
Solving Non-Existent Problems v1.2


This talk focuses on gathering metrics and building a security program, one that actually solves real business security and risk problems. I walk the reader through the process of identifying key risks and actually measuring the problems, helping pinpoint focus for the security organization.

A must-read if you work in InfoSec!

Published in: Technology, Business


  1. Solving Problems That Don’t Exist! Building better security practices
     22 May 2009
     Rafal M. Los, Solutions Specialist, HP ASC
  2. Session Overview
     In today's enterprise, Web Application Security has come front and center for security managers as well as the business. The reason many well-funded, well-backed programs fail is that they miss the fundamental rule of problem solving: understand the problem. The secret to success is simple: understand your business context and build a program around that.
     How can you develop an actionable, business-risk-driven program for your enterprise? Understanding your role within the business is key, followed by successful identification of a cornerstone upon which to base the program. Evaluating data value, application visibility and business exposure one step at a time, and assigning real, measurable risk, are the necessary steps to making sure your program is well grounded in business value. Participants will be given a strong foundation to succeed, so they don't end up solving problems the business doesn't have.
  3. Fundamentals
     - Security is all about mitigating risk
     - Risk is a high-complexity problem
     - IT alone cannot eliminate risk
     - Security must work through the business
  4. Knowing Your Role
     - Role is fundamental to problem solving
     - Where you report into your organization makes a big difference
     - Identify your function and capacity
     - Is security tactical or strategic?
     - Is security a business stakeholder?
  5. Identifying a Cornerstone
     - Build your program on a key principle
     - You must answer this question: “Why does the business care about security?”
       - External compliance or regulations
       - Internal governance requirements
       - Competitive differentiator/advantage
       - Incident prevention
  6. Security Program Charter
     - Publish a charter document
     - Apply these 5 key knowledge points:
       - Focus on the cornerstone
       - Use content & context for business metrics
       - Publish the risk profile components
       - Emphasize transparency
       - Focus on building business value
     - This is your road map to success
  7. Business Value Metrics
     - Definition: metrics which can meaningfully quantify the business value proposition of risk mitigation
     - Keys to good metrics:
       - Must be business-input driven
       - Uniformity of perspective
       - Must never allow for “maybe”
  8. Context & Content
     - Assign concrete values to $Rn and $V
     - Content: monetary value of the data asset ($V)
     - Context: assign asset value relative to the environment
     - Value Ratio: $Rn = Data Value of Asset ($Vn) / Total Assets ($Vt)
  9. Context & Content: Site Visibility
     - Site Visibility (Vis): metric derived from an identification of the public awareness of the site
     - Context: 3 categories
       - High: publicized, indexed, well-linked (example: company storefront)
       - Moderate: indexed, searchable, sparsely linked
       - Low: non-indexed, private, non-linked
     - Content: how desired is the data in the site?
  13. Context & Content: Business Exposure
      - Business Exposure (Exp): public business risk profile derived from the dynamics of the business unit
      - Values: High | Moderate | Low
      - Context:
        - What line of business is the company/unit in?
        - How does the line of business contribute to the amount of risk the company undertakes in daily operations?
      - Consider your business’s risk management group your best ally
  14. Context & Content: Case Study, Acme Credit Company
      Acme Credit Company processes credit card transactions, and thus stores and processes hundreds of millions of credit cards weekly. Web site A_n is a portal for merchant processing of credit and debit payments, temporarily storing as many as one million credit cards for processing per day; this is Acme Co’s primary business.
      - $Rn = 0.8 (most of the company’s total assets are here)
      - $V = $10,000,000 (business value of 1 million records)
      - Vis = Moderate (indexed, searchable, but non-publicized site)
      - Exp = High (credit card processors are a big target)
  15. Building Risk Profiles: Prioritization Matrix
      - Allows for mathematically derived priorities based on business-driven input
      - Goals:
        - Transparency: the formula for deriving the priority metric is published
        - Objectivity: real numbers remove bias
      - Each site must have a risk profile
  16. Building Risk Profiles: Prioritization Matrix
      - Assigning values to the matrix:
        - $V = direct dollar value of the asset
        - $R = computed ratio
        - Vis values
        - Exp values
  17. Building Risk Profiles: The Formula
      - How does priority get computed?
        Priority = log10($V x $R x Vis x Exp)
      - Heavily weighted to data value
        - Rightfully so! Data value is important
      - $R works to segregate sites within a business
      - Vis and Exp work to distinguish between multiple businesses
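A worked implementation of the prioritization formula from slides 8 and 17, applied to the Acme Credit case study from slide 14. This is an added example, not the author's code; the deck gives no numeric scale for Vis and Exp, so the Low=1 / Moderate=2 / High=3 mapping is an assumption, as is the second, hypothetical Acme site used for ranking.

```python
"""Risk-profile prioritization: Priority = log10($V x $R x Vis x Exp), $R = $Vn / $Vt."""
import math
from dataclasses import dataclass

# Assumed ordinal scale for the deck's High / Moderate / Low categories (not from the deck).
SCALE = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass
class Site:
    name: str
    value_usd: float      # $V: direct dollar value of the data asset
    asset_share: float    # $Rn: this site's share of total assets ($Vn / $Vt)
    visibility: str       # Vis: High | Moderate | Low
    exposure: str         # Exp: High | Moderate | Low


def asset_ratio(site_value: float, total_value: float) -> float:
    """$Rn = $Vn / $Vt (slide 8). Rejects a zero or negative total so the ratio is meaningful."""
    if total_value <= 0:
        raise ValueError("total assets must be positive")
    return site_value / total_value


def priority(site: Site) -> float:
    """Priority = log10($V x $R x Vis x Exp) (slide 17)."""
    product = site.value_usd * site.asset_share * SCALE[site.visibility] * SCALE[site.exposure]
    if product <= 0:
        raise ValueError("every factor must be positive for log10 to be defined")
    return math.log10(product)


def rank(sites):
    """Return sites ordered from highest to lowest priority (the prioritization matrix)."""
    return sorted(sites, key=priority, reverse=True)


# Constructed inputs: the deck's Acme Credit case study plus a hypothetical second site.
ACME_PORTAL = Site("Acme merchant portal", 10_000_000, 0.8, "Moderate", "High")
ACME_MARKETING = Site("Acme marketing site (hypothetical)", 50_000, 0.05, "High", "High")

if __name__ == "__main__":
    for s in rank([ACME_PORTAL, ACME_MARKETING]):
        print(f"{s.name}: priority {priority(s):.2f}")
```

Because the score is a base-10 logarithm, a one-point difference means a tenfold difference in the underlying product, which is why data value dominates and Vis and Exp only separate sites of similar value.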
  18. Building Risk Profiles: The Formula
      - The formula is not a silver bullet
      - Prioritization addresses the business value (of a site) objectively
      - Addressing business value increases the chance of your program’s success
      - Your goal: risk reduction and business value
  19. Executing
      - Demonstrate business understanding
      - Continue a two-way conversation
      - Be ready to change strategies with the business
  20. Questions?
      Click on the questions tab on your screen, type in your question (and name if you wish) and hit submit.