Measurable Security at ISACA Annual Conference 2012

Upload: shomiron-das-gupta

Post on 12-Jul-2015


Page 1: Measurable Security at ISACA Annual Conference 2012

Measurable Security: Setting the benchmark for continual improvement

Shomiron Das Gupta, Founder, NetMonastery NSPL

Page 2: The Perfect Backdrop

- 14,000 Athletes
- 205 Olympic Teams
- 26 Sports in 39 Disciplines
- Lifetime of dreams, years of effort, just for that moment of glory
- So how does it feel to be the best in the world?

The Sports Eval. System

Besides the dream our athletes are chasing, the London Olympics 2012 also becomes the theme of this talk!

Page 3: Competition: A Culture

Some questions

- Why do we compete?
- Why do we want to assess our performance every time?
- Does this process help us improve?
- Are we able to set a higher benchmark for next time?

Some probable answers

We compete to measure ourselves, to evaluate our performance against the rest.

Page 4: Measurability: A Process

- It is essential to identify each system that needs to be measured and improved over time.
- Once identified, a data collection process needs to be implemented.
- Evaluation and constant tracking of the information is key to setting benchmarks.
- Finally, a rank / percentage / number against each essential process is what is required.

Page 5: Conclusion No. 1

What we cannot measure, we cannot improve.

Page 6: Few Grey Areas: Attention!

- Vulnerability Assessment
  - I already have vulnerability assessment systems
  - Am I able to review the current risk we are running?
- Attack Detection
  - How secure are we? Do we have a number?
  - What percentage of attacks can we detect?
- Incident Handling
  - Can my team detect attacks effectively?
  - Are they able to respond in real time?

Page 7: Case Study: Attack Detection

Scenario

- I have everything: Intrusion Prevention, SIEM, WAF, the works
- I have application security consulting and my team deploys secure coding practices

Realization

- I may be able to prevent attacks, but are we able to detect them?
- How do I know if my systems are able to detect all the attacks?

Page 8: Talk: Application Security

- Microsoft: no more vulnerabilities
  - Where are those “heaps” of buffer overflows?
  - Next-gen attacks hit only the applications
  - You and I have made these apps
- Safe Applications: Tested
  - Good coding practices have been adopted
  - Applications are tested thoroughly
- No Attack Detection from Apps
  - Apps notify exceptions to the app owners
  - Apps provide no detection information

Page 9: Conclusion No. 2

Attack detection is not possible without help from the application.

Page 10: Measuring Detection Capability

Score line: 201 of 420

Page 11: CAPEC – Blind SQL Injection

Page 12: Conclusion No. 3

Assurance fails without comprehensiveness.

Page 13: Other Issues: Incident Handling

Procedures: Most organizations have invested in developing their incident handling processes and procedures.

Capability: We have built our security operations, but how can we assess the capability of the members of this team?

Preparedness: Being available and awake is the first step, but delivering the correct attack analysis at 3 am is the challenge.

Measurability: How do we check the preparedness of my team and their capability to consistently deliver the correct analysis?

We have it, we just need to measure its efficiency.

Page 14: Not My Solution: Pointers!

CAPEC: A comprehensive list of all the different attacks that exist can be used to measure the capability of your detection system.

CWE: Common Weakness Enumeration is already being used by the software industry for better coding practices.

SCAP: Security Content Automation Protocol is a family of tools that helps bring together various aspects of security monitoring.

Cyber Drills: CERT-In conducts cyber drills to evaluate the detection capability and response systems of participating teams.

Greener pastures for the Consulting Industry!
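The following is an added worked example, not code from the deck or from NetMonastery, showing the four-step measurement process from page 4 (identify, collect, evaluate and track, rank) applied to detection capability as pages 10 and 14 describe it: score each drill run against a complete attack-pattern catalogue, break the score down by category, flag the misses that only the application can close (Conclusion No. 2), and track the benchmark between runs. The catalogue entries (AP-001 and so on), categories, and drill results are constructed sample data, standing in for a real list such as CAPEC and for real drill records.

```python
"""Detection-coverage scoreboard (added illustration of the deck's measurement
process). The catalogue and drill results are constructed sample data, not real
CAPEC entries or real detections."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AttackPattern:
    pattern_id: str          # catalogue identifier (constructed, e.g. "AP-001")
    name: str
    category: str            # constructed grouping: injection, auth, network, application
    needs_app_signal: bool   # True when only the application itself can observe the attack


# Step 1: identify what must be measured. A constructed catalogue stands in for
# a comprehensive attack-pattern list such as CAPEC.
CATALOGUE: List[AttackPattern] = [
    AttackPattern("AP-001", "Blind SQL injection", "injection", True),
    AttackPattern("AP-002", "Reflected cross-site scripting", "injection", True),
    AttackPattern("AP-003", "Credential stuffing", "auth", True),
    AttackPattern("AP-004", "Port scan", "network", False),
    AttackPattern("AP-005", "Brute-force SSH login", "network", False),
    AttackPattern("AP-006", "Business-logic abuse (price tampering)", "application", True),
]

# Step 2: data collection. Each drill run records, per pattern, whether the
# monitoring stack raised an alert when that pattern was exercised (constructed).
DRILL_RUNS: Dict[str, Dict[str, bool]] = {
    "2012-Q1": {"AP-001": False, "AP-002": False, "AP-003": False,
                "AP-004": True, "AP-005": True, "AP-006": False},
    "2012-Q2": {"AP-001": True, "AP-002": False, "AP-003": True,
                "AP-004": True, "AP-005": True, "AP-006": False},
}


def score_line(results: Dict[str, bool], catalogue: Iterable[AttackPattern]) -> Tuple[int, int]:
    """Steps 3 and 4: the headline 'detected of total' number, counted against the
    whole catalogue so that a pattern that was never exercised counts as a miss."""
    patterns = list(catalogue)
    detected = sum(1 for p in patterns if results.get(p.pattern_id, False))
    return detected, len(patterns)


def coverage_by_category(results: Dict[str, bool],
                         catalogue: Iterable[AttackPattern]) -> Dict[str, Tuple[int, int]]:
    """Per-category breakdown: shows where the gaps are, not just the total."""
    tally: Dict[str, List[int]] = {}
    for p in catalogue:
        detected, total = tally.setdefault(p.category, [0, 0])
        tally[p.category] = [detected + int(results.get(p.pattern_id, False)), total + 1]
    return {cat: (v[0], v[1]) for cat, v in tally.items()}


def undetected_needing_app_signal(results: Dict[str, bool],
                                  catalogue: Iterable[AttackPattern]) -> List[str]:
    """Misses that no network-layer device can close: the application must emit
    the detection signal itself (the deck's Conclusion No. 2)."""
    return [p.pattern_id for p in catalogue
            if p.needs_app_signal and not results.get(p.pattern_id, False)]


def benchmark_delta(prev: Dict[str, bool], curr: Dict[str, bool],
                    catalogue: Iterable[AttackPattern]) -> Dict[str, List[str]]:
    """Track the benchmark between two runs: patterns gained and patterns regressed."""
    patterns = list(catalogue)
    gained = [p.pattern_id for p in patterns
              if curr.get(p.pattern_id, False) and not prev.get(p.pattern_id, False)]
    regressed = [p.pattern_id for p in patterns
                 if prev.get(p.pattern_id, False) and not curr.get(p.pattern_id, False)]
    return {"gained": gained, "regressed": regressed}


if __name__ == "__main__":
    for run, results in DRILL_RUNS.items():
        d, t = score_line(results, CATALOGUE)
        print(f"{run}: score line {d} of {t} ({100 * d / t:.0f}%)")
        for cat, (cd, ct) in coverage_by_category(results, CATALOGUE).items():
            print(f"  {cat:12s} {cd}/{ct}")
        print("  undetected, need app-level signal:",
              undetected_needing_app_signal(results, CATALOGUE))
    print("Q1 -> Q2:", benchmark_delta(DRILL_RUNS["2012-Q1"], DRILL_RUNS["2012-Q2"], CATALOGUE))
```

Counting against the full catalogue rather than against the patterns a drill happened to exercise is what keeps the score honest: a pattern nobody tested is a gap in assurance, not a detection, which is the point of Conclusion No. 3. The regression list is the part most teams skip; a rule tuned away to reduce noise can silently move the score line backwards.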

Page 15: In the Quest for Being No. 1

Best Wishes from All of Us!

Page 16: THANK YOU!!

Shomiron Das Gupta

http://in.linkedin.com/in/shomiron