THE MEASURED CSO
ALEX HUTTON - A TOO BIG TO FAIL BANK
@ALEXHUTTON
SECTION 1: BACKGROUND
Who am I? What is this topic? Where are we? How did we get here?
SECTION 2: ON THE ROLE OF THE CSO
What is a CSO? What do they do? What is success? How do they get there?
SECTION 3: BECOMING MEASURED
What does that mean? What do we need? How do we do it? Where shall we go?
SECTION 1: BACKGROUND
Who am I? What is this topic? Where are we? How did we get here?
1.1 WHO AM I
• Security Engineer
• Security Product Management
• E-Commerce Site Design / Manager
• Risk Consultant
• OCTAVE / NIST
• FAIR
• Verizon DBIR
• IANS Faculty
• Director, Operations / Technology Risk
• Director, Information Security
1.2 WHAT IS THIS TOPIC
“…when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be.”
William Thomson, 1st Baron Kelvin & Measurement Badass
The Journey Towards Knowledge (and therefore, security)
WHERE ARE WE (OUR INDUSTRY)
“Security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers.”
Dan Geer, Security Badass
Unfortunately…
Science is based on inductive observations to derive meaning and understanding, and on measurement on quality (ratio) scales. So what about InfoSec? Where do we sit in the family of sciences?
We’re the Crazy Uncle with tinfoil hat antennae used to talk to the space aliens of Regulus V, who has 47 cats, and who too frequently (but benignly) forgets to wear pants.
Take, for example, CVSS: “the Base Equation multiplies Impact by 0.6 and Exploitability by 0.4”
= Shiny Jet Engine X Peanut Butter
Adding one willy-nilly doesn’t suddenly transform ordinal rankings into ratio values. Decimals aren’t magic.
“At our present skill in measurement of security, we generally have an ordinal scale at best, not an interval scale and certainly not a ratio scale. In plain terms, this means we can say whether X is better than Y but how much better and compared to what is not so easy.”
– Again, Badass Dan Geer
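The ordinal-versus-ratio point can be made concrete in a few lines. The following is an added example, not code from the talk: impact and exploitability are rated Low/Medium/High, and two different order-preserving numberings of those labels (both equally legitimate on an ordinal scale) are fed into a CVSS-style weighted sum using the 0.6/0.4 weights the talk quotes. The sum ranks the same findings differently depending on the numbering chosen; the only conclusions that survive every numbering are the dominance relations the ordering already contained. The findings and numberings are constructed.

```python
"""Why decimals don't turn an ordinal scale into a ratio scale (added example)."""
from itertools import combinations

ORDINAL = ["Low", "Medium", "High"]                 # the order is the only real information
NUMBERING_A = {"Low": 1, "Medium": 2, "High": 3}    # order-preserving
NUMBERING_B = {"Low": 1, "Medium": 2, "High": 10}   # also order-preserving, equally "valid"

# Constructed findings: (impact, exploitability)
FINDINGS = {
    "F1": ("High", "Low"),
    "F2": ("Medium", "High"),
    "F3": ("Low", "High"),
}


def weighted_score(impact, exploitability, numbering, w_impact=0.6, w_exploit=0.4):
    """CVSS-style base score: a weighted sum that treats the labels as ratio values."""
    return w_impact * numbering[impact] + w_exploit * numbering[exploitability]


def rank_by_score(findings, numbering):
    """Findings ordered worst-first by weighted score (ties broken by name)."""
    scores = {fid: weighted_score(i, e, numbering) for fid, (i, e) in findings.items()}
    return sorted(scores, key=lambda fid: (-scores[fid], fid))


def dominance_pairs(findings):
    """Conclusions the ordinal data supports on its own: (a, b) where a is at least
    as bad as b on both axes and strictly worse on at least one."""
    level = ORDINAL.index
    pairs = set()
    for a, b in combinations(findings, 2):
        for worse, better in ((a, b), (b, a)):
            wi, we = findings[worse]
            bi, be = findings[better]
            if (level(wi) >= level(bi) and level(we) >= level(be)
                    and (level(wi), level(we)) != (level(bi), level(be))):
                pairs.add((worse, better))
    return pairs


def unstable_pairs(findings, numbering_1, numbering_2):
    """Pairs whose relative order flips between two order-preserving numberings:
    orderings the weighted sum manufactured rather than measured."""
    pos_1 = {fid: i for i, fid in enumerate(rank_by_score(findings, numbering_1))}
    pos_2 = {fid: i for i, fid in enumerate(rank_by_score(findings, numbering_2))}
    flipped = set()
    for a, b in combinations(findings, 2):
        if (pos_1[a] < pos_1[b]) != (pos_2[a] < pos_2[b]):
            flipped.add(tuple(sorted((a, b))))
    return flipped


if __name__ == "__main__":
    print("ranking with numbering A:", rank_by_score(FINDINGS, NUMBERING_A))
    print("ranking with numbering B:", rank_by_score(FINDINGS, NUMBERING_B))
    print("supported by the ordinal data alone:", dominance_pairs(FINDINGS))
    print("artifacts of the numbering:", unstable_pairs(FINDINGS, NUMBERING_A, NUMBERING_B))
```

With numbering A the sum ranks F2 above F1; with numbering B it ranks F1 above F2. The one comparison both numberings agree on, F2 worse than F3, is exactly the one the Low/Medium/High ordering already supported without any arithmetic.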
State of the Industry
- proto-science
- somewhat random fact gathering (mainly of readily accessible data)
- a “morass” of interesting, trivial, irrelevant observations
- a variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering
Thomas Kuhn, Philosophy of Science Badass
1.3 HOW DID WE GET HERE
The tragedy of two mistakes
FIRST MISTAKE: LIMITING OURSELVES (security is an engineering issue?)
• OSI Model (original version)
• OSI Model (SOA Remix)
• OSI Model (Mika’s 12” Extended Dance Version)
10: Religion Operator Layer
SECOND MISTAKE: BLIND LEADING THE BLIND
BLIND MAN 1: THE FUD FACTORY
FUD FACTORY EXAMPLE - MOBILE VS WEB
Google Trend: Web Security vs. Mobile Malware
Clustering of over 5,000 incidents. DBIR Top Patterns: Espionage, Point of Sale, Skimming Devices, Theft/Loss, Error, Employee Misuse, Web Applications
Web Only: Web Applications in FinServ vs. All Industries
DBIR Global Representation of Assets in Cases:
NHTCU investigation into groups using mobile malware showed that in less than a year’s time, five variations of mobile malware for one specific bank could be detected. Modest estimates suggest that criminals gained around €50,000 per week using this specific form of mobile malware, harvesting over 4,000 user credentials from 8,500 infected bank customers in just a few months. Mobile malware does not move the needle in our stats as we focus on organizational security incidents as opposed to consumer device compromises.
BLIND MAN 2: THE ACCOUNTING-CONSULTANCY INDUSTRIAL COMPLEX
Complex (adaptive) Systems: a system composed of interconnected parts that as a whole exhibit one or more properties not obvious from the properties of the individual parts.
These “risk” statements you’re making... I don’t think you’re doing it right.
- (Chillin’ Friedrich Hayek)
BLIND MAN 3: OUR BROKEN MODELS
“the Base Equation multiplies Impact by 0.6 and Exploitability by 0.4”
ROYTMAN: ON VULNERABILITIES
A CSO MUST BECOME “MEASURED” TO ESCAPE THE MISTAKES OF THE PAST AND PUSH INTO THE FUTURE
SECTION 2: ON THE ROLE OF THE CSO
What is a CSO? What do they do? What is success? How do they get there?
WHAT IS A CSO
• What is a CISO? (Throne of Blood image)
WHAT IS A MEASURED CSO
W.E. DEMING
Father of Total Quality Management and inspiration that drove the Japanese “post-war economic miracle.”
IT WAS NO MIRACLE. What Deming taught the Japanese was “management by fact.”
• Improvements to the system are never ending.
• The only people who really know where the real potential for improvement lies are the workers.
• The system is always changing.
• There are countless ways for the system to go wrong.
• Statistics (metrics) are used to focus the conversation on fact and improvement.
• Goals for quality are cross-silo.
• Theories for improvements are implemented and tested.
• The management uses the workers as essential "instruments" in understanding what is.
A MEASURED CSO:
• Relies on metrics, data, intel for good decisions,
• Invests in improvements to People, Process and Technology,
• Puts innovation for improvements to the system (improvements = security, cost) in the hands of the operator,
• Ensures that there is a feedback loop for effectiveness initiatives, and
• Works tirelessly within the bureaucracy to improve all aspects of the system.
THE MEASURED CSO’S MISSION:
• To provide the best and least-cost security for shareholders, and continuity of employment for his workers.
• We, as an industry, know that “best” and “least-cost” are not necessarily contradictory.
• We also have a HUGE continuity issue.
THE MEASURED CSO USES METRICS TO IMPROVE THE SYSTEM.
WHAT IS THAT SYSTEM? That which Defends (Detects, Responds, & Prevents).
THE MEASURED CSO USES METRICS TO:
• Develop and improve the People, Process, and Technology to Defend
• Plan / Build / Manage those defenses
THE SYSTEMS FOR DEVELOPING METRICS ARE MORE IMPORTANT THAN THE SYSTEMS OF DOGMA THAT DEFINE “STANDARDS” OF OPERATION.
Sorry, ISACA
• There are two systems which the CSO must manage across (at least 4 audiences):
  • Those that support “defend”
  • Those that support Plan/Build/Manage
MEASURED CSO SYSTEM 1: THE METRICS AND MODELS THAT “DEFEND”
EPIDEMIOLOGY
Risk Factors (Determinants): variables associated with increased frequency of an event.
Risk Markers: a variable that is quantitatively associated with a disease or other outcome, but direct alteration of the risk marker does not necessarily alter the risk of the outcome.
Correlation vs. Causation: risk factors or determinants are correlational and not necessarily causal, because correlation does not prove causation.
THE MEANS TO FIND PATTERNS
Example of a medical approach: Dr. Peter Tippett & Verizon DBIR
A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:
Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
VERIS (Vocabulary for Event Recording & Incident Sharing)
Object-Oriented Modeling
Incident as a chain of events: 1 > 2 > 3 > 4 > 5
A “Pattern”
VERIS: Classification of Events by Risk Factor
Complex System?
VERIS FOUND PATTERNS!
Clustering of over 5,000 incidents. DBIR Top Patterns: Espionage, Point of Sale, Skimming Devices, Theft/Loss, Error, Employee Misuse, Web Applications
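The VERIS modelling described above (an incident as a chain of events, each event carrying the four A's, events classified by risk factor, incidents grouped into patterns) as an added Python example. This is not the talk's, Verizon's or the VERIS project's code: the enumerations are a constructed subset of the real VERIS vocabulary, the sample incidents are constructed, and the pattern rules are a hand-written stand-in for the clustering the DBIR actually uses to find its patterns.

```python
"""VERIS-style incident modelling in miniature (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Event:
    agent: str      # whose actions affected the asset: external / internal / partner
    action: str     # what they did: hacking / malware / misuse / error / physical
    asset: str      # which asset: web_app / database / pos_terminal / laptop / atm
    attribute: str  # how it was affected: confidentiality / integrity / availability


@dataclass
class Incident:
    incident_id: str
    events: List[Event] = field(default_factory=list)


def chain_summary(incident: Incident) -> str:
    """Render the chain of events, one 'agent:action->asset:attribute' step per event."""
    return " > ".join(f"{e.agent}:{e.action}->{e.asset}:{e.attribute}" for e in incident.events)


def risk_factor_frequency(incidents, factor: str) -> Counter:
    """Classification of events by one risk factor: how often each value of an A
    (e.g. 'asset' or 'action') appears across all events of all incidents."""
    return Counter(getattr(e, factor) for inc in incidents for e in inc.events)


def classify(incident: Incident) -> str:
    """Coarse pattern label. Rules are ordered and the first match wins; they are
    constructed for this example and only approximate the DBIR pattern names."""
    agents = {e.agent for e in incident.events}
    actions = {e.action for e in incident.events}
    assets = {e.asset for e in incident.events}
    if "internal" in agents and "misuse" in actions:
        return "Employee Misuse"
    if "error" in actions:
        return "Error"
    if "physical" in actions and "atm" in assets:
        return "Skimming Devices"
    if "physical" in actions:
        return "Theft/Loss"
    if "pos_terminal" in assets and "malware" in actions:
        return "Point of Sale"
    if "web_app" in assets and "hacking" in actions:
        return "Web Applications"
    return "Everything Else"


def pattern_counts(incidents) -> Counter:
    """The 'clustering' step in miniature: number of incidents per pattern."""
    return Counter(classify(inc) for inc in incidents)


# Constructed sample incidents (not real cases)
SAMPLE_INCIDENTS = [
    Incident("INC-1", [Event("external", "hacking", "web_app", "integrity"),
                       Event("external", "hacking", "database", "confidentiality")]),
    Incident("INC-2", [Event("external", "hacking", "pos_terminal", "integrity"),
                       Event("external", "malware", "pos_terminal", "confidentiality")]),
    Incident("INC-3", [Event("internal", "misuse", "database", "confidentiality")]),
    Incident("INC-4", [Event("internal", "error", "database", "availability")]),
    Incident("INC-5", [Event("external", "physical", "laptop", "confidentiality")]),
    Incident("INC-6", [Event("external", "hacking", "web_app", "confidentiality")]),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, classify(inc), "|", chain_summary(inc))
    print(pattern_counts(SAMPLE_INCIDENTS))
    print(risk_factor_frequency(SAMPLE_INCIDENTS, "asset"))
```

The two counters are the two views the talk asks for: `risk_factor_frequency` answers "which assets (or actions, or agents) show up most", and `pattern_counts` answers "which whole-incident shapes recur", which is the question a defender prioritises controls against.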
THE KEY TO THE MEASURED CSO SYSTEM 1: FRAMEWORK, DATA, MODELS
[Diagram: Framework (√∫∑), Models, Data, and their intersection (∩)]
VERIS+: actor information, asset information, impact information, controls information, risk
Classifying sets of security information
[Diagram: Framework (√∫∑), Models, Data, and their intersection (∩)]
Data Warehousing+
Apache Storm
Data → MapReduce → Process → Analytics & Reporting
Data sources: Threat Intel Feeds, Control Data, Control Logs, System Logs, Event History & Loss, Loss Distribution Dev., B.I.A., Configuration Data, Vulnerability Data, HR Information, Process Behaviors
Formats: XML, CSV, EDI, LOG, SQL, JSON, Text, Binary Objects
MapReduce: create / map / reduce
Process: Traditional RDBMS Systems, Workflow
Analytics & Reporting: Analytics, Reporting, Models suggesting IOC=true
Incident as a chain of events: 1 > 2 > 3 > 4 > 5
Incident as a chain of events: 1 > 2 > 3 > 4 > 5 (X X X)
Example of data enrichment: Asset Intel: Vendor-owned SaaS application
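The pipeline in the diagram above (heterogeneous sources in, map into one schema, reduce by joining, a model that says IOC=true, then enrichment with asset intel such as "vendor-owned SaaS application") as an added, stand-alone Python example. It is not code from the talk and not Apache Storm or any MapReduce framework; the JSON threat-intel feed, the CSV asset inventory, the syslog lines and the hostnames/IPs are all constructed, the syslog regex is a deliberately narrow assumption about the log format, and the rule "a log line whose source IP matches an intel indicator is an IOC hit" stands in for whatever model a real pipeline would run.

```python
"""ETL-and-store in miniature: map three formats into one schema, reduce by key,
flag IOC hits and enrich them with asset intelligence (added example)."""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed threat-intel feed (JSON), asset inventory (CSV) and system logs (syslog-style)
THREAT_INTEL_JSON = json.dumps([
    {"indicator": "203.0.113.7", "type": "ipv4", "source": "constructed-feed"},
    {"indicator": "198.51.100.20", "type": "ipv4", "source": "constructed-feed"},
])

ASSET_INVENTORY_CSV = """asset,owner,hosting
crm.example.test,vendor,saas
portal.example.test,internal,dc
"""

SYSTEM_LOGS = """\
<134>Nov 20 10:01:02 crm.example.test sshd[811]: Accepted password for svc from 203.0.113.7 port 51312
<134>Nov 20 10:02:15 portal.example.test sshd[902]: Failed password for root from 192.0.2.44 port 40022
this line is not syslog and must be skipped, not guessed at
<134>Nov 20 10:03:40 portal.example.test sshd[903]: Accepted publickey for deploy from 198.51.100.20 port 40100
"""

# Assumed log shape: <PRI>timestamp host process: message ... from <ipv4> ...
LOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<msg>.*from (?P<src>\d+\.\d+\.\d+\.\d+).*)$"
)


def map_records(threat_json, inventory_csv, syslog_text):
    """Map step: every source row becomes a (join key, record) pair. Intel and logs
    are keyed by IP so the reduce step can join them; assets are keyed by hostname."""
    pairs = []
    for ioc in json.loads(threat_json):
        pairs.append(("ip:" + ioc["indicator"], {"kind": "intel", **ioc}))
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        pairs.append(("host:" + row["asset"], {"kind": "asset", **row}))
    for line in syslog_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable input is dropped rather than silently mis-keyed
        rec = {"kind": "log", "ts": m["ts"], "host": m["host"], "src": m["src"], "msg": m["msg"]}
        pairs.append(("ip:" + m["src"], rec))
    return pairs


def reduce_ioc_hits(pairs):
    """Reduce step: group by key. A log record sharing its key with an intel record is
    an IOC hit; each hit is enriched with the asset inventory row for its host."""
    groups = defaultdict(list)
    for key, rec in pairs:
        groups[key].append(rec)
    assets = {r["asset"]: r for recs in groups.values() for r in recs if r["kind"] == "asset"}
    hits = []
    for recs in groups.values():
        intel = [r for r in recs if r["kind"] == "intel"]
        if not intel:
            continue
        for log in (r for r in recs if r["kind"] == "log"):
            asset = assets.get(log["host"], {})
            hits.append({
                "ioc": True,
                "indicator": intel[0]["indicator"],
                "host": log["host"],
                "ts": log["ts"],
                "vendor_owned_saas": asset.get("owner") == "vendor" and asset.get("hosting") == "saas",
            })
    return sorted(hits, key=lambda h: h["ts"])


def run_pipeline():
    return reduce_ioc_hits(map_records(THREAT_INTEL_JSON, ASSET_INVENTORY_CSV, SYSTEM_LOGS))


if __name__ == "__main__":
    for hit in run_pipeline():
        print(hit)
```

Two of the three parsable log lines hit an indicator; the enrichment step is what turns "IOC=true on crm.example.test" into "IOC=true on a vendor-owned SaaS application", which changes who has to respond and what the CSO can actually fix.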
[Diagram: Framework (√∫∑), Models, Data, and their intersection (∩)]
MEASURED CSO SYSTEM 1: THE METRICS AND MODELS THAT “DEFEND” AGAINST THREAT PATTERNS (real and anticipated or forecasted).
MEASURED CSO SYSTEM 2: THE METRICS NEEDED TO PLAN/BUILD/MANAGE SYSTEMS (OPERATIONS)
THE MEASURED CSO MUST ALSO INCLUDE A KEEN UNDERSTANDING AND PARTNERSHIP WITH IT OPERATIONS
THE MICROMORT: a one in a million chance of death. Ronald A. Howard
Activities that increase the death risk by roughly one micromort, and their associated cause of death (Wikipedia):
- Traveling 6 miles by motorbike (accident)
- Traveling 17 miles by walking (accident)
- Traveling 10 miles by bicycle (accident)
- Traveling 230 miles (370 km) by car (accident)
- Traveling 1000 miles (1600 km) by jet (accident)
- Traveling 6000 miles (9656 km) by train (accident)
- Traveling 12,000 miles (19,000 km) by jet in the United States (terrorism)
Increase in death risk for other activities on a per event basis:
- Hang gliding – 8 micromorts per trip
- Ecstasy (MDMA) – 0.5 micromorts per tablet (most cases involve other drugs)
Modern Risk Management is not only bad at describing risk, but it is also focused on reporting its own version of “micromorts” inefficiently.
The Measured CSO must know where IT is overweight, smoking ecstasy, while riding a rocket-powered bicycle on the railing of a bridge.
DATA: VISIBLE OPS FOR SECURITY
SECTION 3: BECOMING MEASURED
What does that mean? What do we need? How do we do it? Where shall we go?
MOST METRICS PROGRAMS
If we consider a single metric as a building block, it should be used by the CSO to paint a picture of the security program, whose context is the whole of IT.
But because we gather what is most readily available, most metrics programs look like my living room.
How does the measured CSO get context?
GOAL, QUESTION, METRIC
Conceptual level (goal): goals are defined for an object for a variety of reasons, with respect to various models, from various points of view.
Operational level (question): questions are used to define models of the object of study and then focus on that object to characterize the assessment or achievement of a specific goal.
Quantitative level (metric): metrics, based on the models, are associated with every question in order to answer it in a measurable way.
Victor Basili
GQM FOR FUN & PROFIT
Goals establish what we want to accomplish.
Questions help us understand how to meet the goal. They address context.
Metrics identify the measurements that are needed to answer the questions.
[Diagram: Goal 1, Goal 2 → Q1 Q2 Q3 Q4 Q5 → M1 M2 M3 M4 M5 M6 M7; Execution: Models, Data]
GQM EXAMPLE: PATCH MANAGEMENT
Patching Scorecard
Goal 1: Comprehensive
Goal 2: Timely
Goal 3: Cost Efficient
Goal 1: Comprehensive
- % Coverage by Business Unit
- % Coverage by Asset Category (Unix, Windows Server, Desktop; OS, Components)
- % Coverage by Risk (Likelihood, Impact)
- Most Significant Failures: by Asset Category, by Location (DMZ, Semi-Pub, Internal), by Business Unit
- Repeat Offenders: by Asset Category, by Location (DMZ, Semi-Pub, Internal), by Business Unit
Goal 2: Timely
- What should our priorities be for timeliness? (likelihood, impact)
- What is policy for timeliness?
- What other considerations for timeliness?
- What is time to patch like for assets with the worst likelihoods?
- What is time to patch like for assets with the worst impacts?
- What % are late, by asset category (UNIX, Windows Server, Desktop), by business unit, by risk (likelihood, impact)?
- What are our repeat offenders?
Goal 3: Cost Efficient
- Cost
- Risk Reduction
- Hours per asset spent patching: by Asset Category, by Location (DMZ, Semi-Pub, Internal), by Cost per Hour
- Hours per asset, by ALE per hour
- Hours per asset category
• The Measured CSO creates a scorecard of KRIs & KPIs that includes:
  • Historical values
  • “Triggers”
  • “Thresholds”
(each of these?) aren’t perfect, but establish a hypothesis for testing & optimization.
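The three-goal patching scorecard above, carried through to metrics with thresholds and triggers, as an added Python example (not the talk's own scorecard or any vendor's tool). The asset inventory, patch records, hours and the as-of date are constructed; the patch SLA per risk bucket, the rule that risk is the worse of likelihood and impact, and the threshold values are assumptions standing in for the policy questions the Timely goal asks.

```python
"""GQM patch-management scorecard: Comprehensive, Timely, Cost Efficient (added example)."""
from collections import defaultdict
from datetime import date

# Constructed inventory: category, business unit, location, likelihood/impact buckets (1 low .. 3 high)
ASSETS = {
    "srv-01": {"category": "Windows Server", "bu": "Retail",   "location": "DMZ",      "likelihood": 3, "impact": 3},
    "srv-02": {"category": "Unix",           "bu": "Retail",   "location": "Internal", "likelihood": 1, "impact": 3},
    "srv-03": {"category": "Unix",           "bu": "Treasury", "location": "DMZ",      "likelihood": 3, "impact": 2},
    "dsk-01": {"category": "Desktop",        "bu": "Treasury", "location": "Internal", "likelihood": 2, "impact": 1},
    "dsk-02": {"category": "Desktop",        "bu": "Retail",   "location": "Internal", "likelihood": 2, "impact": 1},
}

# Constructed patch records: one required patch per asset; applied=None means still missing
PATCHES = [
    {"asset": "srv-01", "released": date(2014, 10, 1), "applied": date(2014, 10, 5),  "hours": 2.0},
    {"asset": "srv-02", "released": date(2014, 10, 1), "applied": date(2014, 11, 10), "hours": 3.0},
    {"asset": "srv-03", "released": date(2014, 10, 1), "applied": None,               "hours": 0.0},
    {"asset": "dsk-01", "released": date(2014, 10, 1), "applied": date(2014, 10, 20), "hours": 0.5},
    {"asset": "dsk-02", "released": date(2014, 10, 1), "applied": date(2014, 10, 3),  "hours": 0.5},
]

AS_OF = date(2014, 11, 18)
SLA_DAYS = {3: 7, 2: 14, 1: 30}  # assumed policy: days allowed to patch, by risk bucket
THRESHOLDS = {"coverage": 0.90, "late_pct": 0.10, "hours_per_asset": 2.0}  # assumed


def risk_bucket(asset):
    """Risk as the worse of likelihood and impact (an assumption about the model)."""
    return max(asset["likelihood"], asset["impact"])


def coverage_by(field):
    """Goal 1 (Comprehensive): share of required patches applied, grouped by an asset attribute."""
    done, total = defaultdict(int), defaultdict(int)
    for p in PATCHES:
        key = ASSETS[p["asset"]][field]
        total[key] += 1
        done[key] += int(p["applied"] is not None)
    return {k: done[k] / total[k] for k in total}


def late_by_risk():
    """Goal 2 (Timely): share of patches that exceeded the SLA for the asset's risk bucket.
    A patch still missing is measured against AS_OF, so it cannot hide by never finishing."""
    late, total = defaultdict(int), defaultdict(int)
    for p in PATCHES:
        bucket = risk_bucket(ASSETS[p["asset"]])
        finished = p["applied"] or AS_OF
        total[bucket] += 1
        late[bucket] += int((finished - p["released"]).days > SLA_DAYS[bucket])
    return {b: late[b] / total[b] for b in total}


def hours_per_asset_by(field):
    """Goal 3 (Cost Efficient): patching effort per asset, grouped by an asset attribute."""
    hours, count = defaultdict(float), defaultdict(int)
    for p in PATCHES:
        key = ASSETS[p["asset"]][field]
        hours[key] += p["hours"]
        count[key] += 1
    return {k: hours[k] / count[k] for k in count}


def scorecard():
    """KRI/KPI rows: (metric, slice, value, threshold, trigger_fired)."""
    rows = []
    for cat, v in coverage_by("category").items():
        rows.append(("coverage", cat, v, THRESHOLDS["coverage"], v < THRESHOLDS["coverage"]))
    for bucket, v in late_by_risk().items():
        rows.append(("late_pct", f"risk={bucket}", v, THRESHOLDS["late_pct"], v > THRESHOLDS["late_pct"]))
    for cat, v in hours_per_asset_by("category").items():
        rows.append(("hours_per_asset", cat, v, THRESHOLDS["hours_per_asset"], v > THRESHOLDS["hours_per_asset"]))
    return rows


def triggered():
    """The slices whose trigger fired: the hypotheses to go and test with the operators."""
    return [(metric, key) for metric, key, _, _, fired in scorecard() if fired]


if __name__ == "__main__":
    for row in scorecard():
        print(row)
    print("triggered:", triggered())
```

Each row is a hypothesis, not a verdict: "Unix coverage is 50%" says where to look, and the threshold says when to look; whether the cause is a broken pipeline, a business unit that refuses maintenance windows, or a vendor that is simply late is what the operators know and the scorecard does not.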
Now you’re ready to come correct, my Bias!
- (Chillin’ Friedrich Hayek)
MEASURED CSO FRAMEWORK FOR GQM: NIST CSF
NIST CSF
- Identify: Asset Management, Business Environment, Risk Assessment, Risk Management Strategy, Governance
- Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
- Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
- Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
- Recover: Recovery Planning, Improvements, Communications
[Diagram: Framework (√∫∑), Models, Data, and their intersection (∩)]
Example of data enrichment: Asset Intel: Vendor-owned SaaS application
ETL AND STORE ALL THE THINGS!!!


“If you do not know how to ask the right question, you discover nothing.”
RESOURCES
FOR GQM AND MICROMORTS - WIKIPEDIA
FOR DBIR DATA, THE VERIZON DBIR
FOR DEMING QUOTES, THE WORKS OF MYRON TRIBUS:
http://www.qla.com.au/papersTribus/Oslo3.pdf
http://www.unreasonable-learners.com/wp-content/uploads/2011/03/Germ-Theory-of-Management-Myron-Tribus1.pdf
http://www.qla.com.au/papersTribus/DEMINGS_.PDF

DeepSec 2014 - The Measured CSO

  • 1. THE MEASURED CSO. Alex Hutton - a too big to fail bank. @ALEXHUTTON
  • 2. SECTION 1: BACKGROUND Who am I? What is this topic? Where are we? How did we get here? SECTION 2: ON THE ROLE OF THE CSO What is a CSO? What do they do? What is success? How do they get there? SECTION 3: BECOMING MEASURED What does that mean? What do we need? How do we do it? Where shall we go?
  • 5. SECTION 1: BACKGROUND Who am I? What is this topic? Where are we? How did we get here?
  • 7. • Security Engineer • Security Product Management • E-Commerce Site Design / Manager • Risk Consultant • OCTAVE / NIST • FAIR • Verizon DBIR • IANS Faculty • Director, Operations / Technology Risk • Director, Information Security 1.1 WHO AM I
  • 8. 1.2 WHAT IS THIS TOPIC
  • 9. “…when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be.” William Thomson, 1st Baron Kelvin & Measurement Badass
  • 10. The Journey Towards Knowledge (and therefore, security) 1.2 WHAT IS THIS TOPIC
  • 11. WHERE ARE WE (OUR INDUSTRY)
  • 12. Security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers. Dan Geer, Security Badass
  • 14. Science is based on inductive observations to derive meaning and understanding and measurement on quality (ratio) scales, so what about InfoSec? Where do we sit in the family of sciences?
  • 15. We’re the Crazy Uncle with tinfoil hat antennae used to talk to the space aliens of Regulus V, has 47 cats, and who too frequently (but benignly) forgets to wear pants.
  • 17. “the Base Equation multiplies Impact by 0.6 and Exploitability by 0.4”
  • 18. = ShinyJet Engine X Peanut Butter
  • 19. “the Base Equation multiplies Impact by 0.6 and Exploitability by 0.4”
  • 20. Adding one willy-nilly doesn’t suddenly transform ordinal rankings into ratio values. Decimals aren’t magic.
  • 21. At our present skill in measurement of security, we generally have an ordinal scale at best, not an interval scale and certainly not a ratio scale. In plain terms, this means we can say whether X is better than Y but how much better and compared to what is not so easy. – Again, Badass Dan Geer
  • 22. State of the Industry: - proto-science - somewhat random fact gathering (mainly of readily accessible data) - a “morass” of interesting, trivial, irrelevant observations - a variety of theories (spawned from what he calls philosophical speculation) that provide little guidance to data gathering. Thomas Kuhn, Philosophy of Science Badass
  • 23. 1.3 HOW DID WE GET HERE
  • 24. 1.3 HOW DID WE GET HERE The tragedy of two mistakes
  • 25. FIRST MISTAKE: LIMITING OURSELVES (security is an engineering issue?)
  • 26. • OSI Model (original version)
  • 27. • OSI Model (SOA Remix)
  • 28. • OSI Model (Mika’s 12” Extended Dance Version): 10: Religion Operator Layer
  • 29. SECOND MISTAKE: BLIND LEADING THE BLIND
  • 30. BLIND MAN 1: THE FUD FACTORY
  • 31. FUD FACTORY EXAMPLE - MOBILE VS WEB
  • 32. Google Trend: Web Security Mobile Malware
  • 33. DBIR Top Patterns (clustering of over 5,000 incidents): Espionage; Point of Sale; Skimming Devices; Theft/Loss; Error; Employee Misuse; Web Applications
  • 35. In FinServ vs. All Industries
  • 36. DBIR Global Representation of Assets in Cases:
  • 37. DBIR Global Representation of Assets in Cases: NHTCU investigation into groups using mobile malware showed that in less than a year’s time, five variations of mobile malware for one specific bank could be detected. Modest estimates suggest that criminals gained around €50,000 per week using this specific form of mobile malware, harvesting over 4,000 user credentials from 8,500 infected bank customers in just a few months. Mobile malware does not move the needle in our stats as we focus on organizational security incidents as opposed to consumer device compromises.
  • 39. BLIND MAN 2: THE ACCOUNTING-CONSULTANCY INDUSTRIAL COMPLEX
  • 42. Complex (adaptive) Systems: a system composed of interconnected parts that as a whole exhibit one or more properties not obvious from the properties of the individual parts
  • 43. These “risk” statements you’re making... I don’t think you’re doing it right. - (Chillin’ Friedrich Hayek)
  • 44. BLIND MAN 3: OUR BROKEN MODELS
  • 45. “the Base Equation multiplies Impact by 0.6 and Exploitability by 0.4”
  • 48. A CSO MUST BECOME “MEASURED” TO ESCAPE THE MISTAKES OF THE PAST AND PUSH INTO THE FUTURE
  • 49. SECTION 2: ON THE ROLE OF THE CSO What is a CSO? What do they do? What is success? How do they get there?
  • 50. • What Is a CISO (throne of blood image WHAT IS A CSO
  • 51. • What Is a CISO (throne of blood image WHAT IS A MEASURED CSO
  • 54. W.E. DEMING: Father of Total Quality Management and inspiration that drove the Japanese “post-war economic miracle.”
  • 55. IT WAS NO MIRACLE. What Deming taught the Japanese was “management by fact.”
  • 56. • Improvements to the system are never ending. • The only people who really know where the real potential for improvement lies are the workers. • The system is always changing. • There are countless ways for the system to go wrong. • Statistics (metrics) are used to focus the conversation on fact and improvement. • Goals for quality are cross-silo. • Theories for improvements are implemented and tested. • The management uses the workers as essential "instruments" in understanding what is.
  • 57. A MEASURED CSO: • Relies on metrics, data, intel for good decisions, • Invests in improvements to People, Process and Technology, • Puts innovation for improvements to the system (improvements = security, cost) in the hands of the operator, • Ensures that there is a feedback loop for effectiveness initiatives, and • Works tirelessly within the bureaucracy to improve all aspects of the system.
  • 58. THE MEASURED CSO’S MISSION: • To provide the best and least-cost security for shareholders, and continuity of employment for his workers. • We, as an industry, know that “best” and “least-cost” are not necessarily contradictory. • We also have a HUGE continuity issue.
  • 59. THE MEASURED CSO USES METRICS TO IMPROVE THE SYSTEM.
  • 60. WHAT IS THAT SYSTEM - That which Defends (Detects, Responds, & Prevents).
  • 61. THE MEASURED CSO USES METRICS TO: • Develop and improve the People, Process, and Technology to Defend • Plan / Build / Manage those defenses
  • 62. THE SYSTEMS FOR DEVELOPING METRICS ARE MORE IMPORTANT THAN THE SYSTEMS OF DOGMA THAT DEFINE “STANDARDS” OF OPERATION.
  • 63. THE SYSTEMS FOR DEVELOPING METRICS ARE MORE IMPORTANT THAN THE SYSTEMS OF DOGMA THAT DEFINE “STANDARDS” OF OPERATION. Sorry, ISACA
  • 64. THE SYSTEMS FOR DEVELOPING METRICS ARE MORE IMPORTANT THAN THE SYSTEMS OF DOGMA THAT DEFINE “STANDARDS” OF OPERATION. • There are two systems which the CSO must manage across (at least 4 audiences) • Those that support “defend” • Those that support Plan/Build/Manage
  • 65. MEASURED CSO SYSTEM 1: THE METRICS AND MODELS THAT “DEFEND”
  • 67. EPIDEMIOLOGY. Risk Factors (Determinants): variables associated with increased frequency of an event. Risk Markers: a variable that is quantitatively associated with a disease or other outcome, but direct alteration of the risk marker does not necessarily alter the risk of the outcome. Correlation vs. Causation: risk factors or determinants are correlational and not necessarily causal, because correlation does not prove causation.
  • 68. EPIDEMIOLOGY. Risk Factors (Determinants): variables associated with increased frequency of an event. Risk Markers: a variable that is quantitatively associated with a disease or other outcome, but direct alteration of the risk marker does not necessarily alter the risk of the outcome. Correlation vs. Causation: risk factors or determinants are correlational and not necessarily causal, because correlation does not prove causation. THE MEANS TO FIND PATTERNS
  • 69. Example of a medical approach: Dr. Peter Tippett & Verizon DBIR
  • 70. VERIS (Vocabulary for Event Recording & Incident Sharing): A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s: Agent: whose actions affected the asset; Action: what actions affected the asset; Asset: which assets were affected; Attribute: how the asset was affected.
  • 73. Object-Oriented Modeling, VERIS (Vocabulary for Event Recording & Incident Sharing): incident as a chain of events, 1 > 2 > 3 > 4 > 5
  • 74. Object-Oriented Modeling, VERIS (Vocabulary for Event Recording & Incident Sharing): incident as a chain of events, 1 > 2 > 3 > 4 > 5. This chain is a “Pattern”.
  • 75. VERIS: Classification of Events by Risk Factor
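An added example, not from the talk or from the VERIS project, to show what slides 70 through 75 and the chain diagrams on slides 88 and 89 describe: each incident is an ordered chain of 4A events (Agent, Action, Asset, Attribute), incidents are clustered into patterns by rules over those chains, and a control is checked by asking at which event it would interrupt the chain (the X marks on slide 89). VERIS and its four A's are real; the sample incidents, the pattern rules, the control set and every function name below are constructed for illustration.

```python
"""Incidents as chains of VERIS-style 4A events, clustered into patterns, with a
check of where a given control set would break each chain (constructed example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    agent: str      # whose actions affected the asset
    action: str     # what was done to it
    asset: str      # which asset was affected
    attribute: str  # how it was affected (confidentiality, integrity, availability)


Incident = Tuple[Event, ...]   # an incident is an ordered chain of events

# Constructed sample incidents; these are not DBIR data.
SAMPLE_INCIDENTS = [
    (Event("external", "hacking", "web app", "integrity"),
     Event("external", "malware", "web app", "integrity"),
     Event("external", "hacking", "db server", "confidentiality")),
    (Event("external", "hacking", "web app", "integrity"),
     Event("external", "hacking", "db server", "confidentiality")),
    (Event("external", "social", "person", "integrity"),
     Event("external", "malware", "user device", "integrity"),
     Event("external", "hacking", "db server", "confidentiality")),
    (Event("internal", "misuse", "db server", "confidentiality"),),
    (Event("internal", "error", "laptop", "availability"),),
]


def signature(incident: Incident) -> Tuple[Tuple[str, str], ...]:
    """The (action, asset) steps of a chain: the shape a pattern is built from."""
    return tuple((e.action, e.asset) for e in incident)


def classify(incident: Incident) -> str:
    """Toy pattern rules in the spirit of the DBIR top patterns (constructed)."""
    first = incident[0]
    if first.agent == "internal" and first.action == "misuse":
        return "Employee Misuse"
    if first.agent == "internal" and first.action == "error":
        return "Error"
    if first.asset == "web app":
        return "Web Applications"
    if any(e.action == "malware" and e.asset == "user device" for e in incident):
        return "Crimeware"
    return "Other"


def pattern_counts(incidents: Iterable[Incident]) -> Dict[str, int]:
    """Cluster incidents by pattern, as the 'top patterns' slide does."""
    return dict(Counter(classify(i) for i in incidents))


def first_blocked_step(incident: Incident, controls: Set[Tuple[str, str]]) -> Optional[int]:
    """Index of the earliest event a control stops, or None if the chain completes.
    A control is written as the (action, asset) pair it prevents or detects."""
    for idx, e in enumerate(incident):
        if (e.action, e.asset) in controls:
            return idx
    return None


def chains_broken(incidents: Iterable[Incident], controls: Set[Tuple[str, str]]) -> float:
    """Fraction of incident chains that the control set interrupts somewhere."""
    incidents = list(incidents)
    broken = sum(first_blocked_step(i, controls) is not None for i in incidents)
    return broken / len(incidents) if incidents else 0.0


if __name__ == "__main__":
    controls = {("hacking", "db server")}   # constructed: hardening + monitoring on the DB tier
    print(pattern_counts(SAMPLE_INCIDENTS))
    for inc in SAMPLE_INCIDENTS:
        print(signature(inc), "->", classify(inc), "blocked at", first_blocked_step(inc, controls))
    print("chains broken:", chains_broken(SAMPLE_INCIDENTS, controls))
```

The point of `chains_broken` is the one the deck makes about metrics that "defend": a control is judged by which observed chains it interrupts and how early, not by whether it appears on a standards checklist.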
  • 77. DBIR Top Patterns (clustering of over 5,000 incidents): Espionage; Point of Sale; Skimming Devices; Theft/Loss; Error; Employee Misuse; Web Applications
  • 78. THE KEY TO THE MEASURED CSO SYSTEM 1: FRAMEWORK, DATA, MODELS
  • 83. Data pipeline diagram: sources (Threat Intel Feeds, Control Data, Control Logs, System Logs, Event History & Loss, Loss Distribution Dev., B.I.A., Configuration Data, Vulnerability Data, HR Information, Process Behaviors) in the formats XML, CSV, EDI, LOG, SQL, JSON, Text and Binary Objects feed a MapReduce process (create, map, reduce) alongside traditional RDBMS systems, which in turn feed Workflow, Analytics and Reporting.
  • 88. Incident as a chain of events: 1 > 2 > 3 > 4 > 5
  • 89. Incident as a chain of events: 1 > 2 > 3 > 4 > 5, with events marked X X X
  • 90. Example of data enrichment: Asset Intel: Vendor-owned SaaS application
  • 92. MEASURED CSO SYSTEM 1: THE METRICS AND MODELS THAT “DEFEND” AGAINST THREAT PATTERNS. (real and anticipated or forecasted)
  • 93. MEASURED CSO SYSTEM 2: THE METRICS NEEDED TO PLAN/BUILD/MANAGE SYSTEMS (OPERATIONS)
  • 94. THE MEASURED CSO MUST ALSO INCLUDE A KEEN UNDERSTANDING AND PARTNERSHIP WITH IT OPERATIONS
  • 95. THE MICROMORT: a one in a million chance of death. Ronald A. Howard
  • 96. Activities that increase the death risk by roughly one micromort, and their associated cause of death (Wikipedia): Traveling 6 miles by motorbike (accident); Traveling 17 miles by walking (accident); Traveling 10 miles by bicycle (accident); Traveling 230 miles (370 km) by car (accident); Traveling 1000 miles (1600 km) by jet (accident); Traveling 6000 miles (9656 km) by train (accident); Traveling 12,000 miles (19,000 km) by jet in the United States (terrorism). Increase in death risk for other activities on a per event basis: Hang gliding – 8 micromorts per trip; Ecstasy (MDMA) – 0.5 micromorts per tablet (most cases involve other drugs)
  • 97. Modern Risk Management is not only bad at describing risk, but it is also focused on reporting its own version of “micromorts” inefficiently. Traveling 10 miles by bicycle (accident)
  • 98. Modern Risk Management is not only bad at describing risk, but it is also focused on reporting its own version of “micromorts” inefficiently. Traveling 10 miles by bicycle (accident). Ecstasy (MDMA) – 0.5 micromorts per tablet (most cases involve other drugs)
  • 101. The Measured CSO must know where IT is overweight, smoking ecstasy, while riding a rocket-powered bicycle on the railing of a bridge.
  • 102. DATA: VISIBLE OPS FOR SECURITY
  • 103.
  • 104. Example of data enrichment: Asset Intel: Vendor-owned SaaS application
  • 105. SECTION 3: BECOMING MEASURED What does that mean? What do we need? How do we do it? Where shall we go?
  • 107. If we consider a single metric as a building block
  • 108. It should be used by the CSO to paint a picture of the security program
  • 109. Whose context is the whole of IT.
  • 110. But because we gather what is most readily available, most metrics programs look like my living room. How does the measured CSO get context?
  • 111. GOAL, QUESTION, METRIC (Victor Basili). Conceptual level (goal): a goal is defined for an object, for a variety of reasons, with respect to various models, from various points of view. Operational level (question): a set of questions is used to define models of the object of study and then focuses on that object to characterize the assessment or achievement of a specific goal. Quantitative level (metric): a set of metrics, based on the models, is associated with every question in order to answer it in a measurable way.
  • 112. GQM FOR FUN & PROFIT. Goals establish what we want to accomplish. Questions help us understand how to meet the goal; they address context. Metrics identify the measurements that are needed to answer the questions. Diagram: Goal 1, Goal 2 over questions Q1 to Q5 over metrics M1 to M7.
  • 113. GQM FOR FUN & PROFIT. Diagram: Execution, Models, Data layers beside Goal 1, Goal 2 over questions Q1 to Q5 over metrics M1 to M7.
  • 114. GQM EXAMPLE: PATCH MANAGEMENT. Patching Scorecard: Goal 1: Comprehensive; Goal 2: Timely; Goal 3: Cost Efficient
  • 115. GQM EXAMPLE: PATCH MANAGEMENT. Patching Scorecard, Goal 1: Comprehensive. Metrics: % coverage by business unit; % coverage by asset category (Unix, Windows Server, Desktop, OS components); % coverage by risk (likelihood, impact); most significant failures (by asset category; by location: DMZ, Semi-Pub, Internal; by business unit); repeat offenders (by asset category; by location: DMZ, Semi-Pub, Internal; by business unit)
  • 116. GQM EXAMPLE: PATCH MANAGEMENT. Patching Scorecard, Goal 2: Timely. Questions: What should our priorities be for timeliness? What is policy for timeliness? What other considerations for timeliness? What is time to patch like for assets with the worst likelihoods? What is time to patch like for assets with the worst impacts? What % are late? What are our repeat offenders? Metric dimensions: likelihood, impact; by asset category, by business unit, by risk; UNIX, Windows Server, Desktop
  • 117. GQM EXAMPLE: PATCH MANAGEMENT. Patching Scorecard, Goal 3: Cost Efficient. Cost vs. risk reduction: hours per asset spent patching (by asset category; by location: DMZ, Semi-Pub, Internal; by cost per hour); hours per asset by ALE per hour; hours per asset category
  • 118. GQM EXAMPLE: PATCH MANAGEMENT. • The Measured CSO creates a scorecard of KRI’s & KPI’s that includes: • Historical values • “Triggers” • “Thresholds”. Each of these isn’t perfect, but establishes a hypothesis for testing & optimization.
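An added example, not from the talk, of the patching scorecard that slides 114 through 118 lay out: goals (comprehensive, timely, cost efficient) map to questions, and each question is answered by a metric computed from patch records grouped by asset category, business unit, location or risk. The asset records, the per-risk SLA policy, the dates and all function names are constructed for illustration; a real program would feed this from the vulnerability and configuration data the deck's pipeline diagram lists.

```python
"""GQM patching scorecard over constructed patch records (example, not the
talk's own code). Goal 1 Comprehensive -> coverage; Goal 2 Timely -> lateness
against an SLA and repeat offenders; Goal 3 Cost Efficient -> hours per asset."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed policy: days allowed between patch release and application, by risk tier.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    category: str            # Unix / Windows Server / Desktop
    business_unit: str
    location: str            # DMZ / Semi-Pub / Internal
    risk: str                # high / medium / low (likelihood x impact, already assessed)
    released: date           # when the patch became available
    applied: Optional[date]  # None = not applied yet
    hours: float             # staff hours spent applying it

    def deadline(self) -> date:
        return self.released + timedelta(days=SLA_DAYS[self.risk])

    def is_late(self, today: date) -> bool:
        # An applied patch is late if applied after the deadline; an unapplied
        # one is late once the deadline has passed.
        return (self.applied or today) > self.deadline()


R1, R2 = date(2014, 10, 1), date(2014, 11, 1)   # two constructed patch cycles
TODAY = date(2014, 11, 20)

# Constructed records (not real assets): two cycles for most assets.
RECORDS: List[PatchRecord] = [
    PatchRecord("srv-01", "Unix", "Payments", "DMZ", "high", R1, date(2014, 10, 5), 1.5),
    PatchRecord("srv-01", "Unix", "Payments", "DMZ", "high", R2, date(2014, 11, 4), 1.5),
    PatchRecord("srv-02", "Unix", "Payments", "Internal", "high", R1, date(2014, 10, 15), 2.0),
    PatchRecord("srv-02", "Unix", "Payments", "Internal", "high", R2, None, 0.0),
    PatchRecord("srv-03", "Windows Server", "Retail", "Semi-Pub", "medium", R1, date(2014, 10, 20), 1.0),
    PatchRecord("srv-03", "Windows Server", "Retail", "Semi-Pub", "medium", R2, None, 0.0),
    PatchRecord("ws-01", "Desktop", "HR", "Internal", "low", R1, date(2014, 10, 30), 0.25),
    PatchRecord("ws-01", "Desktop", "HR", "Internal", "low", R2, None, 0.0),
    PatchRecord("ws-02", "Desktop", "Retail", "Internal", "low", R1, None, 0.0),
]


def _group(records: Iterable[PatchRecord], key: str) -> Dict[str, List[PatchRecord]]:
    groups: Dict[str, List[PatchRecord]] = defaultdict(list)
    for r in records:
        groups[getattr(r, key)].append(r)
    return groups


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def coverage_by(records: Iterable[PatchRecord], key: str) -> Dict[str, float]:
    """Goal 1 (Comprehensive): % of patch records applied, per group."""
    return {g: _pct(sum(r.applied is not None for r in rs), len(rs))
            for g, rs in _group(records, key).items()}


def late_pct_by(records: Iterable[PatchRecord], key: str, today: date) -> Dict[str, float]:
    """Goal 2 (Timely): % of patch records past their SLA deadline, per group."""
    return {g: _pct(sum(r.is_late(today) for r in rs), len(rs))
            for g, rs in _group(records, key).items()}


def repeat_offenders(records: Iterable[PatchRecord], today: date, min_late: int = 2) -> List[str]:
    """Goal 2 (Timely): assets late in at least min_late patch cycles."""
    late = Counter(r.asset for r in records if r.is_late(today))
    return sorted(a for a, n in late.items() if n >= min_late)


def hours_per_patched_asset(records: Iterable[PatchRecord], key: str = "category") -> Dict[str, float]:
    """Goal 3 (Cost Efficient): mean staff hours per applied patch, per group."""
    out: Dict[str, float] = {}
    for g, rs in _group(records, key).items():
        done = [r for r in rs if r.applied is not None]
        out[g] = round(sum(r.hours for r in done) / len(done), 2) if done else 0.0
    return out


def scorecard(records: List[PatchRecord], today: date) -> dict:
    """The three-goal scorecard; each metric answers one question on the slides."""
    return {
        "comprehensive": {k: coverage_by(records, k)
                          for k in ("category", "business_unit", "location", "risk")},
        "timely": {"late_by_risk": late_pct_by(records, "risk", today),
                   "late_by_category": late_pct_by(records, "category", today),
                   "repeat_offenders": repeat_offenders(records, today)},
        "cost_efficient": {"hours_per_patched_asset_by_category": hours_per_patched_asset(records)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scorecard(RECORDS, TODAY), indent=2))
```

The thresholds here (the SLA days, the two-strikes rule for repeat offenders) are the "triggers" and "thresholds" slide 118 calls hypotheses: they are starting points to be tested against the scorecard's history, not settled policy.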
  • 119. Now you’re ready to come correct, my Bias! - (Chillin’ Friedrich Hayek)
  • 120. MEASURED CSO FRAMEWORK FOR GQM: NIST CSF. Identify: Asset Management, Business Environment, Risk Assessment, Risk Management Strategy, Governance. Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology. Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes. Respond: Response Planning, Communications, Analysis, Mitigation, Improvements. Recover: Recovery Planning, Improvements, Communications.
  • 121. SECTION 3: BECOMING MEASURED What does that mean? What do we need? How do we do it? Where shall we go?
  • 124. Example of data enrichment: Asset Intel: Vendor-owned SaaS application
  • 125. ETL AND STORE ALL THE THINGS!!!
  • 126. Data pipeline diagram: sources (Threat Intel Feeds, Control Data, Control Logs, System Logs, Event History & Loss, Loss Distribution Dev., B.I.A., Configuration Data, Vulnerability Data, HR Information, Process Behaviors) in the formats XML, CSV, EDI, LOG, SQL, JSON, Text and Binary Objects feed a MapReduce process (create, map, reduce) alongside traditional RDBMS systems, which in turn feed Workflow, Analytics and Reporting.
  • 129. “If you do not know how to ask the right question, you discover nothing.”
  • 130. RESOURCES. FOR GQM AND MICROMORTS - WIKIPEDIA. FOR DBIR DATA, THE VERIZON DBIR. FOR DEMING QUOTES, THE WORKS OF MYRON TRIBUS: http://www.qla.com.au/papersTribus/Oslo3.pdf ; http://www.unreasonable-learners.com/wp-content/uploads/2011/03/Germ-Theory-of-Management-Myron-Tribus1.pdf ; http://www.qla.com.au/papersTribus/DEMINGS_.PDF