practical measures for measuring security
DESCRIPTION
Security is often a frustrating field for business and IT decision makers. It can be difficult to quantify, difficult to get visibility, and it’s difficult to know when you have “enough”. Do you really need that latest threat feed subscription or state of the art malware protection device? Do you need to add another security analyst to your team? And if so, how can you understand, in business terms, the value these investments bring to the business? This session will explore practical methods for the application of metrics in security to support business decision making, and provide a framework to implement straightforward security metrics, whether inside your wall or at a service provider.TRANSCRIPT
CH
RI S
MU
L L I NS
PR
AC
TI C
AL M
EA
SU
RE
S F
OR
ME
AS
UR
I NG
SE
CU
RI T
Y
TU
ES
DA
Y,
3: 5
5P
M
WELCOME TO SECURE360 2012
Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.
Please complete the Session Survey front and back (this is Room 7), and leave on your seat.
Note: “Session” is Tuesday or Wednesday
Are you tweeting? #Sec360
AGENDA
Are you Ready?
The Problem of Measuring Security
Metric Myths
Characteristics of Effective Metrics
Defining Your Metrics
The Process of Measurement
Sample Metrics
Implementing Metrics
Presenting Metrics
A Mature Metrics Program
Page 3
WHY HAVEN’T YOU SOLVED THIS YET?
Is the Organization ready?
What’s the Tone from the Top?
Is it Security someone’s Job?
Do you have Policy in place?
Are resources allocated to identify and detect issues?
Are resources allocated to remediate issues?
Are you Level 4?
Page 4
Page 5
TYPICAL PROBLEMS OF MEASURING SECURITY
Risk is difficult to define precisely
Attack SurfaceCurrent EnvironmentAsset ValueMeasures not linked to
action
Measures often focus on outcomes
Page 6
7 Myths that hold people back 92.467% of the time.METRIC MYTHS
1. Metrics must be Objective and Tangible
2. Metrics must have discrete values
3. Metrics must be absolute
4. Metrics are costly
5. You can’t manage what you can’t measure
6. It’s essential to measure outcomes
7. You need precise, accurate data
Page 7
(This is probably NOT a good example)CHARACTERISTICS OF A GOOD METRIC
Attackability Computation.
Page 8
An Attack Surface Metric, Carnegie Mellon University, 2005
CHARACTERISTICS OF A GOOD METRIC
1. Directly Relates to an objective
2. Should have a logical stakeholder
3. Collection should be inexpensive, simple and standardized
4. Should have a resolution appropriate for maturity
5. Should be phase appropriate
6. Should have applicability defined
7. Should have an indicated action
Page 9
DEFINING YOUR METRICS
Page 10
Metrics Relating to Security ControlsDEVELOPING YOUR METRICS
1. Should map directly to a defined control
2. Use data describing the security control’s implementation to generate required measures
3. Characterize the measure as applicable to system categorization (low, med, high)
Page 11
Metrics Relating to Security Program PerformanceDEVELOPING YOUR METRICS
1. Map to InfoSec Goals & Objectives that encompass performance
2. Use the data describing the information security program performance to generate required measures
Page 12
On your Mark, get Set…NOW THAT YOU HAVE YOUR METRICS
Document in a standard format See 800-55 for an excellent template
Prioritize and Select
Establish Performance Targets
Evaluate Metric performance and relevance periodically, incorporate feedback
Page 13
SAMPLE METRICS
• Percentage of the agency’s information system budget devoted to information security
• Percentage of “high” vulnerabilities mitigated within defined time periods after discovery
• Percentage of remote access points used to gain unauthorized access
• Percentage of information system security personnel that have received security training
• Average frequency of audit records review and analysis for inappropriate activity
Page 14
SAMPLE METRICS (CONTINUED)
• Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation
• Percentage approved and implemented configuration changes identified in the latest automated baseline configuration
• Percentage of information systems that have conducted annual contingency plan testing
• Percentage of users with access to shared accounts
Page 15
SAMPLE METRICS (CONTINUED)
• Percentage of incidents reported within required time frame per applicable incident category
• Percentage of system components that undergo maintenance in accordance with formal maintenance schedules
• Percentage of media that passes sanitization procedures
• Percentage of physical security incidents allowing unauthorized entry into facilities containing information systems
Page 16
SAMPLE METRICS (CONTINUED)
• Percentage of employees who are authorized to access information systems only after they sign an acknowledgement that they have read and understood rules of behavior
• Percentage of individuals screened before being granted access to organizational information and information systems
• Percentage of vulnerabilities remediated within organization-specified time frames
Page 17
SAMPLE METRICS (CONTINUED)
• Percentage of system and service acquisition contracts that include security requirements and/or specifications
• Percentage of mobile devices that meet approved cryptographic policies
• Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated
Page 18
IMPLEMENTING METRICS
Page 19
EXAMPLE: A METRIC IN ACTION
Page 20
Do you REALLY have to use Excel?PRESENTING METRICS
Page 21
WHEN YOU GET BACK TO THE OFFICE ON MONDAY:
1. Are you ready?
2. Engage Stakeholders
3. Identify Your Metrics - Leverage CIS, NIST 800-55
4. Automate collection & reporting
5. Act on what you find
6. Make it look good!
7. Document the value
8. Re-evaluate periodically
Page 22
REFERENCES / CREDITS
CMMI: http://www.sei.cmu.edu/cmmi/
http://www.noticebored.com/html/metrics.html
Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics
NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
http://www.geckoboard.com/
Page 23
THANK YOU!
Chris [email protected]@chrisbmullins713.581.4332