Security Metrics That Don’t Suck


Security Metrics That Don’t Suck
Dr Mike Lloyd, CTO

Problems in security metrics
- Security is the absence of something
- Can’t report how often you were NOT on the cover of WSJ

How fast is your treadmill?
- Many people start with process counting
- These measure busyness, not business
- How do you show gains? Just get busier?

Really bad metrics: an extreme case of measuring busyness
- Bad metric → bad behavior → bad outcome

Security metrics 1.0: On the hamster wheel of pain (thanks, Andrew Jaquith!)
- Oh look, “stuff” happens …
Copyright RedSeal Networks, Inc. All rights reserved

Metrics close the control loop
- Ops has availability; security needs risk
- Focus on outcomes: How easily could a breach occur? How effective is our spend? Are we making it harder to break in?
(Diagram: Operations is paired with Availability, Security with Risk)

Good measurements tell stories
- Which story depends on who’s on stage
- Actors in the play: the team member, the CISO, the CFO
- Any guesses?

Within security: the team members and the CISO
- Should we focus on network or endpoints?
- What are the top 10 risk contributors?
- Are we being effective?

Out to the business: the CISO talking to the CFO
- Look, we are being effective!
- Show reduction in risk
- Correlate with expenditures
- Ask for more money
(Image credit: Dept of State, Feb 2011)

About that “asking for money” bit …
- The CFO wants ROI: I spend $X, I save $Y
- We tell FUD stories: “Look at Sony – want that?”
- We’re sick of it, so are they
- You have an unexpected ally: thought about your company’s insurance agent? (Not an actual agent – real ones are much nicer)

Insurance brings focus
- Data breach insurance is available: pay to transfer risks
- They see many breaches; you only see yours. They learn what works
- CFO can define “good security” as “that which reduces my insurance premiums”
- Measure your posture, negotiate a discount
- If we do this right, we could actually measure what we all do for a living!

Enough why – time for what

Resources: assets you need to protect
- Everyone has some examples: PII, regulatory assets, IP, etc.
- Some truly “mission critical”: financial, energy, government, military
- Knowledge of vulnerabilities: bad guys exploit them, so you scan
- Counter-measures: it starts with the firewall

Simulate attacks before they happen
- We want to know our defensive posture
- That involves finding the weak points
- Attack a model of the network
- Measure ease of compromise
- Use standards where possible

Risk from Network-Based Attacks
(Diagram: blocking rules and a blocking ACL versus pivot attacks, with hosts labelled High Risk and Low Risk)

Sample attack chain – Before
(Diagram: Internet, DMZ, Main Site)

Step 1 – Vulnerabilities exposed in DMZ
- Attackers can reach these Internet-facing servers

Step 2 – Some attack paths sneak in
- Just a few pivot attacks are possible

Step 3 – Attack fans out
- An attacker can get in if they find this before you fix it

Penetration test results
- Sample result: external attackers can reach red hosts
- Then pivot to attack yellow hosts
- But no attack combination reached green hosts

Turning attacks into measurements

Rolling up the scores

Dashboards for outbound proof
- How easily can attackers get in?
- How big is my attack surface?
- How much is non-compliant?
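The attack-chain steps (exposed DMZ hosts, a few pivot paths, fan-out, then the red/yellow/green result) and the outbound dashboard questions above can be reproduced on a toy model. The following is an added example written for this page; it is not RedSeal’s code or scoring method. The topology, hosts, scan findings and the blocking ACL are constructed sample data, and the risk-score weighting (critical hosts count ten times a non-critical host, discounted by the number of pivots needed) is an assumption chosen for illustration. The “non-compliant” question is not modelled.

```python
"""Added example (not from the slide deck): a toy attack-path model that
reproduces the before/after story. Everything below is constructed data."""
from collections import deque

# Constructed sample inventory: zone, whether a scan found an exploitable
# vulnerability on an exposed service, and whether the asset is mission critical.
HOSTS = {
    "web1": {"zone": "DMZ",  "exploitable": True,  "critical": False},
    "web2": {"zone": "DMZ",  "exploitable": True,  "critical": False},
    "app1": {"zone": "MAIN", "exploitable": True,  "critical": False},
    "db1":  {"zone": "MAIN", "exploitable": True,  "critical": True},
    "hr1":  {"zone": "MAIN", "exploitable": False, "critical": True},
}


def allowed_flows(acl_blocks_dmz_to_db):
    """Permitted network flows (source, destination). 'INTERNET' is where the
    attacker starts. A blocking rule is modelled as a missing edge; the
    'after' state adds an ACL that removes the sneaky DMZ-to-database path."""
    flows = {
        ("INTERNET", "web1"), ("INTERNET", "web2"),
        ("web1", "app1"), ("web2", "app1"),
        ("app1", "db1"), ("app1", "hr1"),
        ("web2", "db1"),  # the path that "sneaks in" from the DMZ
    }
    if acl_blocks_dmz_to_db:
        flows.discard(("web2", "db1"))
    return flows


def reachable_compromises(hosts, flows):
    """Breadth-first search over the attack graph. A host is compromised when a
    compromised host (or the Internet) has a flow to it AND the host is
    exploitable; compromised hosts become pivot points. Returns
    {host: pivots_needed}, where 0 means reachable directly from the Internet."""
    hops = {}
    queue = deque([("INTERNET", -1)])
    while queue:
        src, depth = queue.popleft()
        for s, dst in flows:
            if s != src or dst in hops or not hosts[dst]["exploitable"]:
                continue
            hops[dst] = depth + 1
            queue.append((dst, depth + 1))
    return hops


def classify(hosts, hops):
    """Red: reachable directly; yellow: reachable only via pivot; green: unreached."""
    return {
        h: "green" if h not in hops else ("red" if hops[h] == 0 else "yellow")
        for h in hosts
    }


def posture_dashboard(hosts, hops):
    """Roll the per-host results up into the outbound dashboard numbers.
    The weighting is an assumption: critical hosts weigh 10, others 1, each
    discounted by the number of pivots an attacker needs to reach it."""
    colours = classify(hosts, hops)
    critical_hops = [hops[h] for h in hops if hosts[h]["critical"]]
    risk = sum((10 if hosts[h]["critical"] else 1) / (hops[h] + 1) for h in hops)
    return {
        "attack_surface": sum(1 for c in colours.values() if c == "red"),
        "pivots_to_critical": min(critical_hops) if critical_hops else None,
        "risk_score": round(risk, 2),
        "colours": colours,
    }


def assess(acl_blocks_dmz_to_db):
    """Run the whole pipeline for one network state."""
    flows = allowed_flows(acl_blocks_dmz_to_db)
    return posture_dashboard(HOSTS, reachable_compromises(HOSTS, flows))


if __name__ == "__main__":
    for label, state in (("before", False), ("after blocking ACL", True)):
        print(label, assess(state))
```

In the “before” state both DMZ hosts are red, the application and database hosts are yellow, the unexploitable HR host stays green, and the database is one pivot away. Adding the blocking ACL does not change the colours, but it pushes the critical database to two pivots and lowers the rolled-up risk score, which is the kind of movement a “measure posture, then improve it” dashboard is meant to show.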

Dashboards for internal questions
- Are investments working?
- Where do we need to improve?

Conclusions
- Defensive posture CAN be measured
- This drives to better outcomes: measure posture => improved posture
- It helps the CFO “get it”
- You can sleep better
- Demonstrate effectiveness, not busyness

Insurance and the search for ALE
- As we’ll show, you can measure POSTURE: how easily could someone break in?
- True risk tradeoffs require incidence data
- Sure, we know a vulnerability is bad … but how often does it cause losses?
- Risk wonks call this Annualized Loss Expectancy

Good ALE is hard to find
- Bad breaches are common, but for any one company, big ones are rare
- Similar to car accidents: roughly one accident per person per lifetime
- How do you get a wide sample of accidents? Who can test effects of a safety measure? Insurers can!

Another complex arena: chess
- Are computers or humans best? Kasparov: “wrong question”!
- How to play the best chess? Human-computer teams: humans are good at strategy, computers don’t get tired
- Security faces related problems: attackers have adopted automation; they will find whatever you miss