One Failure Leads to Another: Developing Leading Indicators for Security Threats and Risks



Similar documents
HP Cyber Security Control Cyber Insight & Defence

Key Considerations for Information Technology Governance. 900 Monroe NW Grand Rapids, MI (616)

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Be Prepared. For Anything. Cyber Security - Confronting Current & Future Threats The role of skilled professionals in maintaining cyber resilience

Become a hunter: fi nding the true value of SIEM.

IT Risk & Security Specialist Position Description

INFORMATION SECURITY STRATEGIC PLAN

Leveraging Network and Vulnerability metrics Using RedSeal

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Data Quality and Your Digital Reputation. An Experian Data Quality Guide

Cisco IT Technology Tutorial Overview of ITIL at Cisco

Effective Software Security Management

ITIL v3 Service Manager Bridge

FIVE PRACTICAL STEPS

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Real World Application and Usage of IBM Advanced Analytics Technology

Enterprise Cloud Security via DevSecOps

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

LIST OF MAJOR LEADING & LAGGING ECONOMIC INDICATORS

Building Security into the Software Life Cycle

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

Executive Summary. 3 Attracting ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Technology Solutions for NERC CIP Compliance June 25, 2015

Motorola Enterprise Mobility Services. Maximize the value of your mobility solutions

How To Buy Nitro Security

Security Information Management (SIM)

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

So Why on Earth Would You WANT To be a CISO?

THE DELOITTE CFO SURVEY 2015 Q2 RESULTS PATH TO GROWTH

Front Metrics Technologies Pvt. Ltd. Capacity Management Policy, Process & Procedures Document

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

CFIR - Finance IT 2015 Cyber security September 2015

SOLUTION WHITE PAPER. Remedyforce Powerful Platform

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

Program Overview and 2015 Outlook

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Cisco Unified Security Metrics: Measuring Your Organization s Security Health

Identifying & Implementing Quick Wins

Information Security Awareness: How to Get Users Asking for More

FnB User Master Class

INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT. Doomed by Design: Unearthing the Problems with Government Security Programs

QRadar SIEM and FireEye MPS Integration

IBM QRadar Security Intelligence April 2013

WHITE PAPER. Automated IT Asset Management Maximize Organizational Value Using Numara Track-It! p: f:

Leveraging a Maturity Model to Achieve Proactive Compliance

COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30

JOB DESCRIPTION CONTRACTUAL POSITION

SECURITY OPERATIONS CENTER (SOC) Implementing Security Monitoring in Small and Mid-Sized Organizations

PCI DSS Top 10 Reports March 2011

ITIL: Service Operation

Scalability in Log Management

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

De-Risking the Supply Chain: Cisco s Risk Intelligence and Analytic Tools

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Data Driven Security Framework to Success

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

Protecting against cyber threats and security breaches

Tivoli Security Information and Event Manager V1.0

how can I improve performance of my customer service level agreements while reducing cost?

Governance, Risk, and Compliance (GRC) White Paper

Defending against modern threats Kruger National Park ICCWS 2015

Security and Privacy Trends 2014

End-user Security Analytics Strengthens Protection with ArcSight

Cloud Infrastructure Security Management

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

When someone asks, How s the economy. A New Look at Economic Indexes for the States in the Third District. Theodore M. Crone*

CYBER SECURITY, A GROWING CIO PRIORITY

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

I D C A N A L Y S T C O N N E C T I O N

WHAT S NEW NAV NEWS VIEW FROM 2 NAV ADD - ONS INDUSTRY FOCUS NAV TIPS VOL 1 ISSUE 1

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

Transcription:

One Failure Leads to Another: Developing Leading Indicators for Security Threats and Risks SESSION ID: TRM-W07 Dr. Lance Hayden Solutions Architect & Information Scientist Cisco Global Security Services @hay_lance

What We ll Cover Today Introductions Measures, Metrics and Indicators Leading Indicators in Security Examples Developing Leading Indicators in Your Security Program Concluding Remarks and Open for Questions 2

Introductions

Introducing Myself Dr. Lance Hayden CISSP, CISM, CRISC lhayden@cisco.com www.linkedin.com/in/drhayden www.amazon.com/author/drhayden

