SlideShare a Scribd company logo

Practical Measures for Measuring Security

Download as PPTX, PDF
Chris Mullins
Chris Mullins

Security is often a frustrating field for business and IT decision makers. It can be difficult to quantify, difficult to get visibility, and it’s difficult to know when you have “enough”. Do you really need that latest threat feed subscription or state of the art malware protection device? Do you need to add another security analyst to your team? And if so, how can you understand, in business terms, the value these investments bring to the business? This session will explore practical methods for the application of metrics in security to support business decision making, and provide a framework to implement straightforward security metrics, whether inside your wall or at a service provider.

TechnologyNews & Politics
1 of 24
WELCOME TO SECURE360 2012  Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.  Please complete the Session Survey front and back (this is Room 7), and leave on your seat. Note: “Session” is Tuesday or Wednesday  Are you tweeting? #Sec360
AGENDA Are you Ready? The Problem of Measuring Security Metric Myths Characteristics of Effective Metrics Defining Your Metrics The Process of Measurement Sample Metrics Implementing Metrics Presenting Metrics A Mature Metrics Program Page 3
WHY HAVEN’T YOU SOLVED THIS YET? Is the Organization ready? What’s the Tone from the Top? Is it Security someone’s Job? Do you have Policy in place? Are resources allocated to identify and detect issues? Are resources allocated to remediate issues? Are you Level 4? Page 4
Page 5
TYPICAL PROBLEMS OF MEASURING SECURITY Risk is difficult to define precisely Attack Surface Current Environment Asset Value Measures not linked to action Measures often focus on outcomes Page 6
METRIC MYTHS 7 Myths that hold people back 92.467% of the time. 1. Metrics must be Objective and Tangible 2. Metrics must have discrete values 3. Metrics must be absolute 4. Metrics are costly 5. You can’t manage what you can’t measure 6. It’s essential to measure outcomes 7. You need precise, accurate data Page 7
CHARACTERISTICS OF A GOOD METRIC (This is probably NOT a good example) Attackability Computation. An Attack Surface Metric, Carnegie Mellon University, 2005 Page 8
CHARACTERISTICS OF A GOOD METRIC 1. Directly Relates to an objective 2. Should have a logical stakeholder 3. Collection should be inexpensive, simple and standardized 4. Should have a resolution appropriate for maturity 5. Should be phase appropriate 6. Should have applicability defined 7. Should have an indicated action Page 9
DEFINING YOUR METRICS Page 10
DEVELOPING YOUR METRICS Metrics Relating to Security Controls 1. Should map directly to a defined control 2. Use data describing the security control’s implementation to generate required measures 3. Characterize the measure as applicable to system categorization (low, med, high) Page 11
DEVELOPING YOUR METRICS Metrics Relating to Security Program Performance 1. Map to InfoSec Goals & Objectives that encompass performance 2. Use the data describing the information security program performance to generate required measures Page 12
NOW THAT YOU HAVE YOUR METRICS On your Mark, get Set… Document in a standard format  See 800-55 for an excellent template Prioritize and Select Establish Performance Targets Evaluate Metric performance and relevance periodically, incorporate feedback Page 13
SAMPLE METRICS • Percentage of the agency’s information system budget devoted to information security • Percentage of “high” vulnerabilities mitigated within defined time periods after discovery • Percentage of remote access points used to gain unauthorized access • Percentage of information system security personnel that have received security training • Average frequency of audit records review and analysis for inappropriate activity Page 14
SAMPLE METRICS (CONTINUED) • Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation • Percentage approved and implemented configuration changes identified in the latest automated baseline configuration • Percentage of information systems that have conducted annual contingency plan testing • Percentage of users with access to shared accounts Page 15
SAMPLE METRICS (CONTINUED) • Percentage of incidents reported within required time frame per applicable incident category • Percentage of system components that undergo maintenance in accordance with formal maintenance schedules • Percentage of media that passes sanitization procedures • Percentage of physical security incidents allowing unauthorized entry into facilities containing information systems Page 16
SAMPLE METRICS (CONTINUED) • Percentage of employees who are authorized to access information systems only after they sign an acknowledgement that they have read and understood rules of behavior • Percentage of individuals screened before being granted access to organizational information and information systems • Percentage of vulnerabilities remediated within organization- specified time frames Page 17
SAMPLE METRICS (CONTINUED) • Percentage of system and service acquisition contracts that include security requirements and/or specifications • Percentage of mobile devices that meet approved cryptographic policies • Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated Page 18
IMPLEMENTING METRICS Page 19
EXAMPLE: A METRIC IN ACTION Page 20
PRESENTING METRICS Do you REALLY have to use Excel? Page 21
WHEN YOU GET BACK TO THE OFFICE ON MONDAY: 1. Are you ready? 2. Engage Stakeholders 3. Identify Your Metrics - Leverage CIS, NIST 800-55 4. Automate collection & reporting 5. Act on what you find 6. Make it look good! 7. Document the value 8. Re-evaluate periodically Page 22
REFERENCES / CREDITS CMMI: http://www.sei.cmu.edu/cmmi/ http://www.noticebored.com/html/metrics.html Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf http://www.geckoboard.com/ Page 23
THANK YOU! Chris Mullins cmullins@alertlogic.com @chrisbmullins 713.581.4332

