Transcript of "Alex hutton metricon"

  1. only the wisest and stupidest of men never change - Confucius. Tuesday, August 10, 2010
  2. Cybertrust Security. Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework or: Data? WTH do we do now?! Alex Hutton, @alexhutton
  3. State of the Industry. Ranum: Pseudoscience. Hutton: Kuhn’s Protoscience:
     • somewhat random fact gathering (mainly of readily accessible data)
     • a “morass” of interesting, trivial, irrelevant observations
     • a variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering
  4. Diagram labels: Impact Landscape, Controls Landscape, risk, Asset Landscape, Threat Landscape, including capabilities (skills, resources, decision quality...)
  5. Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners - Jack Jones
  6. Verizon RISK Team: Operating Model. Framework = ∑ ∩ ∫√ Models Data - VERIS is our framework that provides context
  7. A Brief Overview of VERIS (the Verizon Enterprise Risk & Incident Sharing Framework)
  8. Verizon has shared data
  9. 2010 ~ 900 cases (900 million records)
  10. Verizon is sharing our framework
  11. Verizon Enterprise Risk & Incident Sharing (VERIS) Framework: it’s open*! (* kinda)
  12. What is the Verizon Incident Sharing (VERIS) Framework?
     - A means to create metrics from the incident narrative
     - how Verizon creates measurements for the DBIR
     - how *anyone* can create measurements from an incident
     - http://securityblog.verizonbusiness.com/wp-content/uploads/2010/03/VerIS_Framework_Beta_1.pdf
  13. What makes up the VERIS framework?
     - Demographics
     - Incident Classification
     - Event Modeling (a4)
     - Discovery & Mitigation
     - Impact Classification
     - Impact Modeling
  14. What VERIS Contains. The Incident Classification section employs Verizon’s A4 event model. A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:
     - Agent: Whose actions affected the asset
     - Action: What actions affected the asset
     - Asset: Which assets were affected
     - Attribute: How the asset was affected
     Incident as a chain of events: 1 > 2 > 3 > 4 > 5
  15. Diagram: incident narrative to incident metrics. Columns: demographics; incident classification (a4) as an event chain 1 > 2 > 3 > 4 > 5; discovery & mitigation; impact classification ($$$)
  16. Diagram: case studies to data set. Rows a through f, each with the same columns: demographics; incident classification (a4) as an event chain 1 > 2 > 3 > 4 > 5; discovery & mitigation; impact classification ($$$)
  17. VERIS Data Comes From...
     - External Sources
     - Internal Sources
     - DBIR + Secret Service is the start of the VERIS data set.
  18. Good Lord Of The Dance, Models and data sharing!
  19. Using VERIS (DBIR) Data (Verizon’s Internal Model)
     - Traditional GRC dictates “likelihood & impact”
     - VERIS Data can be used in “traditional” risk management
     - weights
     - distribution development
  20. Using VERIS (DBIR) Data (Verizon’s Internal Model)
  21. What VERIS Does: Data-driven decisions
  22. Friedrich Hayek invades my dreams to give me visions of a future approach or, “How Jose Cardenal's sweet afro could change the industry!”
  23. the synthesis of information creates a “one true risk statement” which over time becomes a multitude of probabilistic point statements. Diagram labels: Impact Landscape, Controls Landscape, risk, Asset Landscape, Threat Landscape
  24. from Mark Curphey’s SecurityBull$#!*
  28. These “risk” statements you’re making, I don’t think you’re doing it right. - (Chillin’ Friedrich Hayek)
  34. VERIS Software (shhhhhhh) - screenshots here -
  35. Using VERIS (DBIR) Data (data sharing)
     - VERIS data can provide comparative analytics
     - This would be extremely useful in a notional view of risk management
     - Incidents are evidence of (in)effectiveness
     - hey Richard, time framing VERIS events might help answer the “why 2 hours” question you get!
  36. multitude of probabilistic point statements... Diagram labels: Impact Landscape, Controls Landscape, risk, Asset Landscape, Threat Landscape
  37. the deconstruction of risk information to create a balanced scorecard? Diagram labels: Impact Landscape, Controls Landscape, Asset Landscape, risk, Threat Landscape
  38. a VERIS-data based scorecard with synthesis not based on probabilistic point statements, but on correlation to successes and failures (can/should be supplemented with other operational and business metrics). Diagram, with risk at the center of the Impact, Asset, Controls and Threat Landscapes:
     - Threats: Frequencies, Capabilities, Variety (Patterns of tactics)
     - Assets: Frequencies in incidents, vulnerability management capability & management metrics
     - Controls: capability & management metrics, incidents back to decision management
     - Impact: histories (internal, external)
  39. a VERIS-data based scorecard with synthesis not based on probabilistic point statements, but on correlation to successes and failures. Diagram labels: Impact Landscape, Asset Landscape, Controls Landscape, risk, Threat Landscape
     - Informative: (We know these traits are more indicative of “failures” or “successes” - esp. if we could ever build on Visible Ops for Security research)
     - Comparative: (“We rank well” or “We suck eggs”)
     - Business Relevant: (“Sucking eggs at these things leads to these sorts of compromise which leads to losses somewhere in this distribution.”)
  40. evidence based medicine, meet information security. What is evidence-based risk management? a deconstructed, notional view of risk
  41. Risk Modeling becomes Operationally Important
  42. Patterns are cool. - (Chillin’ Friedrich Hayek)
  43. Diagram: case studies to data set. Rows a through f, each with the columns: demographics; incident classification (a4) as an event chain 1 > 2 > 3 > 4 > 5; discovery & mitigation; impact classification ($$$)
  44. Diagram: data set to knowledge & wisdom. Same rows a through f and columns as the previous slide
  45. Diagram: threat information. Same rows a through f and columns, with individual events in the chains picked out
  46. Diagram: threat information - shared data. Same rows a through f and columns
  48. evidence-based risk management: data driven treatment.
  49. https://verisframework.wiki.zoho.com @alexhutton
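
The A4 event model from slide 14 and the "case studies to data set" step from slides 15 and 16, as an added example (not part of the original deck and not Verizon's VERIS software): incidents are encoded as ordered chains of A4 events, and simple frequency metrics are derived across the set. The class and function names and every sample incident value are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    agent: str      # whose actions affected the asset
    action: str     # what actions affected the asset
    asset: str      # which assets were affected
    attribute: str  # how the asset was affected


# Constructed sample data set: incident id -> ordered chain of A4 events.
INCIDENTS = {
    "a": [Event("external", "social", "user workstation", "integrity"),
          Event("external", "malware", "user workstation", "integrity"),
          Event("external", "hacking", "database server", "confidentiality")],
    "b": [Event("internal", "misuse", "database server", "confidentiality")],
    "c": [Event("external", "hacking", "web application", "integrity"),
          Event("external", "hacking", "database server", "confidentiality")],
    "d": [Event("internal", "error", "file server", "availability")],
}


def incident_share(incidents, field):
    """Fraction of incidents in which each value of `field` appears at least once."""
    counts = Counter()
    for chain in incidents.values():
        counts.update({getattr(e, field) for e in chain})  # once per incident
    return {value: n / len(incidents) for value, n in counts.items()}


def transitions(incidents):
    """Count action -> action steps between consecutive events in each chain."""
    steps = Counter()
    for chain in incidents.values():
        steps.update((a.action, b.action) for a, b in zip(chain, chain[1:]))
    return steps


def first_event_of(incidents, asset):
    """How incidents that touched `asset` began: (agent, action) of event 1."""
    return Counter((chain[0].agent, chain[0].action)
                   for chain in incidents.values()
                   if any(e.asset == asset for e in chain))


if __name__ == "__main__":
    print(incident_share(INCIDENTS, "action"))
    print(transitions(INCIDENTS))
    print(first_event_of(INCIDENTS, "database server"))
```

Counting each value once per incident keeps a long chain from dominating the frequencies, and the transition counts are the raw material for the "patterns of tactics" view on slide 38.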