Strategic Security Metrics for the Wall Street Journal
Pete Lindstrom, Principal, VP of Research
Spire Security, LLC
© 2013 Spire Security. All rights reserved.
About Me
Pete Lindstrom, Principal, VP of Research
Over 20 years in InfoSec, IT, Finance
Director, ISSA
Independent analyst performing reading, writing, ‘rithmetic on risk and security matters
Former Marine (veteran), ‘Big Six’ IT Auditor (PwC), Internal Auditor (GMAC Mortgage), Security Architect & Manager (Wyeth)
BBA Finance, University of Notre Dame; reformed CISA and CISSP
I’m a Twit! @SpireSec
WSJ: The Headlines and Stories
What I learned from the WSJ
Nobody agrees on (financial) value!
Execs want to drive efficiency and effectiveness.
They do this by looking at how inputs affect outputs (e.g. “return on”).
WSJ: The Financial Section
Let’s Check on a Stock
WSJ Financials Tell Me…
Business execs love numbers… when they matter!
Execs *can* learn as much as they want – if there is a reason.
Execs don’t all focus on the same numbers.
Execs love to compare.
What I didn’t find
Patch coverage
Number of vulnerabilities
Policy violations
Number of users created
What we need in Cybersecurity
Focus on cybersecurity issues related to the dreaded “am I secure?”
A normalized model at a high level (for execs) that can drill down into details (for you and yours).
A set of metrics that can be compared and contrasted and don’t (directly) drive operational decisions.
A Strategic Technology Risk Framework
A Strategic Risk Framework (diagram: ENTERPRISE, with connections to external parties)
Our IT Environment Drives Value (diagram: ENTERPRISE producing VALUE at a cost, with connections to external parties)
Implicit Information Asset Value (diagram: Cost – IT OpEx and IT CapEx, i.e. accounting expenses (typical TCO), “at least this much”; Minimum Value – Enterprise (?) and Economic (?x), “maybe this much” / “but not this much”)
Connections: IT usage events (diagram: ENTERPRISE, VALUE, cost; CONNECTIONS – messages, connections, sessions, flows; to external)
IT Connections (Events)
Network Layer: Flows
o Source IP, Dest IP, Dest Port
o Inbound and/or Outbound
Host Layer: Connections
o Sessions under management
o Number of logins
Application Layer: Sessions
o Authentication Events
Data Layer: Transactions
o Messages
o Business Activities (financial trades, purchase orders, published articles, etc.)
o Queries – Record Retrieval
We apply controls to transactions (diagram: ENTERPRISE, VALUE, cost; CONNECTIONS – messages, connections, sessions, flows; CONTROLS; to external)
The Four Disciplines
1. Threat Mgt: Monitoring activities and events
2. Identity Mgt: Managing users and other sources
3. Trust Mgt: Designing security policy and process
4. Vuln. Mgt: Hardening the systems
Or functionally…
Identity Management
• Creating user accounts
• Modifying user accounts
• Disabling/deleting user accounts
• Authenticating users to resources
• Granting access to specific resources
• Restricting access to specific resources
Vulnerability Management
• Reviewing technology platforms for weaknesses (operating systems, COTS applications, custom applications)
• Remediating weaknesses (applying patches, rewriting code)
• Shielding weaknesses (limiting access to resources)
Threat Management
• Identifying attacks and compromises
• Blocking attacks and fixing compromises
• Responding to incidents
• Conducting forensic analyses
Trust Management
• Training users
• Testing users
• Defining policies and technical baselines
• Applying policies and technical baselines
• Audits and assessments
An Outcome-based Approach
Test Positive, Desirable Event: False Positive – legitimate activity improperly identified
Test Positive, Undesirable Event: True Positive – illegitimate activity properly identified
Test Negative, Desirable Event: True Negative – legitimate activity properly identified
Test Negative, Undesirable Event: False Negative – illegitimate activity improperly identified
Ineffective controls lead to incidents (diagram: ENTERPRISE, VALUE, cost; CONNECTIONS – messages, connections, sessions, flows; CONTROLS; INCIDENTS; to external)
Define Attacks and Compromises
(table: columns Inbound (In-Transit) | Stored (At-Rest) | Outbound (In-Transit); rows grouped by Data/Information and Resources; attacks on the left, compromises on the right)
Data/Information – Confidentiality: Sniff | Copy (“steal”) | Leak
Data/Information – Integrity: Spoof, Replay, Insert | Modify | Redirect
Data/Information – Availability: Overload | Delete | Overload
Resources – Productivity: Overload | Distract | Consume
Resources – Propriety: Relay/Bounce | Abuse (illegal) | Propagate
Incidents result in loss (diagram: ENTERPRISE, VALUE, cost; CONNECTIONS – messages, connections, sessions, flows; CONTROLS; INCIDENTS; LOSS; to external)
Source: 2011 Annual Study: Cost of a Data Breach, Ponemon Institute Report
The Messy Version (diagram: ENTERPRISE, VALUE, cost; CONNECTIONS – messages, connections, sessions, flows; CONTROLS; INCIDENTS; LOSS; to external)
This looks better… (diagram: ENTERPRISE, VALUE, cost; TRANSACTIONS – messages, connections, sessions, flows; CONNECTIONS; CONTROLS; INCIDENTS; LOSS; to external)
Tactical / Strategic Pyramid
Corporate Reports: Money, ratios, index
Measures of broad matters such as quality compared to that of competitors; time required to launch new products
Measures that help to establish departmental quality goals and to evaluate departmental performance against goals.
Technological units of measure for individual elements of product, process, service
Moving “up the stack” without losing clarity is the challenge
Source: How to Measure Performance, U.S. DoE
(diagram: the strategic risk framework repeated – ENTERPRISE, VALUE, cost; CONNECTIONS – messages, connections, sessions, flows; CONTROLS; INCIDENTS; LOSS; to external)
Top Ten Strategic Metrics
1. Connection Value - (Total Value of IT and Information Assets $ / Total Transactions)
2. Connection Cost - (Total Cost of IT and Information Assets $ / Total Transactions)
3. Controls per Connection - (Total Number of Inline Control Events / Total Transactions)
4. Cost per Control (CPC) - (Total Cost of Control $ / Total Number of Inline Control Events)
5. Security to Value Ratio (STV) - (Total Security Costs $ / Total Value of IT and Information Assets $)
6. Loss to Value Ratio (LTV) - (Total Losses $ / Total Value of IT and Information Assets $)
7. Control Effectiveness Ratio (CE) - ((Good Allowed Control Events + Bad Denied Control Events) / Total Number of Inline Control Events)
8. Incidents per Million (IPM); Incidents per Billion (IPB) - ((Total Number of Incidents / Total Transactions) x One Million or Billion)
9. Incident Prevention Rate (IPR) - (1 – (Total Incidents / (Good Denied + Total Incidents)))
10. Risk Aversion Ratio (RAR) - (Good Denied / Total Incidents)
Strategic Security Dream
“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. As a result, over 4 million connections were blocked instantly for not meeting our basic requirements (with 99.75% success rate) and we identified 1700 suspect connections that required further analysis. We ultimately determined that 5 of those 1700 were attempted intrusions which we subsequently acted upon according to established procedures. There were no losses associated with the incidents.”
Strategic Security Dream
“Last month’s activity has brought to light some opportunities for improvement. We revisited our policies associated with the 4 million blocked connections and determined that approximately 10,000 (.25%) should have been allowed and we made a configuration change to address the issue. In addition, the policy associated with the 1695 initially suspected connections was evaluated and changes to our security posture were made that should reduce these ‘false positives’ by 50%. To address the 5 incidents, we have instituted remedial training for the individuals involved and instrumented the affected systems with new means for intrusion detection.”
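As an added worked example (not from the deck), the ten strategic metrics, fed by the control-outcome counts of the outcome-based table, computed from the figures in the two “Strategic Security Dream” statements. The three dollar amounts the deck never states (asset cost, security cost, control cost) are constructed, and the deck’s undefined “Good Denied” term is read here as legitimate activity that was denied, in line with the “Good Allowed” wording of metric 7.

```python
from dataclasses import dataclass


@dataclass
class PeriodInputs:
    """One reporting period's inputs, named after the terms in the deck's ten formulas."""
    asset_value: float    # Total Value of IT and Information Assets ($)
    asset_cost: float     # Total Cost of IT and Information Assets ($)
    security_cost: float  # Total Security Costs ($)
    control_cost: float   # Total Cost of Control ($)
    losses: float         # Total Losses ($)
    transactions: int     # Total Transactions (connections)
    control_events: int   # Total Number of Inline Control Events
    good_allowed: int     # legitimate activity allowed by a control
    bad_denied: int       # illegitimate activity denied by a control
    good_denied: int      # legitimate activity denied by a control (a 'false positive')
    incidents: int        # Total Incidents


def strategic_metrics(p: PeriodInputs) -> dict:
    """Compute the ten metrics as the deck defines them (metric 8 per million and per billion)."""
    t, ce, inc = p.transactions, p.control_events, p.incidents
    return {
        "connection_value": p.asset_value / t,
        "connection_cost": p.asset_cost / t,
        "controls_per_connection": ce / t,
        "cost_per_control": p.control_cost / ce,
        "security_to_value": p.security_cost / p.asset_value,
        "loss_to_value": p.losses / p.asset_value,
        "control_effectiveness": (p.good_allowed + p.bad_denied) / ce,
        "incidents_per_million": inc / t * 1_000_000,
        "incidents_per_billion": inc / t * 1_000_000_000,
        "incident_prevention_rate": 1 - inc / (p.good_denied + inc),
        "risk_aversion_ratio": p.good_denied / inc if inc else float("inf"),  # no incidents: unbounded
    }


# Constructed from the "Strategic Security Dream" figures. The three dollar
# amounts the deck never states (asset, security and control cost) are invented.
DREAM = PeriodInputs(
    asset_value=20_000_000,   # the $20M revenue, used as the value figure (assumption)
    asset_cost=6_000_000,     # constructed
    security_cost=1_500_000,  # constructed
    control_cost=1_000_000,   # constructed
    losses=0,                 # "no losses associated with the incidents"
    transactions=32_000_000,  # connections attempted
    control_events=76_800_000,  # 32M connections x 2.4 control measures each
    good_allowed=76_800_000 - 4_000_005,  # assumption: every event other than the 4M blocks and 5 missed intrusions
    bad_denied=3_990_000,     # 4M blocked at a 99.75% success rate
    good_denied=10_000,       # the 0.25% of blocks that should have been allowed
    incidents=5,              # the 5 attempted intrusions
)
```

With these inputs the dream period scores about 0.16 incidents per million connections, a control-effectiveness ratio just under 1.0, and a risk-aversion ratio of 2,000 legitimate connections blocked per incident.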
Cybersecurity Posture
• Connection Value
• Connection Cost
• Controls per Connection
• Cost per Control
• Security to Value Ratio
• Loss to Value Ratio
• Control Effectiveness Ratio
• Incidents per Million
• Incident Prevention Rate
• Risk Aversion Ratio
Your feedback is essential!
Pete Lindstrom
Blog: spiresecurity.com
I’m a Twit! @SpireSec