350 likes | 372 Views
Defining Security Metrics. Security Planning Susan Lincke. SABSA High-Level Framework. Gap Analysis. The difference between where you are and where you want to be: (For example: # malware infections/month Rate of finding illegal software, hardware Security awareness training averages.
E N D
Defining Security Metrics Security Planning Susan Lincke
Gap Analysis The difference between where you are and where you want to be: (For example: • # malware infections/month • Rate of finding illegal software, hardware • Security awareness training averages
SEI/COBIT Level 4 Monitoring:Includes Metrics Metrics inform management (and independent auditors) of the effectiveness of the security program Monitoring achievement of control objective may be more important than perfecting security procedures
Which metrics to use? Business-Driven Technology-Driven Addresses recent threats observed by CERT CERT: Computer Emergency Readiness Team Addresses recent forensic data Addresses specific business risks • Inherent industry risks Tailored to organization Measures adherence to control objectives
Monitoring Function: Business-Driven Metrics Executive mgmt is interested in risk, budget, policy. Review every 6 months-1 year Technical details: E.g., firewall, logs, IPS, vulnerability tests. Review weekly. Automate statistics. Determine effectiveness of security program: risk changes, compliance, incident response tests. Review quarterly to half-year
Monitoring Function: Business-Driven Metrics Project Plan or Budget Metrics Risk performance Disaster Recovery Test results Audit results Regulatory compliance results Vulnerability Scan results Server config. standards compliance IDS monitoring results Firewall log analysis Patch mgmt status Policy compliance metrics Exceptions to policy/standards Changes in process or system affecting risk Incident management effectiveness
Which metrics? Step 1:What are the most important security areas … threats …. regulation … to monitor in your organization? Step 2: Which metrics make the most sense to collect. Can they be automated? Step 3: Consider the 3 perspectives: strategic, tactical, operational metrics, relative to 3 audiences.
Workbook: MetricsMetrics Selected What are the most important areas to monitor in your organization? Cracking Attempt Lunatic gunman Major Risks: FERPA Violation Web Availability
SANS-Recommended Critical Controls for Effective Cyber Defense Technology-Driven Metrics
Noticing inappropriate ‘additions’ to the network New PC New AP New wireless
Checking the security configuration of network Patched? Legal software? Firewall on & security configured? Antivirus on and patched? Limit USB access? WPA2 AES, EAP/ TLS? Monitor Network? Withstands attacks? SQL, buffer overflow, cross-site scripting, clickjacking, …
Noticing inappropriate actions New sys admin or user acct Transfer of confidential data or illegal packets Detect new network service
SANS: Critical Controls for Effective Cyber Defense Typical SANS Metric: Temporarily install unauthorized software, hardware or configuration on a device. It should be: • found within 24 hours (or best: 2 minutes) • isolated within one hour confirmed by alert/email • reported every 24 hours until issue is resolved.
SANS Critical Control 1:Inventory of Authorized Devices Ensure all devices (with IP address) on network are known, configured properly, and patched. Scan network daily or use DHCP reports or passive monitoring. Compare results with baseline configuration. Metric: Temporarily install unauthorized device.
SANS: Critical Control 2:Inventory of Authorized Software Ensure all software is approved and recently patched • Whitelist defines the permitted list of software. • Blacklist defines illegal software (e.g., IT tools). • Endpoint Security Suites (ESS) contain antivirus, antispyware, firewall, IDS/IPS, s/w white/blacklisting. Metric: Temporarily install unauthorized software on a device.
SANS Critical Control 3:Secure Configurations for Hardware & Software All devices are hardened using recommended security configurations • Illegal software list exists, includes Telnet, VNC, RDP • New software is quarantined and monitored. • Imaged software is maintained in an updated state. Build secure images, and use configuration checking tools daily. Metric: Temporarily attempt to change a set of random configurations.
SANS Critical Control 4:Continuous Vulnerability Assessment Run vulnerability scans on all systems at least weekly, preferably daily. Problem fixes are verified through additional scans. • Vulnerability scanning tools (updated) for: wireless, server, endpoint, etc. • Automated patch management tools notify via email when all systems have been patched. Metric: If the scan does not complete in 24 hours, an email notification occurs.
