SANS Technology Institute - Candidate for Master of Science Degree
Establishing a Security Metrics Program: Tiger Team Final Report
Chris Cain & Erik Couture


Title slide: Establishing a Security Metrics Program, Tiger Team Final Report. Chris Cain & Erik Couture, October 2011.

Introduction
- Team Members
- Mandate
- Overall project aim
- Methodology

Security Metrics Overview
- "How secure are we?"
- "Are our security investments making a difference?"
- "Where can we have the most impact on our security posture?"

Why Metrics?
- Metrics vs Measurement
- The importance of context and knowledge, not just data
- The challenge of what to measure

Goal/Scope
- Paint a clear picture of our security posture
- Identify areas of greatest risk
- Help guide resource allocation towards the areas of greatest security gain
- Educate senior management on the possible business impacts of our security posture
- Provide a method to monitor the effectiveness of our policy and technological changes over time

Example 1: Secure Firewalls, Routers, and Switches
Aim
- Visibility of the 'ground truth'
- Ensure minimal ports/services exposed
Input Data
- Network Device Threat Level
- Average days to fix configuration issues
- Total insecure configurations found
Visualization
- Horizontal bar charts: give a good sense of progress over several reporting periods and between each device type
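As an added example (not code from the report), the Python below derives the Example 1 input data from a constructed set of configuration findings, one row per insecure configuration per device type. The device types, sample rows, reporting date and the 7-day threshold used for the coarse threat level are all assumptions; the point it adds to the slide is that findings still open at the reporting date must keep ageing in the average rather than be dropped.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    device_type: str         # firewall / router / switch
    found: date
    fixed: Optional[date]    # None while the misconfiguration is still open
    description: str
# Constructed sample rows, not data from the report.
FINDINGS = [
    Finding("firewall", date(2011, 9, 1), date(2011, 9, 4), "telnet management enabled"),
    Finding("firewall", date(2011, 9, 3), date(2011, 9, 17), "any/any outbound rule"),
    Finding("router", date(2011, 9, 2), date(2011, 9, 5), "default SNMP community string"),
    Finding("router", date(2011, 9, 10), None, "no ACL on management (vty) lines"),
    Finding("switch", date(2011, 9, 6), date(2011, 9, 6), "unused ports left enabled"),
    Finding("switch", date(2011, 9, 7), None, "HTTP admin interface enabled"),
]
REPORT_DATE = date(2011, 9, 30)   # end of the reporting period (assumed)

def days_open(f: Finding, as_of: date) -> int:
    """Days to fix; an unfixed finding keeps ageing up to the reporting date."""
    return ((f.fixed or as_of) - f.found).days

def device_metrics(findings, as_of: date) -> dict:
    """Example 1 input data per device type; open findings count at their current age, so a stale backlog cannot flatter the mean."""
    by_type: dict = {}
    for f in findings:
        by_type.setdefault(f.device_type, []).append(f)
    return {
        dtype: {
            "total_found": len(rows),
            "still_open": sum(r.fixed is None for r in rows),
            "avg_days_to_fix": round(mean(days_open(r, as_of) for r in rows), 1),
        }
        for dtype, rows in sorted(by_type.items())
    }

def threat_level(m: dict) -> str:
    """Coarse device threat level from the two inputs above; the 7-day threshold is an assumption."""
    slow = m["avg_days_to_fix"] > 7
    if m["still_open"] and slow:
        return "high"
    return "medium" if (m["still_open"] or slow) else "low"

if __name__ == "__main__":
    for dtype, m in device_metrics(FINDINGS, REPORT_DATE).items():
        # one horizontal bar per device type, as in the slide's visualization
        print(f"{dtype:8} {'#' * int(m['avg_days_to_fix']):<25} {threat_level(m)} {m}")
```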

Example 2: Boundary Defense
Aim
- Reduce by 80% the number of internet entry points
- Achieve 100% of hosts pointed at secure DNS servers
- Achieve 100% physical network verification
Input Data
- Total quantity of defenses scored
- Score from 1 to 5
- Boundary Defense Threat Level (subjectively assigned)
Visualization
- Line graph comparing boundary device types against their scores

Example 3: Incident Response Capability
Aim
- Assess ability to detect and respond
- Fuse/visualize end-to-end incident handling (IH) timelines
Input Data
- Mean time to incident detection/identification
- Mean time to incident eradication
- Mean time to incident recovery
- Number of lessons learned as a result of the incident
Visualization
- Stacked bar chart: allows the reader to quickly compare the relative time involved in each phase of incident handling
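An added example, not part of the report: Python that derives the Example 3 input data from constructed incident timestamps. It treats detection, eradication and recovery as consecutive phases, so each closed incident yields the three segment lengths of its stacked bar, and it keeps incidents that are still open out of the means while reporting how many were excluded. The incident names, timestamps and lessons-learned counts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    name: str
    occurred: datetime               # best estimate of when the compromise began
    detected: datetime
    eradicated: Optional[datetime]   # None while the incident is still being handled
    recovered: Optional[datetime]
    lessons_learned: int             # lessons recorded in the post-incident review

PHASES = ("detection", "eradication", "recovery")

def phase_hours(inc: Incident) -> Optional[dict]:
    """Hours spent in each IH phase, or None while the incident is still open."""
    if inc.eradicated is None or inc.recovered is None:
        return None
    stamps = (inc.occurred, inc.detected, inc.eradicated, inc.recovered)
    return {phase: (end - start).total_seconds() / 3600
            for phase, start, end in zip(PHASES, stamps, stamps[1:])}

def ih_metrics(incidents) -> dict:
    """Example 3 input data; open incidents are excluded from the means but counted."""
    closed = [h for i in incidents if (h := phase_hours(i)) is not None]
    return {
        "mean_hours": {p: round(mean(h[p] for h in closed), 1) for p in PHASES},
        "incidents_closed": len(closed),
        "incidents_open": len(incidents) - len(closed),
        "lessons_learned": sum(i.lessons_learned for i in incidents),
    }

def stacked_bar_rows(incidents):
    """One row per closed incident: the three segment lengths of its stacked bar."""
    return [(i.name, [round(h[p], 1) for p in PHASES])
            for i in incidents if (h := phase_hours(i)) is not None]

# Constructed sample incidents, not data from the report.
INCIDENTS = [
    Incident("phish-01", datetime(2011, 9, 5, 8), datetime(2011, 9, 5, 14),
             datetime(2011, 9, 5, 20), datetime(2011, 9, 6, 8), 2),
    Incident("malware-02", datetime(2011, 9, 12, 2), datetime(2011, 9, 14, 2),
             datetime(2011, 9, 14, 10), datetime(2011, 9, 15, 2), 3),
    Incident("webdef-03", datetime(2011, 9, 20, 9), datetime(2011, 9, 20, 10), None, None, 0),
]
if __name__ == "__main__":
    print(*(f"{name:12} {segs}" for name, segs in stacked_bar_rows(INCIDENTS)), sep="\n")
    print(ih_metrics(INCIDENTS))
```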

Visualization / Dashboard (1)

Visualization / Dashboard (2)

Recommendations
1. The establishment of an enterprise-wide security metrics program.
2. The adoption of the SANS Top 20 Security Controls framework as a basis for the ongoing gathering and reporting of security metrics.
3. The institution of a security metrics board which will regularly assess the effectiveness of, and adjust, the security metrics program.

References
- Twenty Critical Security Controls for Cyber Defense: SANS/CAG
- NIST Special Publication
- Beautiful Security Metrics, Elizabeth Nichols
- Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, John Gilligan
- Seven Myths about Information Security Metrics, Dr. Gary Hinson
- Security Metrics: Replacing Fear, Uncertainty and Doubt, Gary McGraw
- FISMA FY CIO Reporting Metrics, US DHS
- IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data, Lance Hayden, Ph.D.
- A Guide to Security Metrics (SANS Reading Room), Shirley C. Payne
- CSO Security and Risk, Scott Berinato