Measurable Security at ISACA Annual Conference 2012
TRANSCRIPT
Measurable Security: Setting the benchmark for continual improvement
Shomiron Das Gupta, Founder, NetMonastery NSPL
The Perfect Backdrop
- 14,000 Athletes
- 205 Olympic Teams
- 26 Sports in 39 Disciplines
- Lifetime of dreams, years of effort, just for that moment of glory
- So how does it feel to be the best in the world?
The Sports Eval. System
Besides the dream our athletes are chasing, the London Olympics 2012 also becomes the theme of this talk!
Competition: A Culture
Some questions
- Why do we compete?
- Why do we want to assess our performance every time?
- Does this process help us improve?
- Are we able to set higher benchmarks for next time?
Some probable answers
We compete to measure ourselves, to evaluate our performance against the rest.
Measurability: A Process
• Essential to identify each system that needs to be measured and improved over time
• Once identified, a data collection process needs to be implemented
• Evaluation and constant tracking of the information is key to setting benchmarks
• Finally, a rank / percentage / number against each essential process is what is required
What we cannot measure, we cannot improve
Conclusion No. 1
Few Grey Areas: Attention!
• Vulnerability Assessment
  – I already have vulnerability assessment systems
  – Am I able to review the current risk we are running?
• Attack Detection
  – How secure are we? Do we have a number?
  – What percentage of attacks can we detect?
• Incident Handling
  – Can my team detect attacks effectively?
  – Are they able to respond in real-time?
Case Study: Attack Detection
Scenario
- I have everything: Intrusion Prevention, SIEM, WAF, the works
- I have application security consulting and my team deploys secure coding practices
Realization
- I may be able to prevent attacks, but are we able to detect them?
- How do I know if my systems are able to detect all the attacks?
Talk: Application Security
• Microsoft – No more vulnerabilities
  – Where are those “heaps” of buffer overflows?
  – Next-gen attacks hit only the applications
  – You and I have made these apps
• Safe Applications – Tested
  – Good coding practices have been adopted
  – Applications are tested thoroughly
• No Attack Detection from Apps
  – Apps notify exceptions to the app owners
  – Apps provide no detection information
Attack detection is not possible without help from the Application
Conclusion No. 2
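The slide's point is that an application already knows when it has rejected a request, but that knowledge usually dies as an exception reported to the app owner. The sketch below, added here as an example and not code from the talk or from NetMonastery, shows the alternative: the same rejection becomes a structured, countable security event on a log stream that the monitoring stack can correlate. The rule labels, the event schema, the application name and the sample requests are constructed for illustration.

```python
"""Application-side detection signal.

An application normally turns a rejected input into an exception that is
reported to the app owner; nobody counts those.  This sketch turns the same
rejection into a structured security event on a JSON-lines log that a SIEM
can correlate and score.  Added example, not code from the talk or from
NetMonastery; rule labels, event schema and sample requests are constructed."""
import json
import re
import time

# Constructed classification rules: a label the event carries plus a pattern
# a legitimate value for this field should never contain.  They label the
# rejection so it can be scored later; they are not a substitute for a WAF.
RULES = [
    ("sql-injection-attempt",
     re.compile(r"('\s*(or|and)\b|--|;|\bunion\b\s+\bselect\b)", re.I)),
    ("path-traversal-attempt", re.compile(r"\.\.[/\\]")),
]
# What the search parameter is allowed to look like (constructed policy).
ALLOWED = re.compile(r"^[\w\s\-]{1,64}$")


def classify(value):
    """Return the rule label matching a rejected value, or 'malformed-input'."""
    for label, pattern in RULES:
        if pattern.search(value):
            return label
    return "malformed-input"


def security_event(app, field, value, request):
    """Build the detection record.  Evidence is truncated so a hostile value
    cannot bloat the log; the raw request is never copied wholesale."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "app": app,
        "event": "input_rejected",
        "category": classify(value),
        "field": field,
        "evidence": value[:200],
        "src_ip": request.get("src_ip", "unknown"),
        "user": request.get("user", "anonymous"),
    }


def handle_search(request, sink=None):
    """Validate the 'q' parameter.  On failure, emit one JSON-lines event to
    `sink` (a file-like object, if given) and return a rejection instead of
    raising an exception that only the app owner would ever see."""
    q = request.get("q", "")
    if ALLOWED.fullmatch(q):
        return {"status": "ok", "results": f"results for {q!r}"}, None
    event = security_event("catalogue-web", "q", q, request)  # constructed app name
    if sink is not None:
        sink.write(json.dumps(event) + "\n")
    return {"status": "rejected"}, event


if __name__ == "__main__":
    import io
    log = io.StringIO()
    # Constructed requests: one normal, two that should produce events.
    for req in ({"q": "london 2012", "src_ip": "198.51.100.7", "user": "alice"},
                {"q": "x' OR 1=1 --", "src_ip": "203.0.113.9"},
                {"q": "../../etc/passwd", "src_ip": "203.0.113.9"}):
        print(handle_search(req, log)[0])
    print(log.getvalue())
```

The event carries a category label precisely so that, once a drill exercises a pattern such as Blind SQL Injection, the count of `input_rejected` events with that category is the number the next slide asks for.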
Measuring Detection Capability
SCORE LINE: 201 of 420
CAPEC – Blind SQL Injection
Assurance fails without comprehensiveness
Conclusion No. 3
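The score line above is a count of attack patterns detected out of patterns exercised. The code below, added here as an example and not code from the talk or from NetMonastery, produces that line from drill results, breaks it down per attack category so that blind spots stand out (the "number against each essential process" from Conclusion No. 1), and compares two drills so that a rising total cannot hide a pattern that was detected last time and is missed now. The CAPEC identifiers are from the public CAPEC catalogue; the drill results, categories and previous-drill benchmark are constructed.

```python
"""Detection-coverage scorecard.

Turns the results of a detection drill into the score line shown on the
slide ("201 of 420"), breaks it down per attack category so blind spots
stand out, and compares two drills so the benchmark can be raised next
time.  Added example, not code from the talk or from NetMonastery.  CAPEC
identifiers are from the public catalogue (https://capec.mitre.org/); the
drill results below are constructed, not real measurements."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DrillCase:
    capec_id: str   # attack pattern exercised during the drill
    name: str       # pattern name as listed in CAPEC
    category: str   # coarse grouping used for the per-process number
    detected: bool  # did the monitoring stack raise an alert for it?


# Constructed results of the current drill.
CURRENT_DRILL = [
    DrillCase("CAPEC-7",   "Blind SQL Injection",              "Injection",      False),
    DrillCase("CAPEC-66",  "SQL Injection",                    "Injection",      True),
    DrillCase("CAPEC-88",  "OS Command Injection",             "Injection",      True),
    DrillCase("CAPEC-63",  "Cross-Site Scripting (XSS)",       "Injection",      True),
    DrillCase("CAPEC-100", "Overflow Buffers",                 "Memory",         True),
    DrillCase("CAPEC-16",  "Dictionary-based Password Attack", "Authentication", True),
    DrillCase("CAPEC-49",  "Password Brute Forcing",           "Authentication", False),
    DrillCase("CAPEC-593", "Session Hijacking",                "Session",        False),
    DrillCase("CAPEC-62",  "Cross Site Request Forgery",       "Session",        False),
    DrillCase("CAPEC-126", "Path Traversal",                   "File access",    True),
]

# Constructed results of the previous drill (capec_id -> detected), the
# benchmark to beat.  CAPEC-7 was not exercised last time.
PREVIOUS_DRILL = {"CAPEC-66": True, "CAPEC-88": False, "CAPEC-63": True,
                  "CAPEC-100": True, "CAPEC-16": True, "CAPEC-49": False,
                  "CAPEC-593": True, "CAPEC-62": False, "CAPEC-126": True}


def score_line(cases):
    """Overall result in the slide's form: (detected, total)."""
    return sum(1 for c in cases if c.detected), len(cases)


def coverage_by_category(cases):
    """Category -> (detected, total): the number against each essential process."""
    tally = defaultdict(lambda: [0, 0])
    for c in cases:
        tally[c.category][1] += 1
        tally[c.category][0] += 1 if c.detected else 0
    return {cat: tuple(v) for cat, v in tally.items()}


def blind_spots(cases, threshold=0.5):
    """Categories whose detection rate is below the threshold, worst first."""
    weak = [(cat, d / t) for cat, (d, t) in coverage_by_category(cases).items()
            if d / t < threshold]
    return sorted(weak, key=lambda item: item[1])


def regressions(previous, cases):
    """Patterns detected in the previous drill but missed now.  A rising
    score line can hide these, so they are reported separately."""
    return [c.capec_id for c in cases
            if previous.get(c.capec_id) is True and not c.detected]


def newly_covered(previous, cases):
    """Patterns detected now that were missed, or not exercised, last time."""
    return [c.capec_id for c in cases
            if c.detected and previous.get(c.capec_id) is not True]


def report(previous, cases):
    """Plain-text scorecard suitable for a drill debrief."""
    d, t = score_line(cases)
    lines = [f"SCORE LINE  {d} of {t}  ({100 * d / t:.0f}% of exercised patterns)"]
    for cat, (cd, ct) in sorted(coverage_by_category(cases).items()):
        lines.append(f"  {cat:<15}{cd}/{ct}")
    lines.append("Blind spots:  " + ", ".join(cat for cat, _ in blind_spots(cases)))
    lines.append("Regressions:  " + ", ".join(regressions(previous, cases)))
    lines.append("New coverage: " + ", ".join(newly_covered(previous, cases)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PREVIOUS_DRILL, CURRENT_DRILL))
```

The per-category breakdown is what makes the score actionable: a total of 6 of 10 looks tolerable until the Session row shows 0 of 2, and the regression list catches the one pattern that was covered last drill and is not now.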
Other Issues: Incident Handling
Procedures: Most organizations have invested in developing their incident handling processes and procedures.
Capability: We have built our security operations, but how can we assess the capability of the members of this team?
Preparedness: Being available and awake is the first step, but delivering the correct attack analysis at 3 am is the challenge.
Measurability: How do we check the preparedness of my team and their capability to consistently deliver the correct analysis?
We have it, we just need to measure its efficiency.
Not My Solution: Pointers!
CAPEC: A comprehensive list of all the different attacks that exist, which can be used to measure the capability of your detection system.
CWE: Common Weakness Enumeration, already being used by the software industry for better coding practices.
SCAP: Security Content Automation Protocol, a family of tools that helps bring together various aspects of security monitoring.
Cyber Drills: CERT-In conducts cyber drills to evaluate the detection capability and response systems of participating teams.
Greener pastures for the Consulting Industry!
In the Quest for Being No. 1
Best Wishes from All of Us!
THANK YOU!! Shomiron Das Gupta
http://in.linkedin.com/in/shomiron