
Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality

Date post:18-May-2015
Presented on May 17, 2012 for InnoTech Dallas. All rights reserved.
1. Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality
   Brian A. Engle, CISO, Texas Health and Human Services Commission

2. Agenda
   - In the beginning: What created the perception chasm? Contributing factors that widen the chasm
   - Truth, Fact and Reality: Primary support materials to bridge the gap; construction elements and design
   - Where can the bridge take us: Practical uses and worthy destinations
   (Slide footer on every slide: 5/15/2012 DIR Information Security Forum)

3. Speaking in tongues
   Ponemon Second Annual Cost of Cyber Crime Study:
   - Viruses, worms, Trojans ==> 100%
   - Malware ==> 96%
   - Malicious code ==> 42%
   "Virtually all organizations experienced attacks relating to viruses, worms and/or trojans over the four-week benchmarking period. Ninety-six percent experienced malware attacks, 82 percent experienced botnets, 64 percent experienced Web-based attacks, 44 percent experienced stolen or hijacked computing devices, 42 percent experienced malicious code, and 30 percent experienced malicious insiders."
   Footnote: "Malware attacks and malicious code attacks are inextricably linked. We classified malware attacks that successfully infiltrated the organization's networks or enterprise systems as a malicious code attack."

4. The Bigger Picture
   - Standards interpreted and implemented with tribal inconsistency
   - Ambiguous regulations, laws, audit and compliance requirements
   - Qualitative risk math in vivid Technicolor
   - Voodoo and Magic Fairy Dust
   - Personality-based bias and trust
   - "The End of the World as we know it" vulnerabilities
   - Misguided faith in legacy protection and various technologies

5. (Word cloud) Mobility, Virtualization, Cyberthreat, war, terrorists, activists, hacktivists, bully, Consumerization, cyber cyber cyber cyber

6. You want me on that wall. You need me on that wall. What happened to the wall?

7. Executive Dashboard
   Financial Metrics: investment metrics do not validate security
   - ROI for Security?
   - Cost Avoidance?
   - Insurance Comparisons
   - % of Security Spend Compared to Overall IT Spend: comparative, but irrelevant
   - Consider % of Security Spend Compared to Overall Company Expenditures

8. Gartner Security Maturity Model (figure)

9. So close, yet so far away (figure)

10. (figure only)

11. Jaquith's Laws of Metrics
   - Consistently measured without subjective criteria
   - Expressed as a cardinal number or percentage, not qualitative
   - Expressed using at least one unit of measure
   - Contextually specific / relevant such that they are actionable
   - Cheap to gather

12. 3 Simple Metrics
   1. What you do, and conversely what you don't do
   2. The effectiveness, maturity and breadth of coverage of what you do
   3. The risk that is in the remainder of the factorable computation of 1 and 2

13. Truth, Fact and Reality
   What you do:
   - How well is it working? (effectiveness)
   - Are you doing it everywhere you need to be? (scope/depth/breadth)
   - Can you continue doing it consistently? (maturity)
   - How much does it cost?
   What you don't do:
   - Dig for the denominator

14. What you do
   - People, Process and Technology
   - Activities, Functions and Interactions
   - Objectives, Outputs and Oversight
   - Technological countermeasures and defenses = Controls

15. Not another standard (figure)

16. Control Frameworks

   Framework, Standard or Regulation          | Segmentation                                  | Defined Controls
   NIST 800-53                                | 26 Families                                   | 228 (v3 Moderate)
   ISO 17799 / 27002                          | 12 Sections                                   | 140
   1 TAC 202 (Title 1 Part 10 Chapter 202)    | 9 Subsections                                 | 110
   COBIT 5                                    | 37 Process Guidance Areas (High Level Outputs)| Metric Boatload
   PCI                                        | 12 Requirements                               | 211

17. Control Effectiveness, Scope, and Maturity

   Objective | Defined Control      | Scope / Depth                 | Effectiveness | Maturity (CMM) | Cost | Crosswalk Connections                   | Owner / Division / Region
   AC        | Provision Account    | Specific or Groups of Apps    | 90%           | Optimizing     | $$$$ | 1TAC202 Ref, HIPAA Req, IRS 1075        |
   AC        | De-provision Account | Specific or Groups of Systems | 25%           | Ad-Hoc         | $$$$ | Standards, Compliance Requirements      |
   AC        | Grant Access Priv.   | Function, role or org         | 75%           | Repeatable     | $$$$ | Standards, Compliance Requirements      |
   AC        | Revoke Access Priv.  | {SOX | PCI | HIPAA} Systems   | 25%           | Defined        | $$$$ | Standards, Compliance Requirements      |

18. Metrics
   - X out of Y Mandatory Compliance Control Activities Implemented
   - Performed, costing $$
   - Leaving a remainder of $$ for additional protection control activities
   - Requiring T time to implement new activities

19. Metrics
   - X out of Y Required Control Activities Implemented
   - Applied across Z scope
   - # Performed at E rate of effectiveness
   - # Performed below E rate of acceptable effectiveness
   - Time to remediate ineffective processes

20. Operational Control Metric Dashboard (figure: six gauges on a 0 to 20 scale, one each for Physical and Environmental Protection (PE), Access Control (AC), Configuration Management (CF), Incident Response (IR), Digital Media Protection (MP) and Personnel Security (PS))

21. Evaluating Residual Risk (figure)

22. Where Does the Bridge Lead?
   Internally:
   - Actually answer the "Are we secure?" question
   - Provide a sustainable program framework
   - Provide consistency (staff and management)
   Externally:
   - Establish accountability and assurance

23. Where Can the Bridge Take Us?
   Outsource Providers:
   - Trust but VERIFIED
   - To the cloud on more than a wing and a prayer
   Security Product Vendors:
   - Ingredients and functions of a security program (Silver Bullets and Assorted Fairy Tales)

24. Summary
   - There is a gap between the perception of security and the reality of what is provided
   - It takes a lot of effective activities that come at a cost to narrow the gap
   - Articulating the size of the gap is difficult
   - Closing the gap with truth and fact is costly, but absolutely necessary

25. About
   Capitol of Texas ISSA: The preeminent trusted global information security community. http://www.austinissa.org @austinissa. COMMUNITY -- KNOWLEDGE -- LEARNING -- CAREER
   HHSC: HHSC oversees the operations of the health and human services system, provides administrative oversight of Texas health and human services programs, and provides direct administration of programs. $30B/Year - 200 programs - 56,000 Employees - 1,000 locations - 5 agencies. Serving the citizens of Texas.
   Hackformers: Teach Security, Teach Christ; Teach Security In Christ. http://www.hackformers.org @hackformers

26. Thank You! Questions?
   Contact Info: [email protected] @brianaengle

27. Let's start building some bridges.
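The "X out of Y" metrics from slides 18 and 19, computed over an inventory shaped like the slide 17 control table, as an added example that is not part of the presentation; the control rows, the acceptable effectiveness rate E and the budget are constructed values.

```python
"""Constructed control inventory in the shape of the deck's "Control
Effectiveness, Scope, and Maturity" table, with the Metrics-slide figures
computed over it. Added example, not the presenter's material."""
from dataclasses import dataclass

# CMM ladder used by the deck's Maturity column, lowest to highest.
CMM_LEVELS = ("Ad-Hoc", "Repeatable", "Defined", "Managed", "Optimizing")

@dataclass
class Control:
    family: str               # e.g. "AC"
    name: str                 # defined control activity
    required: bool            # mandated by a crosswalked framework/regulation
    implemented: bool
    scope_pct: float          # share of in-scope systems it is applied to (Z)
    effectiveness_pct: float  # measured rate, not a self-assessment
    maturity: str             # CMM level
    annual_cost: float        # dollars per year

# Constructed sample; effectiveness values mirror the deck's AC rows.
INVENTORY = [
    Control("AC", "Provision Account", True, True, 100, 90, "Optimizing", 120_000),
    Control("AC", "De-provision Account", True, True, 60, 25, "Ad-Hoc", 40_000),
    Control("AC", "Grant Access Priv.", True, True, 80, 75, "Repeatable", 90_000),
    Control("AC", "Revoke Access Priv.", True, True, 50, 25, "Defined", 30_000),
    Control("IR", "Incident Triage", True, False, 0, 0, "Ad-Hoc", 0),
]

def control_metrics(inventory, acceptable_pct, budget):
    """Return the slide 18/19 figures. Every value is a count, a percentage
    or dollars: a cardinal number with a unit, per Jaquith, never a rating."""
    required = [c for c in inventory if c.required]          # the denominator Y
    done = [c for c in required if c.implemented]            # X
    scope = sum(c.scope_pct for c in done) / len(done) if done else 0.0
    at_rate = [c.name for c in done if c.effectiveness_pct >= acceptable_pct]
    below = [c.name for c in done if c.effectiveness_pct < acceptable_pct]
    spent = sum(c.annual_cost for c in done)
    return {
        "x_of_y": (len(done), len(required)),                # implemented of required
        "scope_pct": round(scope, 1),                        # Z: mean coverage
        "at_or_above_e": at_rate,                            # performed at E rate
        "below_e": below,                                    # below acceptable E
        "cost_spent_usd": spent,
        "remainder_usd": budget - spent,                     # left for new controls
        "maturity_floor": min((c.maturity for c in done),
                              key=CMM_LEVELS.index, default="n/a"),
    }
```

The "below_e" list is the remediation queue that slide 19's "time to remediate ineffective processes" metric is measured against; the unimplemented required control never enters the effectiveness figures at all, which is why the denominator Y has to be counted first.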
