The Emergence of Enterprise Security Intelligence

Date post: 21-Jan-2015
Upload: tripwire
Description:
Enterprise Security Intelligence (ESI) is defined as an emerging concept that is a comprehensive and holistic alternative to traditional disjointed security approaches that will enable stronger enterprise-wide security, optimal decision making and better business results.

Tripwire’s CTO Dwayne Melançon discusses:

- Enterprise Security Intelligence concept and how to utilize it in your security efforts
- Practical tips for leveraging security intelligence and how it fits with Tripwire’s System State Intelligence
- How Tripwire provides an integrated solution that allows customers to look at security events with business context and detect an insecure system

The full webcast can be found here: http://www.tripwire.com/register/the-emergence-of-enterprise-security-intelligence-amer/
Transcript
Page 1: The Emergence of Enterprise Security Intelligence

5 Tips for Leveraging Enterprise Security Intelligence

DWAYNE MELANÇON & CINDY VALLADARES

Page 2: The Emergence of Enterprise Security Intelligence

April 2013

Page 3: The Emergence of Enterprise Security Intelligence

TODAY’S SPEAKERS

Dwayne Melançon

Chief Technology Officer

@ThatDwayne

Cindy Valladares

Sr. Manager Corporate Communications

@cindyv

Page 4: The Emergence of Enterprise Security Intelligence

Enterprise Security Intelligence

From the Gartner Files

Emerging as a comprehensive and holistic alternative to traditional disjointed security approaches that will enable stronger security enterprise-wide, optimal decision-making and better business results

Page 5: The Emergence of Enterprise Security Intelligence

Benefits of Enterprise Security Intelligence

Higher accuracy of security vulnerability detection, remediation and protection based on technology interaction and correlation

Better correlation and impact analysis across all sources of security information

Detailed understanding of enterprise security

Improved decision making

Page 6: The Emergence of Enterprise Security Intelligence

5 TIPS FOR LEVERAGING ENTERPRISE SECURITY INTELLIGENCE

1. UNDERSTAND YOUR ORGANIZATION’S RISK APPETITE

2. PRIORITIZE BASED ON HIGHEST RISK & IMPACT

3. ADD CONTEXT TO YOUR INCIDENT DETECTION

4. ESTABLISH KEY SECURITY INDICATORS

5. MEASURE PROGRESS AND COMMUNICATE RESULTS

Page 7: The Emergence of Enterprise Security Intelligence

#1: Understand Organization’s Risk Appetite

Page 8: The Emergence of Enterprise Security Intelligence

Pyramid of Pain

Page 9: The Emergence of Enterprise Security Intelligence

#2: Prioritize Based on Highest Risk & Impact

Apply risk ranking/scoring methods

Better utilization of resources

Prioritize security threats

Be proactive about security

Page 10: The Emergence of Enterprise Security Intelligence

Aligned With Security Policy

Page 11: The Emergence of Enterprise Security Intelligence

#3: Add Context to Your Incident Detection

System State Intelligence

Provides full awareness of the state of your systems

Anchors your system to a ‘known and trusted state’

Monitors continuously for changes and deviations

Uses that awareness to detect suspicious events

Enables security context and prioritization

Know the security state of your systems

Page 12: The Emergence of Enterprise Security Intelligence

[Diagram: IT Security & Compliance Automation / System State Intelligence. Labeled components: Asset View, Tripwire Enterprise, Log / Event, Correlation Engine]

Page 13: The Emergence of Enterprise Security Intelligence

[Diagram: IT Security & Compliance Automation / System State Intelligence (Asset View, Tripwire Enterprise, Log / Event, Correlation Engine), shown alongside SIEM platforms (ArcSight), GRC solutions (Archer), change management (Remedy), CMDB, Asset Management, Identity, and 3rd Party Security Controls]

Page 14: The Emergence of Enterprise Security Intelligence

What About SIEM Alone?

“Most end users believe the [SIEM] technology is at best a hassle and at worst an abject failure. SIEM is widely regarded as too complex, and too slow to implement, without providing enough customer value to justify the investment.”

Page 15: The Emergence of Enterprise Security Intelligence

Event Integration Framework Process

Page 16: The Emergence of Enterprise Security Intelligence

#4: Establish Key Security Indicators

Visualize risk, policy scoring and trends

Combine data from multiple controls

Make your security efforts visible, measurable and accountable

Page 17: The Emergence of Enterprise Security Intelligence

Effective Metrics Guidance

Must align to the goals of the business

Measure only what you can control

Use quantitative, not qualitative data

Don’t over research – collection and analytics should not be complicated

Show trends analysis

Drive discussion, decisions, and actions

Promote healthy competition

Page 18: The Emergence of Enterprise Security Intelligence

Examples Of Metrics That Work

Leading or Preparatory Indicators:

Intended to drive proactive behaviour and habits

Intended to identify and measure precursors of risk or vulnerability

Configuration Quality:

% of configurations compliant with target security standards (risk-aligned)

i.e. >95% in Critical; >75% in Medium

% of unauthorised or undocumented changes

patch compliance by target area based on risk level

i.e. % of systems patched within 72 hours for Critical;

…within 1 week for Medium, etc.
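
An added example (not part of the original slides or any Tripwire tooling): the two leading indicators on this slide computed from a constructed asset inventory, using the slide's >95% / >75% configuration targets and its 72-hour / 1-week patch windows. The host names, field layout, and the choice to measure configuration compliance as passed policy checks over total checks are assumptions.

```python
from collections import defaultdict

# From the slide: targets to exceed, and patch windows, per risk tier.
CONFIG_TARGET_PCT = {"Critical": 95.0, "Medium": 75.0}
PATCH_WINDOW_HOURS = {"Critical": 72, "Medium": 7 * 24}

# Constructed sample inventory (hypothetical hosts and numbers).
# Fields: host, tier, policy checks passed, checks total,
# hours from patch release to install (None = still unpatched).
ASSETS = [
    ("pay-db-01",  "Critical", 196, 200, 20),
    ("pay-app-01", "Critical", 188, 200, 80),
    ("ad-dc-01",   "Critical", 198, 200, None),
    ("ad-dc-02",   "Critical", 178, 200, 48),
    ("wiki-01",    "Medium",   150, 200, 100),
    ("build-01",   "Medium",   170, 200, 160),
]

def config_quality(assets):
    """Per tier: (% of checks compliant, target exceeded?)."""
    passed, total = defaultdict(int), defaultdict(int)
    for _host, tier, ok, checks, _hours in assets:
        passed[tier] += ok
        total[tier] += checks
    result = {}
    for tier, target in CONFIG_TARGET_PCT.items():
        if total[tier] == 0:
            result[tier] = (None, False)  # no data is not the same as 0%
            continue
        pct = 100.0 * passed[tier] / total[tier]
        result[tier] = (pct, pct > target)  # strict ">" as on the slide
    return result

def patch_compliance(assets):
    """Per tier: % of systems patched inside that tier's window."""
    on_time, count = defaultdict(int), defaultdict(int)
    for _host, tier, _ok, _checks, hours in assets:
        window = PATCH_WINDOW_HOURS.get(tier)
        if window is None:
            continue  # tier has no window defined on the slide
        count[tier] += 1
        # Unpatched systems stay in the denominator and count as misses.
        if hours is not None and hours <= window:
            on_time[tier] += 1
    return {tier: 100.0 * on_time[tier] / count[tier] for tier in count}

if __name__ == "__main__":
    print("config quality:", config_quality(ASSETS))
    print("patch compliance:", patch_compliance(ASSETS))
```

The Critical tier in the sample lands on exactly 95.0% and is reported as missing its target, because the slide states the threshold as strictly greater than 95%.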

Page 19: The Emergence of Enterprise Security Intelligence

Examples Of Metrics That Work

Lagging or Operational Indicators:

Intended to measure effectiveness of operational controls

Intended to drive improved efficiency & effectiveness

Control effectiveness:

% of incidents detected by an automated control

% of incidents resulting in loss

mean time to discover security incidents

% of changes that followed change process

% of incidents detected by each control or process

Page 20: The Emergence of Enterprise Security Intelligence

Examples Of Metrics That Work

Program Effectiveness:

Intended to track and measure non-technical aspects of security efforts

Security program progress:

% of staff (by business area) completing security training

average scores (by business area) for security recall test

% of employees (by business area) who responded to “phishing tests”

Page 21: The Emergence of Enterprise Security Intelligence

Some Caveats

Keep things manageable

Short lists, small numbers, primary colors

Beware of False Flags

Is cost a primary measure of security effectiveness?

Don’t sign somebody else’s deal

Can you control what you’re being measured against?

Page 22: The Emergence of Enterprise Security Intelligence

#5: Measure Progress & Communicate Results

Continuously monitor

Nobody can afford 100% secure – cover based on risk

Aim for a balanced approach to security

Page 23: The Emergence of Enterprise Security Intelligence

Report On Status & Progress vs. Goals

Page 24: The Emergence of Enterprise Security Intelligence

Compare Various Business Units

Page 25: The Emergence of Enterprise Security Intelligence

Tripwire Newsletter Featuring Complimentary Gartner Research

How System State Intelligence fits into Enterprise Security Intelligence

How Tripwire solutions add business context and detect incidents early

http://gtnr.it/129rpPW

Page 26: The Emergence of Enterprise Security Intelligence

tripwire.com | @TripwireInc

DWAYNE MELANÇON -- @THATDWAYNE

CINDY VALLADARES -- @CINDYV

THANK YOU

