
Chaitanya Kunthe - Security Metrics - Interop Mumbai 2009


You cannot improve what you cannot measure. This also applies to Information Security. We do not have well accepted measurements and metrics for information security although many standards have described them. The workshop will create background by explaining some well known Risk Management standards from ISO and NIST and then proceed to establish criteria for establishing measurements for information security. A case study for a major bank will be discussed where a comprehensive metrics program was developed. A practical methodology for setting up a good risk measurements program will be explained.


  1. Information Security Metrics
     Chaitanya Kunthe, Head – Consultancy Services, ckunthe@mielesecurity.com
     © 2009 MIEL eSecurity Pvt Ltd Confidential. MUMBAI — PUNE — AHMEDABAD — BANGALORE — HYDERABAD — CHENNAI — LONDON — UAE — USA. Consulting - Products Solutions - R&D – Education
  2. “Unfortunately, no one can be told what the Metrics is… You have to see it for yourself…
     You take the blue pill, the story ends, you wake up in your bed and believe whatever you want to believe.
     You take the red pill, you stay in wonderland and I show you how deep the rabbit hole goes…
     Remember, all I am offering is the truth, nothing more…” – Morpheus (The Matrix)
  3. Objectives
     • Understanding Security Metrics
       – What
       – Why
     • A few common views on metrics
     • Practical Implementation
  4. Understanding Security Metrics – What IS “The Metrics”? – Definitions
     • “Information Security measures are used to facilitate decision making and improve performance and accountability through the collection, analysis and reporting of relevant performance related data” – NIST SP 800-55 Rev 1
     • Measurement – the action or set of actions that make it possible to obtain the value of a measurement for the attribute of an entity using a form of measurement – ISO/IEC 3rd WD 27004
  5. Understanding Security Metrics – What IS “The Metrics”? – Simplification
     • Consistently gathered, quantifiable data, analyzed to provide an organization a view of the efficiency and effectiveness of the information security practices implemented within.
     • The parts of that definition, and the question each one answers:
       – Identify what data to collect and what it will signify
       – A defined method to collect data at pre-defined intervals
       – Is the process being followed correctly and regularly?
       – Is the process effective in meeting information security?
       – What does this mean to the organization?
  6. Understanding Security Metrics – Why do we need Metrics?
     • “It is easy to lie with statistics, but it is easier to lie without them” – Fred Mosteller
     • Increase accountability
     • Improve Information Security Effectiveness
     • Demonstrate compliance
     • Provide quantifiable inputs for resource allocation decisions
  7. A few common views on Metrics – The list
     • NIST SP 800-55
     • ISO 27004
     • SSE CMM
     • CoBIT 4.1
  8. A few common views on Metrics – NIST SP 800-55 Rev. 1 (components of a measurement programme)
     • Strong Upper Management Support
     • Practical Information Security Policies and Procedures
     • Quantifiable Performance Measures
     • Results-Oriented Measures Analysis
  9. A few common views on Metrics – NIST SP 800-55 Rev. 1 (programme structure)
     • Drivers, top down: Stakeholders’ interests → Goals and Objectives → IS Policies and procedures → IS program implementation
     • What is measured at each layer: Level of implementation → Program Results → Business/Mission impact
  10. A few common views on Metrics – NIST SP 800-55 Rev. 1
      • Roles and Responsibilities
        – Agency Head
        – Chief Information Officer
        – Senior Agency Information Security Officer
        – Program Manager / Information System Owner
        – Information System Security Officer
        – Other Related Roles
  11. A few common views on Metrics – NIST SP 800-55 (Types of Measures)
      • Implementation Measures
        – Percentage of servers patched by the latest application patches
        – Percentage of security management team members who attended the last meetings
      • Effectiveness/Efficiency Measures
        – Percentage of servers where the patch was not applied after a week of release
        – Number of security decisions approved by the management
      • Impact Measures
        – Reduction in laptop theft due to implementation of biometric access control
  12. A few common views on Metrics – NIST SP 800-55 (How deep does the rabbit hole go?)
      Metric/Measure – Implementation / Efficiency / Effectiveness / Impact
      • “Percentage of end user systems where anti-virus is deployed” – Implementation
      • “Percentage of systems where anti-virus is up-to-date” – Implementation, Efficiency
      • “Number of virus caught by the anti-virus gateway” – Efficiency? Effectiveness?
      • “Ratio of number of virus attacks to number of virus caught” – Effectiveness
      • “Ratio of number of virus attacks to number of virus attacks in industry segment” – Effectiveness
      • “Rupee value of savings due to the virus attacks prevented” – Can we even measure this?
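The slide above lists the anti-virus measures but leaves the arithmetic and the classification implicit. The following is an added worked example, not code from the deck or from MIEL: it computes each measure from a constructed endpoint inventory and constructed gateway counters, tags it with the NIST SP 800-55 measure type the slide assigns, and leaves the “rupee value” impact measure unmeasured because no defensible input for it exists. The inventory, the counters, the industry benchmark and the 7-day signature-age threshold are all assumptions made for the example.

```python
"""Worked example added to this transcript (not from the slides): the slide-12
metric list computed over a constructed endpoint inventory and gateway counters,
each tagged with its NIST SP 800-55 measure type. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed inventory: hostname -> (anti-virus installed?, signature age in days)
INVENTORY = {
    "ws-001": (True, 1),
    "ws-002": (True, 3),
    "ws-003": (False, None),
    "ws-004": (True, 12),
    "ws-005": (True, 0),
}
# Constructed gateway counters for the reporting period.
GATEWAY = {"virus_attacks_seen": 40, "virus_caught": 37}
# Constructed peer figure; assumes an industry benchmark exists for the segment.
INDUSTRY_ATTACKS = 50
# Assumed policy threshold: signatures older than this count as "not up-to-date".
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Measure:
    name: str
    category: str   # Implementation / Efficiency / Effectiveness / Impact
    compute: Callable[[], Optional[float]]
    unit: str = "%"


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def av_deployed_pct() -> Optional[float]:
    # Implementation: is the control present at all?
    installed = sum(1 for inst, _ in INVENTORY.values() if inst)
    return pct(installed, len(INVENTORY))


def av_up_to_date_pct() -> Optional[float]:
    # Implementation/Efficiency: is the control present *and* maintained?
    current = sum(
        1 for inst, age in INVENTORY.values()
        if inst and age is not None and age <= MAX_SIGNATURE_AGE_DAYS
    )
    return pct(current, len(INVENTORY))


def attacks_to_caught_ratio() -> Optional[float]:
    # Effectiveness, in the slide's wording: attacks seen divided by attacks caught.
    caught = GATEWAY["virus_caught"]
    return round(GATEWAY["virus_attacks_seen"] / caught, 3) if caught else None


def attacks_to_industry_ratio() -> Optional[float]:
    # Effectiveness relative to peers; only meaningful if the benchmark is comparable.
    return round(GATEWAY["virus_attacks_seen"] / INDUSTRY_ATTACKS, 3) if INDUSTRY_ATTACKS else None


MEASURES = [
    Measure("% of end user systems where anti-virus is deployed", "Implementation", av_deployed_pct),
    Measure("% of systems where anti-virus is up-to-date", "Implementation/Efficiency", av_up_to_date_pct),
    Measure("Number of virus caught by the anti-virus gateway", "Efficiency?/Effectiveness?",
            lambda: float(GATEWAY["virus_caught"]), unit="count"),
    Measure("Ratio of virus attacks to virus caught", "Effectiveness", attacks_to_caught_ratio, unit="ratio"),
    Measure("Ratio of virus attacks to industry segment attacks", "Effectiveness",
            attacks_to_industry_ratio, unit="ratio"),
    # The impact measure the slide questions: no defensible input here, so it stays unmeasured.
    Measure("Rupee value of savings from attacks prevented", "Impact", lambda: None, unit="INR"),
]


def report() -> Dict[str, dict]:
    """Evaluate every measure; 'measurable' is False where no value can be produced."""
    out = {}
    for m in MEASURES:
        value = m.compute()
        out[m.name] = {"category": m.category, "value": value, "unit": m.unit,
                       "measurable": value is not None}
    return out


if __name__ == "__main__":
    for name, row in report().items():
        if row["measurable"]:
            print(f"[{row['category']}] {name}: {row['value']} {row['unit']}")
        else:
            print(f"[{row['category']}] {name}: not measurable")
```

The point of keeping `measurable` as an explicit field is the slide's last row: a metrics programme should record that a measure cannot be produced rather than quietly reporting zero or a guess, which is what later turns into a misleading dashboard.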
  13. A few common views on Metrics – ISO/IEC 3rd WD 27004
      • “Do not try to bend the spoon. That is impossible. Instead, only try to realize the truth. There is no spoon”
      • The measurement cycle: Develop metrics and prepare for data collection → Collect and analyze data → Identify improvements → Implement improvements
  14. A few common views on Metrics – ISO/IEC 3rd WD 27004
      • Model Definition – from information needs to the entity attribute to be measured
      • Identify the method – subjective and objective methods
      • Identify the frequency – intervals: daily, weekly, monthly, quarterly…
  15. A few common views on Metrics – CoBIT and SSE CMM
      • Both use measures derived from the SEI CMM model
  16. “Welcome to the real world, Neo… Try and relax… This will feel a little weird. I am trying to free your mind, Neo, but I can only show you the door. You are the one that has to walk through it.”
  17. Practical Implementation of Metrics – Where do we begin?
      Ask yourself these basic questions before entering “The Metrics”... (Question – Answer)
      • Does my organization link its business goals to IT goals and Information Security goals?
      • Has my organization developed and implemented an information security programme?
      • Has the information security programme been in existence for at least two years?
  18. Practical Implementation of Metrics – Develop the model for measurement
      • Identify key policy statements that you would like to have measures for
        – e.g. “All users will be trained on information security do’s and don’ts every quarter”
      • Identify what the measures are going to be
        – e.g. # of users who attended the training courses
  19. Practical Implementation of Metrics – Develop the model for measurement
      • Classify all the measures into the different categories
        – Implementation Metrics
        – Efficiency Metrics
        – Effectiveness Metrics
        – Impact Metrics
  20. Practical Implementation of Metrics – Implementation of identified metrics
      • Identify methods to collect data (Metric – Data Collection Method)
        – # of employees to whom the signed information security policies are communicated – Review of HR records to see signed security policy documents; review of end user training attendance records
        – # of network scan attacks blocked at the firewall level – Firewall logs
        – # of times files with rating ‘confidential’ were tried to be sent outside the network – DLP software logs
        – # of users who entered the data centre for maintenance of equipment – Biometric access control logs review
  21. Practical Implementation of Metrics – Implementation of identified metrics
      • Identify effort required to collect the identified metrics
      • Do a cost–benefit analysis to understand if the metrics need to be collected
      • Implement procedures to collect metrics
  22. Practical Implementation of Metrics – Collection of data
      • Identify frequency of data collection
      • Wherever possible use technology to collect data
        – May not be possible to automate everything, but automate where you feel the cost benefit is justified
      • Wherever possible, build the data collection process into the existing security practice
        – Use of workflows will aid the metrics to a large extent
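Slides 20 and 22 name the log sources and the collection frequency but not how a count is actually pulled out of a log. The following is an added example, not code from the deck or from MIEL: it collects two of the slide-20 metrics (scan attacks blocked at the firewall, attempts to send ‘confidential’ files outside) from constructed log excerpts and packages each value with its source and frequency. The log format, host names, user ids and field names are invented for the example; real firewall and DLP products each have their own format, so the parser is the part that needs adapting.

```python
"""Worked example added to this transcript (not from the slides): collecting two
of the slide-20 metrics from log data. The log lines, hosts, user ids and field
names below are constructed for the example."""
import re
from collections import Counter
from typing import Dict, Iterator, List

# Constructed firewall log excerpt (key=value style, RFC 5737 documentation addresses).
FIREWALL_LOG = """\
2009-09-14T08:01:12 fw01 action=block reason=portscan src=203.0.113.7 dst=198.51.100.10
2009-09-14T08:05:40 fw01 action=allow proto=tcp src=192.0.2.5 dst=198.51.100.20 dport=443
2009-09-14T09:17:03 fw01 action=block reason=portscan src=203.0.113.9 dst=198.51.100.10
2009-09-15T02:44:51 fw01 action=block reason=policy src=203.0.113.7 dst=198.51.100.22 dport=23
2009-09-15T03:02:19 fw01 action=block reason=portscan src=203.0.113.7 dst=198.51.100.11
"""

# Constructed DLP log excerpt.
DLP_LOG = """\
2009-09-14T10:12:00 dlp01 event=outbound_file classification=confidential user=u1043 channel=email verdict=blocked
2009-09-14T11:40:27 dlp01 event=outbound_file classification=internal user=u2201 channel=webmail verdict=allowed
2009-09-15T16:05:55 dlp01 event=outbound_file classification=confidential user=u1043 channel=usb verdict=blocked
2009-09-15T17:20:09 dlp01 event=outbound_file classification=confidential user=u3310 channel=email verdict=allowed
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per line: timestamp, day, host and the key=value fields."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, rest = line.split(" ", 2)
        rec = dict(KV.findall(rest))
        rec.update(timestamp=ts, day=ts[:10], host=host)
        yield rec


def scan_attacks_blocked_per_day(log: str = FIREWALL_LOG) -> Dict[str, int]:
    """Slide-20 metric: network scan attacks blocked at the firewall, by day.
    Only block decisions with a port-scan reason count; policy blocks are a different metric."""
    counts: Counter = Counter()
    for rec in parse(log):
        if rec.get("action") == "block" and rec.get("reason") == "portscan":
            counts[rec["day"]] += 1
    return dict(counts)


def confidential_send_attempts(log: str = DLP_LOG) -> Dict[str, int]:
    """Slide-20 metric: attempts to send 'confidential' files outside the network.
    Blocked and allowed attempts are kept apart: an allowed one is an incident to
    follow up, not just a number on a chart."""
    counts: Counter = Counter()
    for rec in parse(log):
        if rec.get("event") == "outbound_file" and rec.get("classification") == "confidential":
            counts[rec.get("verdict", "unknown")] += 1
    return dict(counts)


def collect() -> List[dict]:
    """Package each metric with its source and collection frequency (slides 20 and 22)."""
    return [
        {"metric": "# of network scan attacks blocked at the firewall level",
         "source": "Firewall logs", "frequency": "daily",
         "value": scan_attacks_blocked_per_day()},
        {"metric": "# of times files rated 'confidential' were tried to be sent outside the network",
         "source": "DLP software logs", "frequency": "daily",
         "value": confidential_send_attempts()},
    ]


if __name__ == "__main__":
    for row in collect():
        print(row)
```

Note what the counts do and do not say: they cover only traffic the firewall and the DLP agent actually saw, which is exactly the coverage caveat slide 23 raises about vendor tooling, so the coverage of the sensor (which segments, which endpoints) should be recorded alongside the number.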
  23. Practical Implementation of Metrics – Collection of data
      • What the security measurement tools vendors will never tell you... (What they say – What they actually mean)
        – “Our software provides you a complete view of information security within the organization” – ...only for devices where our agent is installed, not for the other devices or your manual processes
        – “Our software captures 184 different measures for customized use in your organization” – ...yet, we cannot capture what missed us and went through to cause an incident
  24. Practical Implementation of Metrics – Analysis of metrics
      Inputs feeding the output of metrics, each collected at its own interval:
      • Number of changes to key systems – collected monthly
      • Antivirus reports – collected daily
      • Number of exception approvals for use of USB – collected monthly
      • Management review meeting – collected annually
      • Number of visitors with laptops – collected weekly
  25. Practical Implementation of Metrics – What is the output of metrics analysis?
      • What the consultants will never say...
        – “We will give you as many metrics as the money you have. Analyzing and making them useful is not our concern”
  26. Practical Implementation of Metrics – What is the output of metrics analysis? (Metric – What it can mean...)
      • Management review meeting happened once in a year as against 4 times – Lack of management commitment is evident. Information security may not take off unless there is…
      • Antivirus reports show 3-4 virus attempts blocked daily at the gateway level – Antivirus is working.
      • Number of changes to key systems has doubled this month as compared to the older average – Investigate: a new system being deployed, causing the change? A change in the implementation causing problems?
      • 7 new laptops allowed to connect USB drives; a total of 44 out of 51 laptops now allowed – Investigate: looks like a potential cause for policy change
      • Out of the 69 visitors this week, 38 carried laptops – Fire the consultant who told you to collect this data.
  27. Practical Implementation of Metrics – Reporting the Metrics
      • Security Metrics are useful at different levels in the organization (Level of the organization – What should be reported?)
        – Senior Management / Security Management Forum – Level of security in terms of Red – Amber – Green; Legal and Contractual Compliance levels
        – Information Security officer – All the metrics
        – Business Owners – Incident metrics; Exception metrics; Security Compliance levels
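Slides 26 and 27 state the interpretation rules (doubled change count, creeping USB exceptions, missed review meetings, steady anti-virus blocks) and the audience-specific reports, but not how the two connect. The following is an added example, not code from the deck or from MIEL: it applies those rules to constructed metric series, attaches a Red/Amber/Green status to each finding, rolls them up for senior management and filters them for business owners and the information security officer. The series values, the “doubled” comparison against the mean of earlier months and the 50% USB-exception threshold are assumptions made for the example.

```python
"""Worked example added to this transcript (not from the slides): the slide-26
interpretation rules applied to constructed metric series, rolled up into the
Red/Amber/Green view slide 27 reports to senior management. Thresholds are
assumptions for the example, not figures from the deck."""
from statistics import mean
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (metric, RAG status, interpretation)

# Constructed data for one reporting period (oldest .. current month).
DATA = {
    "changes_to_key_systems_monthly": [12, 14, 11, 13, 26],
    "usb_exception_laptops_monthly": [30, 33, 37, 37, 44],
    "laptops_total": 51,
    "mgmt_review_meetings_this_year": 1,
    "mgmt_review_meetings_target": 4,
    "av_gateway_blocks_daily": [3, 4, 3, 4, 3, 4, 4],
}

RAG_ORDER = {"GREEN": 0, "AMBER": 1, "RED": 2}


def analyse(data: Dict = DATA) -> List[Finding]:
    findings: List[Finding] = []

    # Slide 26: changes doubled against the older average -> investigate.
    *history, current = data["changes_to_key_systems_monthly"]
    baseline = mean(history)
    if current >= 2 * baseline:
        findings.append(("changes_to_key_systems", "AMBER",
                         f"{current} changes vs average {baseline:.1f}: investigate (new system? faulty change?)"))
    else:
        findings.append(("changes_to_key_systems", "GREEN", f"{current} changes, within the norm"))

    # Slide 26: USB exceptions creeping up until the exception is the norm -> policy question.
    usb = data["usb_exception_laptops_monthly"]
    share = usb[-1] / data["laptops_total"]
    new_this_month = usb[-1] - usb[-2]
    if share > 0.5:   # assumed threshold: exception granted to a majority of laptops
        findings.append(("usb_exceptions", "AMBER",
                         f"{new_this_month} new exceptions, {usb[-1]}/{data['laptops_total']} laptops allowed: review the policy"))
    else:
        findings.append(("usb_exceptions", "GREEN", f"{usb[-1]}/{data['laptops_total']} laptops allowed"))

    # Slide 26: one review meeting against four planned -> management commitment gap.
    held, target = data["mgmt_review_meetings_this_year"], data["mgmt_review_meetings_target"]
    if held < target:
        findings.append(("management_review", "RED",
                         f"{held} of {target} review meetings held: lack of management commitment"))
    else:
        findings.append(("management_review", "GREEN", f"{held} of {target} review meetings held"))

    # Slide 26: a steady 3-4 blocks a day simply means the gateway anti-virus is working.
    avg_blocks = mean(data["av_gateway_blocks_daily"])
    findings.append(("antivirus_gateway", "GREEN",
                     f"{avg_blocks:.1f} attempts blocked per day: anti-virus is working"))
    return findings


def rag_rollup(findings: List[Finding]) -> str:
    """Worst status wins: the senior-management view must not hide a RED behind GREENs."""
    return max((status for _, status, _ in findings), key=RAG_ORDER.__getitem__)


def report_for(level: str, findings: List[Finding]) -> dict:
    """Slide 27: tailor the report to the audience."""
    if level == "senior_management":
        return {"overall": rag_rollup(findings),
                "reds": [m for m, s, _ in findings if s == "RED"]}
    if level == "business_owners":
        return {"exceptions": [f for f in findings if f[0] == "usb_exceptions"]}
    return {"all": findings}   # the information security officer sees everything


if __name__ == "__main__":
    found = analyse()
    for level in ("senior_management", "business_owners", "information_security_officer"):
        print(level, report_for(level, found))
```

The roll-up uses “worst status wins” deliberately: averaging statuses, or reporting the count of GREENs, is the easiest way to turn a missed management review into a reassuring dashboard.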
  28. Practical Implementation of Metrics – Reporting the Metrics
      • Dashboards
      • Control Objective / Control wise score
      • Reports
  29. Practical Implementation of Metrics – Policy Compliance Graph (chart only; not captured in this transcript)
  30. Practical Implementation of Metrics – Policy Compliance – Another View (chart only; not captured in this transcript)
  31. Practical Implementation of Metrics – Policy Implementation Levels (chart only; not captured in this transcript)
  32. Practical Implementation of Metrics – Summary
      Information Security Policies and procedures → Develop a model for measurement → Identify methods for implementation → Collection and Analysis of data → Reporting of metrics
  33. Information Security Metrics – Summary
      • Metrics can be very useful to measure and improve the security of the organization
      • Best if linked to business goals
      • Identify and measure only those metrics that will be useful to the organization
      • Use the metrics to identify and implement improvements – use the feedback to identify and improve the metrics
      • Best if incorporated into the daily processes of the organization
  34. About MIEL
      Who are we? MIEL is a pure-play pioneering, end-to-end Information Security Solutions company, with strong values and a unique business model that has helped service more than 800 premium Indian and International clients, with footprints in 15 countries spread across the globe.
      What solutions do we deliver? We:
      • preach (education services),
      • practice what we preach (process and technical consulting) and
      • implement what we practice (product and service implementations)
      Who and what helps us deliver? Our management teams, supported by quality processes and backed by highly trained resources and a strong R&D environment, help deliver desired results and accolades.
      MIEL IS A CERT-IN EMPANELLED AND ISO 27001 CERTIFIED
  35. Thank You
