Continuous Monitoring and Real Time Risk Scoring
TRANSCRIPT
Erich Baumgartner, VP Federal, Q1 Labs – An IBM Company
J.R. Cunningham, Director of Federal Strategy, Accuvant
2
Meeting the Information Requirements of Federal Agencies
Two-phased compliance and security timeline
3
Security Intelligence for Continuous Monitoring
• Monitors network changes to detect vulnerabilities in the network
• Changes may be potential threats and policy/compliance violations, resulting in security gaps
• Compares configuration data from network security devices with layer 7 network activity analysis
• Continuously checks rule policy effectiveness and raises alerts
• Provides a single console view of the risk exposure needed to meet continuous monitoring requirements (risk management, log management, SIEM, network behavior analysis)
4
Continuously Manage Risk with Security Intelligence
Move beyond traditionally reactive security management
• Multi-vendor network configuration monitoring & audit
• Automated compliance and risk assessment
• Predictive threat modeling & simulation
Risk Indicators: Configuration/Topology, Network Activity, Vulnerability Management
Network & vulnerability context
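As an added example (not code from the slides, Q1 Labs or Accuvant), the following Python sketch combines the three risk indicators named above, firewall configuration/topology, observed layer 7 network activity and vulnerability findings, into one per-asset risk score, and includes the rule-effectiveness check that flags permit rules no traffic ever matches. Zone names, assets, rules, flows, CVSS values and the weighting factors are all constructed assumptions.

```python
from collections import defaultdict

UNTRUSTED_ZONES = {"internet", "partner"}   # topology assumption: zones we do not trust

# Constructed sample data: firewall rules (src_zone, asset, port, action), layer-7 flow
# records (src_zone, asset, port, app) and open vulnerabilities (asset, port, cvss).
RULES = [("internet", "web01", 443, "permit"), ("internet", "web01", 8080, "permit"),
         ("internet", "db01", 3306, "deny"), ("partner", "app01", 8443, "permit")]
FLOWS = [("internet", "web01", 443, "https"), ("internet", "web01", 443, "https"),
         ("partner", "app01", 8443, "https"), ("corp", "db01", 3306, "mysql")]
VULNS = [("web01", 443, 7.5), ("web01", 8080, 9.8), ("db01", 3306, 9.0), ("app01", 8443, 5.0)]

def exposed_ports(rules):
    """Configuration/topology indicator: ports a permit rule opens to an untrusted zone."""
    exposed = defaultdict(set)
    for src, asset, port, action in rules:
        if action == "permit" and src in UNTRUSTED_ZONES:
            exposed[asset].add(port)
    return exposed

def active_ports(flows):
    """Network-activity indicator: ports actually carrying traffic from untrusted zones."""
    active = defaultdict(set)
    for src, asset, port, _app in flows:
        if src in UNTRUSTED_ZONES:
            active[asset].add(port)
    return active

def risk_scores(vulns, rules, flows):
    """Worst CVSS per asset, x2 if the port is exposed by config, x1.5 more if traffic is seen."""
    exposed, active = exposed_ports(rules), active_ports(flows)
    scores = defaultdict(float)
    for asset, port, cvss in vulns:
        weight = 1.0
        if port in exposed[asset]:
            weight *= 2.0
            if port in active[asset]:
                weight *= 1.5          # weights are assumptions, tune to the environment
        scores[asset] = max(scores[asset], cvss * weight)
    return dict(scores)

def unused_permits(rules, flows):
    """Rule-effectiveness check: permits from untrusted zones no flow ever matched (alert)."""
    seen = {(src, asset, port) for src, asset, port, _app in flows}
    return [r for r in rules if r[3] == "permit" and r[0] in UNTRUSTED_ZONES and r[:3] not in seen]

def prioritize(vulns=VULNS, rules=RULES, flows=FLOWS):
    """Ranked answer to 'where should the next dollar go?': highest risk score first."""
    return sorted(risk_scores(vulns, rules, flows).items(), key=lambda kv: -kv[1])
```

With the sample data, web01 ranks first because its vulnerable port 443 is both reachable from the internet and actively in use, while db01's higher CVSS finding sits behind a deny rule; the unused 8080 permit is reported as a stale rule.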
5
Accuvant & Q1 Labs
Traditional SVARs: Technology Driven
Traditional Consulting: Audit/Compliance Driven
6
J.R. Cunningham, Accuvant
7
What is Continuous Monitoring?
“…determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time…” (NIST SP 800-37)
8
Why is Continuous Monitoring Critical? (Beyond the Obvious Answer – “It’s Required”)
• Intelligent Cyber Security – applying countermeasures only to the systems needing those controls
• Threat Intelligence – understanding as much about the enemy and threat vectors as possible
• Acquisition excellence – find the “big ROI”
• Situational Awareness – decision superiority delivered with “speed of need”
“If an agency has $1 to spend today, where should they spend it and why?”
9
Continuous Monitoring and Situational Awareness
Threats: Malware, Insider Threat, Device/Data Theft, Leakage, DDoS, Espionage
Countermeasures: Endpoint Protection, Network Defenses, Encryption, DLP, SIEM, RBAC
Situational Awareness
10
Choosing Meaningful Metrics
Data sources: Organizational Data; Vulnerability & Patch Management; Software & Data Asset Management; Network & Configuration Management; Compliance & Audit Management; Security Information & Event Management
• Accurate
• Repeatable
• Potential for Risk Relevance (either alone or with other data)
• Should be known in industry
• Not Necessarily Actionable
• Can sometimes validate or invalidate other data
11
Industry Standard Metrics (measurablesecurity.mitre.org)
12
Finding the Risk Relevant Data
Data sources: Organizational Data; Vulnerability & Patch Management; Software & Data Asset Management; Network & Configuration Management; Compliance & Audit Management; Security Information & Event Management
Risk Relevant Data
• Some level of aggregation
• Also a repeatable process
• Begins to inform SA
• Not necessarily actionable
• Centrally managed
13
Security Intelligence Across the Infrastructure – Anomaly Detection
14
Squelching the Noise
15
Informative and Actionable Output
16
Pre-built NIST reporting
17
Risk Based Decisions
* NIST SP 800-39
18
What to do next?
• Watch our recent webcasts: http://q1labs.com/resource-center/media-center.aspx
• Download the “Gartner SIEM Critical Capabilities” report: http://q1labs.com/resource-center/analyst-reports/details.aspx?id=17
• Download the “Continuous Monitoring for Government Agencies” paper: http://q1labs.com/resource-center/white-papers/details.aspx?id=137
• Read our blog: http://blog.q1labs.com/
• Follow us on Twitter: @q1labs @ibmsecurity