Evidence-Based Risk Management

Wade Baker from the Verizon RISK Team gave this presentation at the NESCO Town Hall on May 30-31 in New Orleans, LA. Wade discussed various aspects of sharing incident information and threat agents, along with a clear explanation of what evidence-based risk management is and what it looks like.

Transcript

  • 1. Evidence-Based Risk Management. Wade Baker, Verizon RISK Team
  • 2. My favorite (professional) topics
      • Security incidents (as in studying them, not experiencing them)
      • Information sharing (specifically incident-related info)
      • Data analysis (how else will we learn?)
      • Risk management (but not the ‘yellow x red = orange’ kind)
  • 3. Data Breach Investigations Report (DBIR) series An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.
  • 4. 2012 DBIR Contributors
  • 5. Methodology: Data Collection and Analysis
      • DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
      • Enables case data to be shared anonymously with the RISK Team for analysis.
      VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
      VERIS: https://verisframework.wiki.zoho.com/
  • 6. Sharing incident information
      Tactical: What point solutions should I implement now? ✔*
      Strategic: How do I measure & manage risk over time? X
  • 7. Unpacking the 2012 DBIR: an overview of our results and analysis
  • 8. Sample characteristics
      • 855 incidents of confirmed data compromise
      • 174 million stolen data records
      • All varieties of data included (CC#s, PII, IP, etc.)
      • Victims of all industries, sizes, geographic regions
      • Cases worked by Verizon, investigated by law enforcement, or reported to (Irish) CERT
  • 9. Threat Agents
  • 10. Threat Agents: Larger Orgs
  • 11. Threat Agents: IP & classified data
      External 92%, Internal 49%, Partner 2%
  • 12. Threat Agents: External
  • 13. Threat Actions
  • 14. Threat Actions: Larger Orgs
  • 15. Threat Actions: IP & classified data
      Malware 38%, Hacking 51%, Social 48%, Misuse 57%, Physical 0%, Error 2%, Environmental 0%
  • 16. Top Threat Actions
  • 17. Top Threat Actions: Larger Orgs
  • 18. Top Threat Action Types: IP & classified data
  • 19. Most Compromised Assets
  • 20. Asset Ownership, Hosting, and Management
  • 21. Compromised Data
  • 22. Compromised Data Smaller Orgs
  • 23. Attack Difficulty
  • 24. Attack Targeting
  • 25. The 3-Day Workweek
  • 26. Timespan of events
  • 27. Timespan of events: Larger Orgs
  • 28. Timespan: IP & classified data
      Phase          Minutes  Hours  Days  Weeks  Months  Years
      POE to Comp    10%      65%    10%   10%    3%      3%
      Comp to Disc   0%       18%    21%   13%    7%      41%
      Disc to Cont   0%       0%     16%   13%    71%     0%
  • 29. Breach Discovery
  • 30. Breach Discovery
  • 31. Recommendations: Larger Orgs
  • 32. Evidence-Based Risk Management: What is it, and what does it look like?
  • 33. What is EBRM? EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk.
  • 34. Measuring and managing information risk
      To properly manage risk, we must measure it. To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.
  • 35. A threat event that is measurable (and thus manageable) identifies the following 4 A's:
      Agent: Whose actions affected the asset
      Action: What actions affected the asset
      Asset: Which assets were affected
      Attribute: How the asset was affected
  • 36. evidence?
  • 37. Data Breach Investigations Report (DBIR) series = evidence for measuring and managing risk
  • 38. Diagnose Ailments
  • 39. ✔ Policy ✔ People ✔ Process ✔ Technology ✔ Treatment strategy
  • 40. Evidence-Based Risk Management
  • 41. What are the benefits of EBRM?
      • Metrics: builds outcome-based metrics around security processes and failures in order to get a better read on the security pulse of the organization.
      • Remediation: strengthens security posture by identifying gaps, pinpointing the most critical remediation strategies, and focusing longer-term strategic planning.
      • Efficiency: enables better and more justified decision-making, improves resource allocation, reduces unproductive security spending, and generally achieves “more bang for the buck.”
      • Communication: increases information flows across organizational and functional boundaries. Creates and communicates ongoing performance measures to key stakeholders.
  • 42. DBIR: www.verizon.com/enterprise/databreach
      VERIS: https://verisframework.wiki.zoho.com/
      Blog: http://www.verizon.com/enterprise/securityblog
      Email: dbir@verizon.com
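The 4 A's on slide 35 are what make the percentages on slides 11, 15 and 28 computable, and the thing most easily misread in those slides is that the columns do not sum to 100%: an incident with two agents (say External and Internal) is counted under both. The following is an added example, not code from the slides or from the VERIS project; the `Incident` fields, the phase names (`poe_to_comp`, `comp_to_disc`, `disc_to_cont`) and the five sample incidents are constructed for illustration, not real case data.

```python
"""Added example: a minimal VERIS-style incident record built on the 4 A's
(Agent, Action, Asset, Attribute) plus the timespan phases from slide 28, and
the aggregation that yields "share of incidents" percentages like the DBIR's.
Field and phase names are assumptions made for this example, not VERIS schema."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field

# Timespan buckets exactly as laid out across the top of slide 28.
TIMESPAN_BUCKETS = ("Minutes", "Hours", "Days", "Weeks", "Months", "Years")


@dataclass
class Incident:
    agents: set        # who: e.g. {"External"} or {"External", "Internal"}
    actions: set       # what: e.g. {"Hacking", "Malware"}
    assets: set        # which assets were affected
    attributes: set    # how: e.g. {"Confidentiality"}
    # phase -> bucket, e.g. {"poe_to_comp": "Hours"} (phase names are assumed)
    timespans: dict = field(default_factory=dict)


def share_of_incidents(incidents: list[Incident], attr: str) -> dict[str, int]:
    """Percent of incidents in which each value of `attr` appears.

    An incident is counted once per distinct value, so a multi-agent or
    multi-action incident contributes to several columns and the column
    totals can exceed 100% (as 92% + 49% + 2% does on slide 11)."""
    counts: Counter = Counter()
    for inc in incidents:
        for value in getattr(inc, attr):
            counts[value] += 1
    n = len(incidents)
    return {value: round(100 * c / n) for value, c in counts.items()}


def timespan_distribution(incidents: list[Incident], phase: str) -> dict[str, int]:
    """One row of the slide-28 table: percent of incidents (that recorded this
    phase) falling into each bucket. Unlike share_of_incidents, every incident
    lands in exactly one bucket, so a row sums to roughly 100%."""
    counts = Counter(inc.timespans[phase] for inc in incidents if phase in inc.timespans)
    n = sum(counts.values())
    return {b: (round(100 * counts[b] / n) if n else 0) for b in TIMESPAN_BUCKETS}


def timespan_table(incidents: list[Incident], phases: tuple) -> dict[str, dict[str, int]]:
    """Whole slide-28-style table, keyed by phase."""
    return {phase: timespan_distribution(incidents, phase) for phase in phases}


# Constructed sample of five incidents (not real case data).
SAMPLE = [
    Incident({"External"}, {"Hacking", "Malware"}, {"Server"}, {"Confidentiality"},
             {"poe_to_comp": "Hours", "comp_to_disc": "Months", "disc_to_cont": "Weeks"}),
    Incident({"External", "Internal"}, {"Social", "Misuse"}, {"User device"}, {"Confidentiality"},
             {"poe_to_comp": "Minutes", "comp_to_disc": "Years", "disc_to_cont": "Months"}),
    Incident({"Internal"}, {"Misuse"}, {"Database"}, {"Confidentiality", "Integrity"},
             {"poe_to_comp": "Hours", "comp_to_disc": "Months", "disc_to_cont": "Days"}),
    Incident({"External"}, {"Hacking"}, {"Server"}, {"Confidentiality"},
             {"poe_to_comp": "Hours", "comp_to_disc": "Weeks", "disc_to_cont": "Weeks"}),
    Incident({"External", "Partner"}, {"Hacking", "Malware"}, {"POS"}, {"Confidentiality"},
             {"poe_to_comp": "Days", "comp_to_disc": "Months", "disc_to_cont": "Months"}),
]

PHASES = ("poe_to_comp", "comp_to_disc", "disc_to_cont")

if __name__ == "__main__":
    print("Threat agents:", share_of_incidents(SAMPLE, "agents"))
    print("Threat actions:", share_of_incidents(SAMPLE, "actions"))
    for phase, row in timespan_table(SAMPLE, PHASES).items():
        print(f"{phase:13s}", "  ".join(f"{b}={p}%" for b, p in row.items()))
```

The agent breakdown for the sample comes out at External 80%, Internal 40%, Partner 20%, a total of 140%, which is the same effect as slide 11's 92/49/2 split: the right reading is "External agents were involved in 92% of incidents", not "92% of the agent population was external". The timespan rows, by contrast, partition the incidents, which is why each row on slide 28 sums to about 100%.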
