310 likes | 323 Views
Security Measures & Metrics. Pete Lindstrom, CISSP Research Director Spire Security, LLC www.spiresecurity.com petelind@spiresecurity.com. Security Metrics I. Security Metrics (Part 1): Building the Framework
E N D
Security Measures & Metrics Pete Lindstrom, CISSP Research Director Spire Security, LLC www.spiresecurity.com petelind@spiresecurity.com
Security Metrics I Security Metrics (Part 1): Building the Framework There are obvious benefits to charting and quantifying the success of your security program. But where do you begin? This session -- part 1 of a 2-part mini-workshop -- outlines a practical approach to security metrics that links standard business practices with security functions. Find out from Information Security magazine contributing editor, Pete Lindstrom, Research Director for Spire Security, how to build a rock-solid foundation based on a model known as the "Four Disciplines of Security Management." Then learn about the elements of a cohesive security metrics program from a functional and resource-usage perspective. Plus, you leave with a solid understanding of the relative utility metrics for productivity, process efficiency, cost effectiveness and risk management.
What is the Four Disciplines Model? • A way to think about security • High-level without losing clarity • Detailed enough for technical folks • Identifies relationships • A taxonomy of objectives, functions, activities, and products. • A framework for security measurement.
Introducing the Four Disciplines 2 Trust Mgt: Designing security policy and process Identity Mgt: Managing Users and other sources 3 1 Vuln. Mgt: Hardening the systems Threat Mgt: Monitoring activities and events 4
Vulnerability Mgt Functions • Evaluate and harden configurations • By platform • Identify and remediate vulnerabilities • Software bugs • Configure firewalls / other access control • Reduce/filter anomalous traffic
Identity Management Functions • Validate user information • Create/modify user accounts and privileges • Disable/delete user accounts • Change/reset passwords • Validate sessions • Authorize access
Trust Management Functions • Create/modify user policies • Create/modify system policies - technical baselines • Design security architecture • Design/implement controls to prevent sniffing or copying data. • Design/implement controls to prevent modifying data.
Threat Management Functions • Identify anomalous activities • Monitor network and components • Aggregate alerts and logs • Collect physical information • Manage/resolve incidents • Incident response - take corrective action • Conduct forensic analysis of systems/data
Q1: Most Important? Which Discipline is most important to a strong security program? • Vulnerability Management (firewalls, vuln assess, patch) • Identity Management (provision, acct mgt, authent.) • Trust Management (policies, tech guides, crypto) • Threat Management (monitor, incident, forensics)
Q2: Most Time? Which Discipline does your organization spend the most time on? • Vulnerability Management (firewalls, vuln assess, patch) • Identity Management (provision, acct mgt, authent.) • Trust Management (policies, tech guides, crypto) • Threat Management (monitor, incident, forensics)
Fundamental Security Elements Activities: Four Disciplines People: Departments Admins Time: Hr/Day Month/Yr Costs: Salaries, Consulting HW, SW, Maint. Resources: User accts, systems, apps
Types of Metrics • Process Effectiveness – doing things right. (measure quality) • Staff Productivity – people doing more things. (measure volume) • Cycle Time – transaction time. (measure process efficiency) • Staff Efficiency – people doing things faster. (people / transaction / time) • Cost Effectiveness – transaction costs. (cost / activity)
Process Effectiveness Metrics “doing things right” • Key Elements: • Activities • errors • Examples: • Acct request errors • Remediation errors • False alarm rate • Policy exceptions error rates
Process Effectiveness • Measure quality by identifying error rates of activities • Identity Management • User account request errors • Vulnerability Management • Vulnerabilities not remediated • Threat Management • Improper incident management • Trust Management • Policy violations
Staff Productivity Metrics “people doing more things” • Elements: • People • Activities • Examples: • Accts per person • Vulns per person • Patches per person
Staff Productivity • Productivity and workload for all manual activities (activities/people) • Identity Management • Requests per administrator • Account disablements per admin • Password resets per admin • Vulnerability Management • Vulnerabilities resolved per administrator • Threat Management • Incidents per person • Trust Management • Policy changes per person
Cycle Time Metrics avg “time to perform activity x” • Elements: • Time • Activities • Examples: • Accts per month • Vulns fixed per month • Patches per month
Cycle Time • Process efficiency • Identity Management • User account request time to complete • Vulnerability Management • Remediation time to complete • Threat Management • Incident response time to complete • Trust Management • Policy creation time to complete
Staff Efficiency Metrics “people doing things” quicker • Elements: • People • Activities • Time AdminsbyDepartment • Examples: • Accts per person/hr • Vulns per person/hr • Patches per person/hr 2000 Hours per FTE
Staff Efficiency • Combines staff productivity and cycle time metrics. • Identity Management • User account requests completed per person per day/week/month • Vulnerability Management • Vulnerabilities remediated per person per day/week/month • Threat Management • Incidents closed per person per day/week/month • Trust Management • Policies reviewed per person per day/week/month
Cost Effectiveness Metrics Cheaper transactions • Elements: • Activities • Costs • Examples: • Cost per acct • Cost per vuln fixed • Cost per patch
Cost Effectiveness • Dollars/activities; dollars/resources; dollars/demographics • Identity Management • Cost per request • Cost per password reset • Vulnerability Management • Cost per vulnerability • Cost per system setting • Threat Management • Cost per incident • Trust Management • Cost per policy • Cost per project
When to Use Metrics • Process Effectiveness • Six Sigma • Staff Productivity • ROI / promotions • Cycle Time • Balanced Scorecard • Staff Efficiency • ROI • Cost Effectiveness • Activity-based costing • ROI/TCO
Q3: Most Useful? Which metric type is most useful to your security program? • Process Effectiveness • Staff Productivity • Cycle Time • Staff Efficiency • Cost Effectiveness
Conclusions • Security functions are spread throughout organizations. • You can’t improve security until you measure it. • Ultimately, security is a business operation that should be run like a business operation.
Agree? Disagree? Pete Lindstrom petelind@spiresecurity.com www.spiresecurity.com