Evidence-Based Risk Management

DESCRIPTION
Wade Baker of the Verizon RISK Team gave this presentation at the NESCO Town Hall on May 30-31 in New Orleans, LA. Wade discussed sharing incident information and threat agents, along with an explanation of what evidence-based risk management is and what it looks like.

TRANSCRIPT
Evidence-Based Risk Management
Wade Baker, Verizon RISK Team

My favorite (professional) topics
• Security incidents (as in studying them – not experiencing them)
• Information sharing (specifically incident-related info)
• Data analysis (how else will we learn?)
• Risk management (but not the ‘yellow x red = orange’ kind)
Data Breach Investigations Report (DBIR) series
An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.
2012 DBIR Contributors
Methodology: Data Collection and Analysis
VERIS: https://verisframework.wiki.zoho.com/
• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
• Enables case data to be shared anonymously with the RISK Team for analysis
VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
Sharing incident information
TACTICAL: What point solutions should I implement now? ✔*
STRATEGIC: How do I measure & manage risk over time? X
Unpacking the 2012 DBIR: An overview of our results and analysis
Sample characteristics
• 855 incidents of confirmed data compromise
• 174 million stolen data records
• All varieties of data included (CC#s, PII, IP, etc.)
• Victims of all industries, sizes, geographic regions
• Cases worked by Verizon, investigated by law enforcement, or reported to (Irish) CERT
Threat Agents

Threat Agents: Larger Orgs

Threat Agents: IP & classified data
| Agent | Percent of breaches |
| --- | --- |
| External | 92% |
| Internal | 49% |
| Partner | 2% |

Threat Agents: External

Threat Actions

Threat Actions: Larger Orgs
Threat Actions: IP & classified data
| Action category | Percent of breaches |
| --- | --- |
| Malware | 38% |
| Hacking | 51% |
| Social | 48% |
| Misuse | 57% |
| Physical | 0% |
| Error | 2% |
| Environmental | 0% |
Top Threat Actions

Top Threat Actions: Larger Orgs

Top Threat Action Types: IP & classified data

Most Compromised Assets

Asset Ownership, Hosting, and Management

Compromised Data

Compromised Data: Smaller Orgs

Attack Difficulty

Attack Targeting

The 3-Day Workweek

Timespan of events

Timespan of events: Larger Orgs

Timespan: IP & classified data
| Phase | Minutes | Hours | Days | Weeks | Months | Years |
| --- | --- | --- | --- | --- | --- | --- |
| Point of entry to compromise (POE to Comp) | 10% | 65% | 10% | 10% | 3% | 3% |
| Compromise to discovery (Comp to Disc) | 0% | 18% | 21% | 13% | 7% | 41% |
| Discovery to containment (Disc to Cont) | 0% | 0% | 16% | 13% | 71% | 0% |
Breach Discovery

Recommendations: Larger Orgs
Evidence-Based Risk Management: What is it, and what does it look like?

What is EBRM?
EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk.

Measuring and managing information risk
To properly manage risk, we must measure it.
To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.

A threat event that is measurable (and thus manageable) identifies the following 4 A's:
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected
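The following Python example is added here to show what the four A's look like once incidents are recorded in that shape and aggregated into the kind of figures the deck presents (per-agent and per-action prevalence, and a timespan distribution like the compromise-to-discovery row of the timespan table). It is not code from the presentation or from the VERIS project: the `Incident` class, the `SAMPLE` records, the `comp_to_disc_secs` field and the bucket boundaries in `BUCKETS` are all assumptions made for illustration, and the records are constructed rather than DBIR case data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One threat event described with the deck's four A's.

    Each A holds a set because one incident can involve several agents,
    actions, assets or attributes at once (assumed VERIS-like shape).
    """
    agents: frozenset       # Agent: whose actions affected the asset
    actions: frozenset      # Action: what actions affected the asset
    assets: frozenset       # Asset: which assets were affected
    attributes: frozenset   # Attribute: how the asset was affected
    comp_to_disc_secs: int  # seconds from compromise to discovery (assumed field)


def _inc(agents, actions, assets, attributes, secs):
    return Incident(frozenset(agents), frozenset(actions),
                    frozenset(assets), frozenset(attributes), secs)


# Constructed sample records for illustration only; not DBIR case data.
SAMPLE = [
    _inc({"external"}, {"hacking", "malware"}, {"server"}, {"confidentiality"}, 3 * 86400),
    _inc({"external"}, {"hacking"}, {"user device"}, {"confidentiality"}, 45 * 86400),
    _inc({"internal"}, {"misuse"}, {"server"}, {"confidentiality"}, 400 * 86400),
    _inc({"external", "partner"}, {"social", "malware"}, {"person", "user device"},
         {"confidentiality", "integrity"}, 5 * 3600),
    _inc({"external"}, {"hacking"}, {"server"}, {"confidentiality", "availability"}, 20 * 60),
]


def prevalence(incidents, a_field):
    """Percent of incidents in which each value of one A appears.

    Values are not mutually exclusive, so the figures need not sum to 100
    (the deck's 92% / 49% / 2% agent split is of this kind).
    """
    counts = Counter()
    for inc in incidents:
        counts.update(getattr(inc, a_field))
    n = len(incidents)
    return {value: round(100 * c / n) for value, c in counts.items()}


# Assumed bucket boundaries (exclusive upper bound in seconds); the deck does
# not state the exact cut-offs behind its Minutes ... Years columns.
BUCKETS = [
    ("Minutes", 60 * 60),
    ("Hours", 24 * 3600),
    ("Days", 7 * 86400),
    ("Weeks", 30 * 86400),
    ("Months", 365 * 86400),
    ("Years", float("inf")),
]


def timespan_bucket(seconds):
    """Map a duration to the deck's timespan column it falls in."""
    if seconds < 0:
        raise ValueError("timespan must be non-negative")
    for name, upper in BUCKETS:
        if seconds < upper:
            return name


def timespan_distribution(incidents, span_field):
    """Percent of incidents per bucket, one row of the deck's timespan table."""
    counts = Counter(timespan_bucket(getattr(inc, span_field)) for inc in incidents)
    n = len(incidents)
    return {name: round(100 * counts[name] / n) for name, _ in BUCKETS}


def top_agent_action_pairs(incidents, k=3):
    """Most frequent (agent, action) combinations: the 'diagnose ailments'
    step that tells you which treatments to prioritise."""
    pairs = Counter()
    for inc in incidents:
        for agent in sorted(inc.agents):
            for action in sorted(inc.actions):
                pairs[(agent, action)] += 1
    return pairs.most_common(k)


if __name__ == "__main__":
    print("Agents:", prevalence(SAMPLE, "agents"))
    print("Actions:", prevalence(SAMPLE, "actions"))
    print("Compromise to discovery:", timespan_distribution(SAMPLE, "comp_to_disc_secs"))
    print("Top agent/action pairs:", top_agent_action_pairs(SAMPLE, 2))
```

Because every A is a set, `prevalence` counts an incident once for each value it carries; that is why the agent percentages on the deck can exceed 100% in total, and why a breach attributed to both an external and a partner agent shows up under both. The timespan row is computed from a per-incident duration rather than from the percentages on the slide, which is the direction the evidence has to flow in: structured records first, the summary figures derived from them.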
evidence?

Data Breach Investigations Report (DBIR) series
= evidence for measuring and managing risk

Diagnose Ailments

✔ Treatment strategy
✔ Policy ✔ People ✔ Process ✔ Technology

Evidence-Based Risk Management
What are the benefits of EBRM?
• Metrics – Builds outcome-based metrics around security processes and failures in order to get a better read on the security pulse of the organization.
• Remediation – Strengthens security posture by identifying gaps, pinpointing the most critical remediation strategies, and focusing longer-term strategic planning.
• Efficiency – Enables better and more justified decision-making, improves resource allocation, reduces unproductive security spending, and generally achieves “more bang for the buck.”
• Communication – Increases information flows across organizational and functional boundaries. Creates and communicates ongoing performance measures to key stakeholders.

DBIR: www.verizon.com/enterprise/databreach
VERIS: https://verisframework.wiki.zoho.com/
Blog: http://www.verizon.com/enterprise/securityblog
Email: [email protected]