10 Steps to Achieve Risk-Based Security Management
Daniel Blander, Techtonica; Cindy Valladares, Product Marketing at Tripwire

Ten Steps to Improve Enterprise Security Strategies


DESCRIPTION

The full webcast that accompanies this slide deck is available here: http://www.tripwire.com/register/10-steps-to-risk-based-security-management-emea/

An organization’s investment in security should not stop at simply meeting compliance standards. A risk-based approach to information security will not only help you achieve continuous compliance, but also protect the information security assets of your organization. This webcast (click here) and slide deck (below) discuss ten steps to improve risk and security strategies and provide a simple framework for executing a risk-based security management program. In addition, Techtonica‘s Daniel Blander (@djbphaedrus) and I share stories about how organizations are successfully relating compliance and security initiatives to risk management and aligning their efforts with business objectives.

We also discuss how enterprises are finding the need to be more proactive in security. Essentially, they want to move from simply focusing on alerting to providing useful information that actually enables strategic decisions. Another dynamic at play is that compliance is really beginning to drive conversations around risk management; this is a result of audits’ focus on top-down, risk-based compliance. In addition, executive management needs to allocate budgets more effectively based on objective measures. Since many of these executives are financial professionals, they are accustomed to balancing risk versus reward. Finally, many of the higher-profile information security events and breaches are more visible than ever to non-technical executives and our environment. How many executives in your company read the Wall Street Journal or another digital news source, then send around lots of links to stories that relate to information security? This surge of interest provides a prime opportunity for us to engage with them around the importance of what we do every day.


Page 1: Ten Steps to Improve Enterprise Security Strategies

10 Steps to Achieve Risk-Based Security Management
Daniel Blander, Techtonica
Cindy Valladares, Product Marketing at Tripwire


Page 3

IT SECURITY & COMPLIANCE AUTOMATION

@TripwireInc @cindyv

@djbphaedrus

Today’s Speakers

Daniel Blander, Techtonica (@djbphaedrus)

Cindy Valladares, Product Marketing Manager, Tripwire (@cindyv)

Page 4

A HISTORY OF EXCELLENCE

Headquartered in Portland, Oregon

Founded in 1997

Open source legacy since ‘80s

Over 300 employees worldwide

Over 6,000 customers in 96 countries

46% of Fortune 500 rely on Tripwire technology

Award-winning, patented technology

Page 5

Interest in Risk Management is Spiking

Increasingly required to engage non-technical executives for budget

Habitual security spending not aligned with the business

More objective methods needed to allocate limited budgets

Scary things in the news, noticed by business guys

Compliance is driving the conversation around risk

Page 6

Compliance Requirements Address Risk Management

PCI DSS v2.0 and Risk Management SIG
• Req 12.1.2 – annual process that results in a formal risk assessment
• Req 5 – Maintain a vulnerability management program; schedule based on risk/priority
• Req 6.2 – Assigns risk ranking to newly discovered vulnerabilities

IT Grundschutz
• Methodology for identification, characterization, analysis, evaluation, assessment, treatment, acceptance and communication of risks

Basel II
• Ensure that banks have adequate capital for the risks they’re exposed to

ISO 27005
• Information security risk management standard

Monetary Authority of Singapore (MAS)
• ITBRM – Internet Technology Banking Risk Management

Page 7

What is Risk-Based Security Management?

Let’s first define Risk

Risk = Probability × Impact

An approach that relates the costs of mitigating risks to the perceived value of an asset in the context of:
• Threats
• Vulnerabilities
• Impacts to the business

Part of a wider Enterprise Risk Management system and specific to Information Security

The goal is to enable the business

Page 8

Framework of Risk-Based Security Management

Decisions based on identification, analysis and prioritization of risks
• Based in observable facts and, whenever possible, measurable data
• Many long-held beliefs about information security are challenged.

Decisions can become more explicit
• Open to examination, testing and refinement through discourse.

Risk analysis is the guide that, if based on factual data, can focus your efforts and worries in areas that produce the greatest benefits.

Page 9

10 Steps to Risk-Based Security Management

1. Identify What Matters

2. Collect Data on What Matters

3. Perform Risk Assessment – the Critical Juncture

4. Present to the Organization

5. Identify Control Objectives

6. Identify and Select Controls

7. Implement Controls

8. Operate Controls

9. Monitor and Measure

10. Operate a Feedback Loop

Page 10

10 Steps to Risk-Based Security Management

Step 1: Identify What Matters
• Intangible Assets: profits, business goals and objectives, good will
• Tangible Assets: cash, intellectual property, data

Step 2: Collect Data on What Matters
• Asset valuation
• Impact
• Landscape of threats
• Sources of frequency, likelihood and probability (not possibility)
• Vulnerabilities

Page 11

10 Steps to Risk-Based Security Management

Step 3: Perform Risk Assessment – the Critical Juncture
• State the Objectives
• Methodology should meet needs of decision makers
• Use observable and tangible data
• Focus on accuracy not precision
• Identify probabilities and associated range of impact
• Use descriptions and measures that are re-usable

Step 4: Present to the Organization
• Information must make stakeholders better able to make decisions
• Information must be in the context of what is relevant to stakeholders
• Analysis must be open to exploration and inquiry – refinement

Page 12

10 Steps to Risk-Based Security Management

Step 5: Identify Control Objectives
• What are the objectives of mitigation – the goal, not the technique

Step 6: Identify and Select Controls
• Consider costs versus risk being mitigated

Step 7: Implement Controls
• Ensure it supports the original objectives

Step 8: Operate Controls
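As an added illustration of Steps 2 through 6 and the residual-risk measure of Step 9 (this is example code written for this page, not code from the deck or from Tripwire; the register entries, control names, costs and reduction fractions are constructed assumptions), a small Python model turns a frequency estimate and an impact range into expected annual loss, ranks risks by it, and compares each candidate control's cost against the risk it actually mitigates:

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    annual_frequency: float  # expected loss events per year (likelihood, not possibility)
    impact_low: float        # impact range in currency units, not a single point value
    impact_likely: float
    impact_high: float

    def expected_impact(self) -> float:
        # Weighted (PERT-style) estimate of one event's impact from the stated range
        return (self.impact_low + 4 * self.impact_likely + self.impact_high) / 6
    def annual_loss(self) -> float:
        # Risk = Probability x Impact, expressed here as expected loss per year
        return self.annual_frequency * self.expected_impact()

@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float     # fraction of events the control prevents (0..1)
    impact_reduction: float = 0.0  # fraction of per-event impact it removes (0..1)

def residual_loss(risk: Risk, control: Control) -> float:
    # Step 9: the expected annual loss that remains once the control is operating
    return risk.annual_loss() * (1 - control.frequency_reduction) * (1 - control.impact_reduction)

def control_benefit(risk: Risk, control: Control) -> float:
    # Step 6: risk mitigated minus control cost; positive means the control pays for itself
    return (risk.annual_loss() - residual_loss(risk, control)) - control.annual_cost

def rank_risks(risks: list) -> list:
    # Step 3: prioritise by expected annual loss, largest first
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)

def select_controls(risk: Risk, candidates: list) -> list:
    # Keep only controls whose net benefit is positive, best first
    worthwhile = [c for c in candidates if control_benefit(risk, c) > 0]
    return sorted(worthwhile, key=lambda c: control_benefit(risk, c), reverse=True)

SAMPLE_RISKS = [  # constructed register with hypothetical figures, not data from the deck
    Risk("Website defacement", 0.5, 1_000, 10_000, 50_000),
    Risk("Lost laptop with unencrypted data", 2.0, 5_000, 20_000, 100_000),
    Risk("Cardholder database breach", 0.1, 200_000, 800_000, 3_000_000),
]
LAPTOP_CONTROLS = [  # constructed candidate controls for SAMPLE_RISKS[1]
    Control("Full-disk encryption", 15_000, 0.0, 0.9),
    Control("Asset tracking tags", 30_000, 0.3),
]
```

Ranking puts the database breach first despite its low frequency, and only full-disk encryption survives the cost-versus-risk test for the laptop scenario, which is the kind of explicit, examinable decision the deck argues for.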

Page 13

10 Steps to Risk-Based Security Management

Step 9: Monitor and Measure
• Is the control creating an observable or measurable change in the original risk?
• Collect measures and observations

Step 10: Operate a Feedback Loop
• Security Management as a continuous cycle
• Use measures and observations
• Use them to adjust risk analysis, control objectives, controls and operations
• Adjusts perceptions and approach


Page 15

Risk-Based Security Management

Creates an environment of informed choice

Strives to reduce uncertainty and eliminate conjecture

Is best achieved through a plethora of relevant data

Is based on analysis of frequency of threats and vulnerabilities

Is cyclical and provides an opportunity for continuous learning

Involves feedback loops and challenging assumptions

Page 16

www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5440
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980

www.tripwire.com/blog
@TripwireInc

Daniel Blander: @djbphaedrus

Cindy Valladares: @cindyv

Page 17

About The State of Risk-Based Security Management Report

Surveyed 2,145 individuals

Four countries: US, UK, Germany, Netherlands

Commissioned by Tripwire

Conducted by Ponemon Institute, an independent research organization