
ISSA Sacramento: Security Metrics - So What?


ISSA Sacramento chapter presentation on security metrics and communications.


  1. ISSA Sacramento: Security Metrics – So What?
     William Tang, CTO, Allgress, Inc., 09/17/2010
     ALLGRESS, INC. © 2009 ALLGRESS, INC. ∙ 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  2. Security Metrics – So What?
     • Why are we gathering metrics?
     • Who are we gathering these metrics for?
     • What will we do with the metrics, once we have them?
  3. What You Will Learn
     • Techniques to influence business decision makers.
     • Simple ways to demonstrate security value.
     • How to align security strategy with the business.
  4. IT Security’s Job Description: Minimize Security Risk & Maximize Business Value
     Business and security metrics are needed to demonstrate and communicate both objectives.
  5. Presentation Outline
     • Introduction Exercise
     • Be More Effective
     • Demonstrate Security Value
     • Conclusion
  6. If You Were a CFO, COO, or Exec…
     • This is the language you would speak:
       – Discount Rate
       – Leverage Ratio
       – Covenants
       – Net Debt Free Cash Flow
       – EBITDA, EPS, Beta, etc.
     If this sounds like a foreign language, imagine how they feel when we use IT security terms…
  7. Which Statement for Exec Mgmt?
     A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.
     B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.
  8. Presentation Outline: Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion
  9. Choose Wisely
     [Diagram: the overlap of Security Metrics and Business Metrics is the set of Useful Metrics (for your intended audience).]
  10. Example: Risk & Revenue
     • ‘Bubbles’ represent business units (BU).
     • Size of the bubble represents the BU percentage revenue ($).
     • NIST Risk Methodology (tech scans & audits).
     [Chart: bubbles plotted against Low Risk / Medium Risk / High Risk; callout: “This BU generates 30% of revenue, but it has high risk.”]
     IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?
  11. Example: Escape Fire Fighting Mode
     • PCI compliance scans from Qualys.
     • Results grouped by operating system or asset type.
     For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.
  12. Example: Escape Fire Fighting Mode
     • Same Qualys data as before, but now grouped by vulnerability type.
     Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?
  13. Example: Naughty Business Unit
     • Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
     • Leverage any vulnerability scanning tool.
     • Link with estimates for remediation, Remedy trouble tickets or a timesheet system.
     [Chart: pie of labor hours by office: Los Angeles, New York, Austin, Boston.]
     If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?
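Slides 10 through 13 all make the same point: one set of scan findings, pivoted along different dimensions, yields a technical metric for the operations team and a business metric for executives. The script below is an added example, not material from the deck or from Allgress; the findings, the business-unit revenue shares and the field names (`host`, `os`, `business_unit`, `vuln_type`, `severity`, `remediation_hours`) are constructed sample data, with a 1 to 5 severity where 4 and 5 count as critical, as on slide 7. It produces the slide 11 view (findings per operating system), the slide 12 view (findings per vulnerability type), the slide 13 view (labor hours and host counts per business unit) and the two slide 7 statements from the same rows.

```python
"""Pivot one set of vulnerability-scan findings into audience-specific metrics.

Added example, not part of the original slide deck. All data below is
constructed; the field names and revenue shares are assumptions.
"""
from collections import Counter, defaultdict

# Constructed findings: one row per (host, vulnerability) pair. Severity is on a
# 1-5 scale (4 and 5 = critical); remediation_hours is the estimated effort to
# fix, e.g. taken from trouble tickets or a timesheet system as slide 13 suggests.
FINDINGS = [
    {"host": "web01", "os": "Windows 2008", "business_unit": "Boston",
     "vuln_type": "Missing patch", "severity": 5, "remediation_hours": 4.0},
    {"host": "web01", "os": "Windows 2008", "business_unit": "Boston",
     "vuln_type": "Weak TLS configuration", "severity": 4, "remediation_hours": 3.0},
    {"host": "db01", "os": "Windows 2008", "business_unit": "Boston",
     "vuln_type": "Missing patch", "severity": 5, "remediation_hours": 6.0},
    {"host": "db01", "os": "Windows 2008", "business_unit": "Boston",
     "vuln_type": "Default credentials", "severity": 5, "remediation_hours": 2.0},
    {"host": "app01", "os": "Red Hat 5", "business_unit": "New York",
     "vuln_type": "Missing patch", "severity": 3, "remediation_hours": 2.0},
    {"host": "app02", "os": "Red Hat 5", "business_unit": "New York",
     "vuln_type": "Weak TLS configuration", "severity": 2, "remediation_hours": 1.5},
    {"host": "fs01", "os": "Windows 2003", "business_unit": "Los Angeles",
     "vuln_type": "Missing patch", "severity": 2, "remediation_hours": 1.0},
    {"host": "fs02", "os": "Windows 2003", "business_unit": "Los Angeles",
     "vuln_type": "Missing patch", "severity": 2, "remediation_hours": 1.0},
    {"host": "fs03", "os": "Windows 2003", "business_unit": "Los Angeles",
     "vuln_type": "Information disclosure", "severity": 1, "remediation_hours": 0.5},
    {"host": "mail01", "os": "Red Hat 5", "business_unit": "Austin",
     "vuln_type": "Missing patch", "severity": 4, "remediation_hours": 2.0},
]

# Constructed share of company revenue generated by each business unit's systems
# (the bubble size on slide 10).
REVENUE_SHARE = {"Los Angeles": 0.45, "New York": 0.20, "Austin": 0.05, "Boston": 0.30}


def count_by(findings, field):
    """Slides 11/12: number of findings per value of `field` (e.g. "os" or "vuln_type")."""
    return dict(Counter(f[field] for f in findings))


def hosts_by_bu(findings):
    """Slide 13: how many distinct IT systems each business unit owns."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["business_unit"]].add(f["host"])
    return {bu: len(h) for bu, h in hosts.items()}


def labor_hours_by_bu(findings):
    """Slide 13: remediation labor hours per business unit (the pie wedges)."""
    hours = defaultdict(float)
    for f in findings:
        hours[f["business_unit"]] += f["remediation_hours"]
    return dict(hours)


def revenue_with_critical_risk(findings, revenue_share, critical_severity=4):
    """Slide 10: share of revenue generated by BUs carrying at least one critical finding."""
    exposed = {f["business_unit"] for f in findings if f["severity"] >= critical_severity}
    return round(sum(share for bu, share in revenue_share.items() if bu in exposed), 4)


def statements(findings, revenue_share, critical_severity=4):
    """Slide 7: the technical statement (A) and the executive statement (B) from the same data."""
    critical = [f for f in findings if f["severity"] >= critical_severity]
    hosts = {f["host"] for f in findings}
    pct = round(100 * revenue_with_critical_risk(findings, revenue_share, critical_severity))
    return (
        f"A. We have {len(critical)} severity {critical_severity} and {critical_severity + 1} "
        f"vulnerabilities on our {len(hosts)} servers.",
        f"B. The IT systems that generate {pct}% of our revenue have critical security vulnerabilities.",
    )


if __name__ == "__main__":
    print("By OS:            ", count_by(FINDINGS, "os"))
    print("By vuln type:     ", count_by(FINDINGS, "vuln_type"))
    print("Hosts per BU:     ", hosts_by_bu(FINDINGS))
    print("Labor hours per BU:", labor_hours_by_bu(FINDINGS))
    for line in statements(FINDINGS, REVENUE_SHARE):
        print(line)
```

In the sample data Los Angeles owns the most hosts but Boston consumes most of the remediation hours, which is exactly the slide 13 question; the `vuln_type` pivot shows "Missing patch" dominating, which is the slide 12 prompt to fix the patching process rather than each finding in turn.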
  14. Presentation Outline: Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion
  15. Example: Risk Reduction Per $
     • ‘Bubble’ can represent any business metric.
     • Demonstrate changes in risk over time (trending).
     [Chart: bubbles for Year 1, Year 2, Year 3.]
     We can calculate the changes in risk and costs to show how effectively investments in security reduce risk, or how reducing investments in security increases risk.
  16. Example: Risk Reduction Per $
     Demo of Risk Trending
  17. Example: Prove Cost Savings
     • Web Servers required 1,034 labor hours to mitigate vulnerabilities.
     • Mail Service vulnerabilities required 1,014 labor hours.
     • Total is 2,048 hours.
     • Assume the average labor hour is $100/hr.
     [Chart: labor hours for Web Servers and Mail Services.]
  18. Example: Prove Cost Savings
     October 2009: Implement training and awareness to system admins to prevent vulnerabilities with change control and patching processes.
       • Hours = 2,048
       • Labor Cost = $100/hr
       • Total Cost = $20,480
     January 2010: Scans for this quarter show that vulnerability count has decreased by 40%. As a result labor hours have also decreased by approx 40%.
       • Hours = 1,200
       • Labor Cost = $100/hr
       • Total Cost = $12,000
     Estimated Cost Savings = $8,480
  19. Example: Prove Cost Savings
     [Charts: October 2009 and January 2010, findings by status: CLOSED / PENDING / OPEN.]
     NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.
  20. Example: Align With The Business
  21. Example: Align With The Business
  22. Presentation Outline: Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion
  23. Allgress Solution Objectives: Minimize Security Risk & Maximize Business Value
     Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.
  24. Parting Words of Wisdom
     Dave Cullinane, CISO: “Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.”
     Full webinar at http://www.allgress.com/webinars
  25. Q&A
     William Tang, Chief Technology Officer, Allgress, Inc.
     Email: william.tang@allgress.com
     Direct: 310.383.2783
     FAX: 310.496.0426
     www.allgress.com
