Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Metrics That Don’t Suck

Published byBrooke Park Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Metrics That Don’t Suck"— Presentation transcript:

1 Security Metrics That Don’t Suck
Dr Mike Lloyd CTO

2 Problems in security metrics
Security is the absence of something Can’t report how often you were NOT on the cover of WSJ

3 How fast is your treadmill?
Many people start with process counting These measure busyness Not business How do you show gains? Just get busier?

4 An extreme case of measuring busyness
Really bad metrics An extreme case of measuring busyness Bad metric → bad behavior → bad outcome

5 On the hamster wheel of pain
Copyright RedSeal Networks, Inc. All rights reserved Security metrics 1.0 On the hamster wheel of pain (thanks, Andrew Jaquith!) Oh look, “stuff” happens …

6 Metrics close the control loop Ops has availability
Management metrics Metrics close the control loop Ops has availability Security needs risk Focus on outcomes How easily could a breach occur? How effective is our spend? Are we making it harder to break in? Availability Operations Risk Security

7 Good measurements tell stories Which story depends on who’s on stage
Actors in the play Good measurements tell stories Which story depends on who’s on stage The team member The CISO The CFO Any guesses?

8 The team members and the CISO
Copyright RedSeal Networks, Inc. All rights reserved Within security The team members and the CISO Should we focus on network or endpoints? What are the top 10 risk contributors? Are we being effective?

9 The CISO talking to the CFO
Out to the business The CISO talking to the CFO Look, we are being effective! Show reduction in risk Correlate with expenditures Ask for more money Dept of State, Feb 2011

10 About that “asking for money” bit …
The CFO wants ROI I spend $X, I save $Y We tell FUD stories “Look at Sony – want that?” We’re sick of it, so are they You have an unexpected ally Thought about your company’s insurance agent? Not an actual agent – real ones are much nicer

11 Insurance brings focus
Data Breach Insurance is available Pay to transfer risks They see many breaches You only see yours They learn what works CFO can define “good security” as “that which reduces my insurance premiums” Measure your posture, negotiate a discount If we do this right, we could actually measure what we all do for a living!

12 Enough why – time for what

13 Assets you need to protect
Resources Assets you need to protect Everyone has some examples PII, regulatory assets, IP, etc Some truly “mission critical” Financial, energy, government, military Knowledge of vulnerabilities Bad guys exploit them, so you scan Counter-measures It starts with the firewall

14 Simulate attacks before they happen
We want to know our defensive posture That involves finding the weak points Attack a model of the network Measure ease of compromise Use standards where possible Copyright RedSeal Networks, Inc. All rights reserved

15 Risk from Network-Based Attacks
Blocking Rule High Risk Low Risk Blocking Rule Blocking Rule Pivot Attack Blocking ACL Pivot Attack High Risk Low Risk Copyright RedSeal Networks, Inc. All rights reserved

16 Sample attack chain – Before
Internet DMZ Main Site Copyright RedSeal Networks, Inc. All rights reserved

17 Step 1 – Vulnerabilities exposed in DMZ
Attackers can reach these Internet-facing servers Copyright RedSeal Networks, Inc. All rights reserved

18 Step 2 – Some attack paths sneak in
Just a few pivot attacks are possible Copyright RedSeal Networks, Inc. All rights reserved

19 An attacker can get in if they find this before you fix it
Step 3 – Attack fans out An attacker can get in if they find this before you fix it Copyright RedSeal Networks, Inc. All rights reserved

20 Penetration test results
Sample result: External attackers can reach red hosts Then pivot to attack yellow hosts But no attack combination reached green hosts Copyright RedSeal Networks, Inc. All rights reserved

21 Turning attacks into measurements

22 Rolling up the scores

23 Dashboards for outbound proof
How easily can attackers get in? How big is my attack surface? How much is non-compliant?

24 Dashboards for internal questions
Are investments working? Where do we need to improve?

25 Defensive posture CAN be measured This drives to better outcomes
Copyright RedSeal Networks, Inc. All rights reserved Conclusions Defensive posture CAN be measured This drives to better outcomes Measure posture => improved posture It helps the CFO “get it” You can sleep better Demonstrate effectiveness, not busyness

26

27 Insurance and the search for ALE
As we’ll show, you can measure POSTURE How easily could someone break in? True risk tradeoffs require incidence data Sure, we know a vulnerability is bad … But how often does it cause losses? Risk wonks call this Annualized Loss Expectancy

28 Bad breaches are common But for any one company, big ones are rare
Good ALE is hard to find Bad breaches are common But for any one company, big ones are rare Similar to car accidents Roughly one accident per person per lifetime How do you get a wide sample of accidents? Who can test effects of a safety measure? Insurers can!

29 Another complex arena: chess
Are computers or humans best? Kasparov: “wrong question”! How to play the best chess? Human-computer teams Humans are good at strategy Computers don’t get tired Security faces related problems Attackers have adopted automation They will find whatever you miss Copyright RedSeal Networks, Inc. All rights reserved

Download ppt "Security Metrics That Don’t Suck"

Similar presentations

Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP +1-410-544-3435.

Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP
1 From a Commodity to an Expert Master your IT business and your life.

1 From a Commodity to an Expert Master your IT business and your life.
Cyber Metrics in the DoD or How Do We Know What We Don’t Know? John S. Bay, Ph.D. Executive Director.

Cyber Metrics in the DoD or How Do We Know What We Don’t Know? John S. Bay, Ph.D. Executive Director.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID THE NETWORK SECURITY CHALLENGE Jack Suess CIO University of Maryland Baltimore.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID THE NETWORK SECURITY CHALLENGE Jack Suess CIO University of Maryland Baltimore.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
Business 16 Stanford Department of Continuing Education Class # 7, 11/9/09 Business Plan to Operating Plan.

Business 16 Stanford Department of Continuing Education Class # 7, 11/9/09 Business Plan to Operating Plan.
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.

Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.
Northwestern University Network Security

Northwestern University Network Security
Managing the Unexpected …and keeping people safe at the same time Jason Rowley Group Health and Safety Director Carillion.

Managing the Unexpected …and keeping people safe at the same time Jason Rowley Group Health and Safety Director Carillion.
Presented by: Dr. Munam Ali Shah

Presented by: Dr. Munam Ali Shah
Chapter 15: Our Economy and You Social Science. Income Managing your money takes several steps, the first of which involves what you make There are several.

Chapter 15: Our Economy and You Social Science. Income Managing your money takes several steps, the first of which involves what you make There are several.
Knowing What You Missed Forensic Techniques for Investigating Network Traffic.

Knowing What You Missed Forensic Techniques for Investigating Network Traffic.
For brownies this PowerPoint will help you understand computer viruses and help stop them!!!!

For brownies this PowerPoint will help you understand computer viruses and help stop them!!!!
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.

Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
HO20110473 1 © 2012 Fluor. All rights reserved. Quick Wins in Vulnerability Management Classification: Confidential Owner: Michael Holcomb Approver: Phil.

HO © 2012 Fluor. All rights reserved. Quick Wins in Vulnerability Management Classification: Confidential Owner: Michael Holcomb Approver: Phil.
1 Figure 11-3: Risk Analysis Financially Sensible Protections  Risk analysis: Balance risks and countermeasture costs Enumeration of Assets  Assets:

1 Figure 11-3: Risk Analysis Financially Sensible Protections  Risk analysis: Balance risks and countermeasture costs Enumeration of Assets  Assets:
CSCE 201 Secure Software Development Best Practices.

CSCE 201 Secure Software Development Best Practices.

Similar presentations

Ads by Google