SABSA High-Level Framework
Gap Analysis
The difference between where you are and where you want to be:
- # malware
- Rate of finding illegal software, hardware
- Security awareness training averages
SEI/COBIT Level 4 Monitoring: Includes Metrics
Metrics inform management (and independent auditors) of the effectiveness of the security program.
- Monitoring achievement of control objectives may be more important than perfecting security procedures.
Which metrics to use?
Addresses specific business
- Inherent industry risks
- Tailored to organization
- Measures adherence to control objectives
Addresses recent threats observed by CERT
- CERT: Computer Emergency Readiness
- Addresses recent forensic data
Monitoring Function: Business-Driven Metrics
Executive mgmt is interested in strategic risk, budget, policy. Metrics review every 6 months to 1 year.
Determine effectiveness of security program: risk changes, compliance, incident response tests. Review quarterly to half-yearly.
Metrics technical details: e.g., firewall, logs, IPS, vulnerability tests. Review weekly. Automate statistics.
Monitoring Function: Business-Driven Metrics
- Project Plan or Budget Metrics
- Strategic Risk Performance Metrics
- Disaster Recovery Test results
- Audit results
- Regulatory compliance results
- Policy compliance metrics
- Exceptions to policy/standards
- Changes in process or system affecting risk
- Incident management effectiveness metrics
- Vulnerability Scan results
- Server config. standards
- IDS monitoring results
- Firewall log analysis
- Patch mgmt status
Which metrics?
Step 1: What are the most important security areas … threats … regulation … to monitor in your organization?
Step 2: Which metrics make the most sense to collect? Can they be automated?
Step 3: Consider the 3 perspectives: strategic, tactical, operational metrics, relative to 3
Monitoring Function: Metrics
- The aggregate ALE
- % of risk eliminated, mitigated,
- # of open risks due to inaction
Cost Effectiveness: What is:
- Cost of workstation security per user
- Cost of email spam and virus protection per mailbox
Operational Performance:
- Time to detect and contain incidents
- % packages installed without problem
- % of systems audited in last quarter
Organizational Awareness:
- % of employees passing quiz, after training vs. 3 months later
- % of employees taking training
Technical Security Architecture:
- # of malware identified and neutralized
- Types of compromises, by severity & attack type
- Attack attempts repelled by control
- Volume of messages, KB processed by communications control devices
Security Process Monitoring:
- Last date and type of BCP, DRP, IRP
- Last date asset inventories were reviewed & updated
- Frequency of executive mgmt review activities compared to planned
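Several of the metrics on this slide (aggregate ALE, % of risk treated, open risks, time to detect and contain) can be computed mechanically from a risk register and incident records. The following is an added example, not part of the original slides; the risk register, the incident records and their field names (sle, aro, status, started, detected, contained) are constructed sample data and assumptions.

```python
# Added example (not from the slides): computing several of the metrics listed
# above from a constructed risk register and constructed incident records.
# Field names (sle, aro, status, started, detected, contained) are assumptions.
from datetime import datetime
from statistics import mean

# Constructed risk register. SLE = single loss expectancy (currency units),
# ARO = annualized rate of occurrence, so ALE = SLE * ARO per risk.
RISK_REGISTER = [
    {"id": "R1", "name": "Web outage",        "sle": 20_000, "aro": 2.0, "status": "mitigated"},
    {"id": "R2", "name": "FERPA disclosure",  "sle": 50_000, "aro": 0.5, "status": "open"},
    {"id": "R3", "name": "Malware infection", "sle": 5_000,  "aro": 6.0, "status": "mitigated"},
    {"id": "R4", "name": "Brute-force login", "sle": 8_000,  "aro": 1.0, "status": "eliminated"},
    {"id": "R5", "name": "Lost laptop",       "sle": 10_000, "aro": 0.3, "status": "open"},
]

# Constructed incident records with start, detection and containment times.
INCIDENTS = [
    {"id": "I1", "started": "2024-03-01 08:00", "detected": "2024-03-01 09:30", "contained": "2024-03-01 12:00"},
    {"id": "I2", "started": "2024-03-10 22:00", "detected": "2024-03-11 06:00", "contained": "2024-03-11 18:00"},
]

def aggregate_ale(register):
    """Aggregate ALE: the sum of SLE * ARO over every risk in the register."""
    return sum(r["sle"] * r["aro"] for r in register)

def pct_risk_treated(register, statuses=("eliminated", "mitigated")):
    """Share of the aggregate ALE carried by risks that were eliminated or mitigated."""
    total = aggregate_ale(register)
    treated = sum(r["sle"] * r["aro"] for r in register if r["status"] in statuses)
    return round(100.0 * treated / total, 1) if total else 0.0

def open_risks(register):
    """Number of risks still open: the '# of open risks due to inaction' metric."""
    return sum(1 for r in register if r["status"] == "open")

def _hours(later, earlier, fmt="%Y-%m-%d %H:%M"):
    """Elapsed hours between two timestamps in the constructed record format."""
    delta = datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)
    return delta.total_seconds() / 3600

def mean_time_to_detect_hours(incidents):
    """Average hours from incident start to detection."""
    return mean(_hours(i["detected"], i["started"]) for i in incidents)

def mean_time_to_contain_hours(incidents):
    """Average hours from detection to containment."""
    return mean(_hours(i["contained"], i["detected"]) for i in incidents)

if __name__ == "__main__":
    print(f"Aggregate ALE: {aggregate_ale(RISK_REGISTER):,.0f}")
    print(f"% of risk eliminated/mitigated: {pct_risk_treated(RISK_REGISTER)}")
    print(f"Open risks: {open_risks(RISK_REGISTER)}")
    print(f"MTTD: {mean_time_to_detect_hours(INCIDENTS)} h, "
          f"MTTC: {mean_time_to_contain_hours(INCIDENTS)} h")
```

Weighting "% of risk treated" by ALE rather than by a plain count of risks keeps one large untreated risk from being hidden behind many small treated ones, which is the point of reporting the aggregate to management.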
Workbook: Metrics
What are the most important areas to monitor in your organization?
Major Risks: Lunatic gunman; FERPA Violation; Web Availability; Cracking Attempt
Metrics Selected                      | Calculation & Collection                     | Period of
Strategic: Cost of security/terminal  | Information Tech. Group                      | 1 year
Cost of incidents                     | Incident Response totals                     | 6 months
% employees passing FERPA             | Annual email requesting                      | 1 year
% employees completing FERPA training | Two annual trainings with; Performance review | 1 year
# Hours Web unavailable               | Incident Response form                       | 6 months
# brute force attacks                 | Incident Response form                       | 1 month
# malware infections                  | Incident Response form                       | 1 month
SANS: Critical Controls for Effective Cyber Defense
Metric: Temporarily install unauthorized software/hardware on a device. It should be
- found within 24 hours (or 2 minutes?)
- isolated within one hour, confirmed by
- reported every 24 hours until device is
SANS Critical Control 1: Inventory of Authorized Devices
Ensure all devices (with IP address) on network are known, configured properly, and patched.
- Scan network daily or use DHCP reports or passive monitoring.
- Compare results with baseline configuration.
- Metric: Temporarily install unauthorized device.
SANS Critical Control 2: Inventory of Authorized Software
Ensure all software is approved and recently patched.
- Whitelist defines the permitted list of software.
- Blacklist defines illegal software (e.g., IT tools).
- Endpoint Security Suites (ESS) contain antivirus, antispyware, firewall, IDS/IPS, s/w white/blacklisting.
- Metric: Temporarily install unauthorized software on a device.
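Controls 1 and 2 both reduce to the same check: compare what was observed (a network scan, an installed-software list) against what is approved (the device baseline, the software whitelist and blacklist) and report the differences, then measure how long the unauthorized item survived before it was found. The following is an added example covering both controls; it is not from the slides or from SANS, and the baseline, scan result, software lists and timestamps are constructed sample data.

```python
# Added example (not from the slides): diffing an observed inventory against an
# approved baseline for Critical Controls 1 (devices) and 2 (software).
# All data below is constructed; MAC addresses, hostnames and package names are made up.
from datetime import datetime

# Constructed baseline of authorized devices, keyed by MAC address.
BASELINE_DEVICES = {
    "aa:bb:cc:00:00:01": {"hostname": "web01", "ip": "10.0.1.10"},
    "aa:bb:cc:00:00:02": {"hostname": "db01",  "ip": "10.0.1.20"},
    "aa:bb:cc:00:00:03": {"hostname": "wks17", "ip": "10.0.2.17"},
}

# Constructed result of a daily scan (or a DHCP lease report).
SCAN_RESULT = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "web01", "ip": "10.0.1.10"},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "wks17", "ip": "10.0.2.99"},   # IP drifted from baseline
    {"mac": "de:ad:be:ef:00:01", "hostname": "rpi",   "ip": "10.0.2.200"},  # not in baseline at all
]

def diff_devices(baseline, scan):
    """Return MACs that are unknown (seen but not approved), missing (approved but
    not seen, e.g. powered off or unplugged) and changed (attributes drifted)."""
    seen = {d["mac"]: d for d in scan}
    unknown = sorted(mac for mac in seen if mac not in baseline)
    missing = sorted(mac for mac in baseline if mac not in seen)
    changed = sorted(
        mac for mac, d in seen.items()
        if mac in baseline
        and (d["ip"] != baseline[mac]["ip"] or d["hostname"] != baseline[mac]["hostname"])
    )
    return {"unknown": unknown, "missing": missing, "changed": changed}

# Constructed software policy: the whitelist is what may run, the blacklist is
# what must never be present (the slide's example: remote-access IT tools).
WHITELIST = {"office-suite", "browser", "edr-agent", "pdf-reader"}
BLACKLIST = {"telnet", "vnc-server", "password-cracker"}

# Constructed per-host installed-software inventory.
INSTALLED = {
    "web01": {"browser", "edr-agent", "nginx"},
    "wks17": {"office-suite", "browser", "edr-agent", "vnc-server"},
}

def classify_software(installed, whitelist, blacklist):
    """Per host: blacklisted packages (remove now) and unapproved packages
    (not on either list, so they need review before being allowed or blocked)."""
    return {
        host: {
            "blacklisted": sorted(pkgs & blacklist),
            "unapproved": sorted(pkgs - whitelist - blacklist),
        }
        for host, pkgs in installed.items()
    }

def detection_within_sla(installed_at, detected_at, sla_hours=24):
    """The slide's metric: was the unauthorized item found within the SLA window?"""
    fmt = "%Y-%m-%d %H:%M"
    elapsed = datetime.strptime(detected_at, fmt) - datetime.strptime(installed_at, fmt)
    return elapsed.total_seconds() <= sla_hours * 3600

if __name__ == "__main__":
    print(diff_devices(BASELINE_DEVICES, SCAN_RESULT))
    print(classify_software(INSTALLED, WHITELIST, BLACKLIST))
    print(detection_within_sla("2024-03-01 09:00", "2024-03-01 20:00"))
```

Keying the device baseline on MAC rather than IP matters for the "changed" bucket: an approved machine that moved to a new address is a drift to investigate, not a new unknown device, and an unknown MAC on an approved IP is the reverse.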
SANS Critical Control 3: Secure Configurations for Hardware &
All devices are hardened using recommended security
- Illegal software list exists, includes Telnet, VNC, RDP
- New software is quarantined and monitored.
- Imaged software is maintained in an updated state.
- Build secure images, and use configuration checking tools daily.
- Metric: Temporarily attempt to change a set of random
SANS Critical Control 4: Continuous Vulnerability Assessment
Run vulnerability scans on all systems at least weekly, preferably daily. Problem fixes are verified through additional scans.
- Vulnerability scanning tools (updated) for: wireless, server, endpoint, etc.
- Automated patch management tools notify via email when all systems have been patched.
- Metric: If the scan does not complete in 24 hours, an email notification occurs.
SANS Critical Control 5: Malware Defense
Antivirus/antispyware is always updated.
- Run against all data: shared files, server data, mobile data.
- Additional controls: blocking social media, limiting external devices (USB), using web proxy gateways, network monitoring.
- Endpoint security suites can report tool is updated and active on all systems.
- Metric: For benign malware (e.g., security/hacking tool) install, antivirus prevents installation or execution or quarantines software, and sends an alert/email within one hour indicating specific device and owner.
SANS Critical Control 6: Application S/W Security
New application software is tested for security vulnerabilities:
- Web vulnerabilities: buffer overflow, SQL injection, cross-site scripting, cross-site request forgery, clickjacking of code, and performance during DDOS attacks.
- S/W validates input for size, type.
- S/W does not report system error messages directly.
- Automated testing includes static code analyzers and automated web scanning.
- Configurations include application firewalls and hardened
- Metric: An attack on the software generates a log/email within 24 hours (or less).
- Automated web scanning occurs weekly or daily.
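Two of the bullets above are coding rules rather than testing rules: validate input for size and type, and never hand system error messages back to the caller. The following is an added example of both, not from the slides or from SANS; the field rules, the hypothetical lookup_record backend and the constructed failure it raises are assumptions made for illustration.

```python
# Added example (not from the slides): input validation by size and type, plus
# error handling that logs the real failure but returns only a generic message.
# The validation rules and the hypothetical lookup_record backend are assumptions.
import logging
import re

log = logging.getLogger("app")

# Constructed validation rules: field -> (maximum length, pattern of allowed values).
# Length is checked before the regex so oversized input never reaches the matcher.
RULES = {
    "student_id": (9,  re.compile(r"^\d{9}$")),
    "email":      (64, re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")),
    "term":       (6,  re.compile(r"^(FA|SP|SU)\d{4}$")),
}

class ValidationError(ValueError):
    """Raised for caller mistakes; its message is safe to show to the caller."""

def validate(field, value):
    """Reject values of the wrong type, over the size limit, or not in the allowed format."""
    if field not in RULES:
        raise ValidationError(f"unknown field {field!r}")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected text")
    max_len, pattern = RULES[field]
    if len(value) > max_len:
        raise ValidationError(f"{field}: too long")
    if not pattern.match(value):
        raise ValidationError(f"{field}: bad format")
    return value

def lookup_record(student_id):
    """Hypothetical backend call (constructed). One id triggers a fake system error
    so the handler's error path can be exercised offline."""
    if student_id == "000000000":
        raise RuntimeError("connection to db01:5432 refused")  # constructed system error text
    return {"student_id": student_id, "status": "enrolled"}

def handle_request(params):
    """Validate, then call the backend. Validation messages are ours and may be
    returned; anything else is logged in full and replaced by a generic error."""
    try:
        sid = validate("student_id", params.get("student_id"))
        return {"ok": True, "data": lookup_record(sid)}
    except ValidationError as e:
        return {"ok": False, "error": str(e)}
    except Exception:
        log.exception("backend failure")          # full traceback goes to the log only
        return {"ok": False, "error": "internal error"}

if __name__ == "__main__":
    for p in ({"student_id": "123456789"}, {"student_id": "12345678901"},
              {"student_id": "abc"}, {}, {"student_id": "000000000"}):
        print(p, "->", handle_request(p))
```

The split between the two except clauses is the whole design: ValidationError messages are written by the application and contain nothing about its internals, while anything else (driver errors, connection strings, stack traces) stays in the log where operations staff can read it.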
SANS Critical Control 7: Wireless Device Control
Wireless access points are securely configured with WPA2 protocol and AES.
- Extensible Authentication Protocol-Transport Layer Security (EAP/TLS) provides mutual authentication.
- Only registered, security-approved devices are able to connect.
- Wireless networks are configured for the minimum required radio
- Metrics: Wireless intrusion detection systems detect available wireless access points and deactivate rogue access points within 1 hour.
- Vulnerability scanners can detect unauthorized wireless access points connected to the Internet.
SANS Critical Control 8: Data Recovery Capability
Backups are maintained at least weekly and more often for critical data.
- Backups are encrypted and securely stored.
- Multiple staff can perform backup/recovery.
- Metric: Test backups quarterly for a random sample of systems. This includes operating system, software, and data restoration.
SANS Critical Control 9: Security Skills Assessment
Security awareness training is required for end users, system owners.
Security training is necessary for programmers, system, security and network administrators.
- Metric: Test security awareness understanding.
- Periodically run social engineering tests via phishing emails and phone calls.
- Employees who fail a test must attend a class.
SANS Critical Control 10: Secure Network Configurations
A configuration db tracks approved configurations in config. mgmt. for network devices: firewalls, routers,
- Two-factor identification is used for network devices.
- Tools perform rule set sanity checking for Access Control Lists.
- Metric: Any change to the configuration of a network device is reported within 24 hours.
SANS Critical Controls
11. Control of Network Ports, Protocols, and
- Default Deny packets.
- Periodically review for
12. Controlled
- Minimal elevated
- Passwords are complex, changed periodically, 2-factor
SANS Critical Controls
13. Boundary
- Use firewall zones to filter incoming and outgoing traffic.
- Blacklist & whitelist network addresses
14. Analysis of Security Audit Logs:
- Server logs are write-only and archived for
- Firewalls log all allowed and blocked
- Unauthorized access attempts are logged.
SANS Critical Controls
15. Need to Know Access: Prevent exfiltration of data to competitors.
- Data classification
- Restrictive firewall
- Logged access to confidential data
16. Account Monitoring and
- Terminated accounts -> removed
- Expired password/disabled/locked out accounts ->
- Failed logins -> lockouts
- Inactivity -> locked sessions
- Unusual time access -> alert
- Data exfiltration recognized by
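The account-monitoring rules of Control 16 (repeated failed logins lead to a lockout, access at unusual hours raises an alert, terminated accounts must not be in use) are the kind of logic a log-analysis job runs over authentication events every night. The following is an added example of that logic, not from the slides or from SANS; the log line format, the failure threshold, the business-hours window and the terminated-account list are all constructed assumptions.

```python
# Added example (not from the slides): Control 16 account-monitoring checks run
# over constructed authentication log lines. Log format, threshold, business
# hours and the terminated-account list are assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a made-up format: "<date> <time> <OK|FAIL> user=<name> src=<ip>"
LOG_LINES = """
2024-03-04 09:01:10 FAIL user=jdoe src=10.0.2.17
2024-03-04 09:01:15 FAIL user=jdoe src=10.0.2.17
2024-03-04 09:01:20 FAIL user=jdoe src=10.0.2.17
2024-03-04 09:01:25 FAIL user=jdoe src=10.0.2.17
2024-03-04 09:01:30 FAIL user=jdoe src=10.0.2.17
2024-03-04 09:02:00 OK user=jdoe src=10.0.2.17
2024-03-04 10:15:00 OK user=asmith src=10.0.2.40
2024-03-04 02:30:00 OK user=asmith src=10.0.2.40
2024-03-04 11:00:00 OK user=bgone src=10.0.2.51
""".strip().splitlines()

TERMINATED = {"bgone"}                  # constructed: accounts HR says should be gone
FAIL_THRESHOLD = 5                      # assumption: consecutive failures before lockout
BUSINESS_HOURS = range(7, 20)           # assumption: 07:00 to 19:59 is normal access time
LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "result": result, "user": user, "src": src}

def analyze(lines, terminated=TERMINATED):
    """Return findings for the three Control 16 rules implemented here:
    lockout (N consecutive failures), off_hours (successful login outside
    business hours) and terminated (successful login by a removed account)."""
    failures = defaultdict(int)
    findings = {"lockout": [], "off_hours": [], "terminated": []}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                     # unparseable line: skip, count elsewhere in practice
        user = ev["user"]
        if ev["result"] == "FAIL":
            failures[user] += 1
            if failures[user] == FAIL_THRESHOLD:
                findings["lockout"].append(user)
            continue
        failures[user] = 0               # a success resets the consecutive-failure count
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings["off_hours"].append((user, ev["ts"].isoformat()))
        if user in terminated:
            findings["terminated"].append(user)
    return findings

if __name__ == "__main__":
    for rule, hits in analyze(LOG_LINES).items():
        print(f"{rule}: {hits}")
```

The "terminated" finding is the one that should never fire: it indicates either that the account removal step of Control 16 was missed or that the HR feed and the directory have drifted apart, so it is worth reporting even when the login itself looked legitimate.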
SANS Critical Controls
17. Data Loss
- Prevent exfiltration of proprietary or confidential info.
- Encryption of mobile and USB devices;
- Disable USB
18. Incident
- Incident Response Plan defines who does what for various
- IRP includes contact information for third party contractors.
SANS Critical Controls
19. Secure Network
- Separate zones: DMZ, middleware, private network
- DMZ accessed through proxy
- DMZ DNS is in DMZ; internal DNS is in internal zone, …
- Emergency config. for restricted network is ready for quick deployment.
20. Penetration
- Penetration tests = vulnerability tests + attacker tests.
- Red Team exercises test incident response team
The difference between where an organization performs and where they intend to perform is known as:
1. Gap analysis
2. Quality Control
3. Performance Measurement
4. Benchmarking
The MOST important metrics when measuring compliance include:
1. Metrics most easily automated
2. Metrics related to intrusion detection
3. Those recommended by best practices
4. Metrics measuring conformance to policy
Sources of Information
Slide Title                            | Source of Information
Level 4: Monitoring: Includes Metrics  | CISM: page 192-194
Monitoring Function: Metrics           | CISM: page 192