Evidence-Based Risk Management

Post on 27-Jan-2015



description

Wade Baker of the Verizon RISK Team gave this presentation at the NESCO Town Hall on May 30-31 in New Orleans, LA. Wade covered sharing incident information and threat agents, along with a clear explanation of what evidence-based risk management is and what it looks like in practice.

transcript

Evidence-Based Risk Management

Wade Baker, Verizon RISK Team

My favorite (professional) topics

• Security incidents (as in studying them – not experiencing them)
• Information sharing (specifically incident-related info)
• Data analysis (how else will we learn?)
• Risk management (but not the ‘yellow x red = orange’ kind)

Data Breach Investigations Report (DBIR) series

An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.

2012 DBIR Contributors

Methodology: Data Collection and Analysis

VERIS: https://verisframework.wiki.zoho.com/

• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.

• Enables case data to be shared anonymously to RISK Team for analysis

VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

Sharing incident information

TACTICAL – What point solutions should I implement now? ✔*

STRATEGIC – How do I measure & manage risk over time? X

Unpacking the 2012 DBIR: An overview of our results and analysis

Sample characteristics

• 855 incidents of confirmed data compromise
• 174 million stolen data records
• All varieties of data included (CC#s, PII, IP, etc)
• Victims of all industries, sizes, geographic regions
• Cases worked by Verizon, investigated by law enforcement, or reported to (Irish) CERT

Threat Agents

Threat Agents: Larger Orgs

Threat Agents: IP & classified data (chart; percent of incidents involving each agent: External 92%, Internal 49%, Partner 2%)

Threat Agents: External

Threat Actions

Threat Actions: Larger Orgs

Threat Actions: IP & classified data (chart; percent of incidents involving each action category: Malware 38%, Hacking 51%, Social 48%, Misuse 57%, Physical 0%, Error 2%, Environmental 0%)

Top Threat Actions

Top Threat Actions: Larger Orgs

Top Threat Action Types: IP & classified data

Most Compromised Assets

Asset Ownership, Hosting, and Management

Compromised Data

Compromised Data

Smaller Orgs

Attack Difficulty

Attack Targeting

The 3-Day Workweek

Timespan of events

Timespan of events: Larger Orgs

Timespan: IP & classified data

                Minutes   Hours   Days   Weeks   Months   Years
POE to Comp         10%     65%    10%     10%       3%      3%
Comp to Disc         0%     18%    21%     13%       7%     41%
Disc to Cont         0%      0%    16%     13%      71%      0%

(POE to Comp = point of entry to compromise; Comp to Disc = compromise to discovery; Disc to Cont = discovery to containment)

Breach Discovery

Breach Discovery

Recommendations: Larger Orgs

Evidence-Based Risk Management: What is it, and what does it look like?

What is EBRM?

EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk.

Measuring and managing information risk

To properly manage risk, we must measure it.

To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.

A threat event that is measurable (and thus manageable) identifies the following 4 A’s:

Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
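The slides describe incidents recorded in VERIS terms (the 4 A’s plus a timeline) and then show what falls out when many such records are aggregated: the share of incidents involving each agent or action category, the same shares for a data-type slice such as IP & classified data, and the timespan buckets of the table above. The script below is an added example for this transcript, not Verizon’s or the VERIS project’s code. Its record layout is a simplified sketch modelled on the 4 A’s and is not the official VERIS JSON schema; the ten incidents are constructed sample data; and the bucket boundaries (under an hour, a day, a week, a 30-day month, a 365-day year) are assumptions about where the report draws its lines.

```python
"""Turn VERIS-style incident records into DBIR-style evidence.

Added example, not Verizon's or the VERIS project's code. Each record
carries the 4 A's (Agent, Action, Asset, Attribute) plus a timeline; this
field layout is a simplified sketch, NOT the official VERIS JSON schema.
All incidents below are constructed sample data.
"""
from collections import Counter

AGENTS = ("External", "Internal", "Partner")
ACTIONS = ("Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental")
MIN, HOUR, DAY = 60, 3600, 86400
# Exclusive upper bound, in seconds, of each timespan bucket (assumed boundaries).
BUCKETS = (("Minutes", HOUR), ("Hours", DAY), ("Days", 7 * DAY),
           ("Weeks", 30 * DAY), ("Months", 365 * DAY), ("Years", float("inf")))


def incident(agents, actions, data, poe_to_comp, comp_to_disc, disc_to_cont):
    """Build one record. A None duration means that phase is unknown."""
    return {
        "agents": set(agents),               # Agent: whose actions affected the asset
        "actions": set(actions),             # Action: what they did
        "assets": {"Server"},                # Asset: what was affected (constant here)
        "attributes": {"Confidentiality"},   # Attribute: how it was affected
        "data": set(data),                   # data varieties compromised
        "timeline": {"poe_to_comp": poe_to_comp,    # point of entry -> compromise
                     "comp_to_disc": comp_to_disc,  # compromise -> discovery
                     "disc_to_cont": disc_to_cont}, # discovery -> containment
    }


INCIDENTS = [  # constructed sample data, not DBIR data
    incident(["External"], ["Hacking", "Malware"], ["Payment"], 20 * MIN, 90 * DAY, 3 * DAY),
    incident(["External"], ["Hacking"], ["Payment"], 2 * HOUR, 400 * DAY, 10 * DAY),
    incident(["External", "Internal"], ["Misuse", "Hacking"], ["IP"], 3 * DAY, 20 * DAY, 2 * DAY),
    incident(["Internal"], ["Misuse"], ["IP"], 10 * MIN, 200 * DAY, None),
    incident(["External"], ["Social", "Malware"], ["PII"], 5 * HOUR, 40 * DAY, 45 * DAY),
    incident(["Partner"], ["Hacking"], ["Payment"], 10 * DAY, 500 * DAY, 12 * DAY),
    incident(["External"], ["Malware", "Hacking"], ["Credentials"], 50 * MIN, 5 * DAY, 1 * DAY),
    incident(["Internal"], ["Error"], ["PII"], 30, 2 * HOUR, 5 * HOUR),
    incident(["External"], ["Hacking", "Malware"], ["Payment"], 8 * HOUR, 60 * DAY, 8 * DAY),
    incident(["External", "Partner"], ["Hacking"], ["IP"], 3 * HOUR, 45 * DAY, 15 * DAY),
]


def share_involving(incidents, field, categories):
    """Percent of incidents that involve each category of `field`.

    One incident can involve several agents or actions (an outsider plus a
    colluding insider, hacking plus malware), so the shares are not a
    partition and need not sum to 100%; DBIR agent charts read that way too.
    """
    counts = Counter(c for inc in incidents for c in inc[field])
    return {c: round(100 * counts[c] / len(incidents)) for c in categories}


def bucket(seconds):
    """Map a duration in seconds to the timespan bucket it falls in."""
    for name, upper in BUCKETS:
        if seconds < upper:
            return name


def timespan_distribution(incidents, phase):
    """Percent of incidents with a known duration for `phase`, per bucket."""
    known = [inc["timeline"][phase] for inc in incidents
             if inc["timeline"][phase] is not None]
    counts = Counter(bucket(s) for s in known)
    return {name: round(100 * counts[name] / len(known)) for name, _ in BUCKETS}


def with_data(incidents, variety):
    """Subset in which a given data variety was compromised: the slicing
    behind the 'IP & classified data' views in the slides."""
    return [inc for inc in incidents if variety in inc["data"]]


if __name__ == "__main__":
    print("agents, all:", share_involving(INCIDENTS, "agents", AGENTS))
    print("agents, IP :", share_involving(with_data(INCIDENTS, "IP"), "agents", AGENTS))
    print("actions    :", share_involving(INCIDENTS, "actions", ACTIONS))
    for phase in ("poe_to_comp", "comp_to_disc", "disc_to_cont"):
        print(phase, timespan_distribution(INCIDENTS, phase))
```

Two things worth noticing when you run it. The agent shares for the IP slice differ sharply from the whole sample (insider involvement rises from 30% to 67% in this constructed set), which is the kind of comparison the "Larger Orgs" and "IP & classified data" slides draw. And because an incident may involve more than one agent or action, the percentages are "involved in" shares rather than a partition, so they do not sum to 100%; reading them as a pie chart is a common mistake.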

Evidence?

Data Breach Investigations Report (DBIR) series = evidence for measuring and managing risk

Diagnose Ailments

✔ Treatment strategy

✔ Policy ✔ People ✔ Process ✔ Technology


Evidence-Based Risk Management

What are the benefits of EBRM?

• Metrics – Builds outcome-based metrics around security processes and failures in order to get a better read on the security pulse of the organization.

• Remediation – Strengthen security posture by identifying gaps, pinpointing the most critical remediation strategies, and focusing longer-term strategic planning.

• Efficiency – Enable better and more justified decision-making, improve resource allocation, reduce unproductive security spending, and generally achieve “more bang for the buck.”

• Communication – Increase information flows across organizational and functional boundaries. Create and communicate ongoing performance measures to key stakeholders.

DBIR: www.verizon.com/enterprise/databreach
VERIS: https://verisframework.wiki.zoho.com/
Blog: http://www.verizon.com/enterprise/securityblog
Email: dbir@verizon.com