ISSA Sacramento: Security Metrics - So What?
Allgress, Inc.
ISSA Sacramento chapter presentation on security metrics and communications.
1. ISSA Sacramento: Security Metrics – So What?
William Tang, CTO, Allgress, Inc. (09/17/2010)
ALLGRESS, INC. © 2009 ALLGRESS, INC. ∙ 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com

2. Security Metrics – So What?
• Why are we gathering metrics?
• Who are we gathering these metrics for?
• What will we do with the metrics, once we have them?

3. What Will You Learn?
• Techniques to influence business decision makers.
• Simple ways to demonstrate security value.
• How to align security strategy with the business.

4. IT Security's Job Description
Minimize Security Risk & Maximize Business Value. Business and security metrics are needed to demonstrate and communicate both objectives.

5. Presentation Outline
• Introduction Exercise
• Be More Effective
• Demonstrate Security Value
• Conclusion

6. If You Were a CFO, COO, or Exec…
This is the language you would speak:
– Discount Rate
– Leverage Ratio
– Covenants
– Net Debt Free Cash Flow
– EBITDA, EPS, Beta, etc.
If this sounds like a foreign language, imagine how they feel when we use IT security terms…

7. Which Statement for Exec Mgmt?
A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.
B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.

8. Presentation Outline
• Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion

9. Choose Wisely
[Venn diagram: Security Metrics and Business Metrics overlap to give Useful Metrics (for your intended audience)]

10. Example: Risk & Revenue
• 'Bubbles' represent business units (BU). This BU generates 30% of revenue, but it has high risk.
• Size of the bubble represents the BU percentage revenue ($).
• NIST Risk Methodology (tech scans & audits).
[Bubble chart; risk axis: Low Risk / Medium Risk / High Risk]
IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?

11. Example: Escape Fire Fighting Mode
• PCI compliance scans from Qualys.
• Results grouped by operating system or asset type.
For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.

12. Example: Escape Fire Fighting Mode
• Same Qualys data as before, but now grouped by vulnerability type.
Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?

13. Example: Naughty Business Unit
• Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
• Leverage any vulnerability scanning tool.
• Link with estimates for remediation, Remedy trouble tickets or a timesheet system.
[Pie chart wedges: Los Angeles, New York, Austin, Boston]
If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?
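As an added example (not code from the talk, and not an Allgress tool), the Python below takes one constructed set of scanner findings and pivots it the three ways slides 7, 10 to 13 describe: by asset type (the fire-fighting view), by vulnerability type (the strategic view), by business unit labour hours (the "naughty business unit" view), and finally as a revenue-weighted statement of the kind shown as option B on slide 7. Every host, business unit, revenue share and hour estimate is a constructed value; real input would come from a scanner export joined to a CMDB and ticketing data, as slide 13 suggests.

```python
"""Pivot the same vulnerability findings into technical, strategic and business views.

All data below is constructed for illustration; it is not real scan output.
"""
from collections import Counter, defaultdict

# Constructed sample: each entry is one scanner finding reduced to the fields we need.
# Severity follows the 1-5 scale used on slide 7; hours are estimated remediation effort
# (what a ticketing or timesheet system would supply in practice).
FINDINGS = [
    {"host": "web-01", "asset_type": "Web Server", "unit": "Los Angeles", "vuln_type": "Missing OS patch", "severity": 5, "hours": 4},
    {"host": "web-02", "asset_type": "Web Server", "unit": "Boston", "vuln_type": "Missing OS patch", "severity": 4, "hours": 4},
    {"host": "mail-01", "asset_type": "Mail Server", "unit": "Boston", "vuln_type": "Weak TLS configuration", "severity": 3, "hours": 2},
    {"host": "mail-02", "asset_type": "Mail Server", "unit": "New York", "vuln_type": "Missing OS patch", "severity": 3, "hours": 4},
    {"host": "db-01", "asset_type": "Database", "unit": "Austin", "vuln_type": "Weak TLS configuration", "severity": 2, "hours": 2},
    {"host": "db-02", "asset_type": "Database", "unit": "Boston", "vuln_type": "Default credentials", "severity": 5, "hours": 1},
    {"host": "app-01", "asset_type": "Web Server", "unit": "Boston", "vuln_type": "Missing OS patch", "severity": 3, "hours": 4},
]

# Constructed share of company revenue generated by each business unit (sums to 1.0).
REVENUE_SHARE = {"Los Angeles": 0.40, "New York": 0.30, "Boston": 0.20, "Austin": 0.10}

CRITICAL = 4  # severity 4 and 5 are treated as critical, matching slide 7


def count_by(findings, field):
    """Number of findings per distinct value of `field` (e.g. 'asset_type' or 'vuln_type').

    Grouping by asset_type is the per-box fire-fighting view of slide 11;
    grouping by vuln_type is the strategic view of slide 12.
    """
    return dict(Counter(f[field] for f in findings))


def hours_by(findings, field):
    """Estimated remediation labour hours summed per value of `field` (slide 13 pie chart)."""
    totals = defaultdict(int)
    for f in findings:
        totals[f[field]] += f["hours"]
    return dict(totals)


def revenue_at_risk(findings, revenue_share, min_severity=CRITICAL):
    """Share of revenue generated by business units with at least one finding
    at or above `min_severity`. This is the figure behind statement B on slide 7."""
    exposed_units = {f["unit"] for f in findings if f["severity"] >= min_severity}
    return round(sum(revenue_share[u] for u in exposed_units), 2)


def exec_summary(findings, revenue_share):
    """Return the two slide-7 style statements (technical, business) built from the same data."""
    critical = [f for f in findings if f["severity"] >= CRITICAL]
    hosts = {f["host"] for f in findings}
    technical = (f"We have {len(critical)} severity {CRITICAL}+ vulnerabilities "
                 f"on our {len(hosts)} servers.")
    pct = round(revenue_at_risk(findings, revenue_share) * 100)
    business = (f"The IT systems that generate {pct}% of our revenue "
                f"have critical security vulnerabilities.")
    return technical, business


if __name__ == "__main__":
    print("By asset type:", count_by(FINDINGS, "asset_type"))
    print("By vulnerability type:", count_by(FINDINGS, "vuln_type"))
    print("Labour hours by business unit:", hours_by(FINDINGS, "unit"))
    for line in exec_summary(FINDINGS, REVENUE_SHARE):
        print(line)
```

With the constructed data, the asset-type view shows three server classes with a couple of findings each, while the vulnerability-type view shows that four of seven findings are the same missing-patch problem, which points at a patching process fix rather than seven tickets. The hours view shows Boston consuming the most remediation time despite Los Angeles holding the higher-revenue systems, and the revenue view turns three critical findings into a single sentence an executive can act on.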
14. Presentation Outline
• Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion

15. Example: Risk Reduction Per $
• 'Bubble' can represent any business metric.
• Demonstrate changes in risk over time (trending).
[Bubble chart: Year 1, Year 2, Year 3]
We can calculate the changes in risk and costs to show how effective investments in security reduce risk, or how reducing investments in security increases risk.

16. Example: Risk Reduction Per $
Demo of Risk Trending

17. Example: Prove Cost Savings
• Web Servers required 1,034 labor hours to mitigate vulnerabilities.
• Mail Services vulnerabilities required 1,014 labor hours.
• Total is 2,048 hours.
• Assume the average labor hour is $100/hr.
[Chart: Web Servers, Mail Services]

18. Example: Prove Cost Savings
October 2009: Implement training and awareness for system admins to prevent vulnerabilities with change control and patching processes.
• Hours = 2,048
• Labor Cost = $100/hr
• Total Cost = $20,480
January 2010: Scans for this quarter show that the vulnerability count has decreased by 40%. As a result, labor hours have also decreased by approx. 40%.
• Hours = 1,200
• Labor Cost = $100/hr
• Total Cost = $12,000
Estimated Cost Savings = $8,480

19. Example: Prove Cost Savings
[Charts for October 2009 and January 2010: CLOSED / PENDING / OPEN]
NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.

20. Example: Align With The Business
[chart only]

21. Example: Align With The Business
[chart only]

22. Presentation Outline
• Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion

23. Allgress Solution Objectives
Minimize Security Risk & Maximize Business Value. Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.

24. Parting Words of Wisdom
Dave Cullinane, CISO: "Being able to demonstrate that we're spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I've seen at being able to do that."
Full webinar at http://www.allgress.com/webinars

25. Q&A
William Tang, Chief Technology Officer, Allgress, Inc.
Email: william.tang@allgress.com
Direct: 310.383.2783
FAX: 310.496.0426
www.allgress.com