
Security Planning

Susan Lincke

Defining Security Metrics

Security Planning: An Applied Approach | 04/19/23 | 2

SABSA High-Level Framework


Gap Analysis

The difference between where you are and where you want to be. Example metrics:
• # malware infections / month
• Rate of finding illegal (unapproved) software or hardware
• Security awareness training averages


SEI/COBIT Level 4 (Monitoring): Includes Metrics

Metrics inform management (and independent auditors) of the effectiveness of the security program.

Monitoring achievement of control objectives may be more important than perfecting security procedures.


Which metrics to use?

Business-Driven
• Addresses specific business risks
• Inherent industry risks
• Tailored to the organization
• Measures adherence to control objectives

Technology-Driven
• Addresses recent threats observed by CERT (CERT: Computer Emergency Readiness Team)
• Addresses recent forensic data


Monitoring Function: Business-Driven Metrics

Strategic Metrics: Executive management is interested in risk, budget, policy. Review every 6 months to 1 year.

Tactical Metrics: Determine effectiveness of the security program: risk changes, compliance, incident response tests. Review quarterly to half-yearly.

Operational Metrics: Technical details, e.g., firewall, logs, IPS, vulnerability tests. Review weekly. Automate statistics.


Monitoring Function: Business-Driven Metrics (examples)

Strategic Metrics:
• Project plan or budget metrics
• Risk performance
• Disaster Recovery test results
• Audit results
• Regulatory compliance results

Tactical Metrics:
• Policy compliance metrics
• Exceptions to policy/standards
• Changes in process or system affecting risk
• Incident management effectiveness

Operational Metrics:
• Vulnerability scan results
• Server configuration standards compliance
• IDS monitoring results
• Firewall log analysis
• Patch management status


Which metrics?

Step 1: What are the most important security areas (threats, regulation, …) to monitor in your organization?

Step 2: Which metrics make the most sense to collect? Can they be automated?

Step 3: Consider the 3 perspectives (strategic, tactical, operational metrics) relative to their 3 audiences.


Monitoring Function: Metrics

Risk:
• The aggregate ALE
• % of risk eliminated, mitigated, transferred
• # of open risks due to inaction

Cost Effectiveness:
• Cost of workstation security per user
• Cost of email spam and virus protection per mailbox

Operational Performance:
• Time to detect and contain incidents
• % packages installed without problem
• % of systems audited in last quarter

Organizational Awareness:
• % of employees passing quiz, after training vs. 3 months later
• % of employees taking training

Technical Security Architecture:
• # of malware identified and neutralized
• Types of compromises, by severity & attack type
• Attack attempts repelled by control devices
• Volume of messages, KB processed by communications control devices

Security Process Monitoring:
• Last date and type of BCP, DRP, IRP testing
• Last date asset inventories were reviewed & updated
• Frequency of executive management review activities compared to planned


Monitoring Function: Metrics cont'd

Security Management Framework:
• Completeness and clarity of security documentation
• Inclusion of security in each project plan
• Rate of issue recurrence

Compliance:
• Rate of compliance with regulation or policy
• Rate of automation of compliance tests
• Frequency of compliance testing

Secure Software Development:
• Rate of projects passing compliance audits
• Percent of development staff certified in security
• Rate of teams reporting code reviews on high-risk code in past 6 months

Incident Response Metrics:
• # of reported incidents
• # of detected incidents
• Average time to respond to an incident
• Average time to resolve an incident
• Total number of incidents successfully resolved
• Total damage from reported or detected incidents
• Total damage if incidents had not been contained in a timely manner
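The incident response metrics above can be computed directly from a ticket export. The following is an added example, not code from the book or its workbook; the CSV columns, the constructed incident rows and the "reported vs. detected" source field are assumptions made for the illustration.

```python
"""Incident response metrics from an incident-ticket export.

Added example (not from the book). Computes the slide's incident response
metrics from constructed incident records in an assumed CSV layout:
reported vs detected counts, mean time to respond and to resolve, number
resolved/open, total damage, and the damage avoided by timely containment.
"""
import csv
import io
from datetime import datetime

# Constructed incident records (assumed columns). 'source' records how the
# incident entered the process: 'reported' by a person, 'detected' by a tool.
# An empty 'resolved' field means the incident is still open.
INCIDENTS_CSV = """\
id,source,occurred,responded,resolved,damage_usd,damage_if_uncontained_usd
1,detected,2023-03-01T09:00,2023-03-01T09:30,2023-03-01T13:30,1200,20000
2,reported,2023-03-04T14:00,2023-03-04T16:00,2023-03-06T16:00,5000,5000
3,detected,2023-03-10T02:15,2023-03-10T02:20,2023-03-10T03:20,0,15000
4,reported,2023-03-12T11:00,2023-03-12T12:00,,800,3000
"""


def load_incidents(text):
    """Parse the CSV into dicts with datetime and float fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("occurred", "responded", "resolved"):
            row[col] = datetime.fromisoformat(row[col]) if row[col] else None
        row["damage_usd"] = float(row["damage_usd"])
        row["damage_if_uncontained_usd"] = float(row["damage_if_uncontained_usd"])
        rows.append(row)
    return rows


def _mean_hours(deltas):
    """Mean of a list of timedeltas in hours (2 decimals); None if empty."""
    if not deltas:
        return None
    return round(sum(d.total_seconds() for d in deltas) / len(deltas) / 3600, 2)


def ir_metrics(incidents):
    """Return the incident response metric set for a reporting period."""
    respond = [i["responded"] - i["occurred"] for i in incidents if i["responded"]]
    resolve = [i["resolved"] - i["occurred"] for i in incidents if i["resolved"]]
    damage = sum(i["damage_usd"] for i in incidents)
    potential = sum(i["damage_if_uncontained_usd"] for i in incidents)
    return {
        "reported": sum(1 for i in incidents if i["source"] == "reported"),
        "detected": sum(1 for i in incidents if i["source"] == "detected"),
        "avg_hours_to_respond": _mean_hours(respond),
        "avg_hours_to_resolve": _mean_hours(resolve),
        "resolved": len(resolve),
        "open": len(incidents) - len(resolve),
        "total_damage_usd": damage,
        "damage_if_uncontained_usd": potential,
        # What timely containment saved: the slide's last metric minus actual damage.
        "damage_avoided_usd": potential - damage,
    }


if __name__ == "__main__":
    for name, value in ir_metrics(load_incidents(INCIDENTS_CSV)).items():
        print(f"{name:28s} {value}")
```

Time to respond is measured from when the incident occurred, not from when it was noticed, so a slow detection shows up in this number as well; if only the response team's own performance is wanted, measure from the detection timestamp instead.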


Workbook: Metrics

Metrics Selected

Category    | Metric                                | Calculation & Collection Method                        | Period of Reporting
Strategic   | Cost of security / terminal           | Information Tech. Group                                | 1 year
Strategic   | Cost of incidents                     | Incident Response totals                               | 6 months
Tactical    | % employees passing FERPA quiz        | Annual email requesting testing                        | 1 year
Tactical    | % employees completing FERPA training | Two annual trainings with sign-in; performance review  | 1 year
Tactical    | # hours Web unavailable               | Incident Response form                                 | 6 months
Operational | # brute force attacks                 | Incident Response form                                 | 1 month
Operational | # malware infections                  | Incident Response form                                 | 1 month

Major Risks: FERPA violation; cracking attempt; Web availability; lunatic gunman

What are the most important areas to monitor in your organization?


TECHNOLOGY-DRIVEN METRICS

SANS-Recommended

Critical Controls for Effective Cyber Defense


Creating a baseline configuration of network


Noticing inappropriate 'additions' to the network

• New PC
• New wireless device
• New AP


Checking the security configuration of network

Endpoints: Patched? Legal (approved) software? Firewall on & security configured? Antivirus on and patched? USB access limited?

Wireless: WPA2 with AES, EAP-TLS?

Applications: Withstand attacks? SQL injection, buffer overflow, cross-site scripting, clickjacking, …

Network: Monitored?


Noticing inappropriate actions

• New sys admin or user account
• Transfer of confidential data or illegal packets
• Detect new network service


SANS: Critical Controls for Effective Cyber Defense

Typical SANS Metric:

Temporarily install unauthorized software, hardware or configuration on a device. It should be:
• found within 24 hours (or best: 2 minutes)
• isolated within one hour, confirmed by alert/email
• reported every 24 hours until the issue is resolved.


SANS Critical Control 1: Inventory of Authorized Devices

Ensure all devices (with an IP address) on the network are known, configured properly, and patched. Scan the network daily, or use DHCP reports or passive monitoring. Compare results with the baseline configuration.

Metric: Temporarily install an unauthorized device and measure how long it takes to be found.
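The inventory comparison and the time-to-detect metric can be scripted. The following is an added example, not code from the book or from SANS; the baseline dictionary, the scan line format (timestamp, MAC, IP, reported hostname) and the time at which the test device was plugged in are all constructed for the illustration.

```python
"""Authorized-device inventory check (SANS Critical Control 1).

Added example (not from the book). Compares constructed daily scan output
against a constructed baseline of authorized devices, reports anything not
in the baseline, and scores the detection latency against the SANS targets:
24 hours as the initial target, 2 minutes as the stretch goal.
"""
from datetime import datetime, timedelta

# Constructed baseline inventory: MAC address -> (hostname, owner).
BASELINE = {
    "00:11:22:33:44:01": ("ws-lab-01", "J. Smith"),
    "00:11:22:33:44:02": ("srv-web-01", "IT Group"),
    "00:11:22:33:44:03": ("ap-floor2", "IT Group"),
}

# Constructed scan output, one device per line (assumed format):
#   <timestamp> <mac> <ip> <hostname-as-reported>
# Real input would come from an ARP/DHCP export or an nmap run.
SCANS = """\
2023-04-19T08:00:00 00:11:22:33:44:01 10.0.1.10 ws-lab-01
2023-04-19T08:00:00 00:11:22:33:44:02 10.0.1.20 srv-web-01
2023-04-19T08:00:00 00:11:22:33:44:03 10.0.1.2 ap-floor2
2023-04-20T08:00:00 00:11:22:33:44:01 10.0.1.10 ws-lab-01
2023-04-20T08:00:00 00:11:22:33:44:02 10.0.1.20 srv-web-01
2023-04-20T08:00:00 00:11:22:33:44:03 10.0.1.2 ap-floor2
2023-04-20T08:00:00 de:ad:be:ef:00:01 10.0.1.77 android-7f3a
"""

INITIAL_TARGET = timedelta(hours=24)   # SANS initial target
STRETCH_TARGET = timedelta(minutes=2)  # SANS "best" target


def parse_scans(text):
    """Parse scan lines into (timestamp, mac, ip, hostname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, host = line.split()
        records.append((datetime.fromisoformat(ts), mac.lower(), ip, host))
    return records


def unauthorized_devices(records, baseline):
    """Return {mac: (first_seen, ip, hostname)} for devices not in the baseline."""
    found = {}
    for ts, mac, ip, host in sorted(records):
        if mac not in baseline and mac not in found:
            found[mac] = (ts, ip, host)
    return found


def rate_detection(latency):
    """Classify a detection latency against the SANS targets."""
    if latency <= STRETCH_TARGET:
        return "meets 2-minute target"
    if latency <= INITIAL_TARGET:
        return "meets 24-hour target"
    return "FAIL: exceeds 24-hour target"


def run_check(scans=SCANS, baseline=BASELINE,
              installed_at=datetime(2023, 4, 19, 14, 30)):
    """Run the metric: the test device was plugged in at installed_at (assumed)."""
    results = {}
    for mac, (first_seen, ip, host) in unauthorized_devices(parse_scans(scans), baseline).items():
        latency = first_seen - installed_at
        results[mac] = (ip, host, latency, rate_detection(latency))
    return results


if __name__ == "__main__":
    for mac, (ip, host, latency, verdict) in run_check().items():
        print(f"unauthorized {mac} ({host}, {ip}): seen after {latency} -> {verdict}")
```

With a once-a-day scan the best achievable latency is bounded by the scan interval, which is why the slide suggests DHCP reports or passive monitoring: those see a new MAC the moment it requests an address or sends a packet, and are what makes the 2-minute target reachable.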


SANS Critical Control 2: Inventory of Authorized Software

Ensure all software is approved and recently patched.
• Whitelist defines the permitted list of software.
• Blacklist defines illegal software (e.g., IT tools).
• Endpoint Security Suites (ESS) contain antivirus, antispyware, firewall, IDS/IPS, software white/blacklisting.

Metric: Temporarily install unauthorized software on a device.


SANS Critical Control 3: Secure Configurations for Hardware & Software

All devices are hardened using recommended security configurations.
• An illegal software list exists; it includes Telnet, VNC, RDP.
• New software is quarantined and monitored.
• Imaged software is maintained in an updated state.
Build secure images, and use configuration checking tools daily.

Metric: Temporarily attempt to change a set of random configurations.


SANS Critical Control 4: Continuous Vulnerability Assessment

Run vulnerability scans on all systems at least weekly, preferably daily. Problem fixes are verified through additional scans.
• Vulnerability scanning tools (kept updated) for: wireless, server, endpoint, etc.
• Automated patch management tools notify via email when all systems have been patched.

Metric: If the scan does not complete in 24 hours, an email notification occurs.


SANS Critical Control 5: Malware Defense

Antivirus/antispyware is always updated.
• Run against all data: shared files, server data, mobile data.

Additional controls: blocking social media, limiting external devices (USB), using web proxy gateways, network monitoring.
• The endpoint security suite's reporting tool confirms the suite is updated and active on all systems.

Metric: For an install of a benign test sample (e.g., a security/hacking tool), antivirus prevents installation or execution, or quarantines the software.
• Sends an alert/email within one hour indicating the specific device and owner.


SANS Critical Control 6: Application Software Security

New application software is tested for security vulnerabilities:
• Web vulnerabilities: buffer overflow, SQL injection, cross-site scripting, cross-site request forgery, clickjacking, and performance during DDoS attacks.
• Input validated for size, type.
• No system error messages reported directly to the user.

Automated testing includes static code analyzers and automated web scanning.

Configurations include application firewalls and hardened databases.

Metric: An attack on the software generates a log/email within 24 hours (or less).

Automated web scanning occurs weekly or daily.
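The three application checks on this slide (injection resistance, input validated for size and type, no raw error messages to the user) are easiest to see side by side. The following is an added example, not code from the book; the in-memory SQLite table, its rows and the username policy are constructed for the illustration.

```python
"""SQL injection: vulnerable lookup beside its hardened form
(SANS Critical Control 6).

Added example (not from the book). Builds a small in-memory SQLite table
with constructed rows and shows (a) a lookup that concatenates user input
into SQL, which a crafted username turns into "return every row", and
(b) a hardened lookup that validates input size and type, binds the value
as a query parameter, and returns a generic message instead of the
database's own error text.
"""
import re
import sqlite3

SCHEMA = "CREATE TABLE users (username TEXT, role TEXT, grade_access TEXT)"
ROWS = [  # constructed sample data
    ("alice", "student", "own"),
    ("bob", "student", "own"),
    ("registrar", "staff", "all"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """String-built SQL: attacker-controlled input becomes part of the query."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Assumed username policy: 3-32 chars, lowercase letter first, then [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


class InvalidInput(ValueError):
    pass


def validate_username(value):
    """Type and size check before the value gets anywhere near the database."""
    if not isinstance(value, str):
        raise InvalidInput("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise InvalidInput("username must be 3-32 chars: lowercase letters, digits, underscore")
    return value


def lookup_hardened(conn, username):
    """Validated input + parameterised query; errors are logged, never echoed."""
    try:
        name = validate_username(username)
        return conn.execute(
            "SELECT username, role FROM users WHERE username = ?", (name,)
        ).fetchall()
    except InvalidInput:
        return {"error": "invalid username"}      # generic message to the user
    except sqlite3.Error:
        # In production: log the exception with a request id; never return it.
        return {"error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # dumps every user
    print("hardened:  ", lookup_hardened(db, payload))     # rejected by validation
    print("hardened:  ", lookup_hardened(db, "alice"))
```

Parameter binding is the control that actually stops the injection; the validation step is defence in depth that also enforces the size/type rule from the slide, and the generic error strings are what keep database error messages away from the user.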


SANS Critical Control 7: Wireless Device Control

Wireless access points are securely configured with the WPA2 protocol and AES encryption.
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) provides mutual authentication.
• Only registered, security-approved devices are able to connect.
Wireless networks are configured for the minimum required radio footprint.

Metrics: Wireless intrusion detection systems detect available wireless access points and deactivate rogue access points within 1 hour. Vulnerability scanners can detect unauthorized wireless access points connected to the wired network.


SANS Critical Control 8: Data Recovery Capability

Backups are maintained at least weekly, and more often for critical data. Backups are encrypted and securely stored. Multiple staff can perform backup/recovery.

Metric: Test backups quarterly for a random sample of systems. This includes operating system, software, and data restoration.


SANS Critical Control 9: Security Skills Assessment

Security awareness training: required for end users, system owners.
Security training: necessary for programmers, system, security and network administrators.

Metric: Test security awareness understanding
• Periodically run social engineering tests via phishing emails and phone calls.
• Employees who fail a test must attend a class.


SANS Critical Control 10: Secure Network Configurations

A configuration database tracks approved configurations, under configuration management, for network devices: firewalls, routers, switches. Tools perform rule set sanity checking for Access Control Lists. Two-factor authentication is used for network devices.

Metric: Any change to the configuration of a network device is reported within 24 hours.
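Controls 3 and 10 both come down to the same two checks: does a device's configuration meet the hardening standard, and has it drifted from the approved copy? The following is an added example, not code from the book or from SANS; the key = value configuration format, the hardening standard, the prohibited-service list taken from the Control 3 slide, and the two configuration snapshots are all constructed for the illustration.

```python
"""Configuration standard compliance and change detection
(SANS Critical Controls 3 and 10).

Added example (not from the book). Checks a constructed device
configuration (key = value lines, an assumed format) against a constructed
hardening standard, flags the remote-access services the slide lists as
prohibited, and detects drift from the approved configuration by comparing
a SHA-256 fingerprint of the normalised settings.
"""
import hashlib
from datetime import datetime

# Constructed hardening standard: setting -> required value.
#   '!value' means the setting must NOT equal value; '*' means any non-empty value.
STANDARD = {
    "ssh.protocol": "2",
    "ssh.password_auth": "no",
    "ntp.enabled": "yes",
    "snmp.community": "!public",
    "logging.remote_host": "*",
}
# Services the Control 3 slide lists as illegal on hardened hosts.
PROHIBITED_SERVICES = {"telnet", "vnc", "rdp"}

# Constructed configuration as approved (the golden image).
APPROVED_CONFIG = """\
ssh.protocol = 2
ssh.password_auth = no
ntp.enabled = yes
snmp.community = Zq7!monitor
logging.remote_host = 10.0.5.5
services.enabled = ssh, https
"""

# The same device after an unreviewed change: password auth and telnet turned on.
DRIFTED_CONFIG = """\
ssh.protocol = 2
ssh.password_auth = yes
ntp.enabled = yes
snmp.community = Zq7!monitor
logging.remote_host = 10.0.5.5
services.enabled = ssh, https, telnet
"""


def parse_config(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_standard(cfg, standard=STANDARD, prohibited=PROHIBITED_SERVICES):
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []
    for key, required in standard.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append(f"{key}: missing (required {required!r})")
        elif required == "*":
            if not actual:
                findings.append(f"{key}: must be set")
        elif required.startswith("!"):
            if actual == required[1:]:
                findings.append(f"{key}: must not be {required[1:]!r}")
        elif actual != required:
            findings.append(f"{key}: is {actual!r}, required {required!r}")
    enabled = {s.strip().lower() for s in cfg.get("services.enabled", "").split(",") if s.strip()}
    for svc in sorted(enabled & prohibited):
        findings.append(f"services.enabled: prohibited service {svc!r} is enabled")
    return findings


def fingerprint(text):
    """SHA-256 over sorted, normalised settings, so reordering or whitespace is not 'change'."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(parse_config(text).items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def detect_change(approved_text, current_text, checked_at=None):
    """Report drift from the approved configuration, naming the changed keys."""
    if fingerprint(approved_text) == fingerprint(current_text):
        return None
    before, after = parse_config(approved_text), parse_config(current_text)
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    return {"detected_at": (checked_at or datetime.now()).isoformat(), "changed_keys": changed}


if __name__ == "__main__":
    print("approved findings:", check_standard(parse_config(APPROVED_CONFIG)))
    print("drifted findings: ", check_standard(parse_config(DRIFTED_CONFIG)))
    print("change report:    ", detect_change(APPROVED_CONFIG, DRIFTED_CONFIG,
                                               datetime(2023, 4, 20, 6, 0)))
```

Run daily as the Control 3 slide suggests, the timestamp in the change report is the raw material for the Control 10 metric: the gap between the change and `detected_at` must stay under 24 hours, and any change whose keys are not covered by an approved change ticket is the finding to escalate.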


SANS Critical Controls

11. Control of Network Ports, Protocols and Services: Default-deny packets. Periodically review for further restriction.

Metric: Measure time to recognize an added network service.

12. Controlled Administrative Privilege: Minimal elevated privileges. Passwords are complex, changed periodically, two-factor.

Metric: Measure time to recognize a new sys admin account.


SANS Critical Controls

13. Boundary Defense: Use firewall zones to filter incoming and outgoing traffic. Blacklist & whitelist network addresses.

Metric: Measure time to recognize unauthorized packets.

14. Analysis of Security Audit Logs: Server logs are append-only (write-once) and archived for months. Firewalls log all allowed and blocked traffic. Unauthorized access attempts are logged.

Metric: Measure time to recognize that log space is exhausted.


SANS Critical Controls

15. Need to Know Access: Prevent exfiltration of data (e.g., to competitors).
• Classify data
• Use restrictive firewall configurations
• Log access to confidential data

Metric: Measure time to recognize unauthorized access.

16. Account Monitoring and Control:
• Terminated accounts -> removed
• Expired password / disabled / locked-out accounts -> investigated
• Failed logins -> lockouts
• Inactivity -> locked sessions
• Unusual-time access -> alert
• Data exfiltration recognized by keywords

Metric: Measure time to recognize new/changed user accounts.


SANS Critical Controls

17. Data Loss Prevention: Prevent exfiltration of proprietary or confidential information.
• Encrypt mobile and USB devices
• Disable USB

Metric: Measure time to recognize transfer of a confidential data file.

18. Incident Response: The Incident Response Plan defines who does what for various conditions. The IRP includes contact information for third-party contractors.


SANS Critical Controls

19. Secure Network Engineering: Separate zones exist: DMZ, middleware, private network.
• DMZ accessed through a proxy firewall
• DMZ DNS is in the DMZ; internal DNS is in the internal zone, …
An emergency configuration for a restricted network is ready for quick deployment.

20. Penetration Tests: Penetration tests = vulnerability tests + attacker tests. Red Team exercises test incident response team reactions.

Metric: Measure false positive, false negative, true positive rate.
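Several of the "measure time to recognize" metrics above (Controls 12, 14 and 16) and the false positive / false negative / true positive metric of Control 20 can be exercised together: run detections over the logs, note when each alert would have fired, then score the alerts against what the red team actually did. The following is an added example, not code from the book or from SANS; the key=value auth-log format, the log lines, the three detection rules and the red-team action list are constructed for the illustration.

```python
"""Account and log monitoring with detection-rate scoring
(SANS Critical Controls 12, 14, 16 and 20).

Added example (not from the book). Runs three detections over constructed
auth-log lines in an assumed key=value format (brute-force lockout, new
administrative account, off-hours login), records when each alert fires
relative to the first related event (time to recognise), then scores the
alerts against a constructed red-team ground truth to give true positive,
false negative and false positive figures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: <timestamp> key=value ...
LOG = """\
2023-04-19T01:12:05 host=srv-web-01 event=login_failed user=admin src=203.0.113.9
2023-04-19T01:12:09 host=srv-web-01 event=login_failed user=admin src=203.0.113.9
2023-04-19T01:12:14 host=srv-web-01 event=login_failed user=admin src=203.0.113.9
2023-04-19T01:12:20 host=srv-web-01 event=login_failed user=admin src=203.0.113.9
2023-04-19T01:12:27 host=srv-web-01 event=login_failed user=admin src=203.0.113.9
2023-04-19T01:12:33 host=srv-web-01 event=login_failed user=admin src=203.0.113.9
2023-04-19T03:05:00 host=srv-db-01 event=login_ok user=jdoe src=10.0.1.15
2023-04-19T09:00:00 host=srv-db-01 event=login_ok user=jdoe src=10.0.1.15
2023-04-19T09:30:00 host=srv-db-01 event=user_added user=backup2 groups=wheel,backup by=jdoe
2023-04-19T09:31:00 host=srv-web-01 event=service_started port=4444 proto=tcp
2023-04-19T10:00:00 host=ws-lab-01 event=login_failed user=alice src=10.0.1.10
2023-04-19T10:00:30 host=ws-lab-01 event=login_ok user=alice src=10.0.1.10
"""

# Constructed red-team record of what was actually done during the exercise.
RED_TEAM_ACTIONS = {
    "bruteforce:203.0.113.9",
    "newadmin:backup2",
    "newservice:srv-web-01:4444",   # no rule below covers this: a false negative
}

FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window -> lockout alert
ADMIN_GROUPS = {"wheel", "sudo", "administrators"}
OFF_HOURS = (22, 6)                  # logins between 22:00 and 06:00 are unusual


def parse_log(text):
    """Parse each line into a dict with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect(events):
    """Return {alert_key: {'first_event': ts, 'raised': ts}}, first hit per key only."""
    alerts = {}
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    for ev in events:
        ts, kind = ev["ts"], ev["event"]
        if kind == "login_failed":
            window = [t for t in failures[ev["src"]] if ts - t <= FAIL_WINDOW] + [ts]
            failures[ev["src"]] = window
            if len(window) >= FAIL_THRESHOLD:
                alerts.setdefault("bruteforce:" + ev["src"],
                                  {"first_event": window[0], "raised": ts})
        elif kind == "user_added":
            groups = {g.lower() for g in ev.get("groups", "").split(",")}
            if groups & ADMIN_GROUPS:
                alerts.setdefault("newadmin:" + ev["user"], {"first_event": ts, "raised": ts})
        elif kind == "login_ok":
            start, end = OFF_HOURS
            if ts.hour >= start or ts.hour < end:
                alerts.setdefault("offhours:" + ev["user"], {"first_event": ts, "raised": ts})
    return alerts


def time_to_recognise(alerts):
    """Time between the first related event and the alert, per alert key."""
    return {k: v["raised"] - v["first_event"] for k, v in alerts.items()}


def score(alerts, truth):
    """TP/FP/FN counts and rates for a red-team exercise (Control 20)."""
    raised = set(alerts)
    tp, fp, fn = len(raised & truth), len(raised - truth), len(truth - raised)
    return {
        "tp": tp, "fp": fp, "fn": fn,
        "true_positive_rate": tp / (tp + fn) if tp + fn else None,   # recall
        "false_negative_rate": fn / (tp + fn) if tp + fn else None,
        "false_positive_share": fp / (tp + fp) if tp + fp else None, # share of alerts that were noise
        "missed": sorted(truth - raised),
        "noise": sorted(raised - truth),
    }


if __name__ == "__main__":
    found = detect(parse_log(LOG))
    for key, lag in time_to_recognise(found).items():
        print(f"{key}: recognised after {lag}")
    print(score(found, RED_TEAM_ACTIONS))
```

The scoring deliberately reports a false-positive share of alerts rather than a classic false positive rate, because a log stream has no natural count of "negative events" to divide by; the missed and noise lists are what the red-team debrief actually needs, since each missed action is a detection gap and each noise alert is a rule to tune (here, the off-hours rule needs a maintenance-window exception).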


Question

The difference between where an organization performs and where it intends to perform is known as:

1. Gap analysis
2. Quality Control
3. Performance Measurement
4. Benchmarking


Question

The MOST important metrics when measuring compliance include:

1. Metrics most easily automated
2. Metrics related to intrusion detection
3. Those recommended by best practices
4. Metrics measuring conformance to policy


Question

SANS recommends that the initial maximum allowable time to detect a problem in a network or server configuration is:

1. Two minutes
2. One hour
3. One day
4. One week