Enterprise Security Intelligence (ESI) is defined as an emerging concept that is a comprehensive and holistic alternative to traditional disjointed security approaches that will enable stronger enterprise-wide security, optimal decision making and better business results.
Tripwire’s CTO Dwayne Melançon discusses:
-Enterprise Security Intelligence concept and how to utilize it in your security efforts
-Practical tips for leveraging security intelligence and how it fits with Tripwire’s System State Intelligence
-How Tripwire provides an integrated solution that allows customers to look at security events with business context and detect an insecure system
The full webcast can be found here:
http://www.tripwire.com/register/the-emergence-of-enterprise-security-intelligence-amer/
“Most end users believe the [SIEM] technology is at best a hassle and at worst an abject failure. SIEM is widely regarded as too complex, and too slow to implement, without providing enough customer value to justify the investment.”
Not all organizations deal with risk in the same manner. It is important to understand how your organization views risk and what its comfort level is. To do this properly you need to have many conversations with the business to better understand what is important to them.
In order to better prioritize your efforts, I'm also seeing a wide variety of organizations who are beginning to implement formal risk scoring and ranking methods. Again, these are often used in conjunction with a prescribed framework. All of these things work together to form a set of building blocks that you can use to prioritize. This comes in handy when deciding which projects to undertake, which actions to take and which investments to make, so that you can bias your decisions toward the areas that have the highest risk or highest impact to the organization. In other words, they allow you to focus your resources on solving the biggest problems facing the organization.
From the paper “Understanding and Selecting a SIEM and Log Management”, Securosis 2011: https://securosis.com/blog/understanding-and-selecting-siem-lm-use-cases-part-1/
Also, this is one from Securosis in their paper “Security Management 2.0: Time to Replace Your SIEM?”: “Of the customers we talk with, there is general dissatisfaction with SIEM implementations – which in many cases have not delivered the expected value. The issues typically result from failure to scale, poor ease of use, challenges using the collected data in actionable timeframes, excessive effort for care & feeding and maintenance, or just customer execution failure.” https://securosis.com/assets/library/reports/SecurityManagement2.0_FINAL-Multi.pdf
The final area relates back to the metrics I was talking about before. I see organizations attempting to establish key risk indicators and key risk objectives to help them measure progress. Focusing on a repeatable framework and crisp measurement allows you to begin managing by fact rather than by emotion, or by always paying attention to the latest and loudest person who shows up with some kind of a cause.
-Support the business's goals, and the connection to those goals should be clear
-Be controllable
-Be quantitative, not qualitative
-Be easy to collect and analyze
-Be subject to trending
Bonus points if your metrics…
-Drive discussions and decisions in the business.
-Promote healthy competition.
Okay, now for the moment we've all been waiting for. What are some of the metrics that actually work? If you're looking for some good resources in terms of metrics, and you're a Gartner client, I suggest you look at some of the papers by Jeffrey Wheatman. He has done a lot of work on creating effective metrics, and will even review your metrics and provide feedback if you'd like. Some of the ones I've seen that I like, or that I've seen work, are things like the ones you see on the screen here.
The 1st category is configuration quality. This includes things like the percentage of configurations that are compliant with your target security standards, viewed through a risk-aligned lens. What I mean by risk-aligned is this: once you've identified your critical assets, establish a target. For example, you may target having 95% or more of the systems in your critical group configured in accordance with your configuration hardening standards. In the next category of risk, whether that's high or medium or whatever, you may strive for 75% or more of your configurations being aligned with your target security standards. These metrics are good because they are something you can control, and they decrease your attack surface, which reduces your security risk. Configuration quality metrics can also include things like the number of unauthorized changes, and patch compliance, again by target area aligned with your risk level. In other words, focusing on your critical assets, you want to measure the percentage of systems that are patched within 72 hours. Remember, you need to measure things that you can directly influence, otherwise you will fail.
The 2nd category, control effectiveness, is designed to help you focus on what you can automate to improve your effectiveness and decrease your reliance on people paying attention. For example, metrics like the percent of incidents detected by an automated control will help decrease the effort and cost required to detect security incidents. Tracking the percent of incidents resulting in loss will get you focused on what's required to discover incidents more quickly and resolve them more quickly. The percentage of changes that follow the change process is a metric that will get you focused on implementing detective controls, so that you can detect when people break the rules and go around your process.
The 3rd category I've provided here, security program progress, is designed to track the effectiveness of aspects of your overall security program. For example, one of the concerns in the risk study was threats from careless users and the use of social media. Both of these can be remedied by better employee education around security and security practices. The 2 metrics I've provided here will help you track how effectively that training is being implemented and received. The 1st will track what percentage of your overall organisation has been trained. You'll note that I mention a breakout by business area. That's designed to help create a bit of competition between the different groups. This is an area where you want employees to take security training seriously, so if you begin to show scores by business area, by definition someone will be at the bottom of the list. No executive wants to be at the bottom of the list, so they will begin to help you drive security training as an important element of your program, even if they're only doing it so they don't show up at the bottom of the list. Then, once people have been trained, periodically issue a security recall test or a retention test and again report the scores by business area. This will help you drive the overall retention across the organisation and use competition to make it proceed more quickly. These are just some of the metrics that I've come across.
If you have any others that are effective, I'd love to know about them. If you have any that you're struggling with, I'd love to engage with you to try to find out a better set of mechanisms to track progress. The most important thing here is that we all can learn from each other and improve the state of the art around not only security actions but measuring the effectiveness of those actions. In a couple of slides you'll see my contact information; if you have anything to share on this topic, I would love to hear from you.
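The three metric categories above (configuration quality by risk tier, control effectiveness, and training coverage by business area) are easy to compute once the underlying records exist. The following is an added worked example, not code from the webcast or from Tripwire's products: it takes constructed asset, incident, change and training records, applies the tier targets and the 72-hour patch window quoted in the talk (the 60% target for a "medium" tier is an assumption), and returns a report in which each tier is marked as meeting or missing its target and business areas are ranked so the bottom of the list is visible.

```python
"""Risk-tiered security metrics (added example; all sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Target % of systems matching the hardening standard, per risk tier.
# 95% (critical) and 75% (high) are the figures from the talk; "medium" is assumed.
TIER_TARGETS = {"critical": 95.0, "high": 75.0, "medium": 60.0}
PATCH_WINDOW = timedelta(hours=72)   # "patched within 72 hours"


@dataclass
class Asset:
    host: str
    tier: str
    business_area: str
    config_compliant: bool
    patch_released: datetime          # when the vendor patch became available
    patched_at: Optional[datetime]    # None means still unpatched
    unauthorized_changes: int         # changes detected outside the change process


@dataclass
class Incident:
    detected_by: str                  # "automated" or "person"
    resulted_in_loss: bool


@dataclass
class Change:
    followed_process: bool


def pct(numerator, denominator):
    """Percentage rounded to one decimal; None for an empty group (not 0% or 100%)."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def patched_in_window(asset):
    """True only if the patch was applied within PATCH_WINDOW of its release."""
    if asset.patched_at is None:
        return False
    return asset.patched_at - asset.patch_released <= PATCH_WINDOW


def configuration_quality(assets):
    """Per tier: config compliance %, 72h patch %, unauthorized changes, target met?"""
    by_tier = defaultdict(list)
    for a in assets:
        by_tier[a.tier].append(a)
    report = {}
    for tier, group in by_tier.items():
        compliant = pct(sum(a.config_compliant for a in group), len(group))
        report[tier] = {
            "config_compliant_pct": compliant,
            "patched_72h_pct": pct(sum(patched_in_window(a) for a in group), len(group)),
            "unauthorized_changes": sum(a.unauthorized_changes for a in group),
            "meets_target": compliant is not None and compliant >= TIER_TARGETS.get(tier, 0.0),
        }
    return report


def control_effectiveness(incidents, changes):
    """Automation and process-adherence metrics from incident and change records."""
    return {
        "incidents_auto_detected_pct": pct(sum(i.detected_by == "automated" for i in incidents), len(incidents)),
        "incidents_with_loss_pct": pct(sum(i.resulted_in_loss for i in incidents), len(incidents)),
        "changes_following_process_pct": pct(sum(c.followed_process for c in changes), len(changes)),
    }


def training_coverage(people):
    """people: (business_area, trained) pairs -> [(area, pct)] ranked best to worst."""
    totals = defaultdict(lambda: [0, 0])
    for area, trained in people:
        totals[area][0] += int(trained)
        totals[area][1] += 1
    return sorted(((area, pct(t, n)) for area, (t, n) in totals.items()),
                  key=lambda row: -(row[1] or 0.0))


def sample_report():
    """Builds the report from constructed sample records (hostnames and dates are made up)."""
    released = datetime(2012, 5, 20, 9, 0)
    assets = [
        Asset("db-01", "critical", "Finance", True, released, datetime(2012, 5, 21, 10, 0), 0),
        Asset("db-02", "critical", "Finance", True, released, datetime(2012, 5, 22, 9, 0), 1),
        Asset("app-01", "critical", "Engineering", True, released, datetime(2012, 5, 23, 9, 0), 1),
        Asset("app-02", "critical", "Engineering", False, released, None, 0),
        Asset("web-01", "high", "Sales", True, released, datetime(2012, 5, 25, 9, 0), 0),
        Asset("web-02", "high", "Sales", True, released, datetime(2012, 5, 20, 12, 0), 0),
    ]
    incidents = [Incident("automated", False), Incident("automated", True), Incident("person", False),
                 Incident("automated", False), Incident("person", False)]
    changes = [Change(True)] * 8 + [Change(False)] * 2
    people = [("Finance", True)] * 3 + [("Finance", False)] + [("Engineering", True)] * 2 \
        + [("Sales", True)] + [("Sales", False)] * 2
    return {
        "configuration_quality": configuration_quality(assets),
        "control_effectiveness": control_effectiveness(incidents, changes),
        "training_coverage": training_coverage(people),
    }


if __name__ == "__main__":
    for section, rows in sample_report().items():
        print(section, rows)
```

Two design points matter in practice: an empty tier reports None rather than a misleading 0% or 100%, and the 72-hour window is measured from patch release, not from the scan date, so a late scan cannot make an overdue system look compliant.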