Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality

2,325 views

Published on

Presented on May 17, 2012 for InnoTech Dallas. All rights reserved.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,325
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
33
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality

  1. 1. BUILDING BRIDGESSecurity Metrics to Narrow the Chasm Between Perception and Reality Brian A. Engle CISO, Texas Health and Human Services Commission
  2. 2. AgendaIn the beginning…  What created the perception chasm?  Contributing factors that widen the chasmTruth, Fact and Reality  Primary support materials to bridge the gap  Construction elements and designWhere can the bridge take us…  Practical uses and worthy destinations5/15/2012 DIR Information Security Forum 2
  3. 3. Speaking in tonguesPonemon Second Annual Cost of Cyber Crime Study Viruses, worms, Trojans ==> 100% Malware ==> 96% Malicious Code ==> 42% Virtually all organizations experienced attacks relating to viruses, worms and/or trojans over the four-week benchmarking period. Ninety-six percent experienced malware attacks, 82 percent experienced botnets, 64 percent experienced Web-based attacks, 44 percent experienced stolen or hijacked computing devices, 42 percent experienced malicious code, and 30 percent experienced malicious insiders. Footnote - Malware attacks and malicious code attacks are inextricably linked. We classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack. 5/15/2012 DIR Information Security Forum 3
  4. 4. The Bigger Picture Standards interpreted and implemented with tribal inconsistency Ambiguous regulations, laws, audit and compliance requirements Qualitative risk math in vivid Technicolor Voodoo and Magic Fairy Dust Personality based bias and trust The “End of the World” as we know it vulnerabilities Misguided faith in legacy protection and various technologies 5/15/2012 DIR Information Security Forum 4
  5. 5. Mobility Virtualization Cyber <InsertTermHere> threat war terrorists activists hacktivists bully Consumerization cybercybercybercyber5/15/2012 DIR Information Security Forum 5
  6. 6. You want me on that wall… You need me on that wall… What happened to the wall?5/15/2012 DIR Information Security Forum 6
  7. 7. Executive DashboardFinancial MetricsInvestment metrics do not validate security  ROI for Security?  Cost Avoidance?  Insurance Comparisons% of Security Spend Compared to Overall ITSpend  Comparative, but irrelevantConsider % of Security Spend Compared toOverall Company Expenditures5/15/2012 DIR Information Security Forum 7
  8. 8. Gartner Security Maturity Model5/15/2012 DIR Information Security Forum 8
  9. 9. So close, yet so far away…5/15/2012 DIR Information Security Forum 9
  10. 10. 5/15/2012 DIR Information Security Forum 10
  11. 11. Jaquith’s Laws of Metrics Consistently measured without subjective criteria Expressed as a cardinal number or percentage, not qualitative Expressed using at least one unit of measure Contextually specific / relevant such that they are actionable Cheap to gather 5/15/2012 DIR Information Security Forum 11
  12. 12. 3 “Simple” Metrics1. What you do - and conversely what you don’t do2. The effectiveness, maturity and breadth of coverage of what you do3. The risk that is in the remainder of the factorable computation of 1 and 25/15/2012 DIR Information Security Forum 12
  13. 13. Truth, Fact and RealityWhat you do  How well is it working? (effectiveness)  Are you doing it everywhere you need to be? (scope/depth/breadth)  Can you continue doing it consistently? (maturity)  How much does it cost?What you don’t do  Dig for the denominator5/15/2012 DIR Information Security Forum 13
  14. 14. What you do People, Process and Technology Activities, Functions and Interactions Objectives, Outputs and Oversight Technological countermeasures and defenses = Controls5/15/2012 DIR Information Security Forum 14
