So exactly how do you integrate information security metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program.
Jervis Hui - No Tradeoffs: Cloud Security & Privacy Don't Need To Be At Odds
If you’re implementing Office 365, Box, Salesforce, Google Apps – or virtually any SaaS application – and concerned about balancing security, compliance, and privacy, this is a session you can’t afford to miss. Join Bob Gilbert, Netskope’s Chief Evangelist and the author of the popular white paper, No Tradeoffs: Cloud Security and Privacy Don’t Need to Be at Odds: How Netskope Supports Privacy by Design, for a lively and interactive session featuring:
Cloud security best practices for business & IT leaders
Overcoming the shadow IT "chicken or egg" compliance dilemma
Dr. Cavoukian's Privacy by Design framework, how it applies to SaaS and how Cloud Access Security Brokers can help
Real-world case studies for balancing security and privacy in cloud security
Bil Harmer - Myths of Cloud Security Debunked!
Despite the meteoric rise of cloud-based applications and services, as well as their subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as “more of a trust issue than based on any reasonable analysis of actual security capabilities”.
A recent global study by BT revealed that 76% of large organizations cited security as their main concern for using cloud-based services. 49% admitted being “very” or “extremely anxious” about the security complications of these services. However, according to Gartner, the reality is that “most breaches continue to involve on-premises data center environments”.
Where do you stand on this issue?
In this talk, we will debunk the top myths of cloud security, including:
Myth 1: We don’t really use the cloud
Myth 2: I lose control of my data when it goes to the cloud
Myth 3: Cloud is less secure than on-premise solutions
Myth 4: I’m at the mercy of cloud vendors for patching
Myth 5: Appliances provide greater control over scalability/performance
Myth 6: Cloud security is more difficult to manage
Myth 7: Cloud resources are more exposed to attack
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
Myth 9: Cloud vendors lack transparency
Myth 10: Appliances are more reliable than the cloud
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
During this talk we will be discussing hardware reverse engineering and why this is becoming a new way for attackers to compromise company networks. We will discuss how vendors are now leaving potentially malicious code within firmware and how some attackers could exploit these vulnerabilities. We will also discuss why it is important for companies to spend time reviewing hardware for vulnerabilities prior to deploying the systems within the company’s network, and outline a process for performing this work.
The presenters will outline each phase of the hardware reverse engineering assessment, describe how the vulnerabilities you discover could be exploited, and provide a list of the software and tools needed to support this work. Finally, we will talk about how you should document your findings for management and how to properly disclose the findings to the vendor once the test has been completed.
Sam Herath - Six Critical Criteria for Cloud Workload Security
Modern elastic cloud infrastructure is fundamentally breaking traditional security approaches. Public cloud has no natural perimeter or network segmentation, leaving individual cloud servers exposed. In private cloud, malicious East-West traffic inside the network is a serious threat. As new workloads are added and retired dynamically, change control is difficult, and updating granular firewall rules and security policies becomes a risky, manual process. Join us and learn the 6 Critical Criteria to secure your public, private or hybrid cloud – on-demand, anywhere, at any scale.
Jake Williams - Navigating the FDA Recommendations on Medical Device Security...
In January, the FDA issued draft recommendations for medical device security after the sale. Among other things, the recommendations tell manufacturers how to evaluate security risks, how to build a coordinated vulnerability disclosure program, and how to intake vulnerability reports from researchers. While the security of medical devices is especially important given the potential consequences, we can learn from the FDA recommendations regardless of our industry. Any recommendations adopted by the FDA for medical devices are likely to be implemented across other verticals for their IoT devices as well. Whether you manufacture, purchase, integrate, implement, or generally try to run away from IoT devices, there’s plenty to take away from this session while learning about the future of IoT device security.
With all the hype around Cloud and SDN, business decision makers are finding themselves trying to navigate through many new concepts and consequently needing to change the way they have traditionally selected their IT infrastructure. Technologies are now becoming more integrated and it is more important than ever to help your business be agile enough to keep up with the demands of your users and your customers. Come hear from Lisa Guess to learn how organizations can embrace Cloud technologies such as automation, SDN and Orchestration platforms to help you build next-generation networks.
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
For the past several years, software-defined networking (SDN) has been a popular buzzword in the networking industry. In many ways, networking has always been defined by software. Software is pervasive within all of the technology that impacts our lives, and networking is no different. However, networks have been constrained by the way software has been configured, delivered and managed: literally within a box, updated monolithically, managed through command lines reminiscent of the days of minicomputers and DOS in the 1980s. Well, almost.
Ofer Maor - Security Automation in the SDLC - Real World Cases
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic: there's an endless feed of buzzwords, but how can we turn this into a practice that really works? In this session we will review real-world examples of building a successful automation process for delivery of secure software in fast-paced development environments. The talk will focus on three different organizations at different maturity levels and how security automation processes were applied and adapted to fit their development lifecycles.
Robert Hurlbut - Threat Modeling for Secure Software Design
Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way with regard to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or have tried threat modeling before but haven't quite figured out how to connect the threat models to real-world software development and its priorities. In this session, you will learn practical strategies for using threat modeling in secure software design and how to apply risk management in dealing with the threats.
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Global regulations are driving the need for businesses in all sectors to have cybersecurity programs that are designed to fit the organization's risk profile. At the same time, there is a lack of clarity on how much one should spend on managing these risks and on the sophistication and number of risk mitigants required to manage them.
Company executives and boards of directors are held personally liable for having appropriate oversight and management of these controls, and are looking to their CISOs and CIROs to provide assurance that these controls are in place and operating effectively. Balancing the requirements against the expectations is a delicate act. This presentation will look at the regulatory landscape and how it is affecting client, executive, and board-level expectations for cybersecurity risk management. It will also provide some recommendations on how to approach the development of a cybersecurity risk management program.
Gavin Hill - Lessons From the Human Immune System
All signs point to a future world of more complex, harder-to-detect cyber threats. Our adversaries are exploiting what seem to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates – already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than 2 years. What’s to be done? The human immune system has evolved to defend against and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that’s more resistant as we use more software, more clouds, more apps, and more connected devices?
Read how Synoptek has proven to be an excellent partner for the companies looking to minimize security risk levels and has helped them take preventive and protective measures.
Presented by Patrick Miller, The Anfield Group and Jason Ile, Tripwire
Abstract: This presentation emphasizes the importance of building an environment where compliance is a natural byproduct of effective security controls. The presenters discuss how to establish information security controls that reinforce a culture of controls by being plugged into the daily operational processes of IT operations, software and service development, project management and internal audit.
Additionally, the presenters explore the various benefits of continuous monitoring and how to achieve it through a step-by-step practice.
DevSecOps Personas – what Developers, Security, and Operations think about people/tech/processes/culture when it comes to rolling out DevSecOps programs.
Each of these teams has different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’d love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary is focused on the people, process, technology, and culture aspects of DevSecOps – as someone who has worked in all three spaces during his time – and on the drivers, blockers, etc. each experiences with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
In the spirit of Continuous Improvement, we must ask ourselves: are we doing the best job we can? In this presentation Gary will present some ideas and concepts that can be used to improve the security posture within your organization. These ideas and concepts are not your typical solutions; rather, they will force you to make a fundamental change in your approach to implementing security and in your underlying assumptions about good security practices. This presentation will challenge conventional thinking about how to build a successful security program. After all, what do you have to lose? Are we really winning the cybersecurity war?
IT Service & Asset Management Better Together - Ivanti
Service-desk tickets. Lost laptops. End-user complaints. Too often IT teams get stuck being reactive rather than proactive. But what if you could do more than simply react?
In this webinar you’ll gain the insights you need to solve business problems proactively with IT Service (ITSM) and IT Asset Management (ITAM) working together.
Our panel of speakers discussed real-world use cases where combining ITSM and ITAM processes, data and insights can be part of an overall plan to maximize operational efficiencies and improve service delivery, while also optimizing compliance and cost.
Database monitoring - First and Last Line of Defense - Imperva
In the battle to defend your data you have an edge over the hacker that can prevent or minimize the damage of a database breach. You have the advantage of operating within your own environment and can deploy automated surveillance capabilities to watch sensitive data. When a hacker breaches the firewall or compromises a privileged user, they are beyond the reach of most security measures. Only a data-centric solution that directly monitors data access will be able to spot and stop the abnormal activity.
View this presentation to learn how SecureSphere data protection solutions can help you improve your security profile and protect your company against a database breach.
Why do many managed services relationships fail? And fail again? Both organizations need to be aligned up front and hold hands during onboarding. This presentation covers the top five focus areas. Many MSSP relationships are doomed at the onboarding stage, when an organization first becomes a customer. Given how critical these early-stage activities are to your partnership, it's imperative to understand the top five areas of focus: technology deployment (the easy part: getting the tech running); the call tree (who do I wake up at 3 a.m.?); process sync (the fun part: mutual synchronization on who does what and when); access, access, access (you need access to do something); and the context of technology (the need to understand your shop).
What you’ll take away:
Understand proven success criteria for successful outsourcing of security operations
Learn how to align security technologies to security processes, and the key focus areas of security operations
Access to key checklists and charts to drive onboarding of managed services
An understanding of specific terms and conditions that need to be included in data-related contracts under applicable laws
Discover how other organizations have succeeded and failed in MSSP relations
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of the SDLC and rectifying them early - is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
Cloud security: Accelerating cloud adoption - Dell World
Organizations now have an opportunity to more rapidly overcome their security concerns by using third-party cloud platforms. In this session, Dell SecureWorks security experts discuss the Shared Security Responsibility model, how organizations need to think about security architecture in the cloud, and new Dell SecureWorks services that are helping organizations plan, architect, manage and respond to threats in the cloud.
Pat Sprehe and Steve Longenecker provide insights into how to evaluate a potential MSP provider, how to engage with vendors, best practices and checklists for your daily and monthly interactions, annual planning with your outsourced IT manager, and how to plan and practice for emergency communications with your provider if your accounts are hacked or you suspect an attack. We cover any outsourced IT function, including databases or security management as stand-alone services, as well as managed services generally.
EMC XtremIO and EMC Isilon scale-out architectures make them an ideal fit to handle the demanding Splunk requirements around intensive workloads. EMC brings the same enterprise-class data services to Splunk that earned it best-of-breed status across the board in areas such as scale-out NAS storage, data protection, compliance and performance tiering.
Stay out of headlines for non-compliance or data breach - Sridhar Karnam
Tight alignment between compliance and security capabilities can make each component stronger than it would be by itself. Organizations that blend the two not only more effectively combat targeted attacks and data breaches, but also more easily meet compliance requirements and avoid expensive fines. Learn how leading organizations are leveraging continuous monitoring and incident response management to achieve a more secure and compliant enterprise.
Doing Analytics Right - Designing and Automating Analytics - Tasktop
There is no “one-size-fits-all” for development analytics. It is not as simple as “here are the measures you need, go implement them.” The world of software delivery is too complex, and software organizations differ too significantly, to make it that simple. As discussed in the first webinar, the analytics you need depend on your unique business goals and environment.
That said, the design of your analytics solution will still require:
* The dashboards,
* the required data, and
* an appropriate choice of analytical techniques and statistics to apply to the data.
This webinar will describe a straightforward method for finding your analytic solution. In particular, we will explain how to adapt the Goal, Question, Metric (GQM) method to development processes. In addition, we will explain how to avoid “the light is brighter here” analytics anti-pattern: the idea that organizations tend to design metrics programs around the data they can easily get, rather than figuring out how to get the data they really need.
Ofer Maor - Security Automation in the SDLC - Real World Casescentralohioissa
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments. The talk will focus on three different organizations at different maturity levels and how security automation processes were applied and adapted to fit their development lifecycle.
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. In this session, you will learn practical strategies in using threat modeling in secure software design and how to apply risk management in dealing with the threats.
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
Global regulations are driving the needs for businesses in all sectors to have cybersecurity programs that are designed to fit the organizations risk profile. At the same time, there is a lack of clarity on how much one should spend on managing these risks and the sophistication and number of risk mitigants that are required to manage these risks.
Company executives and board of directors are held personally liable for having the appropriate oversight and management of these controls and are looking for their CISO and CIROs to provide them assurance that these controls are in place and operating effectively. An attempt to balance the requirements and the expectations is a delicate balance. This presentation will look at the regulatory landscape and how this landscape is affecting client, executive, and board-level expectations for cybersecurity risk management. It will also provide some recommendations on how to approach the development of a cybersecurity risk management program.
Gavin Hill - Lessons From the Human Immune Systemcentralohioissa
All signs point to a future world of more complex, harder to detect cyber threats. Our adversaries are exploiting what seems to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates – already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than 2 years. What’s to do? The human immune system has evolved to defend and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that’s more resistant as we use more software, more clouds, more apps, and more connected devices.
Read how Synoptek has proven to be an excellent partner for the companies looking to minimize security risk levels and has helped them take preventive and protective measures.
Presented by Patrick Miller, The Anfield Group and Jason Ile, Tripwire
Abstract: This presentation emphasis the importance of building an environment where compliance is a natural byproduct of effective security controls. The presenters discuss how to establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of IT operations, software and service development, project management and Internal audit.
Additional, the presenters explore the various benefits of continuous monitoring and how to achieve it through a step-by-step practice.
DevSecOps Personas – what Developers, Security, and Operations think when it comes to people/tech/processes/culture when it comes to rolling out DevSecOps programs.
Each of these teams have different drivers, ambitions, blockers, and challenges when it comes to a successful DevSecOps program. As Dale Carnegie said, ‘The only way to get anyone to do anything, is to make them want to do it’ - all the tech and process in the world isn’t going to make it successful if the people and culture (and heart) are not in it. So let’s share what we’ve seen from 100s of company interactions, understand better where everyone is coming from, and how to approach a DevSecOps program that can move the needle like Marty McFly playing Doc Brown’s guitar. We’ve love this to be interactive, so bring your stories and questions.
Gary's Bio
Gary Robinson has been working in software and cyber security for 20+ years, as a coder, pen tester, consultant, Security Architect at Citi, Global Board member at OWASP, and heading up Uleska to focus on DevSecOps for the last 5 years. Gary’s focused on the people, process, technology, and culture aspect of DevSecOps – as someone who’s worked in all three spaces during his time – and what drivers, blockers, etc each experience with ‘DevSecOps’, ‘shift-left’, ‘secure by design’, and the rest.
--------
Find out more about us www.uleska.com/
Follow us on LinkedIn https://www.linkedin.com/company/uleska/
Follow us on Twitter https://twitter.com/uleska_sec/
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the Warcentralohioissa
In the spirit of Continuous Improvement, we must ask ourselves - Are we doing the best job we can? In this presentation Gary will present some ideas and concepts that can be used to improve the security posture within your organization. These ideas and concepts are not your typical solutions, rather they will force you to make a fundamental change in your approach to implementing security and underlying assumptions about good security practices. This presentation will challenge conventional thinking about how to build a successful security program. After all, what do you have to lose? Are we really winning the cybersecurity war?
IT Service & Asset Management Better TogetherIvanti
Service-desk tickets. Lost laptops. End-user complaints. Too often IT teams get stuck being reactive rather than proactive. But what if you could do more than simply react?
In this webinar you’ll gain the insights you need to solve business problems proactively with IT Service (ITSM) and IT Asset Management (ITAM) working together.
Our panel of speakers discussed real-world use cases where combining ITSM and ITAM processes, data and insights can be part of an overall plan to maximize operational efficiencies and improve service delivery, while also optimizing compliance and cost.
Database monitoring - First and Last Line of Defense Imperva
In the battle to defend your data you have an edge over the hacker that can prevent or minimize the damage of a database breach. You have the advantage of operating within your own environment and can deploy automated surveillance capabilities to watch sensitive data. When a hacker breaches the firewall or compromises a privileged user they are beyond the reach of most security measures. Only a data centric solution that directly monitors data access will be able to spot and stop the abnormal activity.
View this presentation to learn how SecureSphere data protection solutions can help you improve your security profile and protect your company against a database breach.
Why do many managed services relationships fail? And fail again? Both organizations need to be aligned up front and hold hands during onboarding. This presentation covers the top five focus areas. Many MSSP relationships are doomed at the onboarding stage when an organization first becomes a customer. Given how critical these early stage activities are to your partnership, it's imperative to understand the top five areas of focus: technology deployment (the easy part, getting the tech running); the call tree (who do I wake up at 3 a.m.?); process sync (the fun part: mutual synchronization on who does what and when); access, access, access (you need access to do something); and the context of technology (the need to understand your shop).
What you’ll take away:
Understand proven success criteria for successful outsourcing of security operations
Learn how to align security technologies to security processes, and the key focus areas of security operations
Access to key checklists and charts to drive onboarding of managed services
An understanding of specific terms and conditions that need to be included in data-related contracts under applicable laws
Discover how other organizations have succeeded and failed in MSSP relations
Outpost24 webinar - Why security perfection is the enemy of DevSecOps (Outpost24)
The chase for security perfection is not uncommon. The idea of ‘shift left’, locating defects from the beginning of the SDLC and rectifying them early, is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps process that carries out the necessary security checks without compromising on time-to-market.
Cloud security: Accelerating cloud adoption (Dell World)
Organizations now have an opportunity to more rapidly overcome their security concerns by using third-party cloud platforms. In this session, Dell SecureWorks security experts discuss the Shared Security Responsibility model, how organizations need to think about security architecture in the cloud, and new Dell SecureWorks services that are helping organizations plan, architect, manage and respond to threats in the cloud.
Pat Sprehe and Steve Longenecker provide insights into how to evaluate a potential MSP provider, how to engage with vendors, best practices and checklists for your daily and monthly interactions, annual planning with your outsourced IT manager, and how to plan and practice for emergency communications with your provider if your accounts are hacked or you suspect an attack. We cover any outsourced IT function, including databases or security management as stand alone services, as well as managed services generally.
EMC XtremIO and EMC Isilon scale-out architectures make them an ideal fit to handle the demanding Splunk requirements around intensive workloads. EMC brings the same enterprise-class data services to Splunk that earned them best-of-breed status across the board in areas such as scale-out NAS storage, data protection, compliance and performance tiering.
Stay out of headlines for non-compliance or data breach (Sridhar Karnam)
Tight alignment between compliance and security capabilities can make each component stronger than it would be by itself. Organizations that blend the two not only more effectively combat targeted attacks and data breaches, but also more easily meet compliance requirements and avoid expensive fines. Learn how leading organizations are leveraging continuous monitoring and incident response management to achieve a more secure and compliant enterprise.
Doing Analytics Right - Designing and Automating Analytics (Tasktop)
There is no “one-size-fits-all” set of development analytics. It is not as simple as “here are the measures you need, go implement them.” The world of software delivery is too complex, and software organizations differ too significantly, to make it that simple. As discussed in the first webinar, the analytics you need depend on your unique business goals and environment.
That said, the design of your analytics solution will still require:
* The dashboards,
* the required data, and
* an appropriate choice of analytical techniques and statistics to apply to the data.
This webinar will describe a straightforward method for finding your analytic solution. In particular, we will explain how to adapt the Goal, Question, Metric (GQM) method to development processes. In addition, we will explain how to avoid “the light is brighter here” analytics anti-pattern: the idea that organizations tend to design metrics programs around the data they can easily get, rather than figuring out how to get the data they really need.
Pin the tail on the metric v01 2016 oct (Steven Martin)
This presentation takes a different approach to metrics. Instead of listing the Top 10 field-tested metrics, we first talk about goals as prerequisites for metrics. Next, we discuss characteristics of good and bad metrics. We end with walking through an activity called “Pin the Tail on the Metric,” a technique to facilitate the critical thinking needed to determine what types of metrics can help your organization discuss trade-offs, options, and ultimately make better forward-looking decisions.
Pin the tail on the metric v00 75 min version (Steven Martin)
This presentation shows a different approach to metrics. Instead of listing the Top 10 field-tested metrics, we first talk about goals as prerequisites for metrics. Next, we discuss characteristics of good and bad metrics. We end with walking through an activity called “Pin the Tail on the Metric,” a technique to facilitate the critical thinking needed to determine what types of metrics can help your organization discuss trade-offs, options, and ultimately make better forward-looking decisions.
Discussion held at RSA on the five steps CISOs can use to assess their enterprise security program and architect one that meets the organization's objectives and reduces its exposure to risk.
Post 1 1. Long term Goal The Group’s goal is to offer attr... (anhcrowley)
Post 1
1. Long term Goal:
“The Group’s goal is to offer attractive, safe and environmentally sound vehicles which can compete in an increasingly tough market and set world standards in their respective class."
2. Balanced Scorecard:
Financial Perspectives:
Profit: 6.5 percent to 7.5 percent.
Operating return on Sales: 6.5 – 7.5%
Return on investment: 12-14%
Customer Perspectives:
Market penetration:
Offer affordable city cars, functional light commercial vehicles.
Inspire new customers and keep them loyal.
Internal Business Process:
Property, Plant and Equipment improvements
Learning and growth:
Employee satisfaction:
Competent and committed employees
Take on responsibility for the environment and society.
Develop sustainability as management principle
3. Balanced Scorecard effects on Manager:
The balanced scorecard helps managers develop an efficient policy which leads to achieving the organizational goal.
4. Lead and Lag Measure:
Lead indicators are measures of non-financial and financial outcomes that guide management in making current decisions which yields results in the future. For example, here return on investment would be a lead indicator.
Lag indicators are results of management decisions which are made earlier. For example, here lag indicator is company’s cash flow.
Post 2
I chose Capital One.
Website of bank: https://www.capitalone.com/
1. What do you think that banks overall long-terms goals are?
Based on my research, Chase bank's long-term goal might be to improve more services by making everything digital, to get more market share, and to increase wealth and expand the mortgage business.
2. Develop a balanced scorecard for the bank, include two to five measures in each of the scorecard’s perspective.
Financial: Advance cash flow and profitability of every plan or strategy in the Capital One company, Creating return in investments by growth by advances and aggregate deposits, Enough for liquid cash flow and get return and long-term and short-term investments.
Customer: Profits through customers on high in demand products, Customers belief and trust to increase loyalty and firm by measuring and solving customers’ needs via complaints and measure growth rate of customers in bank per month.
Internal process: To recruit and maintain eligible employees and develop a new process and strategy and achieve objective goals and develop new working environment which will help to develop more automating process and advance process in transaction which will help to increase average time for processing transactions in the firm.
Organization Captivity: In this advanced tech world, customers always focus on easy way banking everywhere, so up-to-date facilities will increase customers in the bank. Also, it should benefit employee’s growth in training and satisfaction. This will help to develop new business ideas and increase the market value of firm.
3. How would the balanced scorecard affect the way managers develop the bank's stra ...
Information Security - Back to Basics - Own Your Vulnerabilities (Jack Nichelson)
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress
The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
More often than not, company executives ask the wrong questions about software security. This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions – and provide answers that show progress towards meaningful objectives. Caroline will discuss a progression of software security capabilities and the metrics that correspond to different levels of maturity. She’ll discuss an approach for developing key metrics for your unique software security program and walk through a detailed example.
DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
It is critical to measure the right things in order to make better-informed management decisions, take appropriate actions and change behaviors. But how do managers figure out what those right things are? A measurement approach tied to strategic business objectives ensures that planning, budgeting and the allocation of operational resources are focused on what matters to the organization.
(Source: RSA Conference USA 2017)
LITA Executive Webinar with Niels Loader
Niels will share the insights gained in determining and implementing metrics within IT, particularly focusing on the metrics used in a Lean IT organization. He will focus on the key pitfalls and successful strategies for getting to the right metrics and making them work.
Information Assurance Metrics: Practical Steps to Measurement (EnclaveSecurity)
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter. Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start on integrating metrics into their information assurance program.
Metrics - You are what you measure (DevOps Perth) (Rob Crowley)
DevOps is no longer just the concern of cutting edge start-ups in Silicon Valley and is gaining wide scale adoption within established industries. This session focuses on the Metrics pillar of DevOps and explores how we can leverage metrics to drive the software delivery process based on data rather than gut feel and opinions.
Similar to Jack Nichelson - Information Security Metrics - Practical Security Metrics
Mike Spaulding - Building an Application Security Program (centralohioissa)
Application Security in many organizations is simply a 'wish list' item, but with some staff and some training, AppSec can be a reality, even for a small organization. This talk will discuss the best practices, strategies and tactics, and resource planning to build an internal AppSec function; everyone from enterprise to 'mom & pop' operations will benefit from this talk.
Most boards of directors don't have someone that understands cyber security issues. As a consequence, they can't provide the proper oversight over the companies they are responsible for. This presentation will cover the issues boards of directors need to understand, what questions board members need to ask and how to communicate with them.
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity (centralohioissa)
Corporate cybercrime is usually blamed on outsiders, but sometimes your employees can represent the biggest threat to your organization’s IT security. In this presentation, Kaspersky Lab’s Mark Villinski will provide practical advice for educating your employees about cybersecurity. Attend to learn:
• How to create efficient and effective security policies
• Overview and statistics of the current threat landscape
• The importance of keeping your employees updated about the latest threats and scams
• Security solutions that can help keep your systems updated and protected
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016 (centralohioissa)
Key legal data security concerns for 2016; Privacy and security preparation; Vendor management; When and how to engage outside counsel & advisors; EU Privacy update; Sample enforcement actions.
Jeffrey Sweet - Third Party Risk Governance - Why? and How? (centralohioissa)
In this session information will be presented on Third Party Risk Governance. The presenter will provide a better understanding of the what’s, why’s and how’s of a Third Party Risk Governance program and provide some suggestions on sources for a program as well as some of the typical “gotchas”. This presentation will also cover common objections from the recipients of assessments and how to overcome those objections, and will discuss contract language that can be added to your products and services contracts.
Tre Smith - From Decision to Implementation: Who's On First? (centralohioissa)
This presentation will explore tactics to improve organizational control implementations so that they meet the spirit of organizational risk decisions. It describes an approach that may help to reduce the time it takes to see organizational policy reflected in everyday workplace practice and technologies, starting with clarifying “Who’s On First?”
By 2014, medical facilities nationwide had implemented Electronic Health Records (EHR) as mandated by Congress. Today, most of these systems are still using shared kiosk Windows accounts. This talk explores the risks of shared accounts, and alternatives that can provide much greater security and accountability, while maintaining ease of access.
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ... (centralohioissa)
Disaster recovery, emergency response and business continuity plans are usually developed when no disaster exists. We think we’ve covered all contingencies. We think we’ve trained all the appropriate players. We’ve tested. We’ve re-tested. We think we’re ready to face whatever event there is looming out there with our name on it! The real world has a nasty habit of triggering disasters at the least opportune time, often featuring a twist that throws plans into disarray.
This presentation focuses on three real-world plans, each of which with a fatal flaw. We will discuss elements that should be in a plan beyond the normal guidance from the Disaster Recovery Institute (DRI) and a set of actions that should be included in planning and preparation.
Rafeeq Rehman - Breaking the Phishing Attack Chain (centralohioissa)
Many security research reports show that phishing is a significant contributing factor to data breaches. The Verizon Data Breach Investigations Report (DBIR) shows that attackers used phishing as their entry point in two thirds of security incidents, especially in the cyber espionage category. Although the phenomenon of phishing is nothing new, attackers are enhancing their techniques and using phishing more effectively.
The good news is that understanding the phishing attack chain helps in stopping these attacks, breaking the phishing chain, and averting a data breach. This session covers the different phases of phishing attacks and the development of a comprehensive strategy to manage the risk associated with these attacks.
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ... (centralohioissa)
We call it security awareness training, but all we ever give our employees is regurgitated knowledge. Their passwords suck, public wifi is bad, and email is deceiving. Mix in some yearly reviews of policies and procedures and you have the perfect recipe for an employee who stopped listening hours ago. You don't truly learn something until you understand "why" and that comes when employees are engaged and motivated. This is my take on how to engage through gaming and why it works.
Ruben Melendez - Economically Justifying IT Security Initiatives (centralohioissa)
IT Security Initiatives create strategic and operational value for all enterprises; however, many IT professionals do not know how to economically quantify and forecast the benefits of IT security. Additionally, the new digital business ecosystem is resulting in rapid business cycles, which require faster speed and agility in all IT areas and IT services. The new ecosystem, largely caused by the Internet-of-Things, mobility and the Cloud, creates a challenge for selecting and prioritizing IT security tools and projects. This session will present an overview of principles, models, trends and best practices which have been adopted by individuals and organizations to get the right IT security initiatives approved.
Ed McCabe - Putting the Intelligence back in Threat Intelligence (centralohioissa)
What is Threat Intelligence? It's more than raw source feeds and technical information.
If you ask most vendors, they talk about their lists of "bad" IP addresses and domain names, which don't enable the business to make informed decisions on assessing risk and taking action; it lacks -- well, intelligence.
We'll cover what Threat Intelligence is, why analysis is an important factor and methods available to analyze raw data.
Jim Wojno: Incident Response - No Pain, No Gain! (centralohioissa)
Say incident response to 10 people and odds are you'll get 10 different opinions on how to do it right. When evaluating tools and procedures for enterprise Incident Response it's helpful to understand how to approach this in a way that will cause the adversary maximum pain. This talk will review the essential requirements for IR tools and procedures in a vendor / tool neutral approach. Find out the right questions to ask and the strategies to make sure you get the most out of your incident response team.
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing... (centralohioissa)
Securing an enterprise is never easy, especially if the organization's culture and orthodoxy do not accept change easily. Covering lessons learned from the perspective of an information security practitioner who has spent her career building security programs, we will look at the challenges and opportunities associated with implementing an information security program, addressing technical, security and business risks.
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes (centralohioissa)
This presentation shows IT departments that have not yet leveraged their own data analytics skills for increasing the efficiency and effectiveness of compliance efforts how to implement very low-cost solutions while achieving high returns on investment. Focusing on understanding how audit performs testing should assist IT organizations in designing their own compliance testing. Multiple examples will be provided to demonstrate how unlocking the potential of small and/or unstructured data and focusing on data relationships will improve overall data integrity and provide quantifiable measures of operational effectiveness.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Rik Marselis's and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Afterwards we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨‍🏫 Andras Palfi, Senior Product Manager, UiPath
👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
2. Introduction
I defend my company's competitive advantage by helping solve business problems through technology, so that we work faster and safer.
Who is Jack Nichelson?
Director of Infrastructure & Security for Chart Industries.
Recognized as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award.
Adviser for Baldwin Wallace’s state-winning Collegiate Cyber Defense Competition (CCDC) team. “Solving Problems is my Passion”
3. Problem Statement
• How do you measure & report progress?
• Is your team focused on the right problems?
• How do you promote accountability & transparency?
• How do you find waste, time and money?
• Are your projects improving the daily jobs of your end users?
“Secure more with less, show continuous improvement and value”
In an era of security breaches we tend to have only one metric:
– Have my systems been compromised?
4. Why are Metrics Needed?
• Businesses use metrics to facilitate decision making
• Better data leads to better decisions
• Metrics allow organizations to set appropriate priorities
• Measurement allows comparison:
– Between our organization and industry benchmarks
– Between our organization's and other organizations' risk levels
– Between levels of accepted risk over time
– Between business units within an organization
5. Metrics from the Business World
• The business world uses metrics all the time
• Consider the following examples:
– Price to Earnings Ratio
– Profit & Loss Statements
– Product Sales Quotas
– Number of Safety Incidents
– Unit Production
– Web Advertisement Click Counts
– Number of Facebook “Likes” per Post
6. Metrics in Technology
• Organizations also commonly use metrics to help measure the performance of technology systems
• Consider the following examples:
– System uptime
– CPU Utilization Percentage
– Memory Use Percentage
– Average Email Mailbox Size
– Support Technician to Computer Node Ratio
– Help Desk Ticket Time to First Touch
– Help Desk Ticket Time to Resolution
7. IS Metrics: Too Broad?
• The first question we need to ask is, “What do we mean by the term Information Security metrics?”
• IS Metrics is too broad a term
• “Begin with the end in mind.” – Stephen Covey
• Measurement for measurement’s sake helps no one
• Organizations must be specific about what they are measuring and the benefits they hope to achieve from it
8. Suggested Solution
Create an effective, sustainable, security-aware culture that is results driven.
Foundation
Leading Change
Gemba Board
• Security
• Quality
• Delivery
• Cost
• People
Case Study Examples & Results
9. Begin With The End In Mind
Example of how some simple goals that are tracked as a team will move security forward.
10. Primary Recommendation
1. Start small, excel at gathering a small number of metrics
2. Integrate these metrics into your business process
3. Grow the number of metrics you collect
• The United States Department of State iPost began with only three data sensors:
– Tenable Nessus
– Microsoft Active Directory
– Microsoft System Management Server (System Center)
12. Foundation
Recommended elements for getting started:
• Obtain a security charter from senior management
• Create an organization wide IS Steering Committee
• Document your organization’s overall security goals
• Create an asset inventory & Assign data owners to all of your systems
• Deploy a vulnerability scanner & scan your hosts on a regular basis
• Start with 4 data sources:
– Microsoft Active Directory
– Help Desk Ticketing System
– Microsoft System Center (SCCM)
– Tenable Nessus or Qualys
13. Leading Change
Step 1: Create Urgency - For change to happen, you need to make the case why and be brutally honest.
Step 2: Form a Powerful Coalition - Get visible support from key people and link metrics to performance.
Step 3: Create a Vision for Change - Develop what you "see" as the future that people can grasp easily and remember.
Step 4: Communicate the Vision - Talk about it every chance you get. Use the vision daily to make decisions and solve problems.
Culture Eats Strategy - Make metrics part of your culture
14. Leading Change
Step 5: Remove Obstacles - Empower the people you need to execute your vision, and help the change move forward.
Step 6: Create Short-Term Wins - Nothing motivates like success.
Step 7: Build on the Change - Change projects fail because victory is declared too early.
Step 8: Anchor the Changes in Corporate Culture - Your culture determines what gets done, so the values behind your vision must show in day-to-day work.
You have to work hard to change a culture successfully. If you're too impatient, and if you expect too many results too soon, your plans for change are more likely to fail.
15. Gemba Board
Gemba (現場) is a Japanese term referring to the place where value
is created. The idea of Gemba is that the problems are visible, and
the best improvement ideas will come from going to the Gemba.
16. Gemba Board: Security
Example Metrics:
• # of systems not monitored & tracked in inventory by Location or LoB
• # Top Vulnerabilities by Location or LoB
• # of Legacy Systems by Location or LoB
• # of Users with Local Admin & Accounts with Domain Admin
• # of Total Security Incidents by Location or LoB
• # of Past Due Security Awareness Training by Location or LoB
Security - The current security posture at a glance
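The "Security" rows above are all derived by joining the asset inventory against what the sensors actually see. The following Python is an added example (not from the original slides) that computes those rows from constructed exports standing in for the inventory, Active Directory, SCCM and Nessus; the field names, the legacy-OS list, and the rule that "monitored" means seen by both SCCM and Nessus are assumptions.

```python
"""Gemba board 'Security' metrics computed from sensor exports.

Added example (not from the original slides). The records below are
constructed stand-ins for exports from the data sources the deck names:
the asset inventory, Active Directory, SCCM and Nessus. Field names
(hostname, lob, location, os) and the legacy-OS list are assumptions.
"""
from collections import Counter

# Constructed: what the asset inventory says the organization owns.
INVENTORY = [
    {"hostname": "fin-db01", "lob": "Finance", "location": "Columbus", "os": "Windows Server 2012"},
    {"hostname": "fin-ws07", "lob": "Finance", "location": "Columbus", "os": "Windows 10"},
    {"hostname": "mfg-plc02", "lob": "Manufacturing", "location": "Dayton", "os": "Windows XP"},
    {"hostname": "hr-ws03", "lob": "HR", "location": "Columbus", "os": "Windows 10"},
]

# Constructed: hostnames each sensor has actually seen.
AD_COMPUTERS = {"fin-db01", "fin-ws07", "hr-ws03", "hr-ws09"}
SCCM_CLIENTS = {"fin-db01", "fin-ws07", "hr-ws03"}
NESSUS_HOSTS = {"fin-db01", "fin-ws07", "mfg-plc02", "hr-ws03", "mfg-ws11"}

# Constructed: local Administrators membership per host, and the AD
# Domain Admins group.
LOCAL_ADMINS = {"fin-ws07": ["jdoe", "asmith"], "hr-ws03": ["jdoe"], "fin-db01": []}
DOMAIN_ADMINS = {"svc_backup", "tsmith", "jdoe"}

# OS versions this organization treats as legacy (assumption).
LEGACY_OS_PREFIXES = ("Windows XP", "Windows Server 2003", "Windows Server 2008")


def count_by(records, key):
    """Count inventory records by 'lob' or 'location'."""
    return dict(Counter(r[key] for r in records))


def inventory_gaps():
    """Two gaps the board should show: hosts a sensor has seen that the
    inventory does not track (we cannot even assign them a LoB), and
    inventoried hosts that are not under full monitoring, which here
    means seen by both SCCM and Nessus (assumption)."""
    inventoried = {r["hostname"]: r for r in INVENTORY}
    seen = AD_COMPUTERS | SCCM_CLIENTS | NESSUS_HOSTS
    not_in_inventory = sorted(seen - set(inventoried))
    fully_monitored = SCCM_CLIENTS & NESSUS_HOSTS
    not_monitored = [r for h, r in inventoried.items() if h not in fully_monitored]
    return not_in_inventory, not_monitored


def legacy_systems():
    """Inventoried hosts running an OS on the legacy list."""
    return [r for r in INVENTORY if r["os"].startswith(LEGACY_OS_PREFIXES)]


def admin_counts():
    """Distinct users holding local admin anywhere, and Domain Admins."""
    local = {u for users in LOCAL_ADMINS.values() for u in users}
    return {"users_with_local_admin": len(local),
            "domain_admin_accounts": len(DOMAIN_ADMINS)}


def security_board():
    """One entry per board row, broken down by LoB and by location."""
    not_in_inventory, not_monitored = inventory_gaps()
    return {
        "not_in_inventory": not_in_inventory,
        "not_monitored_by_lob": count_by(not_monitored, "lob"),
        "not_monitored_by_location": count_by(not_monitored, "location"),
        "legacy_by_lob": count_by(legacy_systems(), "lob"),
        "legacy_by_location": count_by(legacy_systems(), "location"),
        **admin_counts(),
    }


if __name__ == "__main__":
    for row, value in security_board().items():
        print(f"{row}: {value}")
```

Note that hosts which only a sensor knows about cannot be broken down by LoB at all, which is exactly why the deck puts the asset inventory and data-owner assignment ahead of any metric.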
17. Gemba Board: Quality
Example Metrics:
• # of Servers & Workstations missing OS & App patches (30 day SLA)
• # of infections/Re-Images tickets (3 day SLA)
• # of Security Event tickets (5 day SLA)
• # of Security Request tickets (15 day SLA)
• Cause Mapping Analysis to find root cause of problems
Quality – Results for SLA goals of events & requests
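Each "Quality" row is an SLA-aging count: how many tickets or patches are older than the target the slide gives. The Python below is an added example (not from the original slides) that applies those targets to a constructed help-desk export and a constructed SCCM-style missing-patch list; the reporting date, ticket categories and field names are assumptions.

```python
"""Gemba board 'Quality' metrics: SLA aging for security tickets and patching.

Added example, not from the original slides. Tickets and patch records are
constructed; the SLA targets are the ones the slide states (30-day patch,
3-day infection/re-image, 5-day security event, 15-day security request).
TODAY is a constructed reporting date so the example runs offline.
"""
from datetime import date

SLA_DAYS = {"infection": 3, "event": 5, "request": 15}
PATCH_SLA_DAYS = 30
TODAY = date(2016, 3, 15)  # constructed reporting date

# Constructed help desk export. closed=None means the ticket is still open.
TICKETS = [
    {"id": 101, "category": "infection", "opened": date(2016, 3, 1), "closed": date(2016, 3, 2)},
    {"id": 102, "category": "infection", "opened": date(2016, 3, 1), "closed": date(2016, 3, 7)},
    {"id": 103, "category": "event", "opened": date(2016, 3, 10), "closed": None},
    {"id": 104, "category": "event", "opened": date(2016, 3, 14), "closed": None},
    {"id": 105, "category": "request", "opened": date(2016, 2, 1), "closed": date(2016, 2, 10)},
    {"id": 106, "category": "request", "opened": date(2016, 2, 20), "closed": None},
]

# Constructed SCCM-style view of patches a host is missing, with release date.
MISSING_PATCHES = [
    {"hostname": "fin-db01", "kind": "OS", "released": date(2016, 1, 12)},
    {"hostname": "fin-ws07", "kind": "App", "released": date(2016, 3, 8)},
    {"hostname": "hr-ws03", "kind": "OS", "released": date(2016, 2, 9)},
]


def ticket_age_days(ticket, today):
    """Days from open to close, or to today for a ticket still open."""
    end = ticket["closed"] or today
    return (end - ticket["opened"]).days


def sla_results(tickets, today):
    """Per category: tickets closed within SLA ('met') and tickets that
    breached it, whether closed late or still open past the target.
    Open tickets still inside their window count in neither bucket."""
    result = {c: {"met": 0, "breached": 0} for c in SLA_DAYS}
    for t in tickets:
        limit = SLA_DAYS[t["category"]]
        bucket = result[t["category"]]
        if ticket_age_days(t, today) > limit:
            bucket["breached"] += 1
        elif t["closed"] is not None:
            bucket["met"] += 1
    return result


def patches_past_sla(missing, today):
    """Hosts missing at least one OS or app patch older than the 30-day SLA."""
    overdue = {m["hostname"] for m in missing
               if (today - m["released"]).days > PATCH_SLA_DAYS}
    return sorted(overdue)


def quality_board(today=TODAY):
    """The two Quality rows: ticket SLA results and hosts past the patch SLA."""
    return {"tickets": sla_results(TICKETS, today),
            "hosts_past_patch_sla": patches_past_sla(MISSING_PATCHES, today)}


if __name__ == "__main__":
    for row, value in quality_board().items():
        print(f"{row}: {value}")
```

Counting an open ticket as breached as soon as its age passes the target, rather than only when it closes late, is what makes the board useful for the daily stand-up: the breach is visible while someone can still act on it.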
18. Gemba Board: Delivery
Delivery – Active Projects & Audits at a glance
Example Metrics:
• Active Projects Status
• Active Audit Status
• Remediation Progress by Location or LoB
• On-Site Awareness Training by Location
19. Gemba Board: Cost
Cost – P&L at a glance
Example Metrics:
• Operating budget spending plan (OPEX & CAPEX)
• ROIC: Qualitative Rating of Perceived Value
• Support Agreement Costs & Renewal dates
• Consultant Support Agreement Costs & Renewal dates
• Running total of cost savings
20. Gemba Board: People
People – Skills matrix at a glance
Example Metrics:
• Skills Matrix of everyone in Security
• Training and development plans
• On-Call & Vacation Schedules
• Awards
21. Practical Steps: Base
• To create an effective, sustainable metrics program, don’t start by creating metrics
• The recommended order is:
1. Obtain a security management charter from senior
management
2. Create an organization wide IS Steering Committee
3. Document your organization’s overall security goals
4. Create & approve appropriate security policies,
procedures, & standards
5. Educate your organization on those documents
22. Practical Steps: Phase I
Once a base or foundation for information assurance is laid, then you can begin with metrics
• The next phase would be to:
1. Identify what information security sensors you have
already successfully deployed
2. Determine what meaningful metrics can be gleaned from
these sensors
3. Deploy a tool that can centrally aggregate, normalize, and
report on the data collected by the sensors
4. Create basic reports based on the metrics from step #2
5. Work with business owners to remediate risk
23. Practical Steps: Phase II
Now you are ready for continuous process improvement
• The last steps are to refine your effort, gather more data, and
remediate more risk:
1. Deploy additional sensors & aggregate the results
2. Determine meaningful metrics that new sensors can
bring
3. Collaborate with business owners to make metrics more
meaningful
4. Remediate new risks as they are discovered
5. Automate the response to as many metrics as possible
24. Software Tools to Help
• Open Source Projects:
– Practical Threat Analysis (PTA) Professional
– OSSIM Open Source SIEM
• Commercial Tools:
– Archer Technologies SmartSuite
– OpenPages Enterprise GRC
– Bwise GRC
– MetricStream
– Methodware ERA
– Protiviti Governance Portal
– CCH TeamMate, Sword, & Axentis
25. Bare Minimum Response
1. Create an asset inventory
2. Assign data owners to all of your systems
3. Deploy a vulnerability scanner & scan all of your hosts on a
regular basis
4. Create overall CVSS risk scores, by business unit, and publish
those scores to key business owners
5. Remediate the risk you discover
• Focus on the basics, then improve your efforts
• Run a 5K first, then try a marathon
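Step 4 above (and Phase I steps 2 through 4 on the earlier slide) is the one that turns raw scanner output into something a business owner can act on. The Python below is an added example, not from the original slides, that rolls constructed scanner findings up into a per-business-unit CVSS score using the asset inventory and data owners from steps 1 and 2, and renders it as CSV for publication. The findings, hostnames and owner addresses are constructed, and the roll-up rule (sum of CVSS base scores plus a count per severity band) is an assumption; the steering committee should agree on whichever rule gets published.

```python
"""Step 4 of the bare-minimum response: roll scanner findings up into a
CVSS-based risk score per business unit and prepare it for publishing.

Added example, not from the original slides. The findings are constructed
to resemble a normalized vulnerability-scanner export (the deck names
Nessus and Qualys); the inventory maps each host to a business unit and a
data owner (steps 1 and 2). The roll-up rule, sum of CVSS base scores plus
counts per severity band, is an assumption.
"""
import csv
import io
from collections import defaultdict

# Constructed asset inventory with data owners (step 2 of the slide).
INVENTORY = {
    "fin-db01": {"bu": "Finance", "owner": "finance.owner@example.com"},
    "fin-ws07": {"bu": "Finance", "owner": "finance.owner@example.com"},
    "mfg-plc02": {"bu": "Manufacturing", "owner": "plant.owner@example.com"},
    "hr-ws03": {"bu": "HR", "owner": "hr.owner@example.com"},
}

# Constructed scanner findings; 'cvss' is the CVSS v2 base score.
FINDINGS = [
    {"hostname": "fin-db01", "title": "missing critical OS patch", "cvss": 9.3},
    {"hostname": "fin-db01", "title": "weak TLS cipher suites", "cvss": 4.3},
    {"hostname": "fin-ws07", "title": "outdated PDF reader", "cvss": 7.5},
    {"hostname": "mfg-plc02", "title": "unsupported operating system", "cvss": 10.0},
    {"hostname": "hr-ws03", "title": "outdated Java runtime", "cvss": 6.8},
    {"hostname": "lab-box42", "title": "telnet service enabled", "cvss": 5.0},  # not inventoried
]

UNASSIGNED = "UNASSIGNED"  # bucket for hosts the inventory does not know


def severity_band(cvss):
    """NVD CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_by_business_unit(findings, inventory):
    """Aggregate findings per BU. Hosts missing from the inventory land in
    UNASSIGNED so the inventory gap is published alongside the scores."""
    rows = defaultdict(lambda: {"owner": None, "hosts": set(), "total_cvss": 0.0,
                                "max_cvss": 0.0, "high": 0, "medium": 0, "low": 0})
    for f in findings:
        asset = inventory.get(f["hostname"])
        bu = asset["bu"] if asset else UNASSIGNED
        row = rows[bu]
        if asset:
            row["owner"] = asset["owner"]
        row["hosts"].add(f["hostname"])
        row["total_cvss"] = round(row["total_cvss"] + f["cvss"], 1)
        row["max_cvss"] = max(row["max_cvss"], f["cvss"])
        row[severity_band(f["cvss"])] += 1
    return dict(rows)


def publish_csv(scores):
    """Render the roll-up as CSV, highest total first, for the business owners."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["business_unit", "owner", "hosts", "total_cvss",
                     "max_cvss", "high", "medium", "low"])
    for bu, r in sorted(scores.items(), key=lambda kv: kv[1]["total_cvss"], reverse=True):
        writer.writerow([bu, r["owner"] or "", len(r["hosts"]), r["total_cvss"],
                         r["max_cvss"], r["high"], r["medium"], r["low"]])
    return out.getvalue()


if __name__ == "__main__":
    print(publish_csv(risk_by_business_unit(FINDINGS, INVENTORY)))
```

Keeping the UNASSIGNED row in the published report is deliberate: a scanner finding on a host nobody owns has no one to remediate it, so the row is itself a metric for how far steps 1 and 2 still have to go.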
26. Further Questions
• Jack Nichelson
– E-mail: Jack@Nichelson.net
– Twitter: @Jack0Lope
– Website: http://www.linkedin.com/in/nichelson
• Resource for further study:
– Security Metrics: Replacing Fear, Uncertainty,
and Doubt by Andrew Jaquith
Editor's Notes
Is the company plan working
Basic Health
Most Information Security metrics suck!
Survival of the fittest
System Thinking – A bunch of things that come together, for the pursuit of a common objective, in an environment or context that impacts them and their ability to achieve the objective!
Start small, excel at gathering a small number of metrics
Integrate these metrics into your business process
Grow the number of metrics you collect