Evidence-Based Risk Management
Wade Baker, Verizon RISK Team
My favorite (professional) topics
• Security incidents (as in studying them – not experiencing them)
• Information sharing (specifically incident-related info)
• Data analysis (how else will we learn?)
• Risk management (but not the ‘yellow x red = orange’ kind)
Data Breach Investigations Report (DBIR) series
An ongoing study into the world of cybercrime that
analyzes forensic evidence to uncover how sensitive data is
stolen from organizations, who’s doing it, why they’re
doing it, and, of course, what might be done to prevent it.
2012 DBIR Contributors
Methodology: Data Collection and Analysis
VERIS: https://verisframework.wiki.zoho.com/
• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
• Enables case data to be shared anonymously to RISK Team for analysis
VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
Sharing incident information
TACTICAL: What point solutions should I implement now? ✔*
STRATEGIC: How do I measure & manage risk over time? X
Unpacking the 2012 DBIR: An overview of our results and analysis
Sample characteristics
• 855 incidents of confirmed data compromise
• 174 million stolen data records
• All varieties of data included (CC#s, PII, IP, etc.)
• Victims of all industries, sizes, geographic regions
• Cases worked by Verizon, investigated by law enforcement, or reported to (Irish) CERT
Threat Agents
Threat Agents: Larger Orgs
Threat Agents: IP & classified data
[Chart values as extracted from the slide: External 92%, Internal 49%, Partner 2%]
Threat Agents: External
Threat Actions
Threat Actions: Larger Orgs
Threat Actions: IP & classified data
[Chart values as extracted from the slide, in the order shown: Malware 38%, Hacking 51%, Social 48%, Misuse 57%, Physical 0%, Error 2%, Environmental 0%]
Top Threat Actions
Top Threat Actions: Larger Orgs
Top Threat Action Types: IP & classified data
Most Compromised Assets
Asset Ownership, Hosting, and Management
Compromised Data
Compromised Data
Smaller Orgs
Attack Difficulty
Attack Targeting
The 3-Day Workweek
Timespan of events
Timespan of events: Larger Orgs
Timespan: IP & classified data
                 Minutes   Hours   Days   Weeks   Months   Years
POE to Comp         10%      65%    10%     10%       3%      3%
Comp to Disc         0%      18%    21%     13%       7%     41%
Disc to Cont         0%       0%    16%     13%      71%      0%

POE = point of entry; Comp = compromise; Disc = discovery; Cont = containment. Each row gives the share of cases whose elapsed time falls in that unit (rows sum to 100%, allowing for rounding).
Breach Discovery
Breach Discovery
Recommendations: Larger Orgs
Evidence-Based Risk Management: What is it, and what does it look like?
What is EBRM?
EBRM aims to apply the best available evidence gained from empirical research to
measure and manage information risk.
Measuring and managing information risk
To properly manage risk, we must measure it.
To properly measure risk, we must understand our information assets, the threats that can harm
them, the impact of such events, and the controls
that offer protection.
A threat event that is measurable (and thus manageable) identifies the following 4 A's:
Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
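Added example, not code from the slide deck and not the VERIS schema or any Verizon tooling: a simplified, VERIS-like incident record carrying the four A's plus a timeline, and the tallies that produce the two kinds of figure shown in this deck: per-category percentages (which can sum past 100% because one incident may involve several agents or several actions, as the Threat Agents chart above does) and the timespan table (POE to Comp, Comp to Disc, Disc to Cont). Field names, the four constructed sample incidents, and the unit thresholds in bucket_seconds are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Category vocabularies taken from the slides; the record layout itself is an
# assumption for this example, not the VERIS JSON schema.
AGENTS = ("External", "Internal", "Partner")
ACTIONS = ("Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental")
UNITS = ("Minutes", "Hours", "Days", "Weeks", "Months", "Years")
PHASES = (("POE to Comp", "entry", "compromise"),
          ("Comp to Disc", "compromise", "discovery"),
          ("Disc to Cont", "discovery", "containment"))


def bucket_seconds(secs: float) -> str:
    """Map an elapsed time in seconds to the coarse unit used by the timespan table.
    Thresholds (1 h, 1 d, 7 d, 30 d, 365 d) are this example's assumption."""
    if secs < 3600:
        return "Minutes"
    if secs < 86400:
        return "Hours"
    if secs < 7 * 86400:
        return "Days"
    if secs < 30 * 86400:
        return "Weeks"
    if secs < 365 * 86400:
        return "Months"
    return "Years"


def share(incidents, field, categories=None):
    """Percent of incidents in which each category of `field` appears.
    Fields are sets, so one incident can count toward several categories and the
    percentages need not sum to 100."""
    if categories is None:
        categories = sorted({c for i in incidents for c in i[field]})
    n = len(incidents)
    return {c: round(100 * sum(1 for i in incidents if c in i[field]) / n) for c in categories}


def timespan_table(incidents):
    """For each phase, the percent of incidents whose elapsed time falls in each unit."""
    table = {}
    for phase, start, end in PHASES:
        counts = Counter(bucket_seconds((i["timeline"][end] - i["timeline"][start]).total_seconds())
                         for i in incidents)
        table[phase] = {u: round(100 * counts[u] / len(incidents)) for u in UNITS}
    return table


def T(s):
    return datetime.fromisoformat(s)


# Constructed sample incidents (not DBIR data).
SAMPLE_INCIDENTS = [
    {"agent": {"External"}, "action": {"Hacking", "Malware"},          # web app breach
     "asset": {"Web server", "Database"}, "attribute": {"Confidentiality"},
     "timeline": {"entry": T("2012-01-10T02:00"), "compromise": T("2012-01-10T05:00"),
                  "discovery": T("2012-04-20T09:00"), "containment": T("2012-04-22T17:00")}},
    {"agent": {"Internal"}, "action": {"Misuse"},                      # insider data theft
     "asset": {"File server"}, "attribute": {"Confidentiality"},
     "timeline": {"entry": T("2012-03-01T09:00"), "compromise": T("2012-03-01T09:10"),
                  "discovery": T("2012-03-15T10:00"), "containment": T("2012-03-15T12:00")}},
    {"agent": {"External", "Internal"}, "action": {"Social", "Misuse"},  # outsider recruits insider
     "asset": {"Document repository"}, "attribute": {"Confidentiality"},
     "timeline": {"entry": T("2012-05-02T08:00"), "compromise": T("2012-05-03T08:00"),
                  "discovery": T("2013-06-01T08:00"), "containment": T("2013-06-05T08:00")}},
    {"agent": {"Partner"}, "action": {"Error"},                        # vendor misconfiguration
     "asset": {"Backup tape"}, "attribute": {"Confidentiality"},
     "timeline": {"entry": T("2012-07-01T10:00"), "compromise": T("2012-07-01T10:30"),
                  "discovery": T("2012-07-01T14:00"), "containment": T("2012-07-01T15:00")}},
]

if __name__ == "__main__":
    print("Threat agents:", share(SAMPLE_INCIDENTS, "agent", AGENTS))
    print("Threat actions:", share(SAMPLE_INCIDENTS, "action", ACTIONS))
    print(f"{'':14}" + "".join(f"{u:>9}" for u in UNITS))
    for phase, row in timespan_table(SAMPLE_INCIDENTS).items():
        print(f"{phase:14}" + "".join(f"{row[u]:>8}%" for u in UNITS))
```

The agent tally for the sample comes out External 50%, Internal 50%, Partner 25% (125% in total) because the third incident has both an external and an internal agent; that is the same reason the slide's own External/Internal/Partner figures exceed 100%, and it is why any metric built from these categories must be read as "share of incidents involving X", not as a partition.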
evidence?
Data Breach Investigations Report (DBIR) series
= evidence for measuring and managing risk
Diagnose Ailments
✔ Treatment strategy: ✔ Policy ✔ People ✔ Process ✔ Technology
Evidence-Based Risk Management
What are the benefits of EBRM?
• Metrics – Builds outcome-based metrics around security processes and failures in order to get a better read on the security pulse of the organization.
• Remediation – Strengthens security posture by identifying gaps, pinpointing the most critical remediation strategies, and focusing longer-term strategic planning.
• Efficiency – Enables better and more justified decision-making, improves resource allocation, reduces unproductive security spending, and generally achieves “more bang for the buck.”
• Communication – Increases information flows across organizational and functional boundaries. Creates and communicates ongoing performance measures to key stakeholders.
DBIR: www.verizon.com/enterprise/databreach
VERIS: https://verisframework.wiki.zoho.com/
Blog: http://www.verizon.com/enterprise/securityblog
Email: [email protected]