Recommended

Securitymetrics
SecuritymetricsSecuritymetrics
SecuritymetricsManish Kumar
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 
Information Security Project
Information Security ProjectInformation Security Project
Information Security Projectnovemberchild
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsArun Prabhakar
 
7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMMCigital
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringTieu Luu
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
Manning Information Security Strategy
Manning Information Security StrategyManning Information Security Strategy
Manning Information Security StrategyDonald Tabone
 

Recommended

Securitymetrics
SecuritymetricsSecuritymetrics
SecuritymetricsManish Kumar
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by FirstMutualHoldings
 
Information Security Project
Information Security ProjectInformation Security Project
Information Security Projectnovemberchild
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsArun Prabhakar
 
7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMMCigital
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringTieu Luu
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
Manning Information Security Strategy
Manning Information Security StrategyManning Information Security Strategy
Manning Information Security StrategyDonald Tabone
 
Building a security strategy?
Building a security strategy?Building a security strategy?
Building a security strategy?Lori McInnes
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)Kendall Gill
 
Master Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolMaster Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolHernan Huwyler, MBA CPA
 
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in HealthcareMedigate
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
How to Secure Your Clinical Network
How to Secure Your Clinical NetworkHow to Secure Your Clinical Network
How to Secure Your Clinical NetworkMedigate
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Donald E. Hester
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
Cyber Risk and Security Analyst Job Desc
Cyber Risk and Security Analyst Job DescCyber Risk and Security Analyst Job Desc
Cyber Risk and Security Analyst Job DescMitchell Lavender, CISSP, CISM
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesUnderstanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesDonald E. Hester
 
Chapter003
Chapter003Chapter003
Chapter003Jeanie Delos Arcos
 
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!Heather Salmons Newswanger
 
MIS 22 Disaster Management
MIS 22 Disaster ManagementMIS 22 Disaster Management
MIS 22 Disaster ManagementTushar B Kute
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Clinical Risk Management
Clinical Risk Management Clinical Risk Management
Clinical Risk Management Medigate
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Clinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthClinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthMedigate
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 

More Related Content

What's hot

Building a security strategy?
Building a security strategy?Building a security strategy?
Building a security strategy?Lori McInnes
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)Kendall Gill
 
Master Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolMaster Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolHernan Huwyler, MBA CPA
 
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in HealthcareMedigate
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
How to Secure Your Clinical Network
How to Secure Your Clinical NetworkHow to Secure Your Clinical Network
How to Secure Your Clinical NetworkMedigate
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Donald E. Hester
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesUnderstanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesDonald E. Hester
 
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai360 BSI
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!Heather Salmons Newswanger
 
MIS 22 Disaster Management
MIS 22 Disaster ManagementMIS 22 Disaster Management
MIS 22 Disaster ManagementTushar B Kute
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Clinical Risk Management
Clinical Risk Management Clinical Risk Management
Clinical Risk Management Medigate
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Clinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthClinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthMedigate
 

What's hot (20)

Building a security strategy?
Building a security strategy?Building a security strategy?
Building a security strategy?
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)
 
Master Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines SchoolMaster Class Cyber Compliance IE Law School IE Busines School
Master Class Cyber Compliance IE Law School IE Busines School
 
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
5 Reasons Why Medigate is a Game Changer For IoT Security in Healthcare
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
How to Secure Your Clinical Network
How to Secure Your Clinical NetworkHow to Secure Your Clinical Network
How to Secure Your Clinical Network
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
Cyber Risk and Security Analyst Job Desc
Cyber Risk and Security Analyst Job DescCyber Risk and Security Analyst Job Desc
Cyber Risk and Security Analyst Job Desc
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: RolesUnderstanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
 
Chapter003
Chapter003Chapter003
Chapter003
 
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 DubaiIT Risk Management & Leadership 23 - 26 June 2013 Dubai
IT Risk Management & Leadership 23 - 26 June 2013 Dubai
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!
 
