
Establishing a Security Metrics Program Tiger Team Final Report

Establishing a Security Metrics Program Tiger Team Final Report. Chris Cain & Erik Couture, October 2011. SANS Technology Institute - Candidate for Master of Science Degree. Introduction: team members, mandate, overall project aim, methodology.



Presentation Transcript


  1. Establishing a Security Metrics Program Tiger Team Final Report
     Chris Cain & Erik Couture, October 2011
     SANS Technology Institute - Candidate for Master of Science Degree

  2. Introduction
     - Team members
     - Mandate
     - Overall project aim
     - Methodology

  3. Security Metrics Overview
     - "How secure are we?"
     - "Are our security investments making a difference?"
     - "Where can we have the most impact on our security posture?"

  4. Why Metrics?
     - Metrics vs. measurement
     - The importance of context and knowledge, not just data
     - The challenge of deciding what to measure

  5. Goal/Scope
     - Paint a clear picture of our security posture
     - Identify the areas of greatest risk
     - Guide resource allocation toward the areas of greatest security gain
     - Educate senior management on the possible business impacts of our security posture
     - Provide a method to monitor the effectiveness of policy and technological changes over time

  6. Example 1: Secure Firewalls, Routers, and Switches
     Aim
     - Visibility of the 'ground truth'
     - Ensure minimal ports/services exposed
     Input data
     - Network device threat level
     - Average days to fix configuration issues
     - Total insecure configurations found
     Visualization
     - Horizontal bar charts: give a good sense of progress over several reporting periods and between each device type
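The two input measures on this slide, total insecure configurations found and average days to fix, are only meaningful when they are bucketed by reporting period and device type and when open findings are not silently dropped from the average. The script below is an added example, not part of the presentation: it computes those two measures from a constructed list of configuration findings (the `Finding` schema, hostnames and dates are all invented for illustration) and flattens them into the rows a horizontal bar chart per device type and period would consume.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One insecure configuration found on a network device (constructed schema)."""
    device: str               # hostname
    device_type: str          # "firewall", "router" or "switch"
    found: date               # date the insecure configuration was found
    fixed: Optional[date]     # date it was remediated, None while still open


# Constructed sample data for illustration; not taken from the presentation.
FINDINGS: List[Finding] = [
    Finding("fw-edge-01", "firewall", date(2011, 7, 3), date(2011, 7, 10)),
    Finding("fw-edge-02", "firewall", date(2011, 7, 15), date(2011, 8, 20)),
    Finding("rtr-core-01", "router", date(2011, 7, 5), date(2011, 7, 8)),
    Finding("rtr-core-02", "router", date(2011, 8, 1), None),
    Finding("sw-dist-01", "switch", date(2011, 7, 20), date(2011, 9, 1)),
    Finding("sw-dist-02", "switch", date(2011, 8, 11), date(2011, 8, 12)),
    Finding("sw-acc-07", "switch", date(2011, 9, 2), None),
]

AS_OF = date(2011, 9, 30)   # end of the reporting period being scored


def period_key(d: date) -> str:
    """Reporting period label, here a calendar quarter such as '2011-Q3'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def config_metrics(findings: List[Finding], as_of: date) -> Dict[Tuple[str, str], dict]:
    """Per (period, device type): total insecure configurations found, how many
    are still open, and the mean days to fix.

    A fix dated after `as_of` is treated as open, so re-running the report for
    an earlier period reproduces what was true at that time. Open findings are
    kept out of the mean and reported as their own count, because a long-open
    finding would otherwise vanish from the average entirely."""
    groups: Dict[Tuple[str, str], List[Finding]] = defaultdict(list)
    for f in findings:
        if f.found <= as_of:
            groups[(period_key(f.found), f.device_type)].append(f)

    rows = {}
    for key, group in sorted(groups.items()):
        fix_days = [(f.fixed - f.found).days
                    for f in group if f.fixed is not None and f.fixed <= as_of]
        rows[key] = {
            "found": len(group),
            "open": len(group) - len(fix_days),
            "mean_days_to_fix": round(mean(fix_days), 1) if fix_days else None,
        }
    return rows


def bar_chart_rows(metrics: Dict[Tuple[str, str], dict]) -> List[Tuple]:
    """Flatten to (period, device_type, found, open, mean_days_to_fix) rows,
    one bar per device type within each reporting period."""
    return [(p, t, m["found"], m["open"], m["mean_days_to_fix"])
            for (p, t), m in metrics.items()]


if __name__ == "__main__":
    for row in bar_chart_rows(config_metrics(FINDINGS, AS_OF)):
        print(row)
```

The slide's third input, the device threat level, is assigned by the team rather than measured, so it is left out of the computation here; it belongs as a weight or ordering applied when the bars are drawn, not as something derived from the findings.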

  7. Example 2: Boundary Defense
     Aim
     - Reduce the number of Internet entry points by 80%
     - Achieve 100% of hosts pointed at secure DNS servers
     - Achieve 100% physical network verification
     Input data
     - Total quantity of defenses scored
     - Score from 1 to 5
     - Boundary defense threat level (subjectively assigned)
     Visualization
     - Line graph comparing boundary device types against their scores

  8. Example 3: Incident Response Capability
     Aim
     - Assess the ability to detect and respond
     - Fuse/visualize end-to-end incident handling timelines
     Input data
     - Mean time to incident detection/identification
     - Mean time to incident eradication
     - Mean time to incident recovery
     - Number of lessons learned as a result of the incident
     Visualization
     - Stacked bar chart: allows the reader to quickly compare the relative time involved in each phase of incident handling
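A stacked bar per incident only works if each phase is measured between consistent boundaries (compromise to detection, detection to eradication, eradication to recovery) and if an incident still in progress is not quietly given a finished-looking duration. The script below is an added example, not part of the presentation: it derives the three mean times on this slide and the stacked-bar rows from a constructed set of incident timelines (the `Incident` schema, identifiers and timestamps are invented), flags phases that have not finished by the report date, and rejects out-of-order records rather than producing negative durations.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Incident:
    """Timeline of one handled incident (constructed schema).
    Each timestamp marks the end of the preceding phase."""
    ident: str
    occurred: datetime              # best estimate of when the compromise began
    detected: datetime              # when the incident was identified
    eradicated: Optional[datetime]  # None while eradication is still under way
    recovered: Optional[datetime]   # None while recovery is still under way
    lessons_learned: int            # lessons-learned items recorded in the post-mortem


PHASES = ("detection", "eradication", "recovery")

# Constructed sample data for illustration; not taken from the presentation.
INCIDENTS: List[Incident] = [
    Incident("INC-2011-014", datetime(2011, 8, 1, 2), datetime(2011, 8, 1, 14),
             datetime(2011, 8, 2, 2), datetime(2011, 8, 3, 2), lessons_learned=3),
    Incident("INC-2011-015", datetime(2011, 8, 10, 0), datetime(2011, 8, 12, 0),
             datetime(2011, 8, 12, 6), datetime(2011, 8, 12, 18), lessons_learned=1),
    # still in recovery when the report is produced
    Incident("INC-2011-016", datetime(2011, 9, 20, 8), datetime(2011, 9, 20, 9),
             datetime(2011, 9, 20, 21), None, lessons_learned=0),
]

AS_OF = datetime(2011, 9, 22, 9)   # when the report is produced


def phase_hours(inc: Incident, as_of: datetime) -> Tuple[Dict[str, Optional[float]], Set[str]]:
    """Hours spent in each phase of one incident, plus the set of phases that
    had not finished by `as_of`.

    detection   = occurred   -> detected
    eradication = detected   -> eradicated
    recovery    = eradicated -> recovered

    An unfinished phase is measured up to `as_of` and flagged, so the chart
    can draw it hatched instead of presenting a running clock as a final
    number. A phase that has not started is reported as None."""
    points = [inc.occurred, inc.detected, inc.eradicated, inc.recovered]
    for earlier, later in zip(points, points[1:]):
        if later is not None and earlier is None:
            raise ValueError(f"{inc.ident}: phase recorded without its predecessor")
        if earlier is not None and later is not None and later < earlier:
            raise ValueError(f"{inc.ident}: timestamps out of order")

    hours: Dict[str, Optional[float]] = {}
    open_phases: Set[str] = set()
    for name, start, end in zip(PHASES, points, points[1:]):
        if start is None:
            hours[name] = None
            continue
        if end is None:
            end = as_of
            open_phases.add(name)
        hours[name] = round((end - start).total_seconds() / 3600, 1)
    return hours, open_phases


def mean_phase_hours(incidents: List[Incident], as_of: datetime) -> Dict[str, Optional[float]]:
    """Mean time to detect / eradicate / recover, over finished phases only."""
    samples: Dict[str, List[float]] = {p: [] for p in PHASES}
    for inc in incidents:
        hours, open_phases = phase_hours(inc, as_of)
        for p in PHASES:
            if hours[p] is not None and p not in open_phases:
                samples[p].append(hours[p])
    return {p: (round(mean(v), 1) if v else None) for p, v in samples.items()}


def stacked_bar_rows(incidents: List[Incident], as_of: datetime) -> List[Tuple]:
    """One row per incident: (ident, detection_h, eradication_h, recovery_h, open_phases)."""
    rows = []
    for inc in incidents:
        hours, open_phases = phase_hours(inc, as_of)
        rows.append((inc.ident, hours["detection"], hours["eradication"],
                     hours["recovery"], sorted(open_phases)))
    return rows


def summary(incidents: List[Incident], as_of: datetime) -> dict:
    """Headline figures for the dashboard: counts plus the three mean times."""
    return {
        "incidents": len(incidents),
        "lessons_learned": sum(i.lessons_learned for i in incidents),
        "mean_hours": mean_phase_hours(incidents, as_of),
    }


if __name__ == "__main__":
    for row in stacked_bar_rows(INCIDENTS, AS_OF):
        print(row)
    print(summary(INCIDENTS, AS_OF))
```

Measuring detection from the estimated compromise time rather than from the first alert is what makes the first segment a true time-to-detect; if that estimate is unavailable for an incident, record it as unknown rather than substituting the alert time, or the metric will flatter the detection capability.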

  9. Visualization / Dashboard (1)

  10. Visualization / Dashboard (2)

  11. Recommendations
     - Establish an enterprise-wide security metrics program.
     - Adopt the SANS Twenty Critical Security Controls framework as the basis for the ongoing gathering and reporting of security metrics.
     - Institute a security metrics board that regularly assesses the effectiveness of, and adjusts, the security metrics program.

  12. References
     - Twenty Critical Security Controls for Cyber Defense (SANS / Consensus Audit Guidelines)
     - NIST Special Publication 800-61, Computer Security Incident Handling Guide
     - Elizabeth A. Nichols, "Beautiful Security Metrics" (chapter in Beautiful Security, O'Reilly)
     - John Gilligan, Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance
     - Gary Hinson, "Seven Myths about Information Security Metrics"
     - Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty and Doubt (foreword by Gary McGraw)
     - US DHS, FISMA FY2011 CIO Reporting Metrics
     - Lance Hayden, IT Security Metrics: A Practical Framework for Measuring Security and Protecting Data
     - Shirley C. Payne, A Guide to Security Metrics (SANS Reading Room)
     - Scott Berinato, CSO Security and Risk
