Old Presentation on Security Metrics 2005


This is my old presentation on Security Metrics 2005

Published in: Business, Technology

    1. Metrics: Optimizing Security Operations Performance
         • Dr Anton Chuvakin
         • Chief Security Strategist
         • November 2005
    2. WARNING!
         • This is an old presentation; I am publishing it in the hopes that it will be useful for somebody.
         • I do not necessarily share all the views I held back in 2005!
         • And I ramble less now
    3. Agenda
         • Catalysts for security performance metrics
         • Why security metrics are essential
         • Types of metrics and what to measure
         • Challenges surrounding metrics
         • The metrics lifecycle
    4. Catalysts For Security Performance Metrics
         • Enterprise compliance and governance initiatives
         • Need to manage security as a strategic business process
         • Pressure to demonstrate the efficiency of security technology and related efforts
    5. Managing Information Security Strategically
         • Compliance has shifted mindset from devices to process
         • Focus on continuous optimization
             • Conduct security assessment
             • Define policies, process, metrics, and baselines
             • Collect data; measure results against baselines over time
             • Identify process and policy weaknesses
             • Refine policy, process, and metrics
    6. Creating a Culture of Measurement: Recommendations
         • Define security policies and relevant metrics via security assessment
         • Capture all relevant security operational data
         • Generate reports off the data to measure success and identify performance gaps
         • Integrate security performance management data with enterprise compliance & governance initiatives
    7. Why Security Metrics?
         • You need to know if…
         • your security strategies are successful
         • you require more resources
         • there are inefficiencies
         • you are compliant
       “You can’t manage what you can’t measure”
    8. Types of Metrics
         • Technical
             • e.g.: Percentage of systems with virus protection
         • Process
             • e.g.: Average virus incident resolution time
         • Risk
             • e.g.: Risk of viruses for a specific business unit
         • Cost
             • e.g.: Average cost of virus incident
    9. Criteria for Good Metrics
         • When determining the metrics that you will track, be SMART…
         • Specific
         • Measurable
         • Attainable
         • Repeatable
         • Time-dependent
         • And… your results need to be ACTIONABLE!
    10. Metrics and Baselines
         • Baselines are metrics that are compared to aggregated information about the past
         • Common baselines
             • Yesterday (“NASDAQ is up by 100”)
             • Average (“This took us 3 times more time than the average case”)
             • Maximum (“The traffic is spiking 300% over the maximum!”)
         • Baselines enjoy the ease of interpretation!
       What is the difference?
    11. Perceived Effectiveness of Metrics
       Source: CSO Magazine, 2005
    12. Key Challenges with Security Metrics
         • “Let’s make up some metrics…”
             • Metrics must be based on policy to be effective
         • Where is the data?
             • Difficulties in acquiring raw data for measurement
         • So many metrics, so little time…
             • Which indicators should we compute and use?
         • What does it mean?
             • Interpreting the changes in measured parameters
         • “Go back and try it again!!!”
             • Challenges with presenting metrics to executives
         • What do we do now?
             • Defining actions and remediation planning
    13. Future of Security Metrics
         • “Information Security Management Metrics and Measurement” (ISO 27004) in 2007-2009
         • Increased adoption of NIST 800-55
         • Legal and compliance drivers for standard metrics
         • Growth of “best practices”-based metrics
         • Convergence of security vendor metrics
         • More automation of metrics
       Metrics and Crystal Ball Gazing Don’t Mix, but…
    14. Conclusion
         • Security needs to be managed as a strategic business process (bla-bla-bla)
         • Enterprise compliance and governance initiatives are driving security performance metrics
         • Establishing a security metrics program is essential to determining if
             • your security strategies are successful
             • you are compliant
         • In the future metrics will be based on standards
    15. Thanks for Viewing
         • Dr Anton Chuvakin
         • http://www.chuvakin.org
         • Also see my blog at www.securitywarrior.org