MIS 22 Disaster Management
MIS 22 Disaster ManagementMIS 22 Disaster Management
MIS 22 Disaster Management
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security Management
 
Clinical Risk Management
Clinical Risk Management Clinical Risk Management
Clinical Risk Management
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Clinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of TruthClinical Device Efficiency - Dynamic Record of Truth
Clinical Device Efficiency - Dynamic Record of Truth
 

Similar to Practical Measures for Measuring Security

Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Presenting Metrics to the Executive Team
Presenting Metrics to the Executive TeamPresenting Metrics to the Executive Team
Presenting Metrics to the Executive TeamJohn D. Johnson
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Anton Chuvakin
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOpsInfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOpsVMware Tanzu
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management FrameworkJoseph Wynn
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2Manish Kumar
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?John D. Johnson
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through SecurityEnergySec
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security programabdulkhalid murady
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Managementjadams6
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metricscentralohioissa
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...CompTIA
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Chapter 09 security_management_practices
Chapter 09 security_management_practicesChapter 09 security_management_practices
Chapter 09 security_management_practiceshusseinalshomali
 
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...Julie Rampello
 

Similar to Practical Measures for Measuring Security (20)

Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Presenting Metrics to the Executive Team
Presenting Metrics to the Executive TeamPresenting Metrics to the Executive Team
Presenting Metrics to the Executive Team
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOpsInfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centre
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?
 
Achieving Compliance Through Security
Achieving Compliance Through SecurityAchieving Compliance Through Security
Achieving Compliance Through Security
 
Managing an enterprise cyber security program
Managing an enterprise cyber security programManaging an enterprise cyber security program
Managing an enterprise cyber security program
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Management
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
Closing the Gap for Advanced Enterprise Cybersecurity Skills with CompTIA Adv...
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Chapter 09 security_management_practices
Chapter 09 security_management_practicesChapter 09 security_management_practices
Chapter 09 security_management_practices
 
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
Maximo KPI Maintenance & Asset Reliability Support Workshop IMC 2013 presenta...
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform EngineeringJemma Hussein Allen
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesThousandEyes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Practical Measures for Measuring Security

