Implementing a security metrics dashboard in Telefónica España

TELEFÓNICA I+D
Date: 1/14/2009

Vicente Segura ([email protected])

4th ETSI Security Workshop
14 January 2009 - ETSI, Sophia Antipolis, France

© 2008 Telefónica Investigación y Desarrollo, S.A. Unipersonal

Index

01 Introduction
- Objectives
- Main challenges

02 Methods and tools for collecting measures
- High level security framework
- Methods and tools

03 Composing derived measures
- Composing department derived measures
- Example of a tree of derived measures

04 Tool screenshots

05 Conclusion

01 Introduction: Objectives

- To assess compliance and meet some requirements:
  - To adapt to the particular structure of the organization
  - To assess compliance with as many standards and regulations as needed
  - To automate collection of data to assess compliance when possible

[Figure: organization tree. Organization > Department 1, Department 2, Department …, Department n; Department 1 > System 1_1, System 1_2, System 1_..., System 1_y. Other labels: LOPD, CoBIT, ISO 27004, Telefónica, Data.]

01 Introduction: Challenges

- To facilitate (and automate) the collection of measures from existing systems
- To compose derived measures from the collected base measures
  - We obtain base measures of individual systems, but we want to have an insight of the compliance of an entire department
- To identify proper derived measures to assess compliance

[Figure: Agent and organization tree. Organization > Department 1, Department 2, Department …, Department n; Department 1 > System 1_1, System 1_2, System 1_..., System 1_y; System 1_1 > Attribute 1_1_1, Attribute 1_1_2, Attribute 1_1_..., Attribute 1_1_z. Label: SBIXX Percentage of systems that implements RBAC to control]

02 Methods and tools for collecting measures: High level security framework

[Figure: high level security framework. Labels: Security metrics dashboard; Policy, Process, People, Technology; Policy definition, Enforcement, Monitoring and responding, Measuring and reporting; Organization security policy, Vulnerability management, SIM, BCP and DRP, User base centralized management, Traffic filtering, Identity and access management, Education and awareness, BIA, Risk management, Awareness and education assessment, Patch management, Security configuration management, Network access control.]

Source: Forrester - “Defining a high level security framework”

02 Methods and tools for collecting measures: Methods for collecting measures (1/2)

[Figure labels: Security metrics dashboard; Agent; Questionnaire; Process, People, Technology; Measures managed by existing systems; Measures not managed by existing systems.]

02 Methods and tools for collecting measures: Methods for collecting measures (2/2)

[Figure labels: Security metrics dashboard; HTTPS; Automated attributes collection; Manual attributes collection; Questionnaire; Environment 1, Environment 2, Environment 3, each with DB, .csv, <xml> and Agent.]

02 Methods and tools for collecting measures: Agent configuration

- We configure its behaviour in an XML file:
  - It can send measures periodically
  - For each measured attribute we must indicate where to take its:
    - Value
    - Context
  - We also can collect the quality of the measure

[Figure labels: Environment 1; .csv; <xml>; Agent.]

03 Composing derived measures: Adaptation to organization requirements

[Figure: organization tree. Organization > Department 1, Department 2, Department …, Department n; Department 1 > System 1_1, System 1_2, System 1_..., System 1_y; System 1_1 > Attribute 1_1_1, Attribute 1_1_2, Attribute 1_1_..., Attribute 1_1_z.]

Most of the measures are obtained at this level

But we are also interested in obtaining derived measures at these levels

03 Composing derived measures: Composing department derived measures

[Figure: Department 1 with System 1_1, System 1_2, System 1_…, System 1_n; numbered steps 1 to 4. Labels: System attributes measures, Collection agent, Department attributes measures, Department derived measures.]

03 Composing derived measures: Tree of measures for each department

[Figure: tree of measures.]

Global compliance
- Authentication and Identification
- Business Continuity
- Backup and recovery
- Software control
- Network and communications
  - Network segmentation
  - Monitoring
  - Secure management
- Audit and monitoring records
- Systems developments and maintenance
- Information classification
- Access Control

Derived measures
- % of systems that have different networks for management, users access and backup
- % of systems segmented according risk requirements
- % of systems monitored by IDS
- % of server which are securely managed

Base measures per department
- Number of systems monitored by IDS
- Number of systems securely managed
- Number of systems rightly segment
- Number of systems with different networks for management, user access and backup
- Number of systems
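
An added example (not from the presentation or the Telefónica tool) of rolling a department's base measures up the tree on this slide. The grouping of the four percentages under the three sub-branches, the unweighted mean at each node, the handling of missing counts and the sample counts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str
    numerator: Optional[str] = None   # leaf only: base measure counted
    children: list = field(default_factory=list)

TOTAL = "Number of systems"  # denominator shared by every leaf on the slide

def evaluate(node, base):
    """Return (score in 0..100 or None, leaves with data, leaves in subtree)."""
    if not node.children:
        num, den = base.get(node.numerator), base.get(TOTAL)
        # Missing, zero or inconsistent counts give no score rather than 0 %.
        if num is None or not den or not 0 <= num <= den:
            return None, 0, 1
        return 100.0 * num / den, 1, 1
    results = [evaluate(child, base) for child in node.children]
    scores = [s for s, _, _ in results if s is not None]
    have = sum(h for _, h, _ in results)
    total = sum(t for _, _, t in results)
    # Assumption: unweighted mean of the children that have data.
    return (sum(scores) / len(scores) if scores else None), have, total

# Network and communications branch of the slide's tree (grouping assumed).
TREE = Node("Global compliance", children=[
    Node("Network and communications", children=[
        Node("Network segmentation", children=[
            Node("% of systems that have different networks for management, users access and backup",
                 "Number of systems with different networks for management, user access and backup"),
            Node("% of systems segmented according risk requirements",
                 "Number of systems rightly segment"),
        ]),
        Node("Monitoring", children=[
            Node("% of systems monitored by IDS", "Number of systems monitored by IDS")]),
        Node("Secure management", children=[
            Node("% of server which are securely managed", "Number of systems securely managed")]),
    ]),
])

# Constructed base measures for one department (not real data).
DEPARTMENT_1 = {
    TOTAL: 40,
    "Number of systems with different networks for management, user access and backup": 30,
    "Number of systems rightly segment": 10,
    "Number of systems monitored by IDS": 36,
    "Number of systems securely managed": 16,
}

if __name__ == "__main__":
    score, have, total = evaluate(TREE, DEPARTMENT_1)
    print(f"Global compliance: {score:.1f}% ({have}/{total} leaf measures reported)")
```

Reporting the number of leaves with data next to the score keeps a department that has not delivered a base measure from looking the same as one that fully complies.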

04 Tool screenshots

[Screenshots, not reproduced here:]
- Compliance levels for each department (two screenshots)
- Historic evolution of compliance
- Management of measures and derived measures (two screenshots)
- Management of derived measures tree

* The data contained in these screenshots are not real

05 Conclusion

- Other uses of security metrics: risk analysis?
- Organizations have much more information than they think: let's take it and use it
- Future steps:
  - To extend compliance assessment to other generic contexts (services, business processes). Not just areas and systems
  - To define ontologies to configure the agent
