Copyright ©2011 Savid Technologies, Inc. All Rights Reserved
Security is Not A Four Letter Word
Michael A. Davis, Chief Executive Officer
Savid Technologies, Inc.
http://www.savidtech.com
Who am I?
» Michael A. Davis
  – CEO of Savid Technologies
  – Published Author
    • Hacking Exposed, HE: Malware and Rootkits
    • IT Auditor Magazine, InformationWeek, DarkReading
  – Speaker at Major Security Conferences
    • Defcon, CanSecWest, Toorcon, Hack In The Box
  – Open Source Software Developer
    • Snort
    • Nmap
    • Dsniff
Author
InformationWeek Contributor
The Issue
“Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.“
They are paying attention
You Protect, They Apologize
According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)
Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
Metrics, we need metrics!
Why do we care?
» Management asks:
  – “Are we Secure?”
» Without metrics:
  – “Depends how you look at it”
» With metrics:
  – “Look at our risk score before this project; it dropped 15%. We are more secure today than yesterday.”
Motorola CISO on Metrics
» “Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.” (William Boni, President/CISO, Motorola Inc., www.secmet.org)
What is success?
» From the ITPI (IT Process Institute) study
» High performers maintain a posture of compliance
  – Fewest number of repeat audit findings
  – One-third the amount of audit preparation effort
» High performers find and fix security breaches faster
  – 5 times more likely to detect breaches by automated control
  – 5 times less likely to have breaches result in a loss event
» When high performers implement changes…
  – 14 times more changes
  – One-half the change failure rate
  – One-quarter the change failure rate
  – 10x faster MTTR for Sev 1 outages
» When high performers manage IT resources…
  – One-third the amount of unplanned work
  – 8 times more projects and IT services
  – 6 times more applications
Where/What to measure
Examples of metrics
» Baseline Defenses Coverage (AV, FW, etc.)
  – Measurement of how well you are protecting your enterprise against the most basic information security threats.
  – Target 94% to 98%; less than 90% is cause for concern
» Patch Latency
  – Time between a patch’s release and your successful deployment of that patch.
  – Express as averages, broken out by criticality
» Platform Security Scores
  – Measures adherence to your hardening guidelines
» Compliance
  – Measure departments against security standards
  – Example: number of Linux servers at least 90% compliant with the Linux platform security standard
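The three metrics above computed over a small inventory, as an added example (not code from the deck or from Savid Technologies). HOSTS, PATCHES and AS_OF are constructed sample data; the coverage bands (94% and above on target, below 90% a concern) and the "servers at least 90% compliant" rule follow the deck's definitions. Note how an undeployed patch is handled: it is counted at its current age rather than dropped, so the latency figure cannot be made to look good by never shipping a patch.

```python
"""Computing three of the metrics above over a constructed inventory.

Added example, not code from the original deck. HOSTS, PATCHES and AS_OF
are constructed sample data; the coverage bands (>=94% on target, <90%
concern) and the "servers at least 90% compliant" rule follow the deck.
"""
from datetime import date
from statistics import mean

# Constructed host inventory: are the baseline controls present, and what is
# the host's score against the platform hardening checklist (0.0 - 1.0)?
HOSTS = [
    {"name": "web01", "os": "linux",   "av": True,  "fw": True,  "hardening": 0.95},
    {"name": "web02", "os": "linux",   "av": True,  "fw": False, "hardening": 0.88},
    {"name": "db01",  "os": "linux",   "av": True,  "fw": True,  "hardening": 0.92},
    {"name": "hr01",  "os": "windows", "av": False, "fw": True,  "hardening": 0.70},
    {"name": "fin01", "os": "windows", "av": True,  "fw": True,  "hardening": 0.97},
]

# Constructed patch log; deployed=None means still outstanding at AS_OF.
AS_OF = date(2011, 6, 30)
PATCHES = [
    {"id": "P-1", "criticality": "critical", "released": date(2011, 6, 1),  "deployed": date(2011, 6, 4)},
    {"id": "P-2", "criticality": "critical", "released": date(2011, 6, 10), "deployed": None},
    {"id": "P-3", "criticality": "high",     "released": date(2011, 5, 20), "deployed": date(2011, 6, 3)},
    {"id": "P-4", "criticality": "low",      "released": date(2011, 5, 1),  "deployed": date(2011, 6, 20)},
]


def baseline_coverage(hosts, controls=("av", "fw")):
    """Percent of hosts with every baseline control present, and its band."""
    covered = sum(1 for h in hosts if all(h[c] for c in controls))
    pct = 100.0 * covered / len(hosts)
    if pct < 90:
        band = "concern"
    elif pct < 94:
        band = "below target"
    else:
        band = "on target"
    return pct, band


def patch_latency(patches, as_of=AS_OF):
    """Mean days from vendor release to successful deployment, per criticality.

    An undeployed patch is counted at its age so far, so it keeps dragging the
    average up until it ships instead of silently dropping out of the metric.
    """
    days_by_crit = {}
    for p in patches:
        end = p["deployed"] or as_of
        days_by_crit.setdefault(p["criticality"], []).append((end - p["released"]).days)
    return {crit: mean(days) for crit, days in days_by_crit.items()}


def platform_compliance(hosts, os_name, threshold=0.90):
    """(compliant count, platform count, compliant names) for one platform standard."""
    platform = [h for h in hosts if h["os"] == os_name]
    compliant = [h["name"] for h in platform if h["hardening"] >= threshold]
    return len(compliant), len(platform), compliant


def metric_report(hosts=HOSTS, patches=PATCHES):
    """The three metrics in one dict, ready for a dashboard or a trend file."""
    pct, band = baseline_coverage(hosts)
    n_ok, n_all, _ = platform_compliance(hosts, "linux")
    return {
        "baseline_coverage_pct": pct,
        "baseline_coverage_band": band,
        "patch_latency_days": patch_latency(patches),
        "linux_compliant": f"{n_ok}/{n_all}",
    }


if __name__ == "__main__":
    for key, value in metric_report().items():
        print(f"{key}: {value}")
```

On this sample the coverage metric lands at 60%, squarely in the "concern" band, and the critical patch latency is pulled from 3 days to 11.5 by the one patch that has not shipped. Run it on a real inventory export by replacing the two constructed lists.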
SMART Metrics
» Specific: The outcome or end result is very clear to you and all audiences.
» Measurable: You can tell if you have achieved your goal because you can count it or see it.
» Attainable: While achieving the outcome might be a challenge, it is possible with the current team and resources.
» Results-Oriented: The goal is in line with the results the business and the security program expect.
» Time bound: A specific date has been set by which to achieve the goal.
Categorize the metric
» Prevention – Prevent an attack from taking place
» Detection – Detect a violation of policy
» Response – Respond to stop an attack
» Recovery – Assess damage and continue operating if an attack is successful
Example Metric Catalog
Visualization – Pretty Graphs
» Good Visualization of Metrics
  – Don’t oversimplify
  – Don’t be overly ornate
  – Do use a consistent scale
  – Do include a benchmark
» Without a benchmark, metrics are useless!
Balanced Score Card

Financial (F1-F4)
  Metric                          Target
  Security unit costs             Lower unit costs
  On-time rate of accreditations  100% on time
  Enterprise risk rating          Maintain .3 rating
  Business impact of incidents    <25hrs/Q
  Projects on-time/budget         <10% variance
  Cyber PBI ratings               >95% green

Customer (C1-C4)
  Metric                  Target
  Communication           >80% survey scores
  Compliance              >70% survey scores
  Customer Support        >80% survey scores
  Program Input           >90% governance participation
  Time per accreditation  >95% CA/avg times
  Customer Satisfaction   >80% survey scores

Internal Processes (IP1-IP7)
  Metric                  Target
  AOE: Opex reduction     >=2.5% Q/Q
  AOE: SLA performance    <10% variance
  CSIPP: unplanned work   <=3/Q
  DISS: AOP risk mapping  >=80%
  DISS: BP tied to risk   >=30% key processes
  DISS: Red capabilities  Positive trend

Learning and Growth (LG1-LG3)
  Metric                  Target
  Training roadmap        <10% schedule variance
  Planned role rotations  >=1/Q
  Attrition reduction     Reduced attrition rate
  Strategic training      >50% training mapped to initiatives

Status legend (each row on the slide also carries a colour-coded Target status and Initiative status):
  Hits target. Initiative on track
  Short of target. Initiative recoverable
  Failed process. Initiative not recoverable
  Target not defined. No initiative

Note: BSC target performance scores are represented here for explanatory purposes only
Who are you?
» ROI
» ROSI
» TCO
» Cost/Benefit Analysis
» Modified Annual Loss Expectancy
» Patch Latency
» SPAM/AV Stats
» # of Vulns
We all do them
Source: 2011 InformationWeek Analytics Strategic Security Survey
The Reality
Source: 2011 InformationWeek Analytics Strategic Security Survey
Your Assumptions Are Wrong
» You are not “in the business”
  – Uphill battle to get your ROI believed
» Too many variables
  – Don’t be a geek
  – .6, .55, .61 – it doesn’t matter
» Accuracy > Precision
  – Correctly reflects the size of the thing being measured
  – Repeatable
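The ".6, .55, .61 – it doesn't matter" and "Accuracy > Precision" points, worked through numerically, as an added example that is not part of the deck. It uses the ROSI and ALE terms from the "Who are you?" slide with the common textbook formulas, which the deck itself does not spell out (an assumption here): ALE = SLE × ARO and ROSI = (ALE × mitigation − cost) / cost. All dollar and probability figures are constructed. The grid evaluation shows that sweeping the probability estimate across .55/.60/.61 never changes the invest decision, while being wrong about the size of the loss by one order of magnitude flips it.

```python
"""ROSI across a range of estimates: does the third decimal place matter?

Added example, not from the original deck. It uses the common textbook
formulas, which the deck does not spell out (assumption):
    ALE  = SLE * ARO                         annual loss expectancy
    ROSI = (ALE * mitigation - cost) / cost  return on the control
All dollar and probability figures are constructed.
"""
from itertools import product


def ale(sle, aro):
    """Annual loss expectancy: single loss expectancy times annual rate of occurrence."""
    return sle * aro


def rosi(sle, aro, mitigation, cost):
    """Avoided annual loss minus the control's annual cost, relative to that cost."""
    return (ale(sle, aro) * mitigation - cost) / cost


def break_even_aro(sle, mitigation, cost):
    """The ARO at which the control exactly pays for itself (ROSI == 0)."""
    return cost / (sle * mitigation)


def sensitivity(sle, aros, mitigations, cost):
    """Evaluate ROSI over every (ARO, mitigation) pair.

    Returns (fraction of scenarios where investing pays, lowest ROSI, highest ROSI).
    A fraction of 1.0 or 0.0 means the decision is robust to those estimates;
    anything in between means the estimates, not the arithmetic, decide it.
    """
    results = [rosi(sle, a, m, cost) for a, m in product(aros, mitigations)]
    positive = sum(1 for r in results if r > 0)
    return positive / len(results), min(results), max(results)


if __name__ == "__main__":
    # Constructed scenario: a $200k breach, a $50k/yr control that blocks 70-80% of them.
    aros = (0.55, 0.60, 0.61)  # the deck's ".6, .55, .61" argument over precision
    mits = (0.7, 0.8)
    frac, lo, hi = sensitivity(200_000, aros, mits, 50_000)
    print(f"SLE=$200k: {frac:.0%} of scenarios pay off, ROSI {lo:.2f}..{hi:.2f}")
    print(f"  decision flips only below ARO={break_even_aro(200_000, 0.7, 50_000):.2f}")
    # Same precision on the probability, but the loss was overstated 10x:
    frac, lo, hi = sensitivity(20_000, aros, mits, 50_000)
    print(f"SLE=$20k:  {frac:.0%} of scenarios pay off, ROSI {lo:.2f}..{hi:.2f}")
```

The break-even figure is the one worth putting in front of management: with a $200k loss and 70% mitigation the control pays off at any ARO above roughly 0.36, so arguing over 0.55 versus 0.61 is wasted effort, whereas the loss estimate has to be accurate to within a factor of a few or the answer changes.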
Communication
» Talking about numbers and risk is hard
  – Difficult to conceptualize
» “It didn’t happen last year, so it won’t this year”
» Lack of descriptive scenarios that relate actual risk to investment and to changes in the environment
» You are not a sales person, but you have to “Sell Security”
» You have not been educated on “how” to communicate complex projects
Business Strategy is Key
» How do you use “industry data”?
» How do you relate every security metric to the business’s strategic objectives?
» Reduced risk isn’t always important
  – Probability is what matters
» Your numbers are a point in time and don’t show internal trends
» The stakeholders, and the core team, can make or break your plans
2011 Strategic Security Report
» All the 2011 Survey Data
» Latest Trends
  – Mobile Threats
  – Social Media
  – Virtualization
» Contact me for a free copy (worth $199!)
» [email protected]
» (708) 243-2850
Conclusion
» Thank you
» Michael A. Davis
» [email protected]
» (708) 243-2850
» Questions?