  • 1.
  • 2. WELCOME TO SECURE360 2012  Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.  Please complete the Session Survey front and back (this is Room 7), and leave on your seat. Note: “Session” is Tuesday or Wednesday  Are you tweeting? #Sec360
  • 3. AGENDA Are you Ready? The Problem of Measuring Security Metric Myths Characteristics of Effective Metrics Defining Your Metrics The Process of Measurement Sample Metrics Implementing Metrics Presenting Metrics A Mature Metrics Program Page 3
  • 4. WHY HAVEN’T YOU SOLVED THIS YET? Is the Organization ready? What’s the Tone from the Top? Is it Security someone’s Job? Do you have Policy in place? Are resources allocated to identify and detect issues? Are resources allocated to remediate issues? Are you Level 4? Page 4
  • 6. TYPICAL PROBLEMS OF MEASURING SECURITY Risk is difficult to define precisely Attack Surface Current Environment Asset Value Measures not linked to action Measures often focus on outcomes Page 6
  • 7. METRIC MYTHS 7 Myths that hold people back 92.467% of the time. 1. Metrics must be Objective and Tangible 2. Metrics must have discrete values 3. Metrics must be absolute 4. Metrics are costly 5. You can’t manage what you can’t measure 6. It’s essential to measure outcomes 7. You need precise, accurate data Page 7
  • 8. CHARACTERISTICS OF A GOOD METRIC (This is probably NOT a good example) Attackability Computation. An Attack Surface Metric, Carnegie Mellon University, 2005 Page 8
  • 9. CHARACTERISTICS OF A GOOD METRIC 1. Directly Relates to an objective 2. Should have a logical stakeholder 3. Collection should be inexpensive, simple and standardized 4. Should have a resolution appropriate for maturity 5. Should be phase appropriate 6. Should have applicability defined 7. Should have an indicated action Page 9
  • 11. DEVELOPING YOUR METRICS Metrics Relating to Security Controls 1. Should map directly to a defined control 2. Use data describing the security control’s implementation to generate required measures 3. Characterize the measure as applicable to system categorization (low, med, high) Page 11
  • 12. DEVELOPING YOUR METRICS Metrics Relating to Security Program Performance 1. Map to InfoSec Goals & Objectives that encompass performance 2. Use the data describing the information security program performance to generate required measures Page 12
  • 13. NOW THAT YOU HAVE YOUR METRICS On your Mark, get Set… Document in a standard format  See 800-55 for an excellent template Prioritize and Select Establish Performance Targets Evaluate Metric performance and relevance periodically, incorporate feedback Page 13
  • 14. SAMPLE METRICS • Percentage of the agency’s information system budget devoted to information security • Percentage of “high” vulnerabilities mitigated within defined time periods after discovery • Percentage of remote access points used to gain unauthorized access • Percentage of information system security personnel that have received security training • Average frequency of audit records review and analysis for inappropriate activity Page 14
  • 15. SAMPLE METRICS (CONTINUED) • Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation • Percentage approved and implemented configuration changes identified in the latest automated baseline configuration • Percentage of information systems that have conducted annual contingency plan testing • Percentage of users with access to shared accounts Page 15
  • 16. SAMPLE METRICS (CONTINUED) • Percentage of incidents reported within required time frame per applicable incident category • Percentage of system components that undergo maintenance in accordance with formal maintenance schedules • Percentage of media that passes sanitization procedures • Percentage of physical security incidents allowing unauthorized entry into facilities containing information systems Page 16
  • 17. SAMPLE METRICS (CONTINUED) • Percentage of employees who are authorized to access information systems only after they sign an acknowledgement that they have read and understood rules of behavior • Percentage of individuals screened before being granted access to organizational information and information systems • Percentage of vulnerabilities remediated within organization- specified time frames Page 17
  • 18. SAMPLE METRICS (CONTINUED) • Percentage of system and service acquisition contracts that include security requirements and/or specifications • Percentage of mobile devices that meet approved cryptographic policies • Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated Page 18
  • 20. EXAMPLE: A METRIC IN ACTION Page 20
  • 21. PRESENTING METRICS Do you REALLY have to use Excel? Page 21
  • 22. WHEN YOU GET BACK TO THE OFFICE ON MONDAY: 1. Are you ready? 2. Engage Stakeholders 3. Identify Your Metrics - Leverage CIS, NIST 800-55 4. Automate collection & reporting 5. Act on what you find 6. Make it look good! 7. Document the value 8. Re-evaluate periodically Page 22
  • 23. REFERENCES / CREDITS CMMI: http://www.sei.cmu.edu/cmmi/ http://www.noticebored.com/html/metrics.html Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf http://www.geckoboard.com/ Page 23

Editor's Notes

  1. 1. It’s ok to measure subjective factors, such as “security awareness”, as long as you don’t measure subjectively.2. It’s easy to measure the number of people that attended security awareness training, but it’s more difficult to measure the effectiveness of that training. That doesn’t mean it’s impossible or not worthwhile, though. And survey and statistical theory can be applied to extract very useful information, especially when applied to a continuous scale.3. The number of security incidents this month, or the number of vulnerabilities patched are both absolute numbers, but without a good deal of context such as the total number of vulnerabilites, the size of the environment, the number of staff available to patch, etc – it makes it very hard to understand the real meaning behind these numbers. Surveying your staff to ask “Is security better or worse this month versus last month” is probably a much more telling number, measured over team, even though it has not absolute value.4. It can be costly measure, but this should be a function of your metric design. We’ll talk more about this in the next section.5. This is related to all of the previous myths. You can absolutely improve security and reduce risk without being able to measure.6. Just because your house did not burn down this month doesn’t mean that no one piled a stack of oily rage next to the gasoline can in the garage. With real world security, meauring outcomes is like talking about the need to keep the barn door closed after the horses are gone. Outcomes can be useful however, so don’t throw them out completely.7. A recent survey showed that 87.663% of security metrics were a load of hooey. The more decimal places you see, the more suspect you should be.
  2. Show vuln scan resultsSo what?Actions?Resources required?Business case?