  15. 15. Not another standard5/15/2012 DIR Information Security Forum 15
  16. 16. Control Frameworks Framework, Standard or Segmentation Defined Controls Regulation NIST 800-53 26 Families 228 (v3 Moderate) ISO 17799 / 27002 12 Sections 140 1 TAC 202 9 Subsections 110Title 1 Part 10 Chapter 202 COBIT 5 Process Guidance Areas Metric Boatload 37 High Level Outputs PCI 12 Requirements 2115/15/2012 DIR Information Security Forum 16
  17. 17. Control Effectiveness, Scope, and MaturityObjective Defined Scope / Effectiveness Maturity Cost Crosswalk Owner / Control Depth CMM Connections Division / Region AC Provision Specific or 90% Optimizing $$$$ 1TAC202Ref Account Groups of HIPAA Req Apps IRS 1075 AC De- Specific or 25% Ad-Hoc $$$$ Standards, provision Groups of Compliance Account System Requirements AC Grant Function 75% Repeatable $$$$ Standards, Access role or org Compliance Priv. Requirements AC Revoke {SOX |PCI 25% Defined $$$$ Standards, Access | HIPAA} Compliance Priv. Systems Requirements 5/15/2012 DIR Information Security Forum 17
  18. 18. MetricsX out of Y Mandatory Compliance Control Activities Implemented  Performed, costing $$  Leaving a remainder of $$ for additional protection control activities  Requiring T time to implement new activities5/15/2012 DIR Information Security Forum 18
  19. 19. MetricsX out of Y Required Control Activities Implemented  Applied across Z scope  # Performed at E rate of effectiveness  # Performed below E rate of acceptable effectiveness  Time to remediate ineffective processes5/15/2012 DIR Information Security Forum 19
  20. 20. Operational Control Metric Dashboard 8 1012 8 1012 8 1012 6 14 6 14 6 14 4 16 4 16 4 16 2 18 2 18 2 18 0 20 0 20 0 20Physical and Environmental Access Control (AC) Configuration Management Protection (PE) (CF) 8 1012 8 1012 8 1012 6 14 6 14 6 14 4 16 4 16 4 16 2 18 2 18 2 18 0 20 0 20 0 20 Incident Response (IR) Digital Media Protection Personnel Security (PS) (MP) 5/15/2012 DIR Information Security Forum 20
  21. 21. Evaluating Residual Risk 5/15/2012 DIR Information Security Forum 21
  22. 22. Where Does the Bridge Lead?Internally  Actually answer the “Are we secure” question  Provide a sustainable program framework  Provide consistency (staff and management)Externally  Establish accountability and assurance 5/15/2012 DIR Information Security Forum 22
  23. 23. Where Can thethe BridgeWhere Can BridgeTake Us?Take Us?Outsource Providers  Trust but VERIFIED  To the cloud on more than a wing and prayerSecurity Product Vendors  Ingredients and functions of security program (Silver Bullets and Assorted Fairy Tales) 5/15/2012 DIR Information Security Forum 23
  24. 24. SummaryThere is a gap in the perception of security and the reality of what is providedIt takes a lot of effective activities that come at a cost to narrow the gapArticulating the size of the gap is difficultClosing the gap with truth and fact is costly, but absolutely necessary 5/15/2012 DIR Information Security Forum 24
  25. 25. About… Capitol of Texas ISSA The preeminent trusted global information security community http://www.austinissa.org @austinissa COMMUNITY -- KNOWLEDGE -- LEARNING -- CAREER HHSC HHSC oversees the operations of the health and human services system, provides administrative oversight of Texas health and human services programs, and provides direct administration of programs. $30B/Year - 200 programs - 56,000 Employees – 1,000 locations - 5 agencies Serving the citizens of Texas Teach Security, Teach Christ; Teach Security In Christ http://www.hackformers.org @hackformers5/15/2012 DIR Information Security Forum 25
  26. 26. Thank You! Questions? Contact Info: Brian.Engle@hhsc.state.tx.us @brianaengle5/15/2012 DIR Information Security Forum 26
  27. 27. Let’s start building some bridges.5/15/2012 DIR Information Security Forum 27

×