Establishing a Security Metrics Program
Tiger Team Final Report
Chris Cain & Erik Couture
October 2011
SANS Technology Institute - Candidate for Master of Science Degree

Introduction
• Team Members
• Mandate
• Overall project aim
• Methodology

Security Metrics Overview
• “How secure are we?”
• “Are our security investments making a difference?”
• “Where can we have the most impact on our security posture?”

Why Metrics?
• Metrics vs Measurement
• The importance of context and knowledge, not just data
• The challenge of what to measure

Goal/Scope
• Paint a clear picture of our security posture
• Identify areas of greatest risk
• Help educate resource allocation towards areas of greatest security gain
• Educate senior management on possible business impacts of our security posture
• Provide a method to monitor the effectiveness of our policy and technological changes over time

Example 1
Secure Firewalls, Routers, and Switches
Aim
• Visibility of the ‘ground truth’
• Ensure minimal ports/services exposed
[Chart: horizontal bar chart by device type (Firewalls, Routers, Switches, Workstations, Laptops, Servers) for the Sept, Oct and Nov reporting periods; scale 0 to 30]
Input Data
• Network Device Threat Level
• Average days to fix configuration issues
• Total insecure configurations found
Visualization
• Horizontal bar charts – give a good sense of progress over several reporting periods and between each device type

Example 2
Boundary Defense
Aim
• Reduce by 80% the number of internet entry points
• Achieve 100% of hosts pointed at secure DNS servers
• Achieve 100% physical network verification
Input Data
• Total quantity of defenses scored – score from 1 to 5
• Boundary Defense Threat Level (subjectively assigned)
Visualization
• Line graph comparing boundary device types against their scores

Example 3
Incident Response Capability
Aim
• Assess ability to detect and respond
• Fuse/visualize end-to-end IH timelines
Input Data
• Mean time to incident detection/identification
• Mean time to incident eradication
• Mean time to incident recovery
• Number of Lessons Learned as a result of the incident
[Chart: stacked bar chart for Sept, Oct and Nov; series Avg Time to Detect (hrs), Avg Time to Eradicate (hrs), Avg Time to Recover (hrs); scale 0 to 16 hrs]
Visualization
• Stacked Bar Chart – allows reader to quickly compare the relative time involved in each phase of incident handling
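The three mean-time metrics of Example 3 are simple to state but easy to compute inconsistently across reporting periods. The script below, added here as an illustration and not part of the tiger team's report or tooling, derives mean time to detect, eradicate and recover per month from a constructed incident log, sums the lessons learned, and renders the same stacked-bar view in plain text. The incident records, field names and the choice of the detection month as the reporting period are all assumptions made for this example; it also rejects a record whose timeline runs backwards, a data-quality failure that would otherwise silently skew the averages.

```python
"""Incident-handling phase metrics (MTTD / MTTE / MTTR) per reporting period.

Added example, not code from the SANS tiger-team report. The incident
records below are constructed sample data, not real incidents.
"""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample incidents. Each timestamp marks when the incident
# occurred (first evidence), was detected, was eradicated and was recovered.
INCIDENTS = [
    {"id": "INC-001", "occurred": "2011-09-02 08:00", "detected": "2011-09-02 14:00",
     "eradicated": "2011-09-02 20:00", "recovered": "2011-09-03 02:00", "lessons": 2},
    {"id": "INC-002", "occurred": "2011-09-10 00:00", "detected": "2011-09-10 10:00",
     "eradicated": "2011-09-10 14:00", "recovered": "2011-09-10 16:00", "lessons": 1},
    {"id": "INC-003", "occurred": "2011-10-05 09:00", "detected": "2011-10-05 12:00",
     "eradicated": "2011-10-05 17:00", "recovered": "2011-10-05 21:00", "lessons": 1},
    {"id": "INC-004", "occurred": "2011-10-20 22:00", "detected": "2011-10-21 03:00",
     "eradicated": "2011-10-21 06:00", "recovered": "2011-10-21 08:00", "lessons": 0},
    {"id": "INC-005", "occurred": "2011-11-08 06:00", "detected": "2011-11-08 08:00",
     "eradicated": "2011-11-08 10:00", "recovered": "2011-11-08 11:00", "lessons": 1},
]

# Constructed record with a backwards timeline (eradicated before detected),
# used to show that the phase calculation refuses inconsistent data.
BAD_INCIDENT = {"id": "INC-BAD", "occurred": "2011-11-15 10:00", "detected": "2011-11-15 12:00",
                "eradicated": "2011-11-15 11:00", "recovered": "2011-11-15 13:00", "lessons": 0}

# Phase name and the two timestamps that bound it.
PHASES = (
    ("detect", "occurred", "detected"),
    ("eradicate", "detected", "eradicated"),
    ("recover", "eradicated", "recovered"),
)


def phase_hours(inc):
    """Hours spent in each handling phase; raises ValueError if a phase would be negative."""
    hours = {}
    for name, start, end in PHASES:
        t0 = datetime.strptime(inc[start], FMT)
        t1 = datetime.strptime(inc[end], FMT)
        if t1 < t0:
            raise ValueError(f"{inc['id']}: '{end}' precedes '{start}'")
        hours[name] = (t1 - t0).total_seconds() / 3600
    return hours


def period_of(inc):
    """Reporting period key (YYYY-MM); the detection month is used by assumption."""
    return datetime.strptime(inc["detected"], FMT).strftime("%Y-%m")


def metrics_by_period(incidents):
    """Mean hours per phase, incident count and lessons learned, keyed by period."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[period_of(inc)].append(inc)
    result = {}
    for period in sorted(buckets):
        group = buckets[period]
        hours = [phase_hours(inc) for inc in group]
        n = len(group)
        result[period] = {
            "incidents": n,
            "mttd_hrs": sum(h["detect"] for h in hours) / n,
            "mtte_hrs": sum(h["eradicate"] for h in hours) / n,
            "mttr_hrs": sum(h["recover"] for h in hours) / n,
            "lessons_learned": sum(inc["lessons"] for inc in group),
        }
    return result


def stacked_bar(metrics, hrs_per_char=1.0):
    """Text stacked bar per period: D = detect, E = eradicate, R = recover."""
    lines = []
    for period, m in metrics.items():
        bar = ("D" * round(m["mttd_hrs"] / hrs_per_char)
               + "E" * round(m["mtte_hrs"] / hrs_per_char)
               + "R" * round(m["mttr_hrs"] / hrs_per_char))
        total = m["mttd_hrs"] + m["mtte_hrs"] + m["mttr_hrs"]
        lines.append(f"{period} |{bar} {total:.1f} hrs end-to-end, "
                     f"{m['incidents']} incidents, {m['lessons_learned']} lessons learned")
    return "\n".join(lines)


if __name__ == "__main__":
    print(stacked_bar(metrics_by_period(INCIDENTS)))
```

Keeping the three phases as separate means rather than one end-to-end figure is what makes the stacked bar useful: a growing detect segment next to a flat recover segment points at monitoring, not at the responders.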

Visualization / Dashboard (1)

Visualization / Dashboard (2)

Recommendations
• The establishment of an enterprise-wide security metrics program.
• The adoption of the SANS Top 20 Security Controls framework as a basis for the ongoing gathering and reporting of security metrics.
• The institution of a security metrics board which will regularly assess the effectiveness and adjust the security metrics program.

References
• Twenty Critical Security Controls for Cyber Defense, SANS/CAG
• NIST Special Publication 800-61
• Beautiful Security Metrics, Elizabeth Nichols
• Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, John Gilligan
• Seven Myths about Information Security Metrics, Dr. Gary Hinson
• Security Metrics: Replacing Fear, Uncertainty and Doubt, Gary McGraw
• FISMA FY2011 - CIO Reporting Metrics, US DHS
• IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data, Lance Hayden, Ph.D.
• A Guide to Security Metrics (SANS Reading Room), Shirley C. Payne
• CSO Security and Risk, Scott Berinato