COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR

Case Study shared courtesy of RiskLens. CONFIDENTIAL - FAIR INSTITUTE 2016

ANALYSIS SCOPING
RISK SCENARIO DESCRIPTION: Lack of timely application patching introduces threats to the ERP system and restricted data (auditors uncovered that the actual patching window exceeded the patching policy).
ASSET(S) DESCRIPTION: ERP Patching Process
LOSS TYPE: Confidentiality
THREAT(S) DESCRIPTION: Advanced Persistent Threat (APT)

ANALYSIS SCOPING: Assessing Risk Reduction Through Comparison of Scenarios
- Analyzed and quantified the risk for the ERP patching process in the current state
- Analyzed and quantified the risk for the ERP patching process if the patching window was reduced

ANALYSIS RESULTS
RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure.

Annualized Reduction in Loss Exposure (Risk)
Analysis                    Minimum              Average    Maximum
Current State               $0                   $85.0M     $1.4B
Improved Patching Process   (not shown on slide) $35.5M     $1.2B
CHANGE                      Average Annualized Risk Reduction: 49.5M (Improved Patching Process)
Min / Max values represent the absolute minimum and maximum of the simulation results.

ANALYSIS RESULTS
ERP Impact Assumption: Single Loss Event Scenario (ML = Most Likely)

ERP AND SAP PATCHING
Average Annualized Loss Exposure: Reduction in Vulnerability*
Analysis                    Vulnerability
Current State               80%
Improved Patching Process   25%
CHANGE                      Reduce Vulnerability by approx. 55% (Improved Patching Process)
Vulnerability does not incorporate the susceptibility of underlying infrastructure components.
*Vulnerability = what percentage of attacks would become loss events

INTERPRETING RESULTS: Both Scenarios
- Threat event frequency for each scenario is a calibrated estimate taking into account input from the Security Operations Center (SOC)
- Vulnerability is measured only as it relates to the patch not being applied to the system within each time window
- Primary loss is based on data provided by the incident response team
- Secondary loss is derived from a lookup table built from data provided by the business units
- Secondary loss magnitude is modeled based on confidential data and IP data
- Frequency of fallout is assumed to be at or near 100% of events because of the nature of the data involved and the profile of the threat community

INTERPRETING RESULTS
Current State Scenario
- Resistance strength is measured here by looking at the backlog of patches outstanding
Future Forecasted Scenario
- Resistance strength is measured here by assuming all missing patches in the backlog are resolved
Resistance strength estimate (Min / M/L / Max)
- Minimum resistance strength represents patches that live longer in the time window
- M/L (most likely) expresses, at any given time during the 90-day patch window, how bad the missing patches are
- Max represents the least damaging patches that are more recent in the time window

ANALYSIS LEVERAGED THE FAIR MODEL
Risk
|-- Loss Event Frequency
|   |-- Threat Event Frequency
|   |   |-- Contact Frequency
|   |   `-- Probability of Action
|   `-- Vulnerability
|       |-- Threat Capability
|       `-- Resistance Strength
`-- Loss Magnitude
    |-- Primary Loss
    `-- Secondary Loss
        |-- Loss Event Frequency (secondary)
        `-- Loss Magnitude (secondary)
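Added example (not RiskLens' or the FAIR Institute's code): a small Monte Carlo simulation that walks the FAIR decomposition above and produces the kind of Minimum / Average / Maximum loss-exposure table shown in the results slides. The input ranges, the triangular stand-in for PERT-style min / most-likely / max estimates, and the scenario names are constructed assumptions; only the vulnerability change (80% to 25%) and the near-100% fallout frequency are taken from the case study.

```python
# Added example, not code from the case study. Input ranges are constructed
# placeholders, not the calibrated estimates the analysts actually used.
import random
from dataclasses import dataclass
from statistics import mean

@dataclass
class Scenario:
    name: str
    tef: tuple              # Threat Event Frequency per year: (min, most likely, max)
    vulnerability: float    # share of threat events that become loss events
    primary_loss: tuple     # $ per loss event: (min, most likely, max)
    secondary_loss: tuple   # $ per loss event: (min, most likely, max)
    fallout_prob: float     # probability a loss event triggers secondary loss

def draw(rng, lo_ml_hi):
    """Triangular stand-in (assumption) for a PERT-style min / ML / max input."""
    lo, ml, hi = lo_ml_hi
    return rng.triangular(lo, hi, ml)

def simulate(s, trials=10_000, seed=2016):
    """Annualized loss exposure; each trial is one simulated year."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        threat_events = int(round(draw(rng, s.tef)))
        # Vulnerability: each threat event becomes a loss event with this probability
        loss_events = sum(rng.random() < s.vulnerability for _ in range(threat_events))
        total = 0.0
        for _ in range(loss_events):
            magnitude = draw(rng, s.primary_loss)           # primary loss
            if rng.random() < s.fallout_prob:               # secondary loss (fallout)
                magnitude += draw(rng, s.secondary_loss)
            total += magnitude
        yearly.append(total)
    # Min / Max are the absolute extremes of the simulation, as on the slide
    return {"min": min(yearly), "avg": mean(yearly), "max": max(yearly)}

def risk_reduction(current, improved, trials=10_000, seed=2016):
    """The CHANGE row of the results table: current state minus improved state."""
    a, b = simulate(current, trials, seed), simulate(improved, trials, seed)
    return {k: a[k] - b[k] for k in a}

# Constructed inputs: only vulnerability changes (80% -> 25%), mirroring the slide
SHARED = dict(tef=(0.5, 2, 6), primary_loss=(0.5e6, 3e6, 25e6),
              secondary_loss=(2e6, 30e6, 400e6), fallout_prob=1.0)
CURRENT = Scenario("Current state (180-day window)", vulnerability=0.80, **SHARED)
IMPROVED = Scenario("Improved (90-day window)", vulnerability=0.25, **SHARED)

if __name__ == "__main__":
    for s in (CURRENT, IMPROVED):
        print(s.name, {k: f"${v / 1e6:,.1f}M" for k, v in simulate(s).items()})
    print("Reduction", {k: f"${v / 1e6:,.1f}M" for k, v in risk_reduction(CURRENT, IMPROVED).items()})
```

Because loss magnitude is independent of how many loss events occur, the average exposure scales with vulnerability (25/80 of the current state here), while the minimum can be $0 in years with no loss event and the maximum is dominated by a few heavy-tailed secondary-loss draws.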

THE FAIR MODEL (same diagram as above, with Threat Event Frequency highlighted)

ANALYSIS INPUT
PRIMARY LOSSES
- Incident response
- Investigation
SECONDARY LOSSES
- Notification / credit monitoring
- Regulatory notification
- Possible fines / judgments
- Customer service requests
- Potential litigation
- Loss of current/future customers (reputation)
- Card replacement

DECISION SUPPORT / ROI
THE RISK ANALYSIS SUPPORTED
- Forecasting the risk reduction that can be achieved by consistently patching within a 90-day window, down from 180 days
- A risk-based rationale for cleaning up the current backlog
- Using metrics to resolve a conflicting discussion between auditors and IT about the value of reducing the patch window and meeting the requirements of the patching policy
The analysis demonstrated that risk quantification can be integrated into the customer's risk analysis process. While the new patching process will increase operational costs, the forecasted risk reduction is multiple times greater.