Practical Measures for Measuring Security
DESCRIPTION
Security is often a frustrating field for business and IT decision makers. It can be difficult to quantify, difficult to gain visibility into, and difficult to know when you have "enough". Do you really need that latest threat feed subscription or state-of-the-art malware protection device? Do you need to add another security analyst to your team? And if so, how can you understand, in business terms, the value these investments bring to the business? This session will explore practical methods for the application of metrics in security to support business decision making, and provide a framework to implement straightforward security metrics, whether inside your wall or at a service provider.
TRANSCRIPT
CHRIS MULLINS
PRACTICAL MEASURES FOR MEASURING SECURITY
TUESDAY, 3:55PM
WELCOME TO SECURE360 2012
Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance.
Please complete the Session Survey front and back (this is Room 7), and leave on your seat.
Note: “Session” is Tuesday or Wednesday
Are you tweeting? #Sec360
AGENDA
Are you Ready?
The Problem of Measuring Security
Metric Myths
Characteristics of Effective Metrics
Defining Your Metrics
The Process of Measurement
Sample Metrics
Implementing Metrics
Presenting Metrics
A Mature Metrics Program
Page 3
WHY HAVEN’T YOU SOLVED THIS YET?
Is the Organization ready?
What’s the Tone from the Top?
Is Security someone's Job?
Do you have Policy in place?
Are resources allocated to identify and detect issues?
Are resources allocated to remediate issues?
Are you Level 4?
Page 4
TYPICAL PROBLEMS OF MEASURING SECURITY
Risk is difficult to define precisely
Attack Surface
Current Environment
Asset Value
Measures not linked to action
Measures often focus on outcomes
Page 6
METRIC MYTHS
7 Myths that hold people back 92.467% of the time.
1. Metrics must be Objective and Tangible
2. Metrics must have discrete values
3. Metrics must be absolute
4. Metrics are costly
5. You can’t manage what you can’t measure
6. It’s essential to measure outcomes
7. You need precise, accurate data
Page 7
CHARACTERISTICS OF A GOOD METRIC
(This is probably NOT a good example)
Attackability Computation (from "An Attack Surface Metric", Carnegie Mellon University, 2005)
Page 8
CHARACTERISTICS OF A GOOD METRIC
1. Directly Relates to an objective
2. Should have a logical stakeholder
3. Collection should be inexpensive, simple and standardized
4. Should have a resolution appropriate for maturity
5. Should be phase appropriate
6. Should have applicability defined
7. Should have an indicated action
Page 9
DEFINING YOUR METRICS
Page 10
DEVELOPING YOUR METRICS
Metrics Relating to Security Controls
1. Should map directly to a defined control
2. Use data describing the security control’s implementation to generate required measures
3. Characterize the measure as applicable to system categorization (low, med, high)
Page 11
DEVELOPING YOUR METRICS
Metrics Relating to Security Program Performance
1. Map to InfoSec Goals & Objectives that encompass performance
2. Use the data describing the information security program performance to generate required measures
Page 12
NOW THAT YOU HAVE YOUR METRICS
On your Mark, get Set…
Document in a standard format (see NIST 800-55 for an excellent template)
Prioritize and Select
Establish Performance Targets
Evaluate Metric performance and relevance periodically, incorporate feedback
Page 13
SAMPLE METRICS
• Percentage of the agency’s information system budget devoted to information security
• Percentage of “high” vulnerabilities mitigated within defined time periods after discovery
• Percentage of remote access points used to gain unauthorized access
• Percentage of information system security personnel that have received security training
• Average frequency of audit records review and analysis for inappropriate activity
Page 14
SAMPLE METRICS (CONTINUED)
• Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation
• Percentage approved and implemented configuration changes identified in the latest automated baseline configuration
• Percentage of information systems that have conducted annual contingency plan testing
• Percentage of users with access to shared accounts
Page 15
SAMPLE METRICS (CONTINUED)
• Percentage of incidents reported within required time frame per applicable incident category
• Percentage of system components that undergo maintenance in accordance with formal maintenance schedules
• Percentage of media that passes sanitization procedures
• Percentage of physical security incidents allowing unauthorized entry into facilities containing information systems
Page 16
SAMPLE METRICS (CONTINUED)
• Percentage of employees who are authorized to access information systems only after they sign an acknowledgement that they have read and understood rules of behavior
• Percentage of individuals screened before being granted access to organizational information and information systems
• Percentage of vulnerabilities remediated within organization-specified time frames
Page 17
SAMPLE METRICS (CONTINUED)
• Percentage of system and service acquisition contracts that include security requirements and/or specifications
• Percentage of mobile devices that meet approved cryptographic policies
• Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated
Page 18
IMPLEMENTING METRICS
Page 19
EXAMPLE: A METRIC IN ACTION
Page 20
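The worked example on this slide did not survive extraction. As an added example that is not from the deck, the following computes one of the sample metrics listed earlier, "percentage of 'high' vulnerabilities mitigated within defined time periods after discovery", per system categorization (low/moderate/high) against a performance target, and attaches the indicated action a good metric should carry. The SLA windows, the 90% target and the findings are constructed assumptions, not figures from the talk.

```python
from collections import namedtuple
from datetime import date, timedelta

# Assumed remediation windows (days) per system categorization and an assumed
# target: sample policy values for this example, not figures from the deck.
SLA_DAYS = {"high": 30, "moderate": 60, "low": 90}
TARGET_PCT = 90.0
# One scanner finding: remediated is None while it is still open.
Vuln = namedtuple("Vuln", "vuln_id severity system_cat discovered remediated")

def mitigated_within_sla(vulns, as_of, severity="high"):
    """Per categorization: share of `severity` findings closed within SLA.
    Open findings count only once overdue (as a miss); open, not-yet-due
    findings are excluded, so the metric does not swing with scan timing."""
    results = {}
    for cat, window in SLA_DAYS.items():
        due = met = 0
        for v in vulns:
            if v.severity != severity or v.system_cat != cat:
                continue
            deadline = v.discovered + timedelta(days=window)
            if v.remediated is not None:
                due += 1
                met += int(v.remediated <= deadline)
            elif as_of > deadline:
                due += 1  # open and overdue: a miss
        pct = round(100.0 * met / due, 1) if due else None
        results[cat] = {"due": due, "met": met, "pct": pct}
    return results

def indicated_action(result):
    """A good metric carries an indicated action; map the value to one."""
    if result["pct"] is None:
        return "no data: confirm scanner coverage for this categorization"
    if result["pct"] >= TARGET_PCT:
        return "on target: no action"
    return "below target: review the remediation backlog with system owners"

# Constructed sample findings (not real data), measured as of 2012-06-01.
SAMPLE_VULNS = [
    Vuln("V1", "high", "high", date(2012, 4, 1), date(2012, 4, 20)),      # 19 days: met
    Vuln("V2", "high", "high", date(2012, 4, 1), date(2012, 5, 15)),      # 44 days: miss
    Vuln("V3", "high", "high", date(2012, 5, 20), None),                  # open, not yet due
    Vuln("V4", "high", "high", date(2012, 4, 15), None),                  # open, overdue: miss
    Vuln("V5", "high", "moderate", date(2012, 3, 1), date(2012, 4, 20)),  # 50 days: met
    Vuln("V6", "medium", "high", date(2012, 4, 1), None),                 # other severity: ignored
]

def sample_report(as_of=date(2012, 6, 1)):
    return {cat: dict(res, action=indicated_action(res))
            for cat, res in mitigated_within_sla(SAMPLE_VULNS, as_of).items()}
```

Note that the "low" categorization returns no value rather than 0% or 100%: an empty denominator is a coverage question for the stakeholder, not a result.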
PRESENTING METRICS
Do you REALLY have to use Excel?
Page 21
WHEN YOU GET BACK TO THE OFFICE ON MONDAY:
1. Are you ready?
2. Engage Stakeholders
3. Identify Your Metrics - Leverage CIS, NIST 800-55
4. Automate collection & reporting
5. Act on what you find
6. Make it look good!
7. Document the value
8. Re-evaluate periodically
Page 22
REFERENCES / CREDITS
CMMI: http://www.sei.cmu.edu/cmmi/
http://www.noticebored.com/html/metrics.html
Center for Internet Security Consensus Security Metrics: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics
NIST 800-55: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
http://www.geckoboard.com/
Page 23