
  CSIPP: unplanned work    <=3/Q
  DISS: AOP risk mapping   >=80%
  DISS: BP tied to risk    >=30% key processes
  DISS: Red capabilities   Positive trend

Learning and Growth (LG1-LG3)
  Metric                  Target
  Training roadmap        <10% schedule variance
  Planned role rotations  >=1/Q
  Attrition reduction     Reduced attrition rate
  Strategic training      >50% training mapped to initiatives

Initiative status legend:
  Hits target. Initiative on track
  Short of target. Initiative recoverable
  Failed process. Initiative not recoverable
  Target not defined. No initiative

Note: BSC target performance scores are represented here for explanatory purposes only

Page 19

Who are you?
» Financial / business metrics: ROI, ROSI, TCO, Cost/Benefit Analysis, Modified Annual Loss Expectancy
» Operational / technical metrics: Patch Latency, SPAM/AV Stats, # of Vulns

Page 20

We all do them

Source: 2011 InformationWeek Analytics Strategic Security Survey

Page 21

The Reality

Source: 2011 InformationWeek Analytics Strategic Security Survey

Page 22

Your Assumptions Are Wrong
» You are not “in the business”
  – Uphill battle to get management to believe ROI
» Too many variables
  – Don’t be a geek
  – .6, .55, .61 – it doesn’t matter
» Accuracy > Precision
  – Correctly reflects the size of the thing being measured
  – Repeatable
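The “.6, .55, .61 – it doesn’t matter” point, worked through with the commonly used ROSI formula (ROSI = (ALE × mitigation ratio − cost) / cost, with ALE = SLE × ARO). This is an added example, not from the deck; the dollar figures, incident rate and mitigation ratios are constructed, and the formula is the standard one rather than something the slide defines. It also shows the one case where precision does matter: a control priced near break-even, where the sign of ROSI flips between estimates.

```python
"""Return on Security Investment (ROSI) sensitivity check. Added example,
not from the original deck. Formulas used (standard ones, assumed here):
  ALE  = SLE * ARO                                  annual loss expectancy
  ROSI = (ALE * mitigation_ratio - cost) / cost     as a fraction, 1.0 == 100%
"""


def ale(sle, aro):
    """Annual loss expectancy: loss per incident times expected incidents per year."""
    return sle * aro


def rosi(sle, aro, mitigation_ratio, annual_cost):
    """ROSI as a fraction: avoided loss net of the control's cost, over that cost."""
    avoided = ale(sle, aro) * mitigation_ratio
    return (avoided - annual_cost) / annual_cost


def sensitivity(sle, aro, annual_cost, ratios):
    """ROSI at each candidate mitigation ratio, and whether the go/no-go
    decision (ROSI > 0) is the same at all of them. If it is, haggling over
    .55 versus .61 changes nothing; if it is not, the estimate is too close
    to call and the argument should be about the inputs, not the decimals."""
    results = {r: round(rosi(sle, aro, r, annual_cost), 2) for r in ratios}
    same_decision = len({v > 0 for v in results.values()}) == 1
    return results, same_decision


# Constructed scenario (not survey or industry data): $200k per incident,
# two incidents a year, a control that costs $120k a year to run.
SLE, ARO, COST = 200_000, 2, 120_000
RATIOS = (0.55, 0.60, 0.61)  # the three competing estimates from the slide

if __name__ == "__main__":
    scores, stable = sensitivity(SLE, ARO, COST, RATIOS)
    for ratio, score in scores.items():
        print(f"mitigation {ratio:.2f}: ROSI {score:+.0%}")
    print("decision stable across estimates:", stable)
    # Near break-even the sign of ROSI flips between estimates, so the
    # decision depends on the decimals and the inputs need more work first.
    print("stable at $230k/yr:", sensitivity(SLE, ARO, 230_000, RATIOS)[1])
```

With the constructed inputs every estimate lands between +83% and +103%, so the spend is justified whichever ratio you believe; only when the control's cost is pushed up to $230k a year does the choice of .55 or .60 decide the outcome.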

Page 23

Communication
» Talking about numbers and risk is hard

– Difficult to conceptualize

» It didn’t happen last year, it won’t this year

» Lack of descriptive scenarios that relate actual risk to investment and to changes in environment

» You are not a sales person but you have to “Sell Security”

» You have not been educated on “how” to communicate complex projects

Page 24

Business Strategy is Key
» How do you use “industry data”?
» How do you relate every security metric to the business strategic objectives?
» Reduced risk isn’t always important
  – Probability is what matters
» Your numbers are a point in time and don’t show internal trends
» The stakeholders, and core team, can make or break your plans

Page 25

2011 Strategic Security Report
» All the 2011 survey data
» Latest trends
  – Mobile Threats
  – Social Media
  – Virtualization
» Contact me for a free copy (worth $199!)
» [email protected]
  (708) 243-2850

Page 26

Conclusion
» Thank you
» Michael A. Davis
  [email protected]
  (708) 243-2850
» Questions?