Evidence-Based Risk Management


Wade Baker of the Verizon RISK Team gave this presentation at the NESCO Town Hall on May 30-31 in New Orleans, LA. Wade discussed sharing incident information and threat agents, and gave a clear explanation of what evidence-based risk management is and what it looks like in practice.


  1. Evidence-Based Risk Management. Wade Baker, Verizon RISK Team
  2. My favorite (professional) topics
     • Security incidents (as in studying them – not experiencing them)
     • Information sharing (specifically incident-related info)
     • Data analysis (how else will we learn?)
     • Risk management (but not the ‘yellow x red = orange’ kind)
  3. Data Breach Investigations Report (DBIR) series: an ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.
  4. 2012 DBIR Contributors
  5. Methodology: Data Collection and Analysis
     • DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
     • Enables case data to be shared anonymously with the RISK Team for analysis.
     VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
     VERIS: https://verisframework.wiki.zoho.com/
  6. Sharing incident information
     TACTICAL: What point solutions should I implement now? ✔*
     STRATEGIC: How do I measure & manage risk over time? X
  7. Unpacking the 2012 DBIR: an overview of our results and analysis
  8. Sample characteristics
     • 855 incidents of confirmed data compromise
     • 174 million stolen data records
     • All varieties of data included (CC#s, PII, IP, etc.)
     • Victims of all industries, sizes, geographic regions
     • Cases worked by Verizon, investigated by law enforcement, or reported to (Irish) CERT
  9. Threat Agents
  10. Threat Agents: Larger Orgs
  11. Threat Agents: IP & classified data
      External 92%   Internal 49%   Partner 2%
  12. Threat Agents: External
  13. Threat Actions
  14. Threat Actions: Larger Orgs
  15. Threat Actions: IP & classified data
      Malware 38%   Hacking 51%   Social 48%   Misuse 57%   Physical 0%   Error 2%   Environmental 0%
  16. Top Threat Actions
  17. Top Threat Actions: Larger Orgs
  18. Top Threat Action Types: IP & classified data
  19. Most Compromised Assets
  20. Asset Ownership, Hosting, and Management
  21. Compromised Data
  22. Compromised Data: Smaller Orgs
  23. Attack Difficulty
  24. Attack Targeting
  25. The 3-Day Workweek
  26. Timespan of events
  27. Timespan of events: Larger Orgs
  28. Timespan: IP & classified data
                     Minutes   Hours   Days   Weeks   Months   Years
      POE to Comp      10%      65%    10%    10%      3%      3%
      Comp to Disc      0%      18%    21%    13%      7%     41%
      Disc to Cont      0%       0%    16%    13%     71%      0%
  29. Breach Discovery
  30. Breach Discovery
  31. Recommendations: Larger Orgs
  32. Evidence-Based Risk Management: What is it, and what does it look like?
  33. What is EBRM? EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk.
  34. Measuring and managing information risk
      To properly manage risk, we must measure it. To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.
  35. A threat event that is measurable (and thus manageable) identifies the following 4 A's:
      Agent: whose actions affected the asset
      Action: what actions affected the asset
      Asset: which assets were affected
      Attribute: how the asset was affected
  36. Evidence?
  37. Data Breach Investigations Report (DBIR) series = evidence for measuring and managing risk
  38. Diagnose Ailments
  39. Treatment strategy: ✔ Policy   ✔ People   ✔ Process   ✔ Technology
  40. Evidence-Based Risk Management
  41. What are the benefits of EBRM?
      • Metrics – Builds outcome-based metrics around security processes and failures in order to get a better read on the security pulse of the organization.
      • Remediation – Strengthen security posture by identifying gaps, pinpointing the most critical remediation strategies, and focusing longer-term strategic planning.
      • Efficiency – Enable better and more justified decision-making, improve resource allocation, reduce unproductive security spending, and generally achieve “more bang for the buck.”
      • Communication – Increase information flows across organizational and functional boundaries. Create and communicate ongoing performance measures to key stakeholders.
  42. DBIR: www.verizon.com/enterprise/databreach
      VERIS: https://verisframework.wiki.zoho.com/
      Blog: http://www.verizon.com/enterprise/securityblog
      Email: dbir@verizon.com
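The slides on the 4 A's (slide 35), the threat-agent percentages (slide 11) and the timespan table (slide 28) describe a structured incident record and the aggregates built from many such records. The following Python is an added example, not VERIS or Verizon code: it models one incident with the 4 A's plus a timeline, then computes the two kinds of aggregate the deck shows. The field names, the six timespan buckets and the cut-offs between them, and the four sample incidents are all constructed for illustration. Note that the 4A fields are multi-valued (one incident can involve both an external and an internal agent), which is why agent percentages on the slide add up to more than 100%.

```python
"""VERIS-style 4A incident records and DBIR-style aggregates (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Timespan buckets as on the "Timespan of events" slide, shortest to longest.
# The boundaries (1 hour, 1 day, 7 days, 30 days, 365 days) are an assumption.
BUCKETS = ["Minutes", "Hours", "Days", "Weeks", "Months", "Years"]


@dataclass
class Incident:
    """One threat event described by the 4 A's plus its timeline."""
    agents: set        # who: e.g. {"External", "Internal", "Partner"}
    actions: set       # what: e.g. {"Hacking", "Malware", "Social", "Misuse"}
    assets: set        # which: e.g. {"Server", "User device", "Person"}
    attributes: set    # how: e.g. {"Confidentiality", "Integrity", "Availability"}
    point_of_entry: datetime
    compromise: datetime
    discovery: datetime
    containment: datetime


def bucket(delta: timedelta) -> str:
    """Map an elapsed time onto the six coarse buckets."""
    s = delta.total_seconds()
    if s < 3600:
        return "Minutes"
    if s < 86400:
        return "Hours"
    if s < 7 * 86400:
        return "Days"
    if s < 30 * 86400:
        return "Weeks"
    if s < 365 * 86400:
        return "Months"
    return "Years"


def prevalence(incidents, field_name: str) -> dict:
    """Percent of incidents in which each value of a 4A field appears.

    Fields are sets, so an incident counts once per distinct value and the
    percentages across values need not sum to 100.
    """
    counts = Counter()
    for inc in incidents:
        counts.update(getattr(inc, field_name))
    n = len(incidents)
    return {value: round(100 * c / n) for value, c in counts.items()}


def timespan_table(incidents) -> dict:
    """Percent of incidents falling in each bucket, per timeline phase."""
    phases = {
        "POE to Comp": ("point_of_entry", "compromise"),
        "Comp to Disc": ("compromise", "discovery"),
        "Disc to Cont": ("discovery", "containment"),
    }
    n = len(incidents)
    table = {}
    for name, (start, end) in phases.items():
        counts = Counter(bucket(getattr(i, end) - getattr(i, start)) for i in incidents)
        table[name] = {b: round(100 * counts[b] / n) for b in BUCKETS}
    return table


# Constructed sample incidents (not real case data).
T0 = datetime(2012, 1, 1)
SAMPLE = [
    Incident({"External"}, {"Hacking", "Malware"}, {"Server"}, {"Confidentiality"},
             T0, T0 + timedelta(hours=2), T0 + timedelta(days=200), T0 + timedelta(days=230)),
    Incident({"External", "Internal"}, {"Social", "Misuse"}, {"Person", "Server"},
             {"Confidentiality"},
             T0, T0 + timedelta(minutes=20), T0 + timedelta(days=3), T0 + timedelta(days=40)),
    Incident({"Internal"}, {"Misuse"}, {"User device"}, {"Confidentiality", "Integrity"},
             T0, T0 + timedelta(hours=5), T0 + timedelta(days=400), T0 + timedelta(days=460)),
    Incident({"Partner"}, {"Hacking"}, {"Server"}, {"Confidentiality"},
             T0, T0 + timedelta(days=2), T0 + timedelta(days=10), T0 + timedelta(days=11)),
]

if __name__ == "__main__":
    print("Threat agents:", prevalence(SAMPLE, "agents"))
    print("Threat actions:", prevalence(SAMPLE, "actions"))
    for phase, row in timespan_table(SAMPLE).items():
        print(phase, row)
```

Run on the constructed sample, the agent breakdown is External 50%, Internal 50%, Partner 25% (125% in total, the same overlap effect as the 92% / 49% / 2% on slide 11), and the "Comp to Disc" row spreads across Days, Weeks, Months and Years while "Disc to Cont" concentrates in Months, mirroring the long-discovery, slow-containment pattern of slide 28.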