ISSA SACRAMENTO
SECURITY METRICS – SO WHAT?

WILLIAM TANG, CTO
09/17/2010

                                                      ALLGRESS, INC.
© 2009 ALLGRESS, INC.                                                                                1
                         2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Security Metrics – So What?

  • Why are we gathering metrics?
  • Who are we gathering these metrics for?
  • What will we do with the metrics, once we have them?

What You Will Learn

  • Techniques to influence business decision makers.
  • Simple ways to demonstrate security value.
  • How to align security strategy with the business.

IT Security’s Job Description

  Minimize Security Risk & Maximize Business Value

  Business and security metrics are needed to demonstrate and communicate both objectives.

Presentation Outline

  • Introduction Exercise
  • Be More Effective
  • Demonstrate Security Value
  • Conclusion

If You Were a CFO, COO, or Exec…

  • This is the language you would speak:
      – Discount Rate
      – Leverage Ratio
      – Covenants
      – Net Debt Free Cash Flow
      – EBITDA, EPS, Beta, etc…

  If this sounds like a foreign language, imagine how they feel when we use IT security terms…

Which Statement for Exec Mgmt?

  A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.
  B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.

Choose Wisely

  [Diagram: Security Metrics and Business Metrics, with Useful Metrics (for your intended audience) where the two meet.]

Example: Risk & Revenue

  [Bubble chart; the x-axis runs Low Risk / Medium Risk / High Risk. Callout: "This BU generates 30% of revenue, but it has high risk."]

  • ‘Bubbles’ represent business units (BU).
  • Size of the bubble represents the BU percentage revenue ($).
  • NIST Risk Methodology (tech scans & audits).

  IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?

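The translation from statement A to statement B, and the per-BU table behind the risk-and-revenue bubble chart, as an added example that is not from the deck or from Allgress. The asset inventory, revenue shares, findings and the Low/Medium/High bucketing rule are all constructed assumptions; the deck cites a NIST methodology for the risk rating, which this stand-in does not implement.

```python
from collections import defaultdict

# Severity scale 1-5 as used by Qualys-style scanners; the deck treats
# severity 4 and 5 as critical.
CRITICAL_SEVERITIES = {4, 5}

# Constructed asset inventory: hostname -> business unit (BU) it serves.
ASSETS = {
    "web-01": "Online Sales",
    "web-02": "Online Sales",
    "db-01": "Online Sales",
    "erp-01": "Manufacturing",
    "erp-02": "Manufacturing",
    "hr-01": "Corporate",
    "mail-01": "Corporate",
}

# Constructed revenue share per BU (fractions of total revenue, summing to 1.0).
REVENUE_SHARE = {"Online Sales": 0.30, "Manufacturing": 0.55, "Corporate": 0.15}

# Constructed scan findings: (hostname, severity), one row per finding.
FINDINGS = [
    ("web-01", 5), ("web-01", 3), ("web-02", 4), ("db-01", 5),
    ("erp-01", 3), ("erp-02", 2), ("hr-01", 3), ("mail-01", 1),
]


def critical_findings_by_bu(findings, assets):
    """Count severity 4/5 findings per BU, following the asset -> BU mapping."""
    counts = defaultdict(int)
    for host, severity in findings:
        if severity in CRITICAL_SEVERITIES:
            counts[assets[host]] += 1
    return dict(counts)


def risk_bucket(critical, asset_count):
    """Assumed bucketing rule (a stand-in for the NIST methodology the deck
    cites): average number of critical findings per asset in the BU."""
    if asset_count == 0 or critical == 0:
        return "Low Risk"
    per_asset = critical / asset_count
    if per_asset < 1:
        return "Medium Risk"
    return "High Risk"


def technical_statement(findings, assets):
    """Statement A: how the scanner output reads before translation."""
    critical = sum(1 for _, s in findings if s in CRITICAL_SEVERITIES)
    return (f"We have {critical} severity 4 and 5 vulnerabilities "
            f"on our {len(assets)} servers.")


def revenue_at_risk(findings, assets, revenue_share):
    """Fraction of revenue generated by BUs with at least one critical finding."""
    exposed = {assets[h] for h, s in findings if s in CRITICAL_SEVERITIES}
    return sum(revenue_share[bu] for bu in exposed)


def business_statement(findings, assets, revenue_share):
    """Statement B: the same facts expressed in revenue terms."""
    pct = round(revenue_at_risk(findings, assets, revenue_share) * 100)
    return (f"The IT systems that generate {pct}% of our revenue "
            f"have critical security vulnerabilities.")


def bu_risk_table(findings, assets, revenue_share):
    """One row per BU: bubble size (revenue share) and x-axis position (risk)."""
    asset_count = defaultdict(int)
    for bu in assets.values():
        asset_count[bu] += 1
    critical = critical_findings_by_bu(findings, assets)
    return {
        bu: {
            "revenue_share": share,
            "assets": asset_count[bu],
            "critical": critical.get(bu, 0),
            "risk": risk_bucket(critical.get(bu, 0), asset_count[bu]),
        }
        for bu, share in revenue_share.items()
    }


if __name__ == "__main__":
    print("A:", technical_statement(FINDINGS, ASSETS))
    print("B:", business_statement(FINDINGS, ASSETS, REVENUE_SHARE))
    for bu, row in bu_risk_table(FINDINGS, ASSETS, REVENUE_SHARE).items():
        print(f"{bu:14} revenue={row['revenue_share']:.0%} "
              f"critical={row['critical']} -> {row['risk']}")
```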
Example: Escape Fire Fighting Mode

  • PCI compliance scans from Qualys.
  • Results grouped by operating system or asset type.

  For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.

Example: Escape Fire Fighting Mode

  • Same Qualys data as before, but now grouped by vulnerability type.

  Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?

Example: Naughty Business Unit

  [Pie chart with wedges for Los Angeles, New York, Austin and Boston.]

  • Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
  • Leverage any vulnerability scanning tool.
  • Link with estimates for remediation, Remedy trouble tickets or a timesheet system.

  If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?

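The two regroupings from the "Escape Fire Fighting Mode" slides (the same findings pivoted by operating system and then by vulnerability type) and the per-office labor-hours view from the "Naughty Business Unit" slide, as one added example that is not from the deck or from Allgress. The finding rows, the remediation-hour estimates and the systems-per-office counts are constructed stand-ins for a Qualys export joined to ticket data.

```python
from collections import namedtuple

# One scanner finding with its remediation estimate and owning business unit.
Finding = namedtuple("Finding", "asset os category hours bu")

# Constructed rows standing in for a Qualys PCI scan export joined with
# remediation-hour estimates from a ticketing system.
FINDINGS = [
    Finding("web-01",  "Windows 2008", "Missing vendor patch",   2.0, "Los Angeles"),
    Finding("web-02",  "Windows 2008", "Missing vendor patch",   2.0, "Los Angeles"),
    Finding("db-01",   "RHEL 5",       "Missing vendor patch",   3.0, "New York"),
    Finding("db-02",   "RHEL 5",       "Weak TLS configuration", 1.5, "New York"),
    Finding("app-01",  "Solaris 10",   "Missing vendor patch",   4.0, "Boston"),
    Finding("app-02",  "Solaris 10",   "Missing vendor patch",   4.0, "Boston"),
    Finding("app-02",  "Solaris 10",   "Default credentials",    6.0, "Boston"),
    Finding("fs-01",   "Windows 2008", "Missing vendor patch",   2.0, "Austin"),
    Finding("fs-01",   "Windows 2008", "Weak TLS configuration", 1.5, "Austin"),
    Finding("mail-01", "RHEL 5",       "Missing vendor patch",   3.0, "Boston"),
]

# Constructed count of IT systems per office, used to normalise labor hours.
SYSTEMS_PER_BU = {"Los Angeles": 40, "New York": 20, "Boston": 8, "Austin": 10}


def pivot(findings, key, value=lambda f: 1):
    """Group findings by attribute `key`, summing value(finding) per group.
    With the default value each finding counts 1. The result is ordered by
    total, largest first, so the first key is the biggest group."""
    totals = {}
    for f in findings:
        k = getattr(f, key)
        totals[k] = totals.get(k, 0) + value(f)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def top_share(findings, key):
    """Fraction of all findings that fall into the largest group under `key`.
    A high value means one root cause dominates and deserves a process fix
    rather than one-by-one remediation."""
    counts = pivot(findings, key)
    return max(counts.values()) / len(findings)


def hours_per_system(findings, systems_per_bu):
    """Remediation hours per BU divided by the number of systems the BU runs."""
    hours = pivot(findings, "bu", value=lambda f: f.hours)
    return {bu: hours.get(bu, 0.0) / n for bu, n in systems_per_bu.items()}


def outlier_bu(findings, systems_per_bu):
    """The BU consuming the most remediation hours per system."""
    per_system = hours_per_system(findings, systems_per_bu)
    return max(per_system, key=per_system.get)


if __name__ == "__main__":
    print("By operating system:", pivot(FINDINGS, "os"))
    print("By vulnerability type:", pivot(FINDINGS, "category"))
    print(f"Largest group share: os={top_share(FINDINGS, 'os'):.0%} "
          f"category={top_share(FINDINGS, 'category'):.0%}")
    print("Hours per system:", hours_per_system(FINDINGS, SYSTEMS_PER_BU))
    print("Needs a closer look:", outlier_bu(FINDINGS, SYSTEMS_PER_BU))
```

Grouped by OS the counts are spread almost evenly, while grouped by type one category holds 70% of the findings, which is the strategic signal the slide asks about.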
Example: Risk Reduction Per $

  [Bubble chart with one bubble per period: Year 1, Year 2, Year 3.]

  • ‘Bubble’ can represent any business metric.
  • Demonstrate changes in risk over time (trending).

  We can calculate the changes in risk and costs to show how effective investments in security reduce risk, or how reducing investments in security increases risk.

Example: Risk Reduction Per $

  Demo of Risk Trending

Example: Prove Cost Savings

  [Chart with two segments: Web Servers and Mail Services.]

  • Web Servers required 1,034 labor hours to mitigate vulnerabilities.
  • Mail Service vulnerabilities required 1,014 labor hours.
  • Total is 2,048 hours.
  • Assume the average labor hour is $100/hr.

Example: Prove Cost Savings

  October 2009: Implement training and awareness to system admins to prevent vulnerabilities with change control and patching processes.
    • Hours = 2,048
    • Labor Cost = $100/hr
    • Total Cost = $20,480

  January 2010: Scans for this quarter show that vulnerability count has decreased by 40%. As a result, labor hours have also decreased by approx 40%.
    • Hours = 1,200
    • Labor Cost = $100/hr
    • Total Cost = $12,000

  Estimated Cost Savings = $8,480

Example: Prove Cost Savings

  [Two charts, October 2009 and January 2010, with findings split into CLOSED, PENDING and OPEN.]

  NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.

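The cost-savings arithmetic from the "Prove Cost Savings" slides and the risk-reduction-per-dollar trend from the "Risk Reduction Per $" slide, as an added example that is not from the deck or from Allgress. One check it surfaces: 2,048 hours at $100/hr is $204,800 and 1,200 hours is $120,000, so the savings at the stated rate are $84,800, and the slide's $20,480, $12,000 and $8,480 are those values divided by ten. The hours and rate are the deck's figures; the vulnerability counts, and the Year 1 to Year 3 risk scores and spend, are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    """Remediation effort in one reporting period."""
    label: str
    hours: float        # labor hours spent mitigating vulnerabilities
    rate: float         # loaded labor cost in $/hr
    vuln_count: int     # findings in that period's scans

    @property
    def labor_cost(self):
        return self.hours * self.rate


# Hours and rate are the deck's figures. Vulnerability counts are constructed
# so that the count falls by the 40% the deck reports.
OCT_2009 = Period("October 2009", hours=2048, rate=100, vuln_count=500)
JAN_2010 = Period("January 2010", hours=1200, rate=100, vuln_count=300)


def pct_change(before, after):
    """Percentage change from `before` to `after` (negative means a decrease)."""
    return (after - before) / before * 100


def cost_savings(before, after):
    """Labor cost avoided between two periods."""
    return before.labor_cost - after.labor_cost


def savings_summary(before, after):
    """The figures an exec slide needs: % change in findings and hours, and $."""
    return {
        "vuln_change_pct": pct_change(before.vuln_count, after.vuln_count),
        "hours_change_pct": pct_change(before.hours, after.hours),
        "cost_before": before.labor_cost,
        "cost_after": after.labor_cost,
        "savings": cost_savings(before, after),
    }


# Constructed risk trend for the bubble chart: (year, aggregate risk score,
# security spend during that year in $).
TREND = [("Year 1", 80.0, 0.0), ("Year 2", 60.0, 50_000.0), ("Year 3", 50.0, 40_000.0)]


def risk_reduction_per_dollar(risk_before, risk_after, spend):
    """Risk-score points removed per dollar of security spend. Returns None when
    nothing was spent, because the ratio is undefined there."""
    if spend <= 0:
        return None
    return (risk_before - risk_after) / spend


def trend_rows(trend):
    """Year-over-year change in risk and the reduction bought per dollar."""
    rows = []
    for (_, prev_risk, _), (label, risk, spend) in zip(trend, trend[1:]):
        rows.append({
            "period": label,
            "risk_change": risk - prev_risk,
            "spend": spend,
            "reduction_per_dollar": risk_reduction_per_dollar(prev_risk, risk, spend),
        })
    return rows


if __name__ == "__main__":
    s = savings_summary(OCT_2009, JAN_2010)
    print(f"Vulnerabilities {s['vuln_change_pct']:+.0f}%, "
          f"hours {s['hours_change_pct']:+.1f}%")
    print(f"Labor cost ${s['cost_before']:,.0f} -> ${s['cost_after']:,.0f}, "
          f"savings ${s['savings']:,.0f}")
    for row in trend_rows(TREND):
        print(row)
```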
Example: Align With The Business

Example: Align With The Business

Allgress Solution Objectives

  Minimize Security Risk & Maximize Business Value

  Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.

Parting Words of Wisdom

  Dave Cullinane, CISO

  “Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.”

  Full webinar at http://www.allgress.com/webinars

Q&A

  William Tang
  Chief Technology Officer
  Allgress, Inc.

  Email: william.tang@allgress.com
  Direct: 310.383.2783
  FAX: 310.496.0426

  www.allgress.com


                                                     ALLGRESS, INC.
© 2009 ALLGRESS, INC.                                                                               25
                        2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com

Más contenido relacionado

Destacado

Conférence Confidentialité des données
Conférence Confidentialité des donnéesConférence Confidentialité des données
Conférence Confidentialité des donnéesMarie-Hélène Thouin
 
ZIHUDESIGN 2010 Business Proporsal
ZIHUDESIGN 2010 Business ProporsalZIHUDESIGN 2010 Business Proporsal
ZIHUDESIGN 2010 Business ProporsalChacha Htc
 
Obamacare markets debut as early hurdles may slow signups - hCentive news
Obamacare markets debut as early hurdles may slow signups - hCentive newsObamacare markets debut as early hurdles may slow signups - hCentive news
Obamacare markets debut as early hurdles may slow signups - hCentive newsAlisha North
 
30 Minute Release11i Security
30 Minute Release11i Security30 Minute Release11i Security
30 Minute Release11i SecuritySecureDBA
 
Decipher Mobile Market Research Services
Decipher Mobile Market Research Services Decipher Mobile Market Research Services
Decipher Mobile Market Research Services Decipher, Inc.
 
Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...
Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...
Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...Cleveland HeartLab, Inc.
 
SHG: About SHG - History, Team, Methodologies, and more.
SHG: About SHG - History, Team, Methodologies, and more.SHG: About SHG - History, Team, Methodologies, and more.
SHG: About SHG - History, Team, Methodologies, and more.Schwartz Heslin Group, Inc.
 
CNYREDC-2015-Progress-Report
CNYREDC-2015-Progress-ReportCNYREDC-2015-Progress-Report
CNYREDC-2015-Progress-ReportJames Schmeling
 
The Best Camera Isn't the One With Video
The Best Camera Isn't the One With VideoThe Best Camera Isn't the One With Video
The Best Camera Isn't the One With VideoPhotoShelter, Inc.
 
hCentive Webinsure Medicare Part D & Part C Platform
hCentive Webinsure Medicare Part D & Part C PlatformhCentive Webinsure Medicare Part D & Part C Platform
hCentive Webinsure Medicare Part D & Part C PlatformAlisha North
 
Celebration of Life - Rotary Zone 24-32 Memorial Service
Celebration of Life - Rotary Zone 24-32 Memorial ServiceCelebration of Life - Rotary Zone 24-32 Memorial Service
Celebration of Life - Rotary Zone 24-32 Memorial ServiceChris Offer
 
Top 25 localities in Virginia with Highest toxic Air Emissions
Top 25 localities in Virginia with Highest toxic Air EmissionsTop 25 localities in Virginia with Highest toxic Air Emissions
Top 25 localities in Virginia with Highest toxic Air EmissionsLalitha P
 

Destacado (15)

Conférence Confidentialité des données
Conférence Confidentialité des donnéesConférence Confidentialité des données
Conférence Confidentialité des données
 
ZIHUDESIGN 2010 Business Proporsal
ZIHUDESIGN 2010 Business ProporsalZIHUDESIGN 2010 Business Proporsal
ZIHUDESIGN 2010 Business Proporsal
 
HAZWOPER 24 HR
HAZWOPER 24 HRHAZWOPER 24 HR
HAZWOPER 24 HR
 
Obamacare markets debut as early hurdles may slow signups - hCentive news
Obamacare markets debut as early hurdles may slow signups - hCentive newsObamacare markets debut as early hurdles may slow signups - hCentive news
Obamacare markets debut as early hurdles may slow signups - hCentive news
 
30 Minute Release11i Security
30 Minute Release11i Security30 Minute Release11i Security
30 Minute Release11i Security
 
Decipher Mobile Market Research Services
Decipher Mobile Market Research Services Decipher Mobile Market Research Services
Decipher Mobile Market Research Services
 
Final Design Report
Final Design ReportFinal Design Report
Final Design Report
 
Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...
Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...
Emad Rizk, MD - Navigating the Complexity of New Value-Based Reimbursement Mo...
 
Sbs portfolio of services
Sbs portfolio of servicesSbs portfolio of services
Sbs portfolio of services
 
SHG: About SHG - History, Team, Methodologies, and more.
SHG: About SHG - History, Team, Methodologies, and more.SHG: About SHG - History, Team, Methodologies, and more.
SHG: About SHG - History, Team, Methodologies, and more.
 
CNYREDC-2015-Progress-Report
CNYREDC-2015-Progress-ReportCNYREDC-2015-Progress-Report
CNYREDC-2015-Progress-Report
 
The Best Camera Isn't the One With Video
The Best Camera Isn't the One With VideoThe Best Camera Isn't the One With Video
The Best Camera Isn't the One With Video
 
hCentive Webinsure Medicare Part D & Part C Platform
hCentive Webinsure Medicare Part D & Part C PlatformhCentive Webinsure Medicare Part D & Part C Platform
hCentive Webinsure Medicare Part D & Part C Platform
 
Celebration of Life - Rotary Zone 24-32 Memorial Service
Celebration of Life - Rotary Zone 24-32 Memorial ServiceCelebration of Life - Rotary Zone 24-32 Memorial Service
Celebration of Life - Rotary Zone 24-32 Memorial Service
 
Top 25 localities in Virginia with Highest toxic Air Emissions
Top 25 localities in Virginia with Highest toxic Air EmissionsTop 25 localities in Virginia with Highest toxic Air Emissions
Top 25 localities in Virginia with Highest toxic Air Emissions
 

Similar a ISSA Sacramento: Security Metrics - So What?

iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)Prabir Saha
 
Safewall - Staying ahead of the threat
Safewall - Staying ahead of the threatSafewall - Staying ahead of the threat
Safewall - Staying ahead of the threatVincent Kwon
 
Failure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsFailure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsAmazon Web Services
 
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsScale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsAmazon Web Services
 
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerCleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerClearedJobs.Net
 
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...Thomas Gross
 
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net
 
IT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalIT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalMichael Krigsman
 
Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Dahamoo GmbH
 
Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)John Dillard
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Pricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthPricing, Business Models, and What Things are Worth
Pricing, Business Models, and What Things are WorthEnthiosys Inc
 
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VACleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VAClearedJobs.Net
 
Ti References
Ti  ReferencesTi  References
Ti ReferencesKeithByrd
 
iSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckiSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckPrabir Saha
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...Amazon Web Services
 
TMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationTMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationKJR
 
Peak 10 Overview
Peak 10 OverviewPeak 10 Overview
Peak 10 OverviewKelley Hire
 
Cleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerCleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerClearedJobs.Net
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloudInterop
 

Similar a ISSA Sacramento: Security Metrics - So What? (20)

iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)
 
Safewall - Staying ahead of the threat
Safewall - Staying ahead of the threatSafewall - Staying ahead of the threat
Safewall - Staying ahead of the threat
 
Failure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsFailure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS Systems
 
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsScale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
 
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerCleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
 
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
 
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
 
IT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalIT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of Survival
 
Helicopter Assessments - Improve your Customer Data Security!

ISSA Sacramento: Security Metrics - So What?

  • 5. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion

  • 6. If You Were a CFO, COO, or Exec…
    • This is the language you would speak:
      – Discount Rate
      – Leverage Ratio
      – Covenants
      – Net Debt Free Cash Flow
      – EBITDA, EPS, Beta, etc…
    If this sounds like a foreign language, imagine how they feel when we use IT security terms…

  • 7. Which Statement for Exec Mgmt?
    A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.
    B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.

  • 8. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion

  • 9. Choose Wisely
    [Diagram: Security Metrics and Business Metrics overlap; the overlap is labelled Useful Metrics (for your intended audience).]

  • 10. Example: Risk & Revenue
    • ‘Bubbles’ represent business units (BU).
    • Size of the bubble represents the BU percentage revenue ($).
    • NIST Risk Methodology (tech scans & audits).
    [Chart: bubbles plotted across Low Risk, Medium Risk, High Risk; callout: This BU generates 30% of revenue, but it has high risk.]
    IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?

  • 11. Example: Escape Fire Fighting Mode
    • PCI compliance scans from Qualys.
    • Results grouped by operating system or asset type.
    For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.

  • 12. Example: Escape Fire Fighting Mode
    • Same Qualys data as before, but now grouped by vulnerability type.
    Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?

  • 13. Example: Naughty Business Unit
    • Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
    • Leverage any vulnerability scanning tool.
    • Link with estimates for remediation, Remedy trouble tickets or a timesheet system.
    [Chart: pie wedges labelled Los Angeles, New York, Austin, Boston.]
    If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?
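As an added example that is not part of the Allgress deck, the Python below takes scanner findings and produces the views slides 7 and 10 to 13 describe: counts by asset type and by vulnerability type, distinct assets and remediation hours per business unit, and the revenue-weighted statement of slide 7. The asset names, business units, revenue shares and hour estimates are all constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample data, not from the deck: revenue share per business unit (percent),
# and column positions in a finding row.
REVENUE_PCT = {"LA": 45, "NY": 30, "Austin": 15, "Boston": 10}
ASSET, ASSET_TYPE, BU, VULN_TYPE, SEVERITY, HOURS = range(6)

# Constructed findings. In practice each row is a scanner finding joined to the asset
# inventory (business unit) and to ticket or timesheet data (estimated fix hours).
FINDINGS = [
    ("web01", "Windows Server", "NY", "Missing patch", 5, 2.0),
    ("web02", "Windows Server", "NY", "Missing patch", 4, 2.0),
    ("web03", "Windows Server", "LA", "Missing patch", 3, 2.0),
    ("db01", "Linux", "LA", "Missing patch", 3, 2.0),
    ("db02", "Linux", "LA", "Weak TLS config", 2, 4.0),
    ("app01", "Linux", "Boston", "Missing patch", 3, 10.0),
    ("app02", "Linux", "Boston", "Default credentials", 5, 8.0),
    ("app02", "Linux", "Boston", "Weak TLS config", 4, 6.0),
    ("mail01", "Windows Server", "Austin", "Missing patch", 2, 1.0),
]

def count_by(findings, column):
    """Finding count grouped by one column: ASSET_TYPE gives the slide 11 view,
    VULN_TYPE the slide 12 view that exposes a common root cause."""
    return dict(Counter(f[column] for f in findings))

def assets_by_unit(findings):
    """Distinct assets per business unit (which office has the most systems)."""
    units = {f[BU] for f in findings}
    return {bu: len({f[ASSET] for f in findings if f[BU] == bu}) for bu in units}

def hours_by_unit(findings):
    """Remediation labor hours per business unit (the pie wedges on slide 13)."""
    hours = defaultdict(float)
    for f in findings:
        hours[f[BU]] += f[HOURS]
    return dict(hours)

def revenue_exposed_pct(findings, revenue_pct, min_severity=4):
    """Percent of revenue produced by units with at least one finding at or above
    min_severity: the slide 10 bubble-chart question reduced to one number."""
    exposed = {f[BU] for f in findings if f[SEVERITY] >= min_severity}
    return sum(revenue_pct[bu] for bu in exposed)

def exec_statement(findings, revenue_pct):
    """Statement B from slide 7, computed from the data instead of hand-written."""
    pct = revenue_exposed_pct(findings, revenue_pct)
    return f"The IT systems that generate {pct}% of our revenue have critical security vulnerabilities."
```

With this sample, LA has the most assets but Boston consumes the most remediation hours, which is exactly the question slide 13 asks the audience to raise.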
  • 14. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion

  • 15. Example: Risk Reduction Per $
    • ‘Bubble’ can represent any business metric.
    • Demonstrate changes in risk over time (trending).
    [Chart: bubbles for Year 1, Year 2, Year 3.]
    We can calculate the changes in risk and costs to show how effective investments in security reduce risk, or how reducing investments in security increases risk.

  • 16. Example: Risk Reduction Per $
    Demo of Risk Trending

  • 17. Example: Prove Cost Savings
    • Web Servers required 1,034 labor hours to mitigate vulnerabilities.
    • Mail Services vulnerabilities required 1,014 labor hours.
    • Total is 2,048 hours.
    • Assume the average labor hour is $100/hr.
    [Chart: labor hours for Web Servers and Mail Services.]

  • 18. Example: Prove Cost Savings
    October 2009: Implement training and awareness to system admins to prevent vulnerabilities with change control and patching processes.
      • Hours = 2,048
      • Labor Cost = $100/hr
      • Total Cost = $20,480
    January 2010: Scans for this quarter show that vulnerability count has decreased by 40%. As a result labor hours have also decreased by approx 40%.
      • Hours = 1,200
      • Labor Cost = $100/hr
      • Total Cost = $12,000
    Estimated Cost Savings = $8,480

  • 19. Example: Prove Cost Savings
    [Charts: October 2009 vs. January 2010, findings by status: CLOSED, PENDING, OPEN.]
    NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.

  • 20. Example: Align With The Business

  • 21. Example: Align With The Business

  • 22. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion

  • 23. Allgress Solution Objectives
    Minimize Security Risk & Maximize Business Value
    Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.

  • 24. Parting Words of Wisdom
    Dave Cullinane, CISO: “Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.”
    Full webinar at http://www.allgress.com/webinars

  • 25. Q&A
    William Tang, Chief Technology Officer, Allgress, Inc.
    Email: william.tang@allgress.com
    Direct: 310.383.2783
    FAX: 310.496.0426
    www.allgress.com