Exposure Index
An IT Security Speedometer Approach
Holger Himmel, Dr. Aleksandra Sowa
“Everything should be made as simple as possible, but not simpler.”
Exposure = Threat + Vulnerability
Data Breach = Hacker + Weak Encryption
Exposure Index = Threat Index + Vulnerability Index
Step One – Sort your Metrics
Question: Do your metrics measure threats or do they measure how vulnerable you are?
Examples of metrics (there are hundreds more…):
• IDS alerts
• Client-side malware incidents
• Firewall scans
• Failed login attempts
• Applications up to date
• Operating system update quota
• Attacker activity on honeypot
• Employee awareness training quota
• Number of phishing mails blocked
• Accounts with administrative privileges
• Server hardening
• Malware-pattern update quota
Step One – Sort your Metrics
Your vulnerability metrics cluster like that:
“[…] the most important figures that one needs for management are unknown or unknowable […], but successful management must nevertheless take account of them.” - W. Edwards Deming
Step Two – The Vulnerability Index
1. Normalize your metrics.
What does it mean if your (whatever) metric says “89,2%” or “1,630”? Is it good or bad?
Normalization puts the metrics into your context and lets you define what is “good” and what is “worst case”.
To make it simple, let's give “good” a “0” and “worst case and beyond” a “10”.
In this example, 100% (protection) is “good” (=0) and “worst case” is “80%” (=10). The scale is linear. Our metric delivers a value of “89,2%”, so it is a “6”.
Normalization scale
Value      Norm. index
 80,00%    10
 82,00%     9
 84,00%     8
 86,00%     7
 88,00%     6
 90,00%     5
 92,00%     4
 94,00%     3
 96,00%     2
 98,00%     1
100,00%     0
Reading “89,2%” off this scale gives “6”.
Step Two – The Vulnerability Index
2. Give each metric a weight to adjust its impact in your index system
Some of the metrics measuring your vulnerability (or protection level) are more important than others. Giving them an index weight lets you increase a metric's impact in the index.
To make it simple, let's give “normal” a “1”.
So you have normalization and weight. Let's put them together:
           Value     Norm. index   Weight
Metric 1   100,00%    0            1
Metric 2    92,70%    8            2
Metric 3    60,00%   10            1
Metric 4    99,70%    1            1
Metric 5    99,00%    1            1
Metric 6    80,10%    4            1
(On the slide, an X marks each metric's position on the 0–10 norm scale.)
Step Two – The Vulnerability Index
3. Calculate the score
The formula is:
$$\text{Score} = \sum_{i=1}^{n} \left[ \text{NormIndex}_i \cdot \text{Weight}_i \right]$$
Applied to the table above:
Score = 0*1 + 8*2 + 10*1 + 1*1 + 1*1 + 4*1 = 32
Every child in elementary school could do it. It's simple!
Step Two – The Vulnerability Index
4. Calculate the index value in %
The formula is:
$$\text{VulnerabilityIndex} = \frac{\sum_{i=1}^{n} \left[ \text{NormIndex}_i \cdot \text{Weight}_i \right]}{\sum_{i=1}^{n} \left[ 10 \cdot \text{Weight}_i \right]} \cdot 100$$
$$\text{VulnerabilityIndex} = \frac{32}{10 \cdot 1 + 10 \cdot 2 + 10 \cdot 1 + 10 \cdot 1 + 10 \cdot 1 + 10 \cdot 1} \cdot 100 = \frac{32}{70} \cdot 100 = 45.7$$
           Value     Norm. index   Weight   Max (10 × weight)
Metric 1   100,00%    0            1        10
Metric 2    92,70%    8            2        20
Metric 3    60,00%   10            1        10
Metric 4    99,70%    1            1        10
Metric 5    99,00%    1            1        10
Metric 6    80,10%    4            1        10
Score                 32                    70 (=100%)
Step Three – The Threat Index
Your threat related metrics cluster like that:
All threat metrics have one thing in common: you have nearly no possibility to control them.
“Blocked phishing mails” is a good example of a metric you can't influence. You can't set a goal like “Next month, I only want to count 100,000 blocked phishing mails.” For vulnerability metrics you are able to set goals: “Next month, I want my malware patterns to be 100% up to date.”
Step Three – The Threat Index
1. Normalize your metrics. (That's a little bit more tricky.)
Example: You measured 200,000 blocked phishing mails last month. Good or bad?
If your average is 6,000,000 blocked phishing mails per month, it's “good”. If you count 4,000 on average, it's nearly “worst case”.
Thus, putting your threat related metrics into a historical context seems to be a good idea.
Date           Phishing mails
August-14         943,407
September-14    1,632,682
October-14      1,218,232
November-14       898,688
December-14     1,211,293
January-15      1,228,161
February-15       660,670
March-15        1,920,309
April-15        1,286,725
May-15            983,008
June-15           691,404
July-15           824,108
Step Three – The Threat Index
1. Normalize your metrics.
One way to do it: pick the 3 maximum values and calculate their average. That's your “worst case” (10) on your norm scale.
Example: You have these 12 historical values, and your norm scale calculation is:
Maximum three: 1,920,309; 1,632,682; 1,286,725. Average: 1,613,239.
Normscale       Absolute value   Normalized value
0%                       0        0
-10%               161,324        1
-20%               322,648        2
-30%               483,972        3
-40%               645,295        4
-50%               806,619        5
-60%               967,943        6
-70%             1,129,267        7
-80%             1,290,591        8
-90%             1,451,915        9
90% and more     1,613,239       10
Your most recent value is “755,432”, which gives you a normalized “5”.
Step Three – The Threat Index
2. Calculate the index value in %
The next steps (weight, score) are the same as for the vulnerability index.
$$\text{ThreatIndex} = \frac{71}{100} \cdot 100 = 71$$
                         Recent    Comparison   Percent   Norm. index   Weight   Max
Internal metrics
Metric 1                 755.432   1.613.239    46,8%      5            1        10
Metric 2                     133         173    77,0%      8            2        20
Metric 3                     521         639    81,6%      9            1        10
Metric 4                     145         178    81,6%      9            2        20
Metric 5                      11          16    67,3%      7            3        30
Other threat metrics
Cybersecurityindex.com     2.814       2.764     1,8%      2            1        10
Score                                                     71                    100
Step Four – Putting it all together
Calculate the Exposure Index
$$\text{ExposureIndex} = \frac{\text{VulnerabilityIndex} + \text{ThreatIndex}}{2}$$
$$\text{ExposureIndex} = \frac{32 + 71}{2} = 51.5$$
Feel free to calculate differently!
(Speedometer figure: vulnerability 32, threat 71, exposure 51.5.)
Step Four – Putting it all together
(Speedometer figure with four quadrants: low vulnerability / low or less threats; high vulnerability / high or many threats; high vulnerability / low or less threats; low vulnerability / many threats.)
Exposure = Threat + Vulnerability
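The four steps as one runnable pipeline, added here as an example and not the authors' code: linear normalization (Step Two), the top-3 "worst case" for threat metrics (Step Three), weighted score and index in %, and the exposure index with the speedometer quadrant labels (Step Four). Names such as normalize_linear, threat_worst_case, index_percent and quadrant are this example's own, and two details the deck leaves implicit are assumptions: intermediate values are rounded up to the next worse norm step (which reproduces 89,2% → 6 and 46,8% → 5), and the quadrants split at 50%.

```python
"""Exposure Index pipeline (Steps Two to Four of the deck), as an added example.
All function names are this example's own; the figures are the deck's sample
values, embedded here as constructed input so the script runs offline."""
import math
from dataclasses import dataclass
from statistics import mean


def normalize_linear(value: float, good: float, worst: float) -> int:
    """Map a measurement onto the deck's linear 0..10 norm scale.

    `good` maps to 0 and `worst` to 10; anything beyond `worst` is clamped to
    10 ("worst case and beyond"), anything better than `good` to 0. The scale
    works in both directions (100 % protection down to 80 %, or 0 up to N
    blocked mails). Intermediate values are rounded up to the next worse step,
    an assumption that reproduces the deck's figures (89,2 % -> 6, 46,8 % -> 5).
    """
    if good == worst:
        raise ValueError("good and worst anchors must differ")
    position = (value - good) / (worst - good)   # 0.0 at good, 1.0 at worst
    position = min(max(position, 0.0), 1.0)      # clamp to the scale
    return math.ceil(position * 10 - 1e-9)       # epsilon keeps an exact 5.0 at 5


def threat_worst_case(history: list[float], top_n: int = 3) -> float:
    """Step Three: 'worst case' (10) is the average of the top_n historical values."""
    if len(history) < top_n:
        raise ValueError(f"need at least {top_n} historical values")
    return mean(sorted(history, reverse=True)[:top_n])


@dataclass
class Metric:
    name: str
    norm: int        # normalized value on the 0..10 scale
    weight: int = 1  # 1 = "normal"; a larger weight raises the metric's impact


def score(metrics: list[Metric]) -> int:
    """The deck's score: sum of normalized value times weight."""
    return sum(m.norm * m.weight for m in metrics)


def max_score(metrics: list[Metric]) -> int:
    """Score if every metric sat at 10 (the deck's 100 % reference)."""
    return sum(10 * m.weight for m in metrics)


def index_percent(metrics: list[Metric]) -> float:
    """Index in % = score / max_score * 100, one decimal as on the slides."""
    return round(score(metrics) / max_score(metrics) * 100, 1)


def exposure_index(vuln_index: float, threat_index: float) -> float:
    """Step Four: arithmetic mean of the two indices."""
    return round((vuln_index + threat_index) / 2, 2)


def quadrant(vuln_index: float, threat_index: float, split: float = 50.0) -> str:
    """Speedometer quadrant label; the 50 % split is this example's assumption."""
    v = "high vulnerability" if vuln_index >= split else "low vulnerability"
    t = "many threats" if threat_index >= split else "low or less threats"
    return f"{v} / {t}"


# Constructed sample input: the deck's own worked figures.
PHISHING_HISTORY = [943407, 1632682, 1218232, 898688, 1211293, 1228161,
                    660670, 1920309, 1286725, 983008, 691404, 824108]

# Vulnerability metrics with the norm values of the Step Two table; the deck
# gives the anchors only for metric 1 (100 % protection -> 0, 80 % -> 10).
VULN_METRICS = [
    Metric("Metric 1", normalize_linear(100.0, good=100.0, worst=80.0), 1),
    Metric("Metric 2", 8, 2), Metric("Metric 3", 10, 1), Metric("Metric 4", 1, 1),
    Metric("Metric 5", 1, 1), Metric("Metric 6", 4, 1),
]


def threat_metrics() -> list[Metric]:
    """Threat metrics of the Step Three table, normalized against their comparison value."""
    worst = threat_worst_case(PHISHING_HISTORY)  # 1,613,239 as on the slide
    pairs = [("Metric 1", 755432, worst, 1), ("Metric 2", 133, 173, 2),
             ("Metric 3", 521, 639, 1), ("Metric 4", 145, 178, 2),
             ("Metric 5", 11, 16, 3)]
    metrics = [Metric(n, normalize_linear(recent, 0.0, cmp), w)
               for n, recent, cmp, w in pairs]
    # External index: the deck tabulates it directly as 2 (its scale is not given).
    metrics.append(Metric("Cybersecurityindex.com", 2, 1))
    return metrics


if __name__ == "__main__":
    vuln, threat = index_percent(VULN_METRICS), index_percent(threat_metrics())
    print(f"vulnerability index {vuln} %, threat index {threat} %")  # 45.7 %, 71.0 %
    print(f"exposure index {exposure_index(vuln, threat)} ({quadrant(vuln, threat)})")
```

The slide above averages the raw vulnerability score (32) with the threat index (71) and gets 51.5; the script averages both indices in % as Step Two defines them, which gives (45.7 + 71) / 2 = 58.35, so put both indices on the same scale before combining them.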
The Model is…
• …scalable to suit any organization size, from small business to
big multinational companies
• …based on systematics of the German Federal Office for
Network and Information Security (Bundesamt für Sicherheit
in der Informationstechnik, BSI)
• …customizable, since based on metrics
• …efficient, if the appropriate metrics are chosen
• …flexible, since based on continuous security deployment
• …implementable as maturity model, if the set of metrics is
kept constant
• …brain-based - not only evidence-based
Last words
• The Exposure Index should be a starting point for drill-down
analysis
• Mind the “blind spot”!
• Suit the model to your needs
• It’s a model developed for the senior management
• Add metrics you need
• Make it simple, but not too simple!
• Your business intelligence team can support you!
• Start automation as early as possible
• Shorten your metrics-reporting-cycle (from monthly to
weekly, to daily)
• Define realistic norm scales
Feedback appreciated
Holger Himmel
himmel@posteo.de
https://de.linkedin.com/in/holgerhimmel
Dr. Aleksandra Sowa
a_sowa@web.de
https://de.linkedin.com/in/asowa
Further literature (German)
- H.Himmel, Index der Gefährdungslage, IT-Governance, May 2015, p. 17
- H.Himmel and A.Sowa, Ein Tacho für IT-Sicherheit, <kes> - Zeitschrift für
Informations-Sicherheit, August 2015, p. 37
Credits
Picture of Albert Einstein: Photographer: Yousuf Karsh, archived by www.calie.org
Tachometer: www.clker.com
