2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved. Best Practices of a Metrics-Minded Security Organization Changing the Security Game
Changing the Security Game - Webinars and videos for professionals

Feb 03, 2022

dariahiddleston
Transcript
Page 1

Best Practices of a Metrics-Minded Security Organization

Changing the Security Game

Page 2

Welcome!

• Type in questions using the Ask A Question button

• All audio is streamed over your computer
  – Having technical issues? Click the ? button

• Click Attachments button to find a printable copy of this presentation

• After the webinar, ISACA members may earn 1 CPE credit
  – Find a link to the Event Home Page on the Attachments button
  – Click the CPE Quiz link on the Event Home Page to access the quiz
  – Once you pass the quiz, you’ll receive a link to a printable CPE Certificate

• Question or suggestion? Email them to [email protected]

Page 3

Joe Gottlieb

• 25 years in IT (getting old : )

• Security Vendor
  – Nokia…Firewall Appliances
  – McAfee…Security Innovation Alliance
  – Sensage…Open Security Intelligence

• IT Analyst/Consultant
  – Ernst & Young
  – META Group

• Coach

• Photographer?

Page 4

Cyber Assaults: We Are Not Winning that War

SOURCE: Verizon Business, 2012 Data Breach Investigations Report, 855 incidents analyzed

174 million compromised records

81% utilized some form of hacking

69% incorporated malware

Page 5

Typical Timeline for an APT

A bot gains access to an employee laptop via bogus wifi

It lies dormant for months until user logs into corp file server – executable is placed in system

Command and control server watches for admin activity on system

Admin accesses infected server and bot captures permissions, login patterns, keyboard activity

Months of passive presence until bot starts downloading files undetected

Months after initial breach, 3rd party discovers and reports suspected loss

Page 6

It’s Not Happening in Real Time

SOURCE: Verizon Business, 2012 Data Breach Investigations Report

Page 7

97% of breaches were avoidable…

SOURCE: Verizon Business, 2012 Data Breach Investigations Report

Page 8

Are Processes Broken?

• Sensage wanted to find out…
  – We surveyed 400+ people in Security / IT
  – Same questions in 2010, 2011 and 2012

Compliance Reporting

Real-time Monitoring

Log Management

Forensic Investigation

Incident Response

Page 9

A Quick Poll

• Does your SIEM solution provide the visibility you require to run your security operation?
  – Yes
  – No
  – We don’t have a SIEM solution

Page 10

You Can’t Defend What You Can’t See

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Page 11

…No Matter What You are Doing

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Page 12

So How are We Doing?

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

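Among internal customer/stakeholder groups, what is the opinion/perception of the effectiveness of these processes?

• 2010: Ineffective 13%, Somewhat effective 48%, Effective 28%, Very effective 12%
• 2011: Ineffective 10%, Somewhat effective 47%, Effective 33%, Very effective 8%
• 2012: Ineffective 13%, Somewhat effective 57%, Effective 26%, Very effective 5%

Grouped responses:

• 2010: Ineffective OR Somewhat effective 61%, Effective or Very effective 40%
• 2011: Ineffective OR Somewhat effective 57%, Effective or Very effective 41%
• 2012: Ineffective OR Somewhat effective 70%, Effective or Very effective 31%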

Page 13

Why?

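How coordinated are these processes?

• 2010: No coordination 26%, Reactive "triage" across teams 32%, Planned and documented process coordination 25%, Planned, documented and measured process coordination 17%
• 2011: No coordination 20%, Reactive "triage" across teams 33%, Planned and documented process coordination 31%, Planned, documented and measured process coordination 16%
• 2012: No coordination 19%, Reactive "triage" across teams 47%, Planned and documented process coordination 28%, Planned, documented and measured process coordination 6%

Grouped responses:

• 2010: No coordination OR Reactive "triage" across teams 58%, Planned and documented OR Planned, documented and measured process coordination 42%
• 2011: No coordination OR Reactive "triage" across teams 53%, Planned and documented OR Planned, documented and measured process coordination 47%
• 2012: No coordination OR Reactive "triage" across teams 66%, Planned and documented OR Planned, documented and measured process coordination 34%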

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Page 14

Why?

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

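How well are these processes measured for results?

• 2010: No measurement 16%, Light yet inconsistent measurement 36%, Heavy yet inconsistent measurement 16%, Light yet consistent measurement 17%, Heavy and consistent measurement 14%
• 2011: No measurement 14%, Light yet inconsistent measurement 35%, Heavy yet inconsistent measurement 16%, Light yet consistent measurement 24%, Heavy and consistent measurement 12%
• 2012: No measurement 18%, Light yet inconsistent measurement 41%, Heavy yet inconsistent measurement 20%, Light yet consistent measurement 16%, Heavy and consistent measurement 5%

Grouped responses:

• 2010: No measurement OR Light measurement 69%, Heavy measurement 30%
• 2011: No measurement OR Light measurement 73%, Heavy measurement 28%
• 2012: No measurement OR Light measurement 75%, Heavy measurement 25%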

Page 15

Why?

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

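How proactive is your organization about improving these processes?

• 2010: No process improvement 15%, Inconsistent process improvement 32%, Consistent yet understaffed process improvement 35%, Consistent and adequately staffed process improvement 18%
• 2011: No process improvement 9%, Inconsistent process improvement 25%, Consistent yet understaffed process improvement 48%, Consistent and adequately staffed process improvement 17%
• 2012: No process improvement 14%, Inconsistent process improvement 47%, Consistent yet understaffed process improvement 35%, Consistent and adequately staffed process improvement 5%

Grouped responses:

• 2010: No process improvement OR Inconsistent process improvement 47%, Consistent process improvement 53%
• 2011: No process improvement OR Inconsistent process improvement 34%, Consistent process improvement 65%
• 2012: No process improvement OR Inconsistent process improvement 61%, Consistent process improvement 40%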

Page 16

Process Coordination Correlates with Effectiveness

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Page 17

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Process Measurement Correlates with Effectiveness

Page 18

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Process Improvement Correlates with Effectiveness

Page 19

The Data Correlation Problem, Correlated

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Page 20

A Quick Poll

• Are you using your SIEM solution to do a lot more than it was originally scoped for?
  – Yes
  – No
  – We don’t have a SIEM solution

Page 21

SIEM, the “Utility Infielder” of Security

SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)

Page 22

Centralized Event Data Warehouse handles massive volumes of time-stamped data from any source

Massively Parallel Processing (MPP) for linear scalability, handling massive volumes of event data which can be stored indefinitely

Open Interfaces (ODBC/JDBC) provide direct access to data warehouse

Sensage – Advanced SIEM

Page 23

Standard reports and dashboards meeting compliance requirements (PCI, FISMA, HIPAA, SOX, etc.)

Open to 3rd party BI tools for familiar data analysis, dashboarding and reporting

Access data from as recent as last hour to views of multi-year history without extracting from archive

Views and query optimization for scalable query performance

Sensage – Advanced SIEM

Page 24

A Quick Poll

• How “metrics-minded” is your security organization?
  – Very
  – Somewhat
  – Just getting started
  – Not at all

Page 25

Ten Tips for the Metrics-Minded Org

• Pre-requisites:
  – Collect and store all event data
  – Know your organization’s MQ
  – Don’t reinvent the wheel

1. Enroll stakeholders early
2. Define event system of record
3. Emphasize user/asset directories
4. Let your service catalog guide you
5. Land, then expand
6. Be consistent or die
7. Be ready to change
8. Engage experts, ignite managers
9. Test yourself with an MPT
10. Innovate for depth but prune as you

Page 26

Questions?