Implementing a security metrics dashboard in Telefónica España

TELEFÓNICA I+D
Date: 1/14/2009

Vicente Segura (vsg@tid.es)

4th ETSI Security Workshop
14 January 2009 - ETSI, Sophia Antipolis, France

© 2008 Telefónica Investigación y Desarrollo, S.A. Unipersonal

Index

01 Introduction
- Objectives
- Main challenges

02 Methods and tools for collecting measures
- High level security framework
- Methods and tools

03 Composing derived measures
- Composing department derived measures
- Example of a tree of derived measures

04 Tool screenshots

05 Conclusion

01 Introduction: Objectives

• To assess compliance and meet some requirements:
— To adapt to the particular structure of the organization
— To assess compliance with as many standards and regulations as needed
— To automate collection of data to assess compliance when possible

[Diagram: Organization → Department 1, Department 2, Department …, Department n; Department 1 contains System 1_1, System 1_2, System 1_…, System 1_y. Standards and regulations shown as boxes: LOPD, CoBIT, ISO 27004, Telefónica, Data]

01 Introduction: Challenges

• To facilitate (and automate) the collection of measures from existing systems
• To compose derived measures from the collected base measures
— We obtain base measures of individual systems, but we want to have an insight into the compliance of an entire department
• To identify proper derived measures to assess compliance

[Diagram: an Agent collects from the Organization → Department 1 … Department n → System 1_1, System 1_2, System 1_…, System 1_y → Attribute 1_1_1, Attribute 1_1_2, Attribute 1_1_…, Attribute 1_1_z. Example derived measure label shown: "SBIXX Percentage of systems that implements RBAC to control"]

02 Methods and tools for collecting measures: High level security framework

[Diagram: high level security framework, organized by Process / People / Technology across the stages Policy definition, Enforcement, Monitoring and responding, Measuring and reporting. Elements shown: Policy, Vulnerability management, SIM, BCP and DRP, User base centralized management, Traffic filtering, Identity and access management, Education and awareness, BIA, Risk management, Awareness and education assessment, Patch management, Security configuration management, Network access control, Security metrics dashboard]

Source: Forrester - "Defining a high level security framework"

02 Methods and tools for collecting measures: Methods for collecting measures (1/2)

[Diagram: the Organization security policy spans Process / People / Technology. Measures managed by existing systems are collected by an Agent; measures not managed by existing systems are collected with a Questionnaire; both feed the Security metrics dashboard]

02 Methods and tools for collecting measures: Methods for collecting measures (2/2)

[Diagram: in each of Environment 1, Environment 2 and Environment 3 an Agent reads .csv files, <xml> files and DBs (automated attributes collection) and sends the measures over HTTPS to the Security metrics dashboard; a Questionnaire covers manual attributes collection]

02 Methods and tools for collecting measures: Agent configuration

• We configure its behaviour in an XML file:
— It can send measures periodically
— For each measured attribute we must indicate where to take its:
– Value
– Context
— We also can collect the quality of the measure

[Diagram: Environment 1, where the Agent reads .csv and <xml> sources]
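An added example in Python (not Telefónica's agent or its real configuration schema) of the configuration idea above: a constructed XML file names, for each attribute, the source and the columns holding its value, its context and optionally its quality, and the collector applies it to a constructed CSV export. The element and attribute names, the sample export and the reading of "quality" as measurement staleness are all assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed agent configuration (hypothetical schema): for each attribute,
# which CSV column holds its value, which holds its context (the system it
# belongs to) and, optionally, which holds the quality of the measure.
AGENT_CONFIG = """
<agent period="86400">
  <source name="nac_export" type="csv"/>
  <attribute id="ids_monitored" source="nac_export"
             value="ids" context="hostname" quality="last_check_days"/>
  <attribute id="mgmt_network_separated" source="nac_export"
             value="separate_mgmt_net" context="hostname"/>
</agent>
"""

# Constructed export of an existing inventory system (sample data, not real).
NAC_EXPORT = """hostname,ids,separate_mgmt_net,last_check_days
srv-01,1,1,2
srv-02,0,1,40
srv-03,1,0,1
"""

def load_config(xml_text):
    """Return the sending period (seconds) and the attribute definitions."""
    root = ET.fromstring(xml_text)
    return int(root.get("period")), [a.attrib for a in root.iter("attribute")]

def collect(xml_text, sources):
    """Return one measure per (attribute, context) found in the CSV sources."""
    _, attributes = load_config(xml_text)
    measures = []
    for attr in attributes:
        for row in csv.DictReader(io.StringIO(sources[attr["source"]])):
            m = {"attribute": attr["id"],
                 "context": row[attr["context"]],
                 "value": int(row[attr["value"]])}
            if "quality" in attr:
                # Quality here is staleness in days: lower is better.
                m["quality"] = int(row[attr["quality"]])
            measures.append(m)
    return measures

def usable(measures, max_age_days):
    """Drop measures whose quality is too stale; measures without quality are kept."""
    return [m for m in measures if m.get("quality", 0) <= max_age_days]
```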

03 Composing derived measures: Adaptation to organization requirements

[Diagram: Organization → Department 1, Department 2, Department …, Department n → System 1_1, System 1_2, System 1_…, System 1_y → Attribute 1_1_1, Attribute 1_1_2, Attribute 1_1_…, Attribute 1_1_z]

Most of the measures are obtained at the system attribute level, but we are also interested in obtaining derived measures at the department and organization levels.

03 Composing derived measures: Composing department derived measures

[Diagram: Department 1 with System 1_1, System 1_2, System 1_… and System 1_n. The Collection agent gathers System attributes measures, which are aggregated into Department attributes measures and then composed into Department derived measures (steps numbered 1 to 4 in the original figure)]

03 Composing derived measures: Tree of measures for each department

Global compliance
- Authentication and Identification
- Business Continuity
- Backup and recovery
- Software control
- Network and communications
  - Network segmentation
  - Monitoring
  - Secure management
- Audit and monitoring records
- Systems developments and maintenance
- Information classification
- Access Control

Derived measures (shown for the Network and communications branch):
- % of systems that have different networks for management, user access and backup
- % of systems segmented according to risk requirements
- % of systems monitored by IDS
- % of servers which are securely managed

Base measures per department:
- Number of systems with different networks for management, user access and backup
- Number of systems rightly segmented
- Number of systems monitored by IDS
- Number of systems securely managed
- Number of systems
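An added example, not code from the original deck, that walks the Network and communications branch of this tree in Python: per-system attributes are counted into the department's base measures, the percentages listed above are derived from them, and each node of the tree averages its children up to Global compliance. The sample systems are constructed, and equal weighting of children is an assumption.

```python
# Constructed per-system base measures for one department (sample data, not real).
SYSTEMS = [
    {"name": "srv-01", "ids": True,  "secure_mgmt": True,  "segmented": True,  "separate_nets": True},
    {"name": "srv-02", "ids": False, "secure_mgmt": True,  "segmented": True,  "separate_nets": False},
    {"name": "srv-03", "ids": True,  "secure_mgmt": False, "segmented": False, "separate_nets": False},
    {"name": "srv-04", "ids": True,  "secure_mgmt": True,  "segmented": True,  "separate_nets": True},
]

def department_base_measures(systems):
    """Step 1: count system attributes into the department's base measures."""
    return {
        "n_systems": len(systems),
        "n_ids": sum(s["ids"] for s in systems),
        "n_secure_mgmt": sum(s["secure_mgmt"] for s in systems),
        "n_segmented": sum(s["segmented"] for s in systems),
        "n_separate_nets": sum(s["separate_nets"] for s in systems),
    }

def derived_measures(base):
    """Step 2: the percentages of the slide, derived from the base measures."""
    n = base["n_systems"]
    def pct(key):
        # A department with no systems reports 0 instead of dividing by zero.
        return 100.0 * base[key] / n if n else 0.0
    return {
        "pct_separate_nets": pct("n_separate_nets"),
        "pct_segmented": pct("n_segmented"),
        "pct_ids": pct("n_ids"),
        "pct_secure_mgmt": pct("n_secure_mgmt"),
    }

# Step 3: the tree. Leaves list derived measure ids; inner nodes group children.
# Only the Network and communications branch of the slide is modelled here.
TREE = {"Global compliance": {
    "Network and communications": {
        "Network segmentation": ["pct_separate_nets", "pct_segmented"],
        "Monitoring": ["pct_ids"],
        "Secure management": ["pct_secure_mgmt"],
    },
}}

def compliance(node, derived):
    """Compliance of a node: leaves average their measures, inner nodes their children."""
    if isinstance(node, list):
        return sum(derived[m] for m in node) / len(node)
    return sum(compliance(child, derived) for child in node.values()) / len(node)
```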

04 Tool screenshots

Screenshots shown (the data contained in these screenshots are not real):
- Compliance levels for each department (two screenshots)
- Historic evolution of compliance
- Management of measures and derived measures (two screenshots)
- Management of derived measures tree

05 Conclusion

• Other uses of security metrics: risk analysis?
• Organizations have much more information than they think: let's take it and use it
• Future steps:
— To extend compliance assessment to other generic contexts (services, business processes). Not just areas and systems
— To define ontologies to configure the agent