SANS Critical Control 5:Malware Defense Antivirus/antispyware is always updated • Run against all data: shared files, server data, mobile data. Additional controls: blocking social media, limiting external devices (USB), using web proxy gateways, network monitoring. • Endpoint security suites report tool is updated and active on all systems Metric: For install of benign malware (e.g., security/hacking tool), antivirus prevents installation or execution or quarantines software • Sends an alert/email within one hour indicating specific device and owner
SANS Critical Control 6:Application S/W Security New application software is tested for security vulnerabilities: • Web vulnerabilities: buffer overflow, SQL injection, cross-site scripting, cross-site request forgery, clickjacking of code, and performance during DDOS attacks. • Input validated for size, type • No system error messages reported directly to user Automated testing includes static code analyzers and automated web scanning. Configurations include application firewalls and hardened databases. Metric: An attack on the software generates a log/email within 24 hours (or less). Automated web scanning occurs weekly or daily
SANS Critical Control 7:Wireless Device Control Wireless access points are securely configured with WPA2 protocol and AES encryption. • Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) provides mutual authentication. • Only registered, security-approved devices are able to connect Wireless networks are configured for the minimum required radio footprint. Metrics: Wireless intrusion detection systems detect available wireless access points and deactivate rogue access points within 1 hour Vulnerability scanners can detect unauthorized wireless access points connected to the Internet.
SANS Critical Control 8:Data Recovery Capability Backups are maintained at least weekly and more often for critical data. Backups are encrypted and securely stored. Multiple staff can perform backup/recovery. Metric: Test backups quarterly for a random sample of systems. This includes operating system, software, and data restoration.
SANS Critical Control 9:Security Skills Assessment Security awareness training: required for end users, system owners Security training: necessary for programmers, system, security and network administrators Metric: Test security awareness understanding • Periodically test social engineering tests via phishing emails and phone call • Employees who fail a test must attend a class
SANS Critical Control 10:Secure Network Configurations A configuration DB tracks approved configurations in config. mgmt. for network devices: firewalls, routers, switches. Tools perform rule set sanity checking for Access Control Lists. Two-factor identification is used for network devices. Metric: Any change to the configuration of a network device is reported within 24 hours
SANS Critical Controls 11. Control of Network Ports, Protocols and Services: • Default Deny packets. • Periodically review for restriction • Metric: Measure time to recognize added network service 12. Controlled Administrative Privilege: • Minimal elevated privileges • Passwords are complex, changed periodically, 2-factor • Metric: Measure time to recognize new sys admin
SANS Critical Controls 13. Boundary Defense: • Use firewall zones to filter incoming and outgoing traffic. • Blacklist & whitelist network addresses • Metric: Measure time to recognize unauthorized packets 14. Analysis of Security Audit Logs: • Server logs are write-only and archived for months. • Firewalls log all allowed and blocked traffic. • Unauthorized access attempts are logged • Metric: Measure time to recognize no log space
SANS Critical Controls 15. Need to Know Access: Prevent exfiltration of data (e.g., to competitors) • Classify data • Use restrictive firewall configurations • Log access to confidential data • Metric: Measure time to recognize unauthorized access 16. Account Monitoring and Control: Terminated accounts -> removed Expired password/ disabled/ locked out accounts, -> investigated Failed logins -> lockouts Inactivity -> locked sessions Unusual time access -> alert Data exfiltration recognized by keywords. Metric: Measure time to recognize new/ changed user accounts
SANS Critical Controls 17. Data Loss Prevention: Prevent exfiltration of proprietary or confidential info • Encrypt mobile and USB devices • Disable USB Metric: Measure time to recognize transfer of confidential data file 18. Incident Response: • Incident Response Plan defines who does what for various conditions • IRP includes contact information for third party contractors
SANS Critical Controls 19. Secure Network Engineering: Separate zones exist: DMZ, middleware, private network • DMZ accessed through proxy firewall • DMZ DNS is in DMZ; internal DNS is in internal zone, … Emergency config. for restricted network is ready for quick deployment. 20. Penetration Tests: • Penetration tests = vulnerability tests + attacker tests • Red Team exercises test incident response team reactions • Metric: Measure false positive, false negative, true positive rate
Question The difference between where an organization performs and where they intend to perform is known as: • Gap analysis • Quality Control • Performance Measurement • Benchmarking
Question The MOST important metrics when measuring compliance include: Metrics most easily automated Metrics related to intrusion detection Those recommended by best practices Metrics measuring conformance to policy
Question SANS recommends that an initial maximum allowable time to detect a problem in a network or server configuration is: • Two minutes • One hour • One day • One week