This document discusses the need for comprehensive risk management and automation for cyber security. It makes three key points: 1. Security is a process that requires monitoring across physical, technical and administrative controls to be effective. Comprehensive monitoring of vulnerabilities and threats is needed. 2. Automation is key to continuously monitoring for vulnerabilities and threats, and to modifying security behaviors through persistent enforcement and reinforcement of practices. 3. An effective approach is to automate information security "ensurance" through a system that incorporates both technical ("hard") data from security systems and human ("soft") feedback to provide comprehensive security assessment and reinforcement of policies to change behaviors.

1. Comprehensive Risk Management
for a Cyber-Secure Organization
Presented by
Joe Hessmiller
Director
Computer Aid, Inc.

2. The Take-Away
• Security is a Process.
• All Three Information Security Control Areas (Physical,
Technical and Administrative) Rely Heavily on
Comprehensive Monitoring to Be Effective
• Automation is Key to Continuously Monitoring Threat
Vulnerabilities (Conditions of Failure)
• Automation is Key to Modifying Behavior by Persistent
Enforcing and Reinforcing of Security Practices

3. At the End of this Presentation
You Will Be Able to…
• Present to Stakeholders the Need for
Automated Support for Information
Security ‘Ensurance’
• Present to Stakeholders an Effective
Approach to Automating Information
Security ‘Ensurance’

4. Bad Things Happen to Good
Systems
http://seekingalpha.com/article/1324971-pandemic-cyber-
security-failures-open-an-historic-opportunity-for-investors
Major Violations Occur
Too Frequently

5. The REAL Challenge of Information Security:
Preventing Human Error through Situational Awareness
“Industry has done a great job of increasing productivity and reducing costs, Habibi says, but the
time has come to focus on preventing human error. He sees human reliability as the next area
ripe for optimization across industry. Optimization is sorely needed here, according to Habibi,
because industry has “essentially created a monster of complex information systems combining
ERP, production management and real-time systems.”
A key concept of human reliability, according to Habibi is “situation awareness.” Habibi says that
situation awareness is essential to preventing errors because it addresses the physical
environment (e.g., control room ergonomics, lighting, temperature, comfort, traffic, noise.),
organizational culture (e.g., policies and procedures, shift schedules, reporting, work ethic,
motivation, training, knowledge and skills) and the human-automation relationship.”
The Human Reliability Challenge, David Greenfield, Director of
Content/Editor-in-Chief , AutomationWorld, April 25, 2013
http://www.automationworld.com/safety/human-reliability-challenge

6. Security is a Process
“If we've learned anything from the past couple of years, it's that
computer security flaws are inevitable. Systems break, vulnerabilities
are reported in the press, and still many people put their faith in the
next product, or the next upgrade, or the next patch. "This time it's
secure." So far, it hasn't been.
Security is a process, not a product. Products provide some
protection, but the only way to effectively do business in an insecure
world is to put processes in place that recognize the inherent insecurity
in the products. The trick is to reduce your risk of exposure regardless
of the products or patches.
The Process of Security, by Bruce Schneier, Information Security, April 2000

7. A Complex Process

8. Physical Logical Administrative
Preventative
Detective
Corrective
Deterrent
Recovery
Compensating
Control Application Areas
Functionality
Information
Security Matrix
A Complex Process
Organized Into Information Security Matrix
Areas of Vulnerability
Responses to Threats

9. Useful Policies DO Exist
Standards Exist for “Mature”
Policies and Procedures
http://www.pkfavantedge.com/wp-
content/uploads/2013/COBIT_Security.pdf
http://cmmiinstitute.com/assets/Security-and-
CMMI-SVC.pdf

10. Even Specific Security
Standards Exist
NIST SP 800-100 Information
Security Handbook: A Guide for
Managers
ISO 27002 Information
Security – Code of
Practice

11. Checklist Resources Available
http://www.slideshare.net/ATBHATTI/audit-checklist-for-
information-systems-14849697

12. Automated Tools Focused on
Specific Threats Exist
• Fireeye: Malware Protection Service (MPS)
• Microsoft: Systems Management Server (SMS) and
Active Directory (AD)
• TripWire (nCircle): IP360 and Configuration Compliance
Manager
• AlienVault: Unified Security Management
• Symantec: Protection Suite Enterprise Edition (ED),
NetBackup and Veritas Cluster Server (VCS)
• PfSense
• APC Infrastruxure
• VMware vSphere
• Honeywell: NOTIFIER fire alarm systems, Access
control systems and Intrusion detection systems
“Hard” Data Sources

13. But, Automation Has a Long
Way to Go
Automation possibilities in information security management 2011,
http://www.sba-research.org/wp-content/uploads/publications/PID1947709.pdf

14. We Need Comprehensive
Monitoring and Control
Effective automation
can address the
challenges.
Part of the solution is
consolidating
information security
monitoring data into a
comprehensive risk
management platform for
analysis and reporting.
Another part of the
solution is getting ALL of
the important data. This
includes feedback on
information security
conditions from the people
in the process.
Then, the main part is
possible; changing
behaviors BY monitoring
and control.
Administrative
Control Silo
Physical Control
Silo
Logical Control
Silo
Automated Conditions Monitoring
and Analysis System

15. What Does Comprehensive Information
Security Automation Look Like?
Controls,
Mechanisms
Standards,
Guidelines

16. The “Missing” Link in
Information Security Automation
Incorporate:
• “Hard” Data from Automated Systems with
• Human Feedback for
• COMPREHENSIVE Information Security Assessment and
• REINFORCEMENT of Information Security Policies
Automated Security
Control Room
‘Hard’ Data
From
Monitoring
Systems
‘Soft’ Data
From
Human
Assessments

17. Comprehensive, At-a-Glance
Insight Into Info Security Conditions

18. Accountability = Behavior Change
• Periodic Assessment
– Reminders of “Should Do’s
– Validation of “Did Do”s
– Two-way Feedback
• Situational Awareness
• Behaviors Change
“What gets measured, gets done.”

19. Why Automate Control
Functionality
• So It Will be Done Comprehensively
• So It Will Be Done Consistently
• So it Will Be Done Effectively
• So It Will Be Done Efficiently
• So We Will Have Comprehensive Data for
Analysis
• BEHAVIOR WILL BE CHANGED