
Nabil Malik - Security performance metrics

  1. Security Performance Metrics
     Nabil A. Malik
     nabil.malik@gmail.com
  2. Agenda
     Background
     Security Evolution
     Security Metrics
     Measuring Technical Security
     Measuring Security Program
  3. 1 - Background
     What is Information Security?
     What is Risk Management?
     Why do we need Security Measurements?
     Objectives:
     Understanding Security Evolution
     Measuring Security
  4. 2 - Security Evolution
     The Past
     A Technical Function
     Technical Security – Firewall, IDS, Access Control
     The Present
     An Assurance Function – mostly Risk Management
     Risk Management Process
     The Doughnut-Shaped Cycle
     The Future
     Metrics supplementing Risk Management
  5. 2 - Security Evolution
  6. 2 - Security Evolution
     Assessment
     Reporting
     Prioritization
     Mitigation
     Follow them, and you've got risk management!
     Good for Vendors – Service charges at each cycle
     Unpleasant for Consumers – Never Clean
  7. 2 - Security Evolution
     The Problem:
     Captures the easy part (identification and fixing)
     Misses the hard part (quantification and valuation of risk)
     Vendor tools are agnostic about the organizational context
     Real Risk Management should be identification, rating, mitigation, and above all, quantification of the risks
     Thus, today's Risk Management = Identify + Fix
  8. 2 - Security Evolution
     FUD is the old model (Past and Present)
     FEAR, UNCERTAINTY, and DOUBT (FUD)
     The FEAR of the catastrophic consequence of an information attack
     The UNCERTAINTY about Vulnerabilities
     The DOUBT about the sufficiency of existing controls
     Shall we continue to rely on Oracles and Fortune Tellers (Vendors!) to give us security advice and hope it will keep us safe?
  9. 3 - Security Metrics
     Business Questions:
     Is my security better this year?
     What am I getting out of my security investment?
     How do I compare to my peers?
     Answers:
     Readily answered in other business contexts
     Silence and Embarrassment in the security context
     Metric = "A system of measurement"
  10. 3 - Security Metrics
     Good Metrics are:
     Consistently measured
     Cheap to gather
     Expressed as a cardinal number or percentage
     Expressed using at least one unit of measure
     Contextually specific
  11. 4 – Measuring Technical Security: Perimeter Defense - Email
  12. 4 – Measuring Technical Security: Perimeter Defense – Anti-Malware
  13. 4 – Measuring Technical Security: Coverage and Control
  14. 4 – Measuring Technical Security: Availability and Reliability
  15. 5 – Measuring Security Program
     Frameworks: COBIT, ISO 2700X, NIST, ...
     Security Program contains Controls
     Some Controls are also Processes
     Examples of Security Processes include:
     Risk Management
     Policy Development and Compliance
     Human Resource Security
     Human Education
     Incident Management
     Information Continuity Management
  16. 5 – Measuring Security Program - Planning and Organization -
  17. 5 – Measuring Security Program - Acquisition and Implementation -
  18. 5 – Measuring Security Program - Delivery and Support -
  19. 5 – Measuring Security Program - Delivery and Support -
  20. 5 – Measuring Security Program - Monitor and Evaluate -
  21. Questions?
     Nabil A. Malik
     nabil.malik@gmail.com
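The deck's slides on technical security metrics (perimeter defense, coverage and control, availability) survive only as titles, and slide 10 lists the properties a good metric should have. The following is an added illustration, not code from the presentation: it builds one metric per category from constructed inventory, mail-gateway and outage data, so that each value is a percentage with an explicit unit. The metric definitions, thresholds and sample data are assumptions made here, not the author's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Metric:
    name: str
    value: float
    unit: str  # every metric carries at least one unit of measure (slide 10)

    def __str__(self) -> str:
        return f"{self.name}: {self.value:.1f} {self.unit}"

# Constructed sample inventory: one record per host known to the organization.
HOSTS = [
    {"host": "ws-01", "managed": True, "av_signature_age_days": 1},
    {"host": "ws-02", "managed": True, "av_signature_age_days": 9},
    {"host": "ws-03", "managed": False, "av_signature_age_days": None},
    {"host": "srv-01", "managed": True, "av_signature_age_days": 0},
    {"host": "srv-02", "managed": True, "av_signature_age_days": None},
]
# Constructed mail-gateway counters for the reporting period.
EMAIL = {"received": 12000, "blocked_spam": 8400, "blocked_malware": 150}
# Constructed unplanned-outage minutes per critical service this period.
OUTAGE_MINUTES = {"mail": 45, "vpn": 0, "erp": 120}

def pct(part: int, whole: int) -> float:
    # A percentage is undefined for an empty population; report 0 rather than crash.
    return 100.0 * part / whole if whole else 0.0

def technical_metrics(hosts=HOSTS, email=EMAIL, outages=OUTAGE_MINUTES,
                      max_sig_age_days=3, minutes_in_period=30 * 24 * 60):
    # Coverage: how much of the known inventory is under management at all.
    managed = [h for h in hosts if h["managed"]]
    # Control: of the managed hosts, how many run current anti-malware signatures
    # (an unknown signature age counts as not current).
    current = [h for h in managed if h["av_signature_age_days"] is not None
               and h["av_signature_age_days"] <= max_sig_age_days]
    # Availability: share of service-minutes in which critical services were up.
    total_minutes = minutes_in_period * len(outages)
    up_minutes = total_minutes - sum(outages.values())
    blocked = email["blocked_spam"] + email["blocked_malware"]
    return [
        Metric("Perimeter defense - email blocked", pct(blocked, email["received"]), "% of inbound mail"),
        Metric("Coverage - hosts under management", pct(len(managed), len(hosts)), "% of inventory"),
        Metric("Control - managed hosts with current AV", pct(len(current), len(managed)), "% of managed hosts"),
        Metric("Availability - critical services", pct(up_minutes, total_minutes), "% of service-minutes"),
    ]

if __name__ == "__main__":
    for m in technical_metrics():
        print(m)
```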
