SlideShare a Scribd company logo

Data Metrics and Automation: A Strange Loop - SIRAcon 2015

Michael Roytman
Michael Roytman

Data informs Metrics, and Metrics are the basis for Automation in all fields. In information security, we are a at critical new juncture - an influx of data allows us to automate whole new subsets of the field. Doing so systematically and methodically, with appropriate frameworks, is a bigger challenge.

Internet
1 of 58
Download to read offline
DATA, METRICS, AND AUTOMATION: A STRANGE LOOP @MROYTMAN
Data D M Metrics Automation
DAN GEER & BRUCE SCHNEIER & ANDREW JAQUITH & ALEX HUTTON &
 ED BELLIS
SQUAD GOALS: WHAT IS GOOD DATA? (Bellis, Hutton) WHAT IS A GOOD METRIC? (Jaquith, Geer) WHAT CAN BE AUTOMATED? (Geer, Schneier)
SQUAD GOALS: What parts of risk management should be automated? (Schneier, Bellis) What ought to be left to the humans? (Schneier, Hutton) What makes a good product? (Schneier)
ATTACKERS ARE BETTER AT AUTOMATION
WE ARE SLOW
ATTACKERS ARE FAST
ATTACKERS ARE BETTER AT AUTOMATION
2014 Q1 Q2 Q3 Q4
WE NEED BETTER AUTOMATION
WE NEED BETTER AUTOMATION CURRENT VULN MANAGEMENT: AUTOMATED VULN DISCOVERY MANUAL-ISH VULN SCANNING MANUAL THREAT INTELLIGENCE MANUAL VULN SCORING MANUAL REMEDIATION PRIORITIZATION
MANUAL
WE NEED BETTER DATA: BETTER BASE RATES FOR EXPLOITATION BETTER EXPLOIT AVAILABILITY BETTER VULNERABILITY TRENDS BETTER BREACH DATA BETTER M E T R I C S
SOMETIMES WE MAKE BAD DECISIONS SOMETIMES WE HAVE BAD METRICS
METRICS ARE DECISION SUPPORT
GOOD METRICS ARE OBJECTIVE FUNCTIONS FOR AUTOMATION
WHAT MAKES A METRIC GOOD?
TWEET WITH ME NOW #WHATISAGOODMETRIC
HEARTBLEED CVSS 5 SHELLSHOCK CVSS 10 POODLE CVSS 4.3
CVSS IS NOT THE PROBLEM
CVSS FOR PRIORITIZATION IS A SYSTEMIC PROBLEM
CVSS AS A BREACH VOLUME PREDICTOR:
ATTACKERS CHANGE TACTICS DAILY
WHAT DEFINES A GOOD METRIC? GOOD DATA
TWEET WITH ME NOW #WHATISGOODDATA
WHICH SYSTEM IS MORE SECURE? $1,000 $1,000,000 CONTROL 1 CONTROL 1 ASSET 1 ASSET 2
TYPES OF METRICS -EXCLUDE REAL LIFE THREAT ENVIRONMENT TYPE 1 % FALLING FOR SIMULATED PHISHING EMAIL CVSS SCORE -OCCURANCE RATE CONTROLLED -INTERACTION WITH THREAT ENVIRONMENT TYPE 2 # INFECTED MACHINES OF ISP % VULNS WITH METASPLOIT MODULE -DESCRIBE UNDESIRED EVENTS
WHAT DEFINES A GOOD METRIC? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC - NO GAMING! 7. COMPUTED AUTOMATICALLY
MEAN TIME TO INCIDENT DISCOVERY? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY X ✓ ✓ X ✓ ✓ X
VULNERABILITY SCANNING COVERAGE? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
CVSS FOR REMEDIATION? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ X X X ✓ X ✓
YOU NEED DATA TO MAKE DATA
METASPLOIT PRESENT ON VULN? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
YOU NEED DATA TO MAKE METRICS ! Probability* (You*Will*Be*Breached*On*A*Particular*Open*Vulnerability)? !"#$%&'($#)*+,(,-,#.% /)#*0ℎ#.%!00')#2%3$%4ℎ#,)%5&6) 43-*(%!"#$%&'($#)*+,(,-,#. 6%
PROBABILITY A VULNERABILITY HAVING CVSS SCORE > X HAS OBSERVED BREACHES 0 2 4 6 8 10 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value (the proportion of positive test results that are true positives) of remediating a vulnerability with property X:
AN ENGINE, NOT A CAMERA
CONNECTING THE DOTS
1. EVERYTHING THAT CAN BE AUTOMATED WILL BE AUTOMATED
2. METRICS ARE AN OBJECTIVE FUNCTION FOR AUTOMATION
3.GOOD METRICS DEFINE WHAT CAN BE AUTOMATED
Corollary 1. Criteria for good metrics define what can (and can’t) be automated.
4. AUTOMATION GENERATES TREND DATA, MAKES INFERENCE POSSIBLE
Corollary 2. The rate of data growth (availability, integrity, context-specificity) is the upper bound on the rate of automation.
ASKING THE RIGHT QUESTIONS
Question 1. What defines good data? 1a. How do we measure the rate of data growth? 1b. How do we measure data integrity?
