
August 17, 2010



Presentation Transcript


  1. August 17, 2010

  2. About Andrew Jaquith
     • Senior analyst at Forrester since October 2008
     • Coverage: client security, data security, mobile security
     • Recent research:
       • Apple’s iPhone and iPad: Secure Enough for Business? (Aug 2010)
       • Market Overview: Enterprise Rights Management (June 2010)
       • Own Nothing. Control Everything (January 2010)
       • Data-Centric Security Requires Devolution, Not a Revolution (2009)
     • Senior analyst at Yankee Group 2005-2008
     • Co-founder of pioneering security consultancy @stake
     • Author of best-selling security book, Security Metrics
     • Founder, securitymetrics.org. Co-developer of Apache JSPWiki
     Andrew and Khalid Kark will be facilitating a Security Metrics Workshop at Forrester’s IT Security Forum in Boston, September 15th-16th 2010

  3. Five Years Later, Are Security Metrics Still a Fad?

  4. Agenda
     • Welcome
     • Five Years of Metrics
     • Nuts and Bolts

  5. Metricon 2.0: Jeremiah Grossman (2007)
     • Excellent “texture and depth” on prevailing practices
     • 18 month snapshot: Jan 2006-August 2007
     • 128m websites
     • Factoid I scribbled down: 7 out of 10 sites have “critical” or “urgent” vulns

  6. Mini-Metricon 2.5: Verizon’s 1st DBIR
     • First look at “curated” enterprise metrics about intrusions and data breach incidents
     • Terrific insights about attacker paths
     • Disabused the insider threat argument

  7. Metricon 3.0: Caroline Wong, eBay (2008)
     • Gosh, a real live enterprise! And a household name…
     • Great snapshot of how fraud and security relate
     • Metrics I scribbled down: eBay watches the number of compromised accounts.
     • Also: # of “maliciously compromised” accounts

  8. Mini-Metricon 3.5: Maureen Doyle (2009)
     • Analysis of 100 weeks of code commits and code quality for 14 open-source PHP apps
     • Vuln density: 8.88 vulns/KLOC
     • Some correlation between cyclomatic complexity and security defects
     • Neat insight I scribbled down:
       • Study found no correlation between security defects and code churn

  9. Metricon 4.0: James Cowie, Renesys (2009)
     • Used three metrics to determine the “cluefulness” of organizations connecting to the Internet
       • Compliance - are your routing advertisements compliant with what you have
       • Availability - how available is your network?
       • Diversity - how diverse are your providers?
     • Money quote I scribbled down:
       • “How do we make people change their behavior? Easy. Cut right to the base emotions: fear and shame.”

  10. Agenda
     • Welcome
     • Five Years of Metrics
     • Nuts and Bolts

  11. Agenda
     • Welcome
     • Five Years of Metrics
     • Nuts and Bolts

  12. Today’s schedule

  13. Nuts and Bolts
     • Wireless
       • SSID: usenix. Password: usenix2010
     • Lunch
       • 12:30-1:45, Thurgood Marshall South West
     • Beers
       • 5:30-6:30, Harding (this room)
     • USENIX Happy Hour
       • 6-7 pm, Thurgood Marshall North East

  14. Rules for living
     • This is a safe environment
     • We will publish official (high level) proceedings
     • Anything you ask to be “off the record” will stay so
     • Save your e-mail for break times
     • Assertiveness is welcome. Rudeness is not
     • Stay engaged
     • Have fun

  15. Enjoy the Day
     Andrew Jaquith
     Senior Analyst, Security and Risk
     +1 617.613.6410
     ajaquith@forrester.com
     www.forrester.com
     Twitter: arj