Measures, Metrics and Indicators

Measures, Metrics and Indicators What does it mean to measure? [To] ascertain the size, amount, or degree of (something) by using an instrument or device marked in standard units or by comparing it with an object of known size [To] estimate or assess the importance, quality, value, or effect of (something) [To] judge someone or something by comparison with (a certain standard) 1 6

Measures, Metrics and Indicators Output Artifact Independent Output Trend Linked Metric Indicator Measurement Process Activity Context 7

Measures, Metrics and Indicators Leading and Lagging Indicators Concept borrowed from economics Use of indicators dates back to 1930 s National Bureau of Economic Research (NBER) Metrics involving economic processes found to be important in business cycles 2 Types of indicators include: Leading indicators that anticipate future cycles and events Coincident indicators that describe current state Lagging indicators that are evidence of past cycles and events 8

Measures, Metrics and Indicators Examples of Economic Indicators Lagging Indicators GDP drop for two consecutive quarters indicates recession Unemployment rising indicates economy has fared poorly Coincident Indicators Income and wages Leading Indicators Stock prices Retail sales Building permits 9

Measures, Metrics and Indicators It s very difficult to make predictions, especially about the future 3 10

Leading Indicators in Security

Drift Model of Security Failure 12

Leading Indicators in Security Security professionals understand the role of lagging and coincident indicators Event counts (coincident) Telemetry data (coincident) Failed audits (lagging) Security breaches (lagging) Today, security teams are looking for ways to anticipate threats and failures 13

Leading Indicators in Security Requirements for leading security indicators are different Leading indicators require a different approach Data collection prior to the cycle or event Proactive rather than reactive vision Creativity and imagination Leading indicators require different data sources Exploratory rather than forensic data Information investment against future insights Leading Indicators require different analysis Linking past and future measurements Looking for future trends in past data 14

Examples

Example: Making an Exception Many organizations have standard security configurations Deployment guides Standard or secure build policies for production systems Many organizations also have exception processes With approval, some systems may not have to play by the rules Allows flexibility and agility A poorly managed exception process can be a leading indicator of security risk Source: exception process of large retail company 16

Example: Making an Exception 160 140 120 100 80 60 IT Exceptions Security Vulnerabilities Security Incidents 40 20 0 2009 2010 2011 17

Example: Competing Priorities Security must compete with other enterprise priorities Productivity targets Revenue and cost pressures Habits and decisions, not policies, define security posture If the choice is secure or on time which will be chosen? Organizational culture defines what is truly important Changes in everyday decisions can be a leading indicator of increased security risks Source: survey responses & project data of medium ISP 18

Example: Competing Priorities 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Q1 Q2 Q3 Q4 "I feel pressure" Project on schedule Security review complete 19

Developing Leading Indicators in Your Security Program

Developing Leading Indicators in Your Security Program Causation Correlation 21

Developing Leading Indicators in Your Security Program Five rules for leading security indicators One: Big events (almost) always follow small ones Two: Correlation is not causation Three: Patterns are not predictions Four: Analysis can t be (fully) automated Five: If you re sure, then you re sure to be wrong http://xkcd.com/552/ 22

Developing Leading Indicators in Your Security Program Five tips for leading security indicators One: Work back from known events Two: Pay attention to small failures Three: Don t let the perfect be the enemy of the good Four: Surveys make for great data Five: Don t be afraid to experiment 23

Thinking Differently About Indicators Let s examine a few examples Federal Reserve Beige Book 4 Published eight times per year since 1970 Completely anecdotal data Consumer Confidence Indices (Various) Survey-based data collection Responses are variants of positive, neutral, or negative Ontario Leading Indicators Project (OLIP) Designed to identify management practices that improve health and safety performance before injuries and illnesses occur Again, survey based, categorical data collection 24

References 1 Oxford English Dictionary 2 NBER Working Paper No.941: The Leading Indicator Approach to Economic Forecasting Retrospect and Prospect 3 Variously attributed to Yogi Berra, Niels Bohr, and Mark Twain 4 Summary of Commentary on Current Economic Conditions by Federal Reserve District (available at www.federalreserve.gov/monetarypolicy/beigebook/default.htm) 25