Question 2. What defines a good metric?
Question 3. What makes a product good?
KENNASECURITY.COM @MROYTMAN
References Security Metrics www.securitymetrics.org Society of Information Risk Analysts https://societyinforisk.org/ National Weather Service Research Forum http://www.nws.noaa.gov/mdl/vlab/forum/VLab_forum.php Dan Geer’s Full Day Tutorial On Measuring Security http://geer.tinho.net/measuringsecurity.tutorial.pdf Yasasin, Emrah, and Guido Schryen. "Derivation of Requirements for IT Security Metrics–An Argumentation Theory Based Approach." (2015). Savola, Reijo M. "Towards a taxonomy for information security metrics."Proceedings of the 2007 ACM workshop on Quality of protection. ACM, 2007. Böhme, Rainer, et al. "4.3 Testing, Evaluation, Data, Learning (Technical Security Metrics)–Working Group Report." Socio- Technical Security Metrics(2015): 20. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb’s journal, 24(12):21–29, 1999. T. Dimkov, W. Pieters, and P. H. Hartel. Portunes: representing attack scenarios spanning through the physical, digital and social domain. In Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA/WITS’10), volume 6186 of LNCS, pp. 112–129. Springer, 2010. A. Beautement, M. A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proc. of the 2008 Workshop on New Security Paradigms, NSPW’08, pp. 47–58, New York, NY, USA, 2008. ACM. B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proc. of the 2001 New Security Paradigms Workshop, pp. 97–104, New York, NY, USA, 2001. ACM.
A. Buldas, P. Laud, J. Priisalu, M. Saarepera, and J. Willemson. Rational choice of security measures via multi-parameter attack trees. In Critical Information Infrastructures Security, volume 4347 of LNCS, pp. 235–248. Springer, 2006. R. Böhme. Security metrics and security investment models. In Isao Echizen, Noboru Kunihiro, and Ryoichi Sasaki, editors, Advances in Information and Computer Security, volume 6434 of LNCS, pp. 10–24. Springer, 2010. P. Finn and M. Jakobsson. Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26(1):46–58, 2007. M. E. Johnson, E. Goetz, and S. L. Pfleeger. Security through information risk management. IEEE Security & Privacy, 7(3):45–52, May 2009. R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proc. of the 8th Int’l Conf. on Quantitative Evaluation of Systems (QEST’11), pp. 191–200, 2011. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann. Towards operational measures of computer security. Journal of Computer Security, 2(2–3): 211–229, 1993. H. Molotch. Against security: How we go wrong at airports, subways, and other sites of ambiguous danger. Princeton University Press, 2014. S. L. Pfleeger. Security measurement steps, missteps, and next steps. IEEE Security & Privacy, 10(4):5–9, 2012. W. Pieters. Defining “the weakest link”: Comparative security in complex systems of systems. In Proc. of the 5th IEEE Int’l Conf. on Cloud Computing Technology and Science (CloudCom’13), volume 2, pp. 39–44, Dec 2013. W. Pieters and M. Davarynejad. Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Proc. of the 3rd Int’l Workshop on Quantitative Aspects in Security Assurance (QASA), LNCS, Springer, 2014. W. Pieters, S. H. G. Van der Ven, and C.W. Probst. A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability. In Proc. of the 2012 New Security Paradigms Workshop, NSPW’12, pages 1–14. ACM, 2012. C.W. Probst and R. R. Hansen. An extensible analysable system model. Information security technical report, 13(4):235–246, 2008. M. J. G. Van Eeten, J. Bauer, H. Asghari, and S. Tabatabaie. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. OECD STI Working Paper 2010/5, Paris: OECD, 2010. Klaus, Tim. "Security Metrics-Replacing Fear, Uncertainty, and Doubt." Journal of Information Privacy and Security 4.2 (2008): 62-63.

