Continuous Monitoring 2.0:
 Cloud-based Benchmarking in Industry
 and the Federal Government

 Keren Cummins, Director, Federal Programs




nCircle Company Confidential   © 2012 nCircle. All Rights Reserved.
nCircle at a Glance
• More than 6,500 customers worldwide
• 10 consecutive years of revenue growth
• 150 employees with significant investment in R&D, & continued innovation
• Core business is VA, Configuration Compliance, File Integrity Monitoring,
  PCI, Performance Management
• Ranked in Inc. 5000 six years in a row
• Ranked one of San Francisco Bay Area’s Top 100 Fastest Growing Private
  Companies




Agenda

• The evidence for benchmarking as an
  essential element of success in continuous
  monitoring
• Commercial initiative in cloud-based
  benchmarking
• Mapping this initiative into the federal space
• Your feedback!


Defining Terms

•   Continuous Monitoring - in the context of information security, is defined
    in 800-137 as “maintaining ongoing awareness of information
    security, vulnerabilities, and threats to support organizational risk
    management decisions.”

•   Benchmarking - the process of comparing one's business processes
    and performance metrics to industry bests and/or best practices from
    other industries. Dimensions typically measured are quality, time and
    cost.




Game Changers

• State Department
  – 89% risk reduction in the first 12
    months across the entire world
• USAID
  – FISMA C- to consistent A+’s for five
    years
• Center for Medicare/Medicaid
  Services (CMS)
  – 80% risk reduction at 88 data
    centers and as high as 95% at one
    major center

Common Elements

•   Breadth of engagement
•   Simplicity of result
•   Context
•   Short cycle time




Why hasn’t everyone done this?

• Or, why is this hard?
  – Metrics are hard
  – My organizational structure is different
  – My monitoring solution won’t do that




The Challenge for Security Performance
Management

• How can we replicate benchmarking
  success effectively?
  – With the organizations and tools that
    we already have in place?
  – For all our security programs (not just
    vulnerability management and
    configuration auditing)?



https://benchmark.ncircle.com




The CISO needs what the CFO has….
•   CISO needs a metrics language to describe a
    company’s security performance just like the
    CFO describes financial performance

•   CISOs can now field a formal security
    performance management program built on
    objective, fact-based metrics that
     – Show how the security organization is protecting the
       company
     – Benchmark performance vs. internal goals, and
       vs. industry peers
     – Trend performance over time




With a Security Performance Management
    Program, CISOs can demonstrate that
•   There is a comprehensive approach to security
    that is…
     – Measured against specific goals & standards
     – In line with our risk tolerance
     – Aggregated by meaningful asset groupings
     – At least equal to or better than our
       own industry's investment & performance
     – Controls aligned with GRC objectives


•   Based on actual data on an ongoing basis
    that we can rely on to make decisions on:
     – Investment
     – Execution
     – Resource allocation

Security Metrics & Scorecards: cornerstone
 of an effective IT GRC assessment
• Metrics affirm the existence and effectiveness of security
  controls
• Scorecards enable and evidence management oversight;
  communicate performance and evaluate corrective actions
• Well-constructed Metrics and Scorecards:
   –   Continuously monitor controls
   –   Deliver trusted, timely, and actionable decision-making information
   –   Identify and communicate concentration of risks
   –   Align security initiatives with business objectives




An Effective Security Performance Management Solution

Proven Metrics and Scorecards
•   Measure performance to goals
•   Cover the entire IT Ecosystem
•   Objective, Fact-based metrics
•   Relevant & Actionable
•   Benchmark with peer groups

•   How secure and compliant is our enterprise?
•   How do we compare to others?
•   Are we investing effectively?

[Diagram: IT Security Ecosystem: Event Management & Incident Response; Network Protection; Endpoint Encryption; Antivirus & Endpoint Protection; Vulnerability Management; Configuration Auditing; Identity & Access Management; Patch Management]
Valuable Peer Benchmarks

[Diagram panels: Benchmark Performance Quadrants; Benchmark Performance Standard; Participant Results; Weekly Performance Benchmark]
Analyze performance against Benchmarks &
Identify underperforming areas




Over 1,000 companies have joined nCircle Benchmark to date

[Chart: nCircle Benchmark Accounts, as of 7/20/12, scale 0 to 1000]

Financial Services Bellwether Metrics

  Metric                               Benchmark   Benchmark   Quartile
                                        Average      Median
  Average CVSS host score (per host)      172           33     Top 25%:          0 - 5
                                                               Second Quartile:  6 - 33
                                                               Third Quartile:   34 - 67
                                                               Bottom 25%:       68 - 700
  Average days since last scan             23            9     Top 25%:          0 - 1 days
                                                               Second Quartile:  2 - 9
                                                               Third Quartile:   10 - 32
                                                               Bottom 25%:       33 - 90
  Virus definition age (days)              29           22     Top 25%:          0 - 2 days
                                                               Second Quartile:  3 - 22
                                                               Third Quartile:   23 - 40
                                                               Bottom 25%:       41 - 56
  Failed logins per attempt              .05%         .04%     Top 25%:          .00 - .03%
                                                               Second Quartile:  .040 - .049%
                                                               Third Quartile:   .05 - .08%
                                                               Bottom 25%:       .09 - .11%
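One way to turn raw host data into the asset-group scorecard the deck describes, placed against the Financial Services quartile bands on this slide. This is an added example and not nCircle Benchmark's own code; the host records, asset-group names, the per-host CVSS score being a sum of open findings, and the rule that a value in a gap between two printed bands goes to the next band up are all constructed assumptions.

```python
"""Score constructed host data against the bellwether quartile bands above."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Quartile bands copied from the slide: (label, inclusive upper bound).
# Assumption: a value that falls in a gap between two printed bands
# (e.g. .035% failed logins) goes to the first band whose upper bound it
# does not exceed; anything above the last bound stays in the bottom 25%.
BANDS = {
    "cvss_per_host":      [("Top 25%", 5), ("Second Quartile", 33),
                           ("Third Quartile", 67), ("Bottom 25%", 700)],
    "days_since_scan":    [("Top 25%", 1), ("Second Quartile", 9),
                           ("Third Quartile", 32), ("Bottom 25%", 90)],
    "virus_def_age_days": [("Top 25%", 2), ("Second Quartile", 22),
                           ("Third Quartile", 40), ("Bottom 25%", 56)],
    "failed_login_pct":   [("Top 25%", 0.03), ("Second Quartile", 0.049),
                           ("Third Quartile", 0.08), ("Bottom 25%", 0.11)],
}
# Benchmark medians from the same slide (failed logins expressed in percent).
BENCHMARK_MEDIAN = {"cvss_per_host": 33, "days_since_scan": 9,
                    "virus_def_age_days": 22, "failed_login_pct": 0.04}


@dataclass
class Host:
    name: str
    asset_group: str        # the "meaningful asset grouping" the deck calls for
    cvss_scores: list       # CVSS base score of each open finding on the host
    last_scan: date
    virus_def_date: date
    login_attempts: int
    failed_logins: int


def host_metrics(h: Host, today: date) -> dict:
    """The four bellwether metrics for one host. Assumption: the slide's
    per-host CVSS score is the sum of CVSS scores of the host's open findings."""
    attempts = h.login_attempts
    return {
        "cvss_per_host": sum(h.cvss_scores),
        "days_since_scan": (today - h.last_scan).days,
        "virus_def_age_days": (today - h.virus_def_date).days,
        "failed_login_pct": 100.0 * h.failed_logins / attempts if attempts else 0.0,
    }


def quartile(metric: str, value: float) -> str:
    """Place a value in the slide's quartile bands for that metric."""
    for label, upper in BANDS[metric]:
        if value <= upper:
            return label
    return BANDS[metric][-1][0]


def scorecard(hosts: list, today: date) -> dict:
    """Per asset group: the average of each metric, its benchmark quartile,
    and whether it is worse than the financial-services benchmark median."""
    per_group = defaultdict(list)
    for h in hosts:
        per_group[h.asset_group].append(host_metrics(h, today))
    card = {}
    for group, rows in per_group.items():
        card[group] = {}
        for metric in BANDS:
            avg = mean(row[metric] for row in rows)
            card[group][metric] = {
                "value": round(avg, 3),
                "quartile": quartile(metric, avg),
                "worse_than_median": avg > BENCHMARK_MEDIAN[metric],
            }
    return card


def underperforming(card: dict) -> list:
    """(asset group, metric) pairs that land in the bottom 25%: the
    underperforming areas a scorecard should surface first."""
    return sorted((g, m) for g, metrics in card.items()
                  for m, r in metrics.items() if r["quartile"] == "Bottom 25%")


# Constructed sample inventory (not real data); the date matches the slide.
TODAY = date(2012, 7, 20)
SAMPLE_HOSTS = [
    Host("hq-web-01", "HQ-web", [7.5, 5.0, 4.5],
         date(2012, 7, 19), date(2012, 7, 18), 10000, 3),
    Host("hq-web-02", "HQ-web", [9.0, 7.0],
         date(2012, 7, 18), date(2012, 7, 17), 8000, 2),
    Host("branch-fs-01", "Branch-fileservers", [7.5] * 10 + [5.0] * 4,
         date(2012, 5, 1), date(2012, 5, 30), 2000, 2),
    Host("branch-fs-02", "Branch-fileservers", [4.5, 5.0],
         date(2012, 7, 10), date(2012, 7, 5), 3000, 3),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_HOSTS, TODAY)
    for group, metrics in card.items():
        for metric, r in metrics.items():
            print(f"{group:20} {metric:20} {r['value']:>8} {r['quartile']}")
    print("underperforming:", underperforming(card))
```

With the constructed inventory, the branch file servers land in the bottom quartile for scan age and failed logins while HQ web servers sit in the top or second quartile, which is the kind of concentration-of-risk view the later SCAP slides describe.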
Benchmarking in the Federal Space

• All the same security domains as commercial, plus…
• Agencies generate CyberScope continuous
  monitoring data, usually from SCAP XML files
• Generated using a wide and growing variety of SCAP
  validated solutions, numerous vendors
• Files uploaded to OMB once/month
• Files are
   –   Human readable? Not so much
   –   Don’t lend themselves to trending
   –   Don’t lend themselves to comparative analysis
   –   Readily ingested and processed by nCircle Benchmark
       data collectors

Cyberscope: Executive Summary




Asset Classification & Departmental Benchmark




Vulnerabilities & Departmental Comparison




SCAP Output

• Continuous Monitoring Metrics driven directly
  from SCAP data
  – Asset-based Compliance, Vulnerability and
    Classification Scorecards
     • Asset Grouping identifies areas of improvement and
       concentration of risk or examines specific critical
       cyber assets
  – Intra- and Inter-Agency (Bureau/Service)
    Benchmark Comparisons

SCAP: Executive Summary




Asset Identification & Departmental
Comparison




Compliance & Departmental Comparison




Vulnerabilities & Benchmark Community




HQ Security Performance Comparison




Benchmark Federal Notional Diagram

Cyberscope reporting and benchmark comparisons

[Diagram: Cyberscope: Assets, Vulnerabilities, Configuration]

Internal Benchmark Scorecards, by Asset Group, SCAP sources plus

[Diagram: Department: agencies, bureaus, FISMA requirements, local locations]
Questions?

• Contact information:

    Keren Cummins, Director
    Federal and MidAtlantic Programs
    (301) 379-2493
    kcummins@ncircle.com





Más contenido relacionado

La actualidad más candente

About graycon
About grayconAbout graycon
About graycon
martyrj
 
Xero Risk Product Presentation V3.2
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2
Carl Booth
 
Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1
Nadir Hussain
 

La actualidad más candente (16)

About graycon
About grayconAbout graycon
About graycon
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Xero Risk Product Presentation V3.2
Xero Risk   Product Presentation V3.2Xero Risk   Product Presentation V3.2
Xero Risk Product Presentation V3.2
 
Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1Feb2008 Monthly Slides 1
Feb2008 Monthly Slides 1
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro information risk management
Riskpro information risk managementRiskpro information risk management
Riskpro information risk management
 
Techserv Brochure
Techserv BrochureTechserv Brochure
Techserv Brochure
 
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORKSOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
SOFTWARE PRODUCT DEVELOPMENT GOVERNANCE FRAMEWORK
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
 
Fraud Risk Services Brochure
Fraud Risk  Services BrochureFraud Risk  Services Brochure
Fraud Risk Services Brochure
 
Retail Security solution
Retail Security solutionRetail Security solution
Retail Security solution
 
Bi Risk Services
Bi Risk ServicesBi Risk Services
Bi Risk Services
 
TA security
TA securityTA security
TA security
 
Fraud Risk Services Brochure
Fraud Risk  Services BrochureFraud Risk  Services Brochure
Fraud Risk Services Brochure
 

Destacado

Destacado (6)

Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey
 
Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Password War Games Webinar
Password War Games Webinar Password War Games Webinar
Password War Games Webinar
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
Magento 2 product import export
Magento 2 product import exportMagento 2 product import export
Magento 2 product import export
 

Similar a Continuous Monitoring 2.0

CCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QACCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QA
Rebecca Gibson
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
awish11
 
ID Tech PPT.pdf
ID Tech PPT.pdfID Tech PPT.pdf
ID Tech PPT.pdf
CReddy7
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentation
jamesholler
 
IDC Technologies Presentation New
IDC Technologies Presentation NewIDC Technologies Presentation New
IDC Technologies Presentation New
Vineet Mahajan
 

Similar a Continuous Monitoring 2.0 (20)

Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It
Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It
Agile Team Autonomy – Don’t Just Give It Away Make Teams Earn It
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+  Cyber Insurance Fina.pptxWebinar-MSP+  Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...
 
CCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QACCA 2013 Harness the Potential of QA
CCA 2013 Harness the Potential of QA
 
Strategic governance performance_management_systems
Strategic governance performance_management_systemsStrategic governance performance_management_systems
Strategic governance performance_management_systems
 
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
I N F O R M A T I O N & C Y B E R S E C U R I T Y A U D I T S
 
Why Managed Services
Why Managed ServicesWhy Managed Services
Why Managed Services
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
 
Measuring Success - Security KPIs
Measuring Success - Security KPIsMeasuring Success - Security KPIs
Measuring Success - Security KPIs
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
 
ID Tech PPT.pdf
ID Tech PPT.pdfID Tech PPT.pdf
ID Tech PPT.pdf
 
Abidance Cip Presentation
Abidance Cip PresentationAbidance Cip Presentation
Abidance Cip Presentation
 
Moving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudMoving Enterprise Applications to the Cloud
Moving Enterprise Applications to the Cloud
 
IDC Technologies Presentation New
IDC Technologies Presentation NewIDC Technologies Presentation New
IDC Technologies Presentation New
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
 
Standardized Risk Measurement for IT Executives 101
Standardized Risk Measurement for IT Executives 101Standardized Risk Measurement for IT Executives 101
Standardized Risk Measurement for IT Executives 101
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
Getting Demo & POV Ready
Getting Demo & POV ReadyGetting Demo & POV Ready
Getting Demo & POV Ready
 

Último

Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
laloo_007
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
instagramfab782445
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 

Último (20)

Power point presentation on enterprise performance management
Power point presentation on enterprise performance managementPower point presentation on enterprise performance management
Power point presentation on enterprise performance management
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Arti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfArti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdf
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
 

Continuous Monitoring 2.0

  • 1. Continuous Monitoring 2.0: Cloud-based Benchmarking in Industry and the Federal Government Keren Cummins, Director, Federal Programs nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 2. nCircle at a Glance • More than 6,500 customers worldwide • 10 consecutive years of revenue growth • 150 employees with significant investment in R&D, & continued innovation • Core business is VA, Configuration Compliance, File Integrity Monitoring, PCI, Performance Management • Ranked in Inc. 5000 six years in a row • Ranked one of San Francisco Bay Area’s Top 100 Fastest Growing Private Companies nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 3. Agenda • The evidence for benchmarking as an essential element of success in continuous monitoring • Commercial initiative in cloud-based benchmarking • Mapping this initiative into the federal space • Your feedback! nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 4. Defining Terms • Continuous Monitoring - the context of information security, is defined in 800-137 as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. • Benchmarking - the process of comparing one's business processes and performance metrics to industry bests and/or best practices from other industries. Dimensions typically measured are quality, time and cost. nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 5. Game Changers • State Department – 89% risk reduction in the first 12 months across the entire world • USAID – FISMA C- to consistent A+’s for five years • Center for Medicare/Medicaid Services (CMS) – 80% risk reduction at 88 data centers and as high as 95% at one major center nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 6. Common Elements • Breadth of engagement • Simplicity of result • Context • Short cycle time nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 7. Why hasn’t everyone done this? • Or, why is this hard? – Metrics are hard – My organizational structure is different – My monitoring solution won’t do that nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 8. The Challenge for Security Performance Management • How can we replicate benchmarking success effectively? – With the organizations and tools that we already have in place? – For all our security programs (not just vulnerability management and configuration auditing)? nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 9. https://benchmark.ncircle.com nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 10. The CISO needs what the CFO has…. • CISO needs a metrics language to describe a company’s security performance just like the CFO describes financial performance • CISO’s can now field a formal security performance management program built on objective, fact based metrics that – Shows how security organization is protecting the company – Benchmarks performance vs. internal goals, and vs. industry peers – Trends performance over time nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
  • 11. With a Security Performance Management Program, CISOs can demonstrate that • There is a comprehensive approach to security that is… – Measured against specific goals & standards – In line with our risk tolerance – Aggregated by meaningful asset groupings – At least equal to or better than our own industry's investment & performance – Controls aligned with GRC objectives • Based on actual data on an ongoing basis that we can rely on to make decisions on: – Investment – Execution – Resource allocation nCircle Company Confidential © 2012 nCircle. All Rights Reserved.
12. Security Metrics & Scorecards: cornerstone of an effective IT GRC assessment
• Metrics affirm the existence and effectiveness of security controls
• Scorecards enable and evidence management oversight; they communicate performance and evaluate corrective actions
• Well-constructed metrics and scorecards:
  – Continuously monitor controls
  – Deliver trusted, timely, and actionable decision-making information
  – Identify and communicate concentration of risks
  – Align security initiatives with business objectives
13. An Effective Security Performance Management Solution
Proven Metrics and Scorecards
• Measure performance to goals
• Cover the entire IT Ecosystem
• Objective, fact-based metrics
• Relevant & actionable
• Benchmark with peer groups
Questions answered:
• How secure and compliant is our enterprise?
• How do we compare to others?
• Are we investing effectively?
IT Security Ecosystem (diagram): Event Management & Incident Response; Antivirus & Endpoint Protection; Network Protection; Endpoint Encryption; Vulnerability Management; Configuration Auditing; Identity & Access Management; Patch Management
14. Valuable Peer Benchmarks (chart panels: Benchmark Performance Quadrants; Benchmark Performance Standard; Participant Results; Weekly Performance Benchmark)
15. Analyze performance against Benchmarks & identify underperforming areas
16. Over 1,000 companies have joined nCircle Benchmark to date
(Chart: nCircle Benchmark Accounts, as of 7/20/12; y-axis 0–1000 accounts)

Financial Services Bellwether Metrics

Metric | Benchmark Average | Benchmark Median | Benchmark Quartiles
Average CVSS host score (per host) | 172 | 33 | Top 25%: 0–5; Second Quartile: 6–33; Third Quartile: 34–67; Bottom 25%: 68–700
Average days since last scan | 23 | 9 | Top 25%: 0–1 days; Second Quartile: 2–9; Third Quartile: 10–32; Bottom 25%: 33–90
Virus definition age (days) | 29 | 22 | Top 25%: 0–2 days; Second Quartile: 3–22; Third Quartile: 23–40; Bottom 25%: 41–56
Failed logins per attempt | .05% | .04% | Top 25%: .00–.03%; Second Quartile: .040–.049%; Third Quartile: .05–.08%; Bottom 25%: .09–.11%
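As an added example (not code from the deck or from nCircle), this shows how quartile bands like those in the table can be derived from participant values and how one organization is placed against them; it assumes nearest-rank percentiles and that lower is better for every metric shown, and the "days since last scan" values are constructed.

```python
"""Peer benchmarking of a security metric: compute the benchmark average,
median and quartile cut points from participant values, then place one
organization into a band. Added example; assumes nearest-rank percentiles
and lower-is-better metrics (true for all four metrics in the table)."""
from statistics import mean, median

# Constructed sample: "average days since last scan" for 12 participants.
DAYS_SINCE_SCAN = [0, 1, 1, 2, 4, 9, 9, 15, 32, 40, 73, 90]

BANDS = ("Top 25%", "Second Quartile", "Third Quartile", "Bottom 25%")


def quartile_bounds(values):
    """Return (q1, q2, q3): the upper edge of the best three bands."""
    s = sorted(values)
    n = len(s)

    def pct(p):
        # Nearest-rank percentile: smallest value with at least p% of the
        # participants at or below it; -(-x // y) is integer ceil(x / y).
        k = max(1, -(-p * n // 100))
        return s[k - 1]

    return pct(25), pct(50), pct(75)


def benchmark(values):
    """Summary row for one metric, mirroring the table's columns."""
    return {
        "average": mean(values),
        "median": median(values),
        "quartiles": quartile_bounds(values),
    }


def placement(value, bounds):
    """Band for a participant's value given (q1, q2, q3); lower is better."""
    for band, edge in zip(BANDS, bounds):
        if value <= edge:
            return band
    return BANDS[-1]


if __name__ == "__main__":
    row = benchmark(DAYS_SINCE_SCAN)
    print("days since last scan:", row)          # quartiles (1, 9, 32)
    for mine in (0, 5, 20, 45):
        print(mine, "->", placement(mine, row["quartiles"]))
```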
17. Benchmarking in the Federal Space
• All the same security domains as commercial, plus…
• Agencies generate CyberScope continuous monitoring data, usually from SCAP XML files
• Generated using a wide and growing variety of SCAP-validated solutions from numerous vendors
• Files uploaded to OMB once a month
• Files are
  – Human readable? Not so much
  – Don’t lend themselves to trending
  – Don’t lend themselves to comparative analysis
  – Readily ingested and processed by nCircle Benchmark data collectors
18. Cyberscope: Executive Summary
19. Asset Classification & Departmental Benchmark
20. Vulnerabilities & Departmental Comparison
21. SCAP Output
• Continuous Monitoring metrics driven directly from SCAP data
  – Asset-based Compliance, Vulnerability and Classification Scorecards
• Asset grouping identifies areas of improvement and concentration of risk, or examines specific critical cyber assets
  – Intra- and Inter-Agency (Bureau/Service) Benchmark Comparisons
22. SCAP: Executive Summary
23. Asset Identification & Departmental Comparison
24. Compliance & Departmental Comparison
25. Vulnerabilities & Benchmark Community
26. HQ Security Performance Comparison
27. Benchmark Federal Notional Diagram (diagram: Cyberscope reporting and benchmark comparisons; Cyberscope inputs: Assets, Vulnerabilities, Configuration; SCAP sources plus local FISMA requirements; outputs: Internal Benchmark Scorecards by Asset Group, Department, agencies, bureaus, locations)
28. Questions?
• Contact information: Keren Cummins, Director, Federal and MidAtlantic Programs, (301) 379-2493, kcummins@ncircle.com