Page 1: Nabil Malik - Security performance metrics

Security Performance Metrics

Nabil A. [email protected]

Page 2:

Agenda

1. Background

2. Security Evolution

3. Security Metrics

4. Measuring Technical Security

5. Measuring Security Program

Page 3:

1 - Background

• What is Information Security?
• What is Risk Management?
• Why do we need Security Measurements?
• Objectives:
  – Understanding Security Evolution
  – Measuring Security

Page 4:

2 - Security Evolution

• The Past
  – A Technical Function
  – Technical Security – Firewall, IDS, Access Control
• The Present
  – An Assurance Function – mostly Risk Management
  – Risk Management Process
  – The Doughnut-Shaped Cycle
• The Future
  – Metrics supplementing Risk Management

Page 5:

2 - Security Evolution

Page 6:

2 - Security Evolution

1. Assessment
2. Reporting
3. Prioritization
4. Mitigation

• Follow them, and you've got risk management!
• Good for Vendors – Service charges at each cycle
• Unpleasant for Consumers – Never Clean

[Figure: the doughnut-shaped cycle – Assessment, Reporting, Prioritization, Mitigation]

Page 7:

2 - Security Evolution

• The Problem:
  – Captures the easy part (identification and fixing)
  – Misses the hard part (quantification and valuation of risk)
  – Vendor tools are agnostic about the organizational context
  – Real Risk Management should be identification, rating, mitigation, and above all, quantification of the risks
  – Thus, today's Risk Management = Identify + Fix

Page 8:

2 - Security Evolution

• FUD is the old model (Past and Present)
• FEAR, UNCERTAINTY, and DOUBT (FUD)
  – The FEAR of the catastrophic consequence of an information attack
  – The UNCERTAINTY about Vulnerabilities
  – The DOUBT about the sufficiency of existing controls
• Shall we continue to rely on Oracles and Fortune Tellers (Vendors!) to give us security advice and hope it will keep us safe?

Page 9:

3 - Security Metrics

• Business Questions:
  – Is my security better this year?
  – What am I getting out of my security investment?
  – How do I compare to my peers?
• Answers:
  – Readily answered in other business contexts
  – Silence and embarrassment in the security context
• Metric = "A system of measurement"

Page 10:

3 - Security Metrics

Good Metrics are:

• Consistently measured
• Cheap to gather
• Expressed as a cardinal number or percentage
• Expressed using at least one unit of measure
• Contextually specific

Page 11:

4 – Measuring Technical Security
Perimeter Defense - Email

Metric | Purpose | Source
Total messages per day (#) | Establish the baseline | Email System
Spam detected (#, %) | Spam Pollution | Email Security Gateway
False Negatives – Spam Missed (#, %) | Effectiveness of Anti-Spam Filter | Reported by End Users
False Positives (#, %) | Effectiveness of Anti-Spam Filter | Reported by End Users
Spam Detection Failure Rate ((False Negatives + False Positives) ÷ Spam Detected) | Effectiveness of Anti-Spam Filter | SIM, Manual
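The email table above as a worked computation: an added example (not code from the deck or its author) that aggregates constructed gateway counts into each metric with its unit, applies the deck's failure-rate formula, and keeps a day with no gateway counts out of the trend instead of reporting it as perfect. The denominators for the false-negative and false-positive percentages are this example's assumptions, since the deck lists "(#, %)" without naming them.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Added example (not from the deck): the "Perimeter Defense - Email" metrics
# computed from constructed gateway counts. Denominators marked "assumed" are
# choices of this example; the deck lists (#, %) without naming them.

@dataclass(frozen=True)
class EmailDay:
    date: str
    total_messages: int   # Email System: every message that day (the baseline)
    spam_detected: int    # Email Security Gateway: messages it flagged as spam
    spam_missed: int      # reported by end users: spam that reached inboxes (false negatives)
    false_positives: int  # reported by end users: legitimate mail flagged as spam

# Constructed sample period. The last day is a gateway outage with no counts at all.
SAMPLE_WEEK = [
    EmailDay("2024-03-04", 100_000, 59_700, 300, 100),
    EmailDay("2024-03-05", 110_000, 66_000, 440, 120),
    EmailDay("2024-03-06", 90_000, 54_000, 360, 80),
    EmailDay("2024-03-07", 0, 0, 0, 0),
]

def pct(part: int, whole: int) -> Optional[float]:
    """Percentage (unit: %), or None when there is nothing to measure against."""
    return None if whole == 0 else round(100.0 * part / whole, 2)

def email_metrics(days: Iterable[EmailDay]) -> dict:
    """One entry per metric of the deck's email table, aggregated over the period."""
    days = list(days)
    total = sum(d.total_messages for d in days)
    detected = sum(d.spam_detected for d in days)
    missed = sum(d.spam_missed for d in days)
    fps = sum(d.false_positives for d in days)
    return {
        "total_messages": total,                               # (#) baseline
        "spam_detected": detected,                             # (#)
        "spam_detected_pct": pct(detected, total),             # (%) spam pollution of all mail
        "false_negative_pct": pct(missed, detected + missed),  # (%) of all spam; assumed denominator
        "false_positive_pct": pct(fps, detected),              # (%) of flagged mail; assumed denominator
        # Deck formula: (false negatives + false positives) / spam detected
        "failure_rate_pct": pct(missed + fps, detected),
    }

def daily_failure_rate(days: Iterable[EmailDay]) -> List[Tuple[str, Optional[float]]]:
    """Per-day trend of the failure rate. A day with no gateway counts yields
    None rather than 0.0, so an outage is not reported as a perfect day."""
    return [(d.date, pct(d.spam_missed + d.false_positives, d.spam_detected))
            for d in days]
```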

Page 12:

4 – Measuring Technical Security
Perimeter Defense – Anti-Malware

Metric | Purpose | Source
Malware detected on websites (#) | Propensity of users to surf infected websites | Web Filtering Appliance
Malware detected in user files (#, %) | Infection rate of endpoints | Endpoint Anti-Malware
Malware requiring manual cleanup (#, %) | Effort / Time / Cost spent in manual cleanup | Anti-Malware; Ticketing System
Outgoing malware detected at gateway (#) | Internal Network Infection Rate | Email Content Filtering Gateway

Page 13:

4 – Measuring Technical Security
Coverage and Control

Metric | Purpose | Source
Computers covered by Anti-Malware (%) | Extent of coverage of the Anti-Malware control | Anti-Malware Software; Network Management Software
Hosts covered by Patch Management (%) | Identification of the gap in the patch management process | Patch Management Software; Systems Management Software
Unapplied Patch Latency (age of missing patch, per node) | Size of the window in which systems are vulnerable due to a missing patch | Patch Management Software
System Compliance with Approved Configuration (%) | Show conformance against configuration standards | Desktop Management Software; Change Control System
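The coverage and patch-latency rows above, worked through on a constructed host inventory: an added example (not code from the deck or its author). Host names, patch ids, dates and the patching window are made up; the point it adds is that a host outside the patch management tool has no latency value at all, so it must be reported as unmeasured rather than as fully patched.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Added example (not from the deck): the "Coverage and Control" metrics computed
# from a constructed host inventory. Host names, patch ids and dates are made up.

@dataclass(frozen=True)
class Host:
    name: str
    in_patch_mgmt: bool                                 # enrolled in the patch management tool
    missing_patches: Tuple[Tuple[str, date], ...] = ()  # (patch id, release date) still unapplied

AS_OF = date(2024, 3, 31)  # measurement date for this constructed report

INVENTORY = [
    Host("web-01", True, (("KB-A", date(2024, 3, 1)), ("KB-B", date(2024, 3, 20)))),
    Host("web-02", True, ()),
    Host("db-01", True, (("KB-A", date(2024, 3, 1)),)),
    Host("legacy-07", False),  # not enrolled: its patch state is unknown, not "clean"
]

def patch_coverage_pct(hosts: List[Host]) -> float:
    """Hosts covered by Patch Management (%): the gap is everything below 100."""
    return round(100.0 * sum(h.in_patch_mgmt for h in hosts) / len(hosts), 1)

def patch_latency_days(host: Host, as_of: date = AS_OF) -> Optional[int]:
    """Unapplied Patch Latency per node: age in days of the oldest missing patch.
    Unenrolled hosts return None: the metric cannot be measured there, which is
    itself a coverage finding rather than a zero."""
    if not host.in_patch_mgmt:
        return None
    if not host.missing_patches:
        return 0
    return max((as_of - released).days for _, released in host.missing_patches)

def latency_report(hosts: List[Host], as_of: date = AS_OF) -> List[Tuple[str, Optional[int]]]:
    """Per-node latency, largest vulnerability window first, unmeasured nodes last."""
    rows = [(h.name, patch_latency_days(h, as_of)) for h in hosts]
    return sorted(rows, key=lambda r: -1 if r[1] is None else r[1], reverse=True)

def pct_over_window(hosts: List[Host], max_days: int, as_of: date = AS_OF) -> Optional[float]:
    """Share (%) of measured hosts whose oldest missing patch is older than the
    agreed patching window, i.e. how much of the fleet is outside policy."""
    measured = [d for d in (patch_latency_days(h, as_of) for h in hosts) if d is not None]
    if not measured:
        return None
    return round(100.0 * sum(d > max_days for d in measured) / len(measured), 1)
```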

Page 14:

4 – Measuring Technical Security
Availability and Reliability

Metric | Purpose | Source
Unplanned Downtime (%) | Amount of variance in the change control process | Monitoring Software
Mean time to recovery (time) | Time it takes to recover from incidents | Trouble Ticketing; System Logs; Spreadsheets
Change Control Exceptions per period (#, %) | How often special exceptions are made for rushing through changes | Change Control System
Change Control Violations per period (#, %) | How often Change Control is willfully violated | Change Control System; System Logs; SIM

Page 15:

5 – Measuring Security Program

• Frameworks: COBIT, ISO 2700X, NIST...
• Security Program contains Controls
• Some Controls are also Processes
• Examples of Security Processes include:
  – Risk Management
  – Policy Development and Compliance
  – Human Resource Security
  – Human Education
  – Incident Management
  – Information Continuity Management

Page 16:

5 – Measuring Security Program
- Planning and Organization -

Process | Metric | Purpose
Assess and Manage IT Risks | % of Critical Assets with documented Risk Assessment | How much do we know (or do not know) about the risks being faced by other critical assets?
Assess and Manage IT Risks | % of Critical Assets residing on Compliant Systems | How many critical assets reside on systems that are compliant with the organization's security standards?
Assess and Manage IT Risks | % of Critical Assets reviewed for physical security | How many critical assets are physically protected?
Manage Human Resource Security | % of Job Descriptions defining InfoSec roles, responsibilities, skills, certifications | Are security responsibilities included in JDs in order to ensure that staff are aware of what is expected from them?

Page 17:

5 – Measuring Security Program
- Acquisition and Implementation -

Process | Metric | Purpose
Identify Automated Solutions | % of new systems with initial security consultations | How frequently are security teams engaged when business units draw up requirements for new information systems?
Install and Accredit Solutions and Changes | % of systems with security accreditation (signed-off and risk accepted) | How many systems are there for which the owners have signed that they understand and accept the residual risks?
Enable Operation and Use | % of systems with operational procedures related to security | How many systems have procedures related to monitoring, data security, business continuity, security responsibilities, etc.?

Page 18:

5 – Measuring Security Program
- Delivery and Support -

Process | Metric | Purpose
Educate and Train Users | % of existing employees completing refresher training | Are employees receiving training at intervals consistent with the organization's policy?
Educate and Train Users | Correlation of password strength or tailgating with training delivered | Are security education efforts leading to measurable results?
Access Control | % of user IDs assigned to more than one person | How many user IDs are shared, for which accountability cannot be established?
Access Control | % of systems with role-based access implemented | How many systems have permissions granted to roles, and roles assigned to users?

Page 19:

5 – Measuring Security Program
- Delivery and Support -

Process | Metric | Purpose
Access Control | % of 'HIGH-RISK' users with both application and systems access | Which users possess a significant amount of privileged access to systems?
Access Control | % of 'HIGH-RISK' users whose entitlements and activities are reviewed in this period | How many HIGH-RISK users' privileges and activities are being monitored?
Managing Data | Bytes sent and received, by customers, external employees, vendors, partners | How much information is flowing into the organization on a daily, monthly, and yearly basis?
Managing Data | % of toxic data from all data | How much information from all data is highly critical?

Page 20:

5 – Measuring Security Program
- Monitor and Evaluate -

Process | Metric | Purpose
System Monitoring | % of systems with monitored event and activity logs | To what extent does the organization monitor the security of its information systems?
System Monitoring | % of systems monitored for deviation against approved standards or configurations | To what extent are systems monitored for changes to their configuration?
Evaluate Internal Controls | % of critical systems reviewed for effectiveness and compliance with controls | Are security controls working as designed?
Ensuring Regulatory Compliance | % of external requirements compliant per external audit | Have audits uncovered serious weaknesses in existing controls?

Page 21:

Questions?

Nabil A. [email protected]