Recommended

Machine Learning in Healthcare: What's Now & What's Next
Machine Learning in Healthcare: What's Now & What's NextMachine Learning in Healthcare: What's Now & What's Next
Machine Learning in Healthcare: What's Now & What's Next
PointClear Solutions
 
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
Hai Dongkixot
 
מיהו מנהל טוב
מיהו מנהל טובמיהו מנהל טוב
מיהו מנהל טוב
azimut G.B.S
 
Chuva de novembro marcia portella
Chuva de novembro marcia portellaChuva de novembro marcia portella
Chuva de novembro marcia portella
Luzia Gabriele
 
Snoopy friends
Snoopy friendsSnoopy friends
Snoopy friends
Arvind Verma
 
Tutoriel installer un diaporama flick r sur sa page facebook
Tutoriel installer un diaporama flick r sur sa page facebookTutoriel installer un diaporama flick r sur sa page facebook
Tutoriel installer un diaporama flick r sur sa page facebook
Pays Médoc
 
CLM Atlanta 2013_v2
CLM Atlanta 2013_v2CLM Atlanta 2013_v2
CLM Atlanta 2013_v2
Krista Fowler Acu
 
Ukti overview may 16 teesdale business club
Ukti overview may 16 teesdale business clubUkti overview may 16 teesdale business club
Ukti overview may 16 teesdale business club
Sue Beverley
 

Recommended

Machine Learning in Healthcare: What's Now & What's Next
Machine Learning in Healthcare: What's Now & What's NextMachine Learning in Healthcare: What's Now & What's Next
Machine Learning in Healthcare: What's Now & What's Next
PointClear Solutions
 
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
100 ideas that changed marketing - Collected from HubSpot by eBrand Vietnam
Hai Dongkixot
 
מיהו מנהל טוב
מיהו מנהל טובמיהו מנהל טוב
מיהו מנהל טוב
azimut G.B.S
 
Chuva de novembro marcia portella
Chuva de novembro marcia portellaChuva de novembro marcia portella
Chuva de novembro marcia portella
Luzia Gabriele
 
Snoopy friends
Snoopy friendsSnoopy friends
Snoopy friends
Arvind Verma
 
Tutoriel installer un diaporama flick r sur sa page facebook
Tutoriel installer un diaporama flick r sur sa page facebookTutoriel installer un diaporama flick r sur sa page facebook
Tutoriel installer un diaporama flick r sur sa page facebook
Pays Médoc
 
CLM Atlanta 2013_v2
CLM Atlanta 2013_v2CLM Atlanta 2013_v2
CLM Atlanta 2013_v2
Krista Fowler Acu
 
Ukti overview may 16 teesdale business club
Ukti overview may 16 teesdale business clubUkti overview may 16 teesdale business club
Ukti overview may 16 teesdale business club
Sue Beverley
 
Amazing Journey
Amazing JourneyAmazing Journey
Amazing Journey
Muhammad Emad
 
Prior_Pending_Exclusions_in_the_E&O_Form
Prior_Pending_Exclusions_in_the_E&O_FormPrior_Pending_Exclusions_in_the_E&O_Form
Prior_Pending_Exclusions_in_the_E&O_Form
Frederick Fisher, J.D.
 
