CH

RI S

MU

L L I NS

PR

AC

TI C

AL M

EA

SU

RE

S F

OR

ME

AS

UR

I NG

SE

CU

RI T

Y

TU

ES

DA

Y,

3: 5

5P

M

WELCOME TO SECURE360 2012

Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.

Please complete the Session Survey front and back (this is Room 7), and leave on your seat.

Note: “Session” is Tuesday or Wednesday

Are you tweeting? #Sec360

AGENDA

Are you Ready?

The Problem of Measuring Security

Metric Myths

Characteristics of Effective Metrics

Defining Your Metrics

The Process of Measurement

Sample Metrics

Implementing Metrics

Presenting Metrics

A Mature Metrics Program

Page 3

WHY HAVEN’T YOU SOLVED THIS YET?

Is the Organization ready?

What’s the Tone from the Top?

Is it Security someone’s Job?

Do you have Policy in place?

Are resources allocated to identify and detect issues?

Are resources allocated to remediate issues?

Are you Level 4?

Page 4

Page 5

TYPICAL PROBLEMS OF MEASURING SECURITY

Risk is difficult to define precisely

Attack SurfaceCurrent EnvironmentAsset ValueMeasures not linked to

action

Measures often focus on outcomes

Page 6

7 Myths that hold people back 92.467% of the time.METRIC MYTHS

1. Metrics must be Objective and Tangible

2. Metrics must have discrete values

3. Metrics must be absolute

4. Metrics are costly

5. You can’t manage what you can’t measure

6. It’s essential to measure outcomes

7. You need precise, accurate data

Page 7

(This is probably NOT a good example)CHARACTERISTICS OF A GOOD METRIC

Attackability Computation.

Page 8

An Attack Surface Metric, Carnegie Mellon University, 2005

CHARACTERISTICS OF A GOOD METRIC

1. Directly Relates to an objective

2. Should have a logical stakeholder

3. Collection should be inexpensive, simple and standardized

4. Should have a resolution appropriate for maturity

5. Should be phase appropriate

6. Should have applicability defined

7. Should have an indicated action

Page 9

DEFINING YOUR METRICS

Page 10

Metrics Relating to Security ControlsDEVELOPING YOUR METRICS

1. Should map directly to a defined control

2. Use data describing the security control’s implementation to generate required measures

3. Characterize the measure as applicable to system categorization (low, med, high)

Page 11

Metrics Relating to Security Program PerformanceDEVELOPING YOUR METRICS

1. Map to InfoSec Goals & Objectives that encompass performance

2. Use the data describing the information security program performance to generate required measures

Page 12

On your Mark, get Set…NOW THAT YOU HAVE YOUR METRICS

Document in a standard format See 800-55 for an excellent template

Prioritize and Select

Establish Performance Targets

Evaluate Metric performance and relevance periodically, incorporate feedback

Page 13

SAMPLE METRICS

• Percentage of the agency’s information system budget devoted to information security

• Percentage of “high” vulnerabilities mitigated within defined time periods after discovery

• Percentage of remote access points used to gain unauthorized access

• Percentage of information system security personnel that have received security training

• Average frequency of audit records review and analysis for inappropriate activity

Page 14

SAMPLE METRICS (CONTINUED)

• Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation

• Percentage approved and implemented configuration changes identified in the latest automated baseline configuration

• Percentage of information systems that have conducted annual contingency plan testing

• Percentage of users with access to shared accounts

Page 15

SAMPLE METRICS (CONTINUED)

• Percentage of incidents reported within required time frame per applicable incident category

• Percentage of system components that undergo maintenance in accordance with formal maintenance schedules

• Percentage of media that passes sanitization procedures

• Percentage of physical security incidents allowing unauthorized entry into facilities containing information systems

Page 16

SAMPLE METRICS (CONTINUED)

• Percentage of employees who are authorized to access information systems only after they sign an acknowledgement that they have read and understood rules of behavior

• Percentage of individuals screened before being granted access to organizational information and information systems

• Percentage of vulnerabilities remediated within organization-specified time frames

Page 17

SAMPLE METRICS (CONTINUED)

• Percentage of system and service acquisition contracts that include security requirements and/or specifications

• Percentage of mobile devices that meet approved cryptographic policies

• Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated

Page 18

IMPLEMENTING METRICS

Page 19

EXAMPLE: A METRIC IN ACTION

Page 20

Do you REALLY have to use Excel?PRESENTING METRICS

Page 21

WHEN YOU GET BACK TO THE OFFICE ON MONDAY:

1. Are you ready?

2. Engage Stakeholders

3. Identify Your Metrics - Leverage CIS, NIST 800-55

4. Automate collection & reporting

5. Act on what you find

6. Make it look good!

7. Document the value

8. Re-evaluate periodically

Page 22

REFERENCES / CREDITS

CMMI: http://www.sei.cmu.edu/cmmi/

http://www.noticebored.com/html/metrics.html

Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics

NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf

http://www.geckoboard.com/

Page 23

THANK YOU!

Chris Mullinscmullins@alertlogic.com@chrisbmullins713.581.4332