
Page 1: Strategic Security Metrics for the Wall Street Journal

Pete Lindstrom, Principal, VP of Research
Spire Security, LLC

© 2013 Spire Security. All rights reserved.

Page 2: About Me

Pete Lindstrom, Principal, VP of Research

Over 20 years in InfoSec, IT, Finance

Director, ISSA

Independent analyst performing reading, writing, ‘rithmetic on risk and security matters

Former Marine (veteran), ‘Big Six’ IT Auditor (PwC), Internal Auditor (GMAC Mortgage), Security Architect & Manager (Wyeth)

BBA Finance, University of Notre Dame; reformed CISA and CISSP

I’m a Twit! @SpireSec

Page 3: WSJ: The Headlines and Stories

Page 4: What I learned from the WSJ

Nobody agrees on (financial) value!

Execs want to drive efficiency and effectiveness.

They do this by looking at how inputs affect outputs (e.g. “return on”).

Page 5: WSJ: The Financial Section

Page 6: Let’s Check on a Stock


Page 9: WSJ Financials Tell Me…

Business execs love numbers… when they matter!

Execs *can* learn as much as they want – if there is a reason.

Execs don’t all focus on the same numbers.

Execs love to compare.

Page 10: What I didn’t find

Patch coverage

Number of vulnerabilities

Policy violations

Number of users created

Page 11: What we need in Cybersecurity

Focus on cybersecurity issues related to the dreaded “am I secure?”

A normalized model at a high level (for execs) that can drill down into details (for you and yours).

A set of metrics that can be compared and contrasted and don’t (directly) drive operational decisions.

Page 12: A Strategic Technology Risk Framework

Page 13: A Strategic Risk Framework

(Diagram: the ENTERPRISE, with arrows labelled “to external”.)

Page 14: Our IT Environment Drives Value

(Diagram: the ENTERPRISE produces VALUE; arrows labelled “to external”; each element carries a cost.)

Page 15: Implicit Information Asset Value

(Chart comparing Cost with Minimum Value. Labels: Costs = IT OpEx + IT CapEx, i.e. accounting expenses (typical TCO); Enterprise value “?”; Economic value “?x”; annotations “At least this much”, “Maybe this much”, “But not this much”.)

Page 16: Connections: IT usage events

(Diagram: the framework with CONNECTIONS added: messages, connections, sessions, flows.)

Page 17: IT Connections (Events)

Network Layer: Flows
o Source IP, Dest IP, Dest Port
o Inbound and/or Outbound

Host Layer: Connections
o Sessions under management
o Number of logins

Application Layer: Sessions
o Authentication Events

Data Layer: Transactions
o Messages
o Business Activities (financial trades, purchase orders, published articles, etc.)
o Queries – Record Retrieval

Page 18: We apply controls to transactions

(Diagram: CONTROLS added to the framework alongside CONNECTIONS: messages, connections, sessions, flows.)

Page 19: The Four Disciplines

1. Threat Mgt: Monitoring activities and events
2. Identity Mgt: Managing users and other sources
3. Trust Mgt: Designing security policy and process
4. Vuln. Mgt: Hardening the systems

Page 20: Or functionally…

Identity Management
• Creating user accounts
• Modifying user accounts
• Disabling/deleting user accounts
• Authenticating users to resources
• Granting access to specific resources
• Restricting access to specific resources

Vulnerability Management
• Reviewing technology platforms for weaknesses (operating systems, COTS applications, custom applications)
• Remediating weaknesses (applying patches, rewriting code)
• Shielding weaknesses (limiting access to resources)

Threat Management
• Identifying attacks and compromises
• Blocking attacks and fixing compromises
• Responding to incidents
• Conducting forensic analyses

Trust Management
• Training users
• Testing users
• Defining policies and technical baselines
• Applying policies and technical baselines
• Audits and assessments

Page 21: An Outcome-based Approach

Test Positive / Desirable Event: False Positive – legitimate activity improperly identified
Test Positive / Undesirable Event: True Positive – illegitimate activity properly identified
Test Negative / Desirable Event: True Negative – legitimate activity properly identified
Test Negative / Undesirable Event: False Negative – illegitimate activity improperly identified
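The 2x2 above is a confusion matrix, and the practical difficulty in filling it is that a control only records its own decision (the Test row); the Desirable/Undesirable column comes from a later review. The Python below is an added example, not code from the Spire Security deck: it joins a constructed control log against a constructed set of review verdicts, presumes the control was right wherever review has not overruled it, and tallies the four cells. The log format, field names, connection ids and verdicts are all invented for this example.

```python
import re
from collections import Counter

OUTCOMES = ("true_positive", "false_positive", "true_negative", "false_negative")

# Constructed control log, one line per inline decision (format invented for this example).
CONTROL_LOG = """\
2013-04-01T09:00:01 conn=c-001 action=allow
2013-04-01T09:00:02 conn=c-002 action=allow
2013-04-01T09:00:03 conn=c-003 action=deny
2013-04-01T09:00:04 conn=c-004 action=deny
2013-04-01T09:00:05 conn=c-005 action=allow
2013-04-01T09:00:06 conn=c-006 action=allow
2013-04-01T09:00:07 conn=c-007 action=deny
2013-04-01T09:00:08 conn=c-008 action=allow
"""

# Constructed review verdicts: connection id -> True if the activity was legitimate (desirable).
# Only connections that were actually reviewed appear here.
REVIEW = {
    "c-003": False,  # attack, correctly denied
    "c-004": True,   # partner integration wrongly denied
    "c-005": False,  # intrusion that was allowed and surfaced later as an incident
    "c-007": False,  # attack, correctly denied
}

LINE_RE = re.compile(r"conn=(?P<conn>\S+)\s+action=(?P<action>allow|deny)\b")


def parse_decisions(log_text):
    """Yield (connection_id, test_positive); 'deny' means the control fired (test positive)."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("conn"), m.group("action") == "deny"


def classify(test_positive, legitimate):
    """Slide 21's cells: the test result crossed with whether the activity was desirable."""
    if test_positive:
        return "false_positive" if legitimate else "true_positive"
    return "true_negative" if legitimate else "false_negative"


def outcome_matrix(log_text, review):
    counts = Counter()
    for conn, test_positive in parse_decisions(log_text):
        # Presume the control was right until review says otherwise. This is why the
        # false-negative cell is only a lower bound: an allowed intrusion is counted
        # only once it has been discovered and adjudicated.
        legitimate = review.get(conn, not test_positive)
        counts[classify(test_positive, legitimate)] += 1
    return {k: counts.get(k, 0) for k in OUTCOMES}


def outcome_rates(matrix):
    tp, fp, tn, fn = (matrix[k] for k in OUTCOMES)

    def ratio(n, d):
        return n / d if d else 0.0

    return {
        # legitimate activity the control stopped, as a share of all legitimate activity
        "false_positive_rate": ratio(fp, fp + tn),
        # illegitimate activity the control stopped, as a share of all illegitimate activity
        "detection_rate": ratio(tp, tp + fn),
        # share of all decisions that were correct: good allowed plus bad denied over everything
        "accuracy": ratio(tp + tn, tp + fp + tn + fn),
    }


if __name__ == "__main__":
    matrix = outcome_matrix(CONTROL_LOG, REVIEW)
    print(matrix)
    print(outcome_rates(matrix))
```

The default verdict is the part to argue about in practice: without a review feed, every allow is a true negative and every deny a true positive, so the matrix reports a perfect control. Only adjudicated connections move cells, which is why the false-negative count should be reported as “confirmed so far” rather than as a rate.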

Page 22: Ineffective controls lead to incidents

(Diagram: INCIDENTS added to the framework below CONTROLS.)

Page 23: Define Attacks and Compromises

Rows are the property at risk (and what it applies to); columns are where the activity occurs: Inbound (In-Transit) | Stored (At-Rest) | Outbound (In-Transit). Column footers: Attacks, Compromises.

Confidentiality (Data/Information): Sniff | Copy (“steal”) | Leak
Integrity (Data/Information): Spoof, Replay, Insert | Modify | Redirect
Availability (Data): Overload | Delete | Overload
Productivity (Resources): Overload | Distract | Consume
Propriety (Resources): Relay/Bounce | Abuse (illegal) | Propagate

Page 24: Incidents result in loss

(Diagram: LOSS added to the framework below INCIDENTS.)

Page 25: (Chart) Source: 2011 Annual Study: Cost of a Data Breach, Ponemon Institute Report

Page 26: The Messy Version

(Diagram: the full framework: ENTERPRISE, VALUE, CONNECTIONS (messages, connections, sessions, flows), CONTROLS, INCIDENTS, LOSS, each with a cost.)

Page 27: This looks better…

(Diagram: the framework redrawn as a stack: VALUE, TRANSACTIONS, CONNECTIONS, CONTROLS, INCIDENTS, LOSS, with costs.)

Page 28: Tactical / Strategic Pyramid

Corporate Reports: money, ratios, index. Measures of broad matters such as quality compared to that of competitors; time required to launch new products.

Measures that help to establish departmental quality goals and to evaluate departmental performance against goals.

Technological units of measure for individual elements of product, process, service.

Moving “up the stack” without losing clarity is the challenge.

Source: How to Measure Performance, U.S. DoE

Page 29: (Diagram, labels only: ENTERPRISE, VALUE, CONNECTIONS (messages, connections, sessions, flows), CONTROLS, INCIDENTS, LOSS, cost, “to external”.)

Page 30: Top Ten Strategic Metrics

1. Connection Value - (Total Value of IT and Information Assets $ / Total Transactions)
2. Connection Cost - (Total Cost of IT and Information Assets $ / Total Transactions)
3. Controls per Connection - (Total Number of Inline Control Events / Total Transactions)
4. Cost per Control (CPC) - (Total Cost of Control $ / Total Number of Inline Control Events)
5. Security to Value Ratio (STV) - (Total Security Costs $ / Total Value of IT and Information Assets $)
6. Loss to Value Ratio (LTV) - (Total Losses $ / Total Value of IT and Information Assets $)
7. Control Effectiveness Ratio (CE) - ((Good Allowed Control Events + Bad Denied Control Events) / Total Number of Inline Control Events)
8. Incidents per Million (IPM); Incidents per Billion (IPB) - ((Total Number of Incidents / Total Transactions) x One Million or Billion)
9. Incident Prevention Rate (IPR) - (1 – (Total Incidents / (Good Denied + Total Incidents)))
10. Risk Aversion Ratio (RAR) - (Good Denied / Total Incidents)

Page 31: Strategic Security Dream

“Last month, our IT and information assets generated $20 million in revenue in support of 15,000 people using 350 applications. To accomplish this feat, over 32 million connections were attempted across our systems and we applied specific control measures an average of 2.4 times per connection to ensure the completeness and accuracy of our transactions. As a result, over 4 million connections were blocked instantly for not meeting our basic requirements (with 99.75% success rate) and we identified 1700 suspect connections that required further analysis. We ultimately determined that 5 of those 1700 were attempted intrusions which we subsequently acted upon according to established procedures. There were no losses associated with the incidents.”

Page 32: Strategic Security Dream

“Last month’s activity has brought to light some opportunities for improvement. We revisited our policies associated with the 4 million blocked connections and determined that approximately 10,000 (.25%) should have been allowed, and we made a configuration change to address the issue. In addition, the policy associated with the 1695 initially suspected connections was evaluated and changes to our security posture were made that should reduce these ‘false positives’ by 50%. To address the 5 incidents, we have instituted remedial training for the individuals involved and instrumented the affected systems with new means for intrusion detection.”
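The ten ratios on Page 30 and the two “Strategic Security Dream” paragraphs draw on the same handful of aggregates, so the Python below (an added example, not code from the deck or from Spire Security) computes all ten from one period’s counts and runs them against the Dream numbers: 32 million connections, 2.4 control events per connection, 4 million denials of which 10,000 (0.25%) were legitimate, 5 incidents, no losses, and the $20 million of revenue used as the asset-value figure. The deck gives no IT or security cost for that month, so those two dollar figures are constructed. “Good Denied” is read, following the Good/Bad naming in metric 7, as legitimate connections that were denied; the deck does not spell that out, so treat it as this example’s assumption, as is treating each confirmed incident as one bad-allowed control event.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PeriodCounts:
    """Aggregates for one reporting period. Dollar fields are in $, the rest are counts."""
    asset_value: float        # Total Value of IT and Information Assets $
    it_cost: float            # Total Cost of IT and Information Assets $
    security_cost: float      # Total Security Costs $ (also used here as Total Cost of Control $)
    transactions: int         # Total Transactions (connections attempted)
    control_events: int       # Total Number of Inline Control Events
    bad_denied: int           # illegitimate connections denied by inline controls
    good_denied: int          # legitimate connections denied (the deck's "Good Denied", as read here)
    incidents: int            # Total Incidents: illegitimate connections that got through
    losses: float             # Total Losses $

    @property
    def good_allowed(self):
        # Assumption of this example: every control event not accounted for by a denial
        # or by a confirmed incident was a legitimate connection correctly allowed.
        return self.control_events - self.bad_denied - self.good_denied - self.incidents


def _ratio(numerator, denominator):
    """Division that returns 0.0 for an empty denominator instead of raising."""
    return numerator / denominator if denominator else 0.0


def strategic_metrics(p):
    """The ten strategic metrics from Page 30, keyed by short names."""
    incidents_per_txn = _ratio(p.incidents, p.transactions)
    return {
        "connection_value": _ratio(p.asset_value, p.transactions),
        "connection_cost": _ratio(p.it_cost, p.transactions),
        "controls_per_connection": _ratio(p.control_events, p.transactions),
        "cost_per_control": _ratio(p.security_cost, p.control_events),
        "security_to_value": _ratio(p.security_cost, p.asset_value),
        "loss_to_value": _ratio(p.losses, p.asset_value),
        "control_effectiveness": _ratio(p.good_allowed + p.bad_denied, p.control_events),
        "incidents_per_million": incidents_per_txn * 1_000_000,
        "incidents_per_billion": incidents_per_txn * 1_000_000_000,
        "incident_prevention_rate": 1.0 - _ratio(p.incidents, p.good_denied + p.incidents),
        "risk_aversion_ratio": _ratio(p.good_denied, p.incidents),
    }


# The "Strategic Security Dream" month. Asset value is the $20M of revenue the deck cites;
# it_cost and security_cost are constructed because the deck gives no figures for them.
DREAM = PeriodCounts(
    asset_value=20_000_000,
    it_cost=8_000_000,               # constructed
    security_cost=1_920_000,         # constructed
    transactions=32_000_000,
    control_events=76_800_000,       # 2.4 control events per connection
    bad_denied=4_000_000 - 10_000,   # 99.75% of the 4M blocks were correct
    good_denied=10_000,              # the 0.25% that should have been allowed
    incidents=5,
    losses=0,
)


if __name__ == "__main__":
    for name, value in strategic_metrics(DREAM).items():
        print(f"{name:26s} {value:,.6f}")
```

On the Dream inputs the operational numbers collapse to the kind of figures the deck wants on a corporate report: 0.16 incidents per million transactions, a control effectiveness ratio a hair under 1.0 (10,005 wrong decisions out of 76.8 million), and a risk aversion ratio of 2,000 legitimate connections denied per incident. The last two move in opposite directions when the Page 32 configuration change lands, which is the trade-off the Risk Aversion Ratio is there to expose.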


Page 34: Cybersecurity Posture

• Connection Value
• Connection Cost
• Controls per Connection
• Cost per Control
• Security to Value Ratio
• Loss to Value Ratio
• Control Effectiveness Ratio
• Incidents per Million
• Incident Prevention Rate
• Risk Aversion Ratio

Page 35: Your feedback is essential!

Pete Lindstrom
[email protected]
Blog: spiresecurity.com
I’m a Twit! @SpireSec