Kollárova simon uzrt 2016
Kollárova simon uzrt 2016Kollárova simon uzrt 2016
Kollárova simon uzrt 2016
Krisztián Simon
 
Self instroduction
Self instroductionSelf instroduction
Self instroduction
Yetta Chen
 
เบ็ดเตล็ด
เบ็ดเตล็ดเบ็ดเตล็ด
เบ็ดเตล็ด
tiffany14021975
 
5 reasons to change your kitchen
5 reasons to change your kitchen5 reasons to change your kitchen
5 reasons to change your kitchen
AlarisKitchens
 
SIT292 Linear Algebra 2013
SIT292 Linear Algebra 2013SIT292 Linear Algebra 2013
SIT292 Linear Algebra 2013
David Thompson
 
نقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوبنقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوب
Farhad Zargari
 
British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016
maditabalnco
 
Resumecoverletter 2016
Resumecoverletter 2016Resumecoverletter 2016
Resumecoverletter 2016
Maureen Riccio
 
πινόκιο 1
πινόκιο 1πινόκιο 1
πινόκιο 1
dex3
 
Brown Stripes
Brown StripesBrown Stripes
Brown Stripes
SteveChapman
 
Presentation_Girish Vala
Presentation_Girish ValaPresentation_Girish Vala
Presentation_Girish Vala
Girish Vala
 
Module outline itd dmzjan2015
Module outline itd dmzjan2015Module outline itd dmzjan2015
Module outline itd dmzjan2015
G-ny Gynie
 
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Michael Roytman
 
Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security Strategy
Kenna
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
Michael Roytman
 
Cyber Security Models - CxT Group
Cyber Security Models - CxT GroupCyber Security Models - CxT Group
Cyber Security Models - CxT Group
CXT Group
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
healdkathaleen
 
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docxRunning head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
jeanettehully
 
New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
New Research Articles - 2018 November Issue- Advanced Computing: An Internat... New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
acijjournal
 
Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020
IJNSA Journal
 

More Related Content

Viewers also liked

Prior_Pending_Exclusions_in_the_E&O_Form
Prior_Pending_Exclusions_in_the_E&O_FormPrior_Pending_Exclusions_in_the_E&O_Form
Prior_Pending_Exclusions_in_the_E&O_Form
Frederick Fisher, J.D.
 
Self instroduction
Self instroductionSelf instroduction
Self instroduction
Yetta Chen
 
เบ็ดเตล็ด
เบ็ดเตล็ดเบ็ดเตล็ด
เบ็ดเตล็ด
tiffany14021975
 
Presentation_Girish Vala
Presentation_Girish ValaPresentation_Girish Vala
Presentation_Girish Vala
Girish Vala
 
Module outline itd dmzjan2015
Module outline itd dmzjan2015Module outline itd dmzjan2015
Module outline itd dmzjan2015
G-ny Gynie
 

Viewers also liked (14)

Amazing Journey
Amazing JourneyAmazing Journey
Amazing Journey
 
Prior_Pending_Exclusions_in_the_E&O_Form
Prior_Pending_Exclusions_in_the_E&O_FormPrior_Pending_Exclusions_in_the_E&O_Form
Prior_Pending_Exclusions_in_the_E&O_Form
 
Kollárova simon uzrt 2016
Kollárova simon uzrt 2016Kollárova simon uzrt 2016
Kollárova simon uzrt 2016
 
Self instroduction
Self instroductionSelf instroduction
Self instroduction
 
เบ็ดเตล็ด
เบ็ดเตล็ดเบ็ดเตล็ด
เบ็ดเตล็ด
 
5 reasons to change your kitchen
5 reasons to change your kitchen5 reasons to change your kitchen
5 reasons to change your kitchen
 
SIT292 Linear Algebra 2013
SIT292 Linear Algebra 2013SIT292 Linear Algebra 2013
SIT292 Linear Algebra 2013
 
نقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوبنقش نخبگان و متخصصین در حکمرانی خوب
نقش نخبگان و متخصصین در حکمرانی خوب
 
British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016
 
Resumecoverletter 2016
Resumecoverletter 2016Resumecoverletter 2016
Resumecoverletter 2016
 
πινόκιο 1
πινόκιο 1πινόκιο 1
πινόκιο 1
 
Brown Stripes
Brown StripesBrown Stripes
Brown Stripes
 
Presentation_Girish Vala
Presentation_Girish ValaPresentation_Girish Vala
Presentation_Girish Vala
 
Module outline itd dmzjan2015
Module outline itd dmzjan2015Module outline itd dmzjan2015
Module outline itd dmzjan2015
 

Similar to Data Metrics and Automation: A Strange Loop - SIRAcon 2015

Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security Strategy
Kenna
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
Michael Roytman
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
healdkathaleen
 
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docxRunning head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
jeanettehully
 
