
1 Copyright ©2011 Savid Technologies, Inc. All Rights Reserved Security is Not A Four Letter Word Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com

2 Who am I?
»Michael A. Davis
–CEO of Savid Technologies
–Published Author: Hacking Exposed, HE: Malware and Rootkits; IT Auditor Magazine, InformationWeek, DarkReading
–Speaker at Major Security Conferences: Defcon, CanSecWest, Toorcon, Hack In The Box
–Open Source Software Developer: Snort, Nmap, Dsniff

3 Author

4 InformationWeek Contributor

5 The Issue
“Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.”

6 They are paying attention

7 You Protect, They Apologize
According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)
Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)

8 Metrics, we need metrics!

9 Why do we care?
»Management asks:
–“Are we Secure?”
»Without metrics:
–“Depends how you look at it”
»With Metrics:
–“Look at our risk score before this project, it dropped 15%. We are more secure today than yesterday”

10 Motorola CISO on Metrics
»“Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.” (William Boni, President CISO, Motorola Inc. www.secmet.org)

11 What is success?
»From IPTI Study
»High performers maintain a posture of compliance
–Fewest number of repeat audit findings
–One-third amount of audit preparation effort
»High performers find and fix security breaches faster
–5 times more likely to detect breaches by automated control
–5 times less likely to have breaches result in a loss event
»When high performers implement changes…
–14 times more changes
–One-half the change failure rate
–One-quarter the change failure rate
–10x faster MTTR for Sev 1 outages
»When high performers manage IT resources…
–One-third the amount of unplanned work
–8 times more projects and IT services
–6 times more applications

12 Where/What to measure
»Strategy/Governance: Code Reviews, Project Risk Assessments, Exceptions/Waivers
»Tactical/Sec Ops: Vuln Management, Patch Management, Incidents, etc
–IS Budget Spending/employee
–Policy gaps in existence
–Industry Standards Adopted
–Awareness Plan
–% projects going through assessment process
–# of policy exceptions
–# of risk acceptances
–% project doing code reviews
–Error rates
–Freq of vuln assessment
–# outstanding vulns
–Rate of fixing
–Trend of incident response losses

13 Examples of metrics
»Baseline Defenses Coverage (AV, FW, etc)
–Measurement of how well you are protecting your enterprise against the most basic information security threats.
–94% to 98%; less than 90% cause for concern
»Patch Latency
–Time between a patch’s release and your successful deployment of that patch.
–Express as averages and criticality
»Platform Security Scores
–Measures your hardening guidelines
»Compliance
–Measure departments against security standards
–Number of Linux servers at least 90% compliant with the Linux platform security standard
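The three metric families on this slide (baseline coverage with its 90% concern threshold, patch latency averaged per criticality, and the count of Linux servers at or above 90% compliance) are easy to compute once the inventory and patch records are in a consistent shape. The following is an added example, not from the presentation or from Savid Technologies: the Host and PatchEvent records, the sample inventory and the AS_OF date are all constructed for illustration, and the threshold values are the ones the slide states.

```python
"""Compute the slide-13 metric families over a constructed asset inventory.

Added example (not from the presentation). All hosts, patch dates and the
AS_OF reporting date below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    platform: str            # e.g. "linux" or "windows"
    av_enabled: bool         # baseline control: anti-virus agent present and running
    fw_enabled: bool         # baseline control: host firewall enabled
    hardening_score: float   # percent of the platform security standard satisfied


@dataclass
class PatchEvent:
    host: str
    criticality: str         # "critical", "high", "medium" or "low"
    released: date           # vendor release date of the patch
    deployed: Optional[date]  # None means the patch is still outstanding


# Constructed sample inventory; names and values are not real systems.
HOSTS: List[Host] = [
    Host("web-01", "linux", True, True, 96.0),
    Host("web-02", "linux", True, True, 91.5),
    Host("db-01", "linux", True, True, 88.0),
    Host("app-01", "windows", False, True, 93.0),
    Host("jump-01", "linux", True, True, 90.0),
]

# Constructed patch records for the same hosts.
PATCHES: List[PatchEvent] = [
    PatchEvent("web-01", "critical", date(2011, 3, 1), date(2011, 3, 4)),
    PatchEvent("web-02", "critical", date(2011, 3, 1), date(2011, 3, 8)),
    PatchEvent("db-01", "high", date(2011, 2, 10), date(2011, 3, 2)),
    PatchEvent("app-01", "high", date(2011, 2, 10), date(2011, 2, 24)),
    PatchEvent("jump-01", "medium", date(2011, 1, 5), None),  # still outstanding
]

AS_OF = date(2011, 3, 15)   # constructed reporting date for the latency metric
COVERAGE_CONCERN = 90.0     # slide: coverage below 90% is cause for concern
COMPLIANCE_FLOOR = 90.0     # slide: count servers at least 90% compliant


def baseline_coverage(hosts: List[Host], control: str) -> float:
    """Percent of hosts on which one baseline control (av_enabled/fw_enabled) is on."""
    if not hosts:
        return 0.0
    covered = sum(1 for h in hosts if getattr(h, control))
    return round(100.0 * covered / len(hosts), 1)


def coverage_report(hosts: List[Host]) -> Dict[str, Dict[str, object]]:
    """Coverage per control, flagged against the slide's 90% concern line."""
    report = {}
    for control in ("av_enabled", "fw_enabled"):
        pct = baseline_coverage(hosts, control)
        report[control] = {"pct": pct, "concern": pct < COVERAGE_CONCERN}
    return report


def patch_latency(patches: List[PatchEvent], as_of: date) -> Dict[str, float]:
    """Average days from release to deployment, grouped by criticality.

    An undeployed patch is charged with the days elapsed up to as_of, so an
    open critical patch keeps dragging the average down instead of vanishing.
    """
    by_crit: Dict[str, List[int]] = {}
    for p in patches:
        end = p.deployed or as_of
        by_crit.setdefault(p.criticality, []).append((end - p.released).days)
    return {crit: round(mean(days), 1) for crit, days in by_crit.items()}


def platform_compliance(hosts: List[Host], platform: str,
                        floor: float = COMPLIANCE_FLOOR) -> Dict[str, float]:
    """Servers of one platform at or above the compliance floor (count and percent)."""
    servers = [h for h in hosts if h.platform == platform]
    compliant = [h for h in servers if h.hardening_score >= floor]
    pct = round(100.0 * len(compliant) / len(servers), 1) if servers else 0.0
    return {"total": len(servers), "compliant": len(compliant), "pct": pct}


if __name__ == "__main__":
    print("Baseline coverage:", coverage_report(HOSTS))
    print("Patch latency (days) by criticality:", patch_latency(PATCHES, AS_OF))
    print("Linux compliance:", platform_compliance(HOSTS, "linux"))
```

Run against the sample data, anti-virus coverage comes out at 80% and is flagged, firewall coverage at 100% is not, and only three of the four Linux servers clear the 90% floor. Reporting latency per criticality rather than as one average is what keeps a handful of slow low-severity patches from hiding an open critical one.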

14 SMART Metrics
»Specific: The outcome or end result is very clear to me and all audiences.
»Measurable: You can tell if you have achieved your goal because you can count it or see it.
»Attainable: While achieving the outcome might be a challenge, it is possible with the current team and resources.
»Results-Oriented: The goal is in line with the results expected by the district CSIP, APR, Building goals and plans.
»Time bound: A specific date has been set by which to achieve the goal.

15 Categorize the metric
»Prevention – Prevent attack from taking place
»Detection – Violation of policy
»Response – Respond to stop an attack
»Recovery – Assess damage, continue if attack is successful

16 Example Metric Catalog

17 Visualization – Pretty Graphs
»Good Visualization of Metrics
–Don’t oversimplify
–Don’t be overly ornate
–Do use a consistent scale
–Do include a benchmark
»Without a benchmark, metrics are useless!

18 Balanced Score Card
Financial (F1-F4): Security unit costs; On-time rate of accreditations; Enterprise risk rating; Business impact of incidents; Projects on-time/budget; Cyber PBI ratings
Targets: Lower unit costs; 100% on time; Maintain .3 rating; <25hrs/Q; <10% variance; >95% green
Customer (C1-C4): Communication; Compliance; Customer Support; Program Input; Time per accreditation; Customer Satisfaction
Targets: >80% survey scores; >70% survey scores; >80% survey scores; >90% governance participation; >95% CA/avg times; >80% survey scores
Internal Processes (IP1-IP7): AOE: Opex reduction; AOE: SLA performance; CSIPP: unplanned work; DISS: AOP risk mapping; DISS: BP tied to risk; DISS: Red capabilities
Targets: >=2.5% Q/Q; <10% variance; <=3/Q; >=80%; >=30% key processes; Positive trend
Learning and Growth (LG1-LG3): Training roadmap; Planned role rotations; Attrition reduction; Strategic training
Targets: XX; <10% schedule variance; >=1/Q; Reduced attrition rate; >50% training mapped to initiatives; XX
Status legend (Target / Initiative): Hits target, Initiative on track; Short of target, Initiative recoverable; Failed process, Initiative not recoverable; Target not defined, No initiative
Note: BSC target performance scores are represented here for explanatory purposes only

19 Who are you?
–ROI
–ROSI
–TCO
–Cost/Benefit Analysis
–Modified Annual Loss Expectancy
–Patch Latency
–SPAM/AV Stats
–# of Vulns

20 We all do them
Source: 2011 InformationWeek Analytics Strategic Security Survey

21 The Reality
Source: 2011 InformationWeek Analytics Strategic Security Survey

22 Your Assumptions Are Wrong
»You are not “in the business”
–Uphill battle to believe ROI
»Too many variables
–Don’t be a geek
–.6, .55, .61 – It doesn’t matter
»Accuracy > Precision
–Correctly reflects the size of the thing being measured
–Repeatable

23 Communication
»Talking about numbers and risk is hard
–Difficult to conceptualize
»It didn’t happen last year, it won’t this year
»Lack of descriptive scenarios that relate actual risk to investment and to changes in environment
»You are not a sales person but you have to “Sell Security”
»You have not been educated on “how” to communicate complex projects

24 Business Strategy is Key
»How do you “industry data”?
»How do you relate every security metric to the business strategic objectives?
»Reduced Risk isn’t always important
–Probability is what matters
»Your numbers are a point in time and don’t show internal trends
»The stakeholders, and core team, can make or break your plans

25 2011 Strategic Security Report
»All the 2011 Survey Data
»Latest Trends
–Mobile Threats
–Social Media
–Virtualization
»Contact me for a free copy (worth $199!)
»mdavis@savidtech.com (708) 243-2850

26 Conclusion
»Thank you
»Michael A. Davis mdavis@savidtech.com (708) 243-2850
»Questions?