New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
New Research Articles - 2018 November Issue- Advanced Computing: An Internat... New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
acijjournal
 
Jackie Rees
Jackie ReesJackie Rees
Jackie Rees
butest
 
MITS Advanced Research TechniquesResearch ProposalCandidate.docx
MITS Advanced Research TechniquesResearch ProposalCandidate.docxMITS Advanced Research TechniquesResearch ProposalCandidate.docx
MITS Advanced Research TechniquesResearch ProposalCandidate.docx
roushhsiu
 
Top Download Article in Computer Science & Information Technology Research: O...
Top Download Article in Computer Science & Information Technology Research: O...Top Download Article in Computer Science & Information Technology Research: O...
Top Download Article in Computer Science & Information Technology Research: O...
AIRCC Publishing Corporation
 
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docxRunning Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
jeanettehully
 
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docxRunning Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
todd521
 
Managing insider threat
Managing insider threatManaging insider threat
Managing insider threat
milliemill
 

Similar to Data Metrics and Automation: A Strange Loop - SIRAcon 2015 (20)

Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
 
Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security Strategy
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
 
Cyber Security Models - CxT Group
Cyber Security Models - CxT GroupCyber Security Models - CxT Group
Cyber Security Models - CxT Group
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
 
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docxRunning head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
 
New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
New Research Articles - 2018 November Issue- Advanced Computing: An Internat... New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
New Research Articles - 2018 November Issue- Advanced Computing: An Internat...
 
Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020
 
Most trending articles 2020 - International Journal of Network Security & Its...
Most trending articles 2020 - International Journal of Network Security & Its...Most trending articles 2020 - International Journal of Network Security & Its...
Most trending articles 2020 - International Journal of Network Security & Its...
 
Contextual Analysis
Contextual AnalysisContextual Analysis
Contextual Analysis
 
Security Introspection for Software Reuse
Security Introspection for Software ReuseSecurity Introspection for Software Reuse
Security Introspection for Software Reuse
 
Jackie Rees
Jackie ReesJackie Rees
Jackie Rees
 
May 2022: Most Downloaded Articles in Computer Science &Information Technology
May 2022: Most Downloaded Articles in Computer Science &Information TechnologyMay 2022: Most Downloaded Articles in Computer Science &Information Technology
May 2022: Most Downloaded Articles in Computer Science &Information Technology
 
MITS Advanced Research TechniquesResearch ProposalCandidate.docx
MITS Advanced Research TechniquesResearch ProposalCandidate.docxMITS Advanced Research TechniquesResearch ProposalCandidate.docx
MITS Advanced Research TechniquesResearch ProposalCandidate.docx
 
Top Download Article in Computer Science & Information Technology Research: O...
Top Download Article in Computer Science & Information Technology Research: O...Top Download Article in Computer Science & Information Technology Research: O...
Top Download Article in Computer Science & Information Technology Research: O...
 
New Research Articles 2021 June Issue International Journal of Computer Scien...
New Research Articles 2021 June Issue International Journal of Computer Scien...New Research Articles 2021 June Issue International Journal of Computer Scien...
New Research Articles 2021 June Issue International Journal of Computer Scien...
 
April 2021: Top 10 View Article in Computer Science & Information Technology
April 2021: Top 10 View Article in Computer Science & Information TechnologyApril 2021: Top 10 View Article in Computer Science & Information Technology
April 2021: Top 10 View Article in Computer Science & Information Technology
 
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docxRunning Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
 
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docxRunning Head SECURITY MODEL 1SECURITY MODEL 7.docx
Running Head SECURITY MODEL 1SECURITY MODEL 7.docx
 
Managing insider threat
Managing insider threatManaging insider threat
Managing insider threat
 

More from Michael Roytman

O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability Final
Michael Roytman
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done Right
Michael Roytman
 

More from Michael Roytman (13)

CyberTechEurope.pptx
CyberTechEurope.pptxCyberTechEurope.pptx
CyberTechEurope.pptx
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability Final
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With Predictions
 
Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting Exploitability
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach Landscape
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done Right
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/O
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What Matters
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability Management
 

Recently uploaded

Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
singhpriety023
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
gwenoracqe6
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
SUHANI PANDEY
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
Escorts Call Girls
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
soniya singh
 
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
kojalkojal131
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
tanu pandey
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 

Recently uploaded (20)

Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 

Data Metrics and Automation: A Strange Loop - SIRAcon 2015

  • 1. DATA, METRICS, AND AUTOMATION: A STRANGE LOOP @MROYTMAN
  • 2.
  • 4. DAN GEER & BRUCE SCHNEIER & ANDREW JAQUITH & ALEX HUTTON &
 ED BELLIS
  • 5. SQUAD GOALS: WHAT IS GOOD DATA? (Bellis, Hutton) WHAT IS A GOOD METRIC? (Jaquith, Geer) WHAT CAN BE AUTOMATED? (Geer, Schneier)
  • 6. SQUAD GOALS: What parts of risk management should be automated? (Schneier, Bellis) What ought to be left to the humans? (Schneier, Hutton) What makes a good product? (Schneier)
  • 7.
  • 14. WE NEED BETTER AUTOMATION CURRENT VULN MANAGEMENT: AUTOMATED VULN DISCOVERY MANUAL-ISH VULN SCANNING MANUAL THREAT INTELLIGENCE MANUAL VULN SCORING MANUAL REMEDIATION PRIORITIZATION
  • 16. WE NEED BETTER DATA: BETTER BASE RATES FOR EXPLOITATION BETTER EXPLOIT AVAILABILITY BETTER VULNERABILITY TRENDS BETTER BREACH DATA BETTER M E T R I C S
  • 17. SOMETIMES WE MAKE BAD DECISIONS SOMETIMES WE HAVE BAD METRICS
  • 20. WHAT MAKES A METRIC GOOD?
  • 21. TWEET WITH ME NOW #WHATISAGOODMETRIC
  • 23.
  • 24. CVSS IS NOT THE PROBLEM
  • 25. CVSS FOR PRIORITIZATION IS A SYSTEMIC PROBLEM
  • 26. CVSS AS A BREACH VOLUME PREDICTOR:
  • 28. WHAT DEFINES A GOOD METRIC? GOOD DATA
  • 29. TWEET WITH ME NOW #WHATISGOODDATA
  • 30. WHICH SYSTEM IS MORE SECURE? $1,000 $1,000,000 CONTROL 1 CONTROL 1 ASSET 1 ASSET 2
  • 31. TYPES OF METRICS -EXCLUDE REAL LIFE THREAT ENVIRONMENT TYPE 1 % FALLING FOR SIMULATED PHISHING EMAIL CVSS SCORE -OCCURANCE RATE CONTROLLED -INTERACTION WITH THREAT ENVIRONMENT TYPE 2 # INFECTED MACHINES OF ISP % VULNS WITH METASPLOIT MODULE -DESCRIBE UNDESIRED EVENTS
  • 32. WHAT DEFINES A GOOD METRIC? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC - NO GAMING! 7. COMPUTED AUTOMATICALLY
  • 33. MEAN TIME TO INCIDENT DISCOVERY? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY X ✓ ✓ X ✓ ✓ X
  • 34. VULNERABILITY SCANNING COVERAGE? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
  • 35. CVSS FOR REMEDIATION? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ X X X ✓ X ✓
  • 36. YOU NEED DATA TO MAKE DATA
  • 37. METASPLOIT PRESENT ON VULN? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
  • 38. YOU NEED DATA TO MAKE METRICS ! Probability* (You*Will*Be*Breached*On*A*Particular*Open*Vulnerability)? !"#$%&'($#)*+,(,-,#.% /)#*0ℎ#.%!00')#2%3$%4ℎ#,)%5&6) 43-*(%!"#$%&'($#)*+,(,-,#. 6%
  • 39. PROBABILITY A VULNERABILITY HAVING CVSS SCORE > X HAS OBSERVED BREACHES 0 2 4 6 8 10 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
  • 40. 0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value (the proportion of positive test results that are true positives) of remediating a vulnerability with property X:
  • 42.
  • 43.
  • 44.
  • 46. 1. EVERYTHING THAT CAN BE AUTOMATED WILL BE AUTOMATED
  • 47. 2. METRICS ARE AN OBJECTIVE FUNCTION FOR AUTOMATION
  • 48. 3.GOOD METRICS DEFINE WHAT CAN BE AUTOMATED
  • 49. Corollary 1. Criteria for good metrics define what can (and can’t) be automated.
  • 50. 4. AUTOMATION GENERATES TREND DATA, MAKES INFERENCE POSSIBLE
  • 51. Corollary 2. The rate of data growth (availability, integrity, context-specificity) is the upper bound on the rate of automation.
  • 53. Question 1. What defines good data? 1a. How do we measure the rate of data growth? 1b. How do we measure data integrity?
  • 54. Question 2. What defines a good metric?
  • 55. Question 3. What makes a product good?
  • 57. References Security Metrics www.securitymetrics.org Society of Information Risk Analysts https://societyinforisk.org/ National Weather Service Research Forum http://www.nws.noaa.gov/mdl/vlab/forum/VLab_forum.php Dan Geer’s Full Day Tutorial On Measuring Security http://geer.tinho.net/measuringsecurity.tutorial.pdf Yasasin, Emrah, and Guido Schryen. "Derivation of Requirements for IT Security Metrics–An Argumentation Theory Based Approach." (2015). Savola, Reijo M. "Towards a taxonomy for information security metrics."Proceedings of the 2007 ACM workshop on Quality of protection. ACM, 2007. Böhme, Rainer, et al. "4.3 Testing, Evaluation, Data, Learning (Technical Security Metrics)–Working Group Report." Socio- Technical Security Metrics(2015): 20. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb’s journal, 24(12):21–29, 1999. T. Dimkov, W. Pieters, and P. H. Hartel. Portunes: representing attack scenarios spanning through the physical, digital and social domain. In Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA/WITS’10), volume 6186 of LNCS, pp. 112–129. Springer, 2010. A. Beautement, M. A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proc. of the 2008 Workshop on New Security Paradigms, NSPW’08, pp. 47–58, New York, NY, USA, 2008. ACM. B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proc. of the 2001 New Security Paradigms Workshop, pp. 97–104, New York, NY, USA, 2001. ACM.
  • 58. A. Buldas, P. Laud, J. Priisalu, M. Saarepera, and J. Willemson. Rational choice of security measures via multi-parameter attack trees. In Critical Information Infrastructures Security, volume 4347 of LNCS, pp. 235–248. Springer, 2006. R. Böhme. Security metrics and security investment models. In Isao Echizen, Noboru Kunihiro, and Ryoichi Sasaki, editors, Advances in Information and Computer Security, volume 6434 of LNCS, pp. 10–24. Springer, 2010. P. Finn and M. Jakobsson. Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26(1):46–58, 2007. M. E. Johnson, E. Goetz, and S. L. Pfleeger. Security through information risk management. IEEE Security & Privacy, 7(3):45–52, May 2009. R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proc. of the 8th Int’l Conf. on Quantitative Evaluation of Systems (QEST’11), pp. 191–200, 2011. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann. Towards operational measures of computer security. Journal of Computer Security, 2(2–3): 211–229, 1993. H. Molotch. Against security: How we go wrong at airports, subways, and other sites of ambiguous danger. Princeton University Press, 2014. S. L. Pfleeger. Security measurement steps, missteps, and next steps. IEEE Security & Privacy, 10(4):5–9, 2012. W. Pieters. Defining “the weakest link”: Comparative security in complex systems of systems. In Proc. of the 5th IEEE Int’l Conf. on Cloud Computing Technology and Science (CloudCom’13), volume 2, pp. 39–44, Dec 2013. W. Pieters and M. Davarynejad. Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Proc. of the 3rd Int’l Workshop on Quantitative Aspects in Security Assurance (QASA), LNCS, Springer, 2014. W. Pieters, S. H. G. Van der Ven, and C.W. Probst. A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability. In Proc. of the 2012 New Security Paradigms Workshop, NSPW’12, pages 1–14. ACM, 2012. C.W. Probst and R. R. Hansen. An extensible analysable system model. Information security technical report, 13(4):235–246, 2008. M. J. G. Van Eeten, J. Bauer, H. Asghari, and S. Tabatabaie. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. OECD STI Working Paper 2010/5, Paris: OECD, 2010. Klaus, Tim. "Security Metrics-Replacing Fear, Uncertainty, and Doubt." Journal of Information Privacy and Security 4.2 (2008): 62-63.