2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.
Best Practices of a Metrics-Minded Security Organization
Changing the Security Game
Welcome!
• Type in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? button
• Click the Attachments button to find a printable copy of this presentation
• After the webinar, ISACA members may earn 1 CPE credit
– Find a link to the Event Home Page on the Attachments button
– Click the CPE Quiz link on the Event Home Page to access the quiz
– Once you pass the quiz, you'll receive a link to a printable CPE Certificate
• Questions or suggestions? Email them to [email protected]
Joe Gottlieb
• 25 years in IT (getting old : )
• Security Vendor
– Nokia…Firewall Appliances
– McAfee…Security Innovation Alliance
– Sensage…Open Security Intelligence
• IT Analyst/Consultant
– Ernst & Young
– META Group
• Coach
• Photographer?
Cyber Assaults: We Are Not Winning that War
SOURCE: Verizon Business, 2012 Data Breach Investigations Report, 855 incidents analyzed
• 174 million compromised records
• 81% utilized some form of hacking
• 69% incorporated malware
Typical Timeline for an APT
1. A bot gains access to an employee laptop via a bogus Wi-Fi hotspot.
2. It lies dormant for months until the user logs in to the corporate file server; an executable is placed on that system.
3. The command-and-control server watches for admin activity on the system.
4. An admin accesses the infected server and the bot captures permissions, login patterns and keyboard activity.
5. Months of passive presence follow until the bot starts downloading files, undetected.
6. Months after the initial breach, a third party discovers and reports the suspected loss.
It’s Not Happening in Real Time
SOURCE: Verizon Business, 2012 Data Breach Investigations Report
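The timeline above is a dwell-time story: months between the initial foothold and a third party reporting the loss. A metrics-minded organization measures that gap directly rather than reading about it in someone else's breach report. The following Python is an added example, not part of the ISACA deck or of Sensage's product. The incident records are constructed sample data (not DBIR figures), and the bucket boundaries, field names and the "internal" / "third_party" discoverer labels are assumptions chosen for this illustration. It goes slightly beyond the slide by splitting the same metrics by who discovered the breach, which is the number that tells you whether your own monitoring is working.

```python
"""Time-to-discovery metrics over constructed incident records.

Added example (not from the ISACA deck or Sensage): measures the gap the
timeline above describes, from initial compromise to discovery, and who
found it. All incident identifiers, dates and the bucket boundaries are
assumptions made for this illustration, not Verizon DBIR data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Incident:
    incident_id: str
    initial_compromise: datetime
    discovered: datetime
    discovered_by: str  # "internal" or "third_party" (assumed labels)


# Constructed sample records (hypothetical identifiers and dates).
INCIDENTS = [
    Incident("INC-001", datetime(2012, 1, 3), datetime(2012, 6, 15), "third_party"),
    Incident("INC-002", datetime(2012, 2, 10), datetime(2012, 2, 10, 6), "internal"),
    Incident("INC-003", datetime(2012, 3, 1), datetime(2012, 3, 20), "internal"),
    Incident("INC-004", datetime(2012, 3, 14), datetime(2012, 9, 30), "third_party"),
    Incident("INC-005", datetime(2012, 4, 2), datetime(2012, 4, 2, 0, 20), "internal"),
    Incident("INC-006", datetime(2012, 5, 5), datetime(2012, 5, 11), "third_party"),
]

# DBIR-style scale; each label covers [previous upper bound, upper bound).
BUCKETS = (
    ("minutes", timedelta(hours=1)),
    ("hours", timedelta(days=1)),
    ("days", timedelta(weeks=1)),
    ("weeks", timedelta(days=30)),
    ("months", None),  # open-ended
)


def dwell_time(inc: Incident) -> timedelta:
    """Elapsed time between initial compromise and discovery."""
    return inc.discovered - inc.initial_compromise


def bucket(delta: timedelta) -> str:
    """Map a dwell time onto the coarse DBIR-style time scale."""
    for label, upper in BUCKETS:
        if upper is None or delta < upper:
            return label
    raise ValueError("unreachable: last bucket is open-ended")


def discovery_metrics(incidents) -> dict:
    """Headline numbers a security org would report to stakeholders."""
    dwell_days = [dwell_time(i).total_seconds() / 86400 for i in incidents]
    shares = Counter(bucket(dwell_time(i)) for i in incidents)
    n = len(incidents)
    third_party = sum(1 for i in incidents if i.discovered_by == "third_party")
    return {
        "count": n,
        "median_dwell_days": median(dwell_days),
        "pct_third_party_discovery": round(100 * third_party / n, 1),
        "pct_months_or_longer": round(100 * shares["months"] / n, 1),
        "bucket_share": {label: round(100 * shares[label] / n, 1) for label, _ in BUCKETS},
    }


def metrics_by_discoverer(incidents) -> dict:
    """Split the same metrics by who found the breach: internal vs third party."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc.discovered_by, []).append(inc)
    return {who: discovery_metrics(group) for who, group in groups.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(discovery_metrics(INCIDENTS), indent=2))
    print(json.dumps(metrics_by_discoverer(INCIDENTS), indent=2))
```

The two numbers worth trending quarter over quarter are the median dwell time of internally discovered incidents (is your own detection getting faster?) and the share of incidents first reported by a third party (how much of your visibility is borrowed?).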
97% of breaches were avoidable…
SOURCE: Verizon Business, 2012 Data Breach Investigations Report
Are Processes Broken?
• Sensage wanted to find out…
– We surveyed 400+ people in Security / IT
– Same questions in 2010, 2011 and 2012
• Processes surveyed:
– Compliance Reporting
– Real-time Monitoring
– Log Management
– Forensic Investigation
– Incident Response
A Quick Poll
• Does your SIEM solution provide the visibility you require to run your security operation?
– Yes
– No
– We don't have a SIEM solution
You Can’t Defend What You Can’t See
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
…No Matter What You are Doing
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
So How are We Doing?
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
Among internal customer/stakeholder groups, what is the opinion/perception of the effectiveness of these processes?

                                      2010   2011   2012
Ineffective                            13%    10%    13%
Somewhat effective                     48%    47%    57%
Effective                              28%    33%    26%
Very effective                         12%     8%     5%

Ineffective OR Somewhat effective      61%    57%    70%
Effective OR Very effective            40%    41%    31%
Why?
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
How coordinated are these processes?

                                                          2010   2011   2012
No coordination                                            26%    20%    19%
Reactive "triage" across teams                             32%    33%    47%
Planned and documented process coordination                25%    31%    28%
Planned, documented and measured process coordination      17%    16%     6%

No coordination OR Reactive "triage" across teams          58%    53%    66%
Planned and documented OR Planned, documented and
measured process coordination                              42%    47%    34%
Why?
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
How well are these processes measured for results?

                                      2010   2011   2012
No measurement                         16%    14%    18%
Light yet inconsistent measurement     36%    35%    41%
Heavy yet inconsistent measurement     16%    16%    20%
Light yet consistent measurement       17%    24%    16%
Heavy and consistent measurement       14%    12%     5%

No measurement OR Light measurement    69%    73%    75%
Heavy measurement                      30%    28%    25%
Why?
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
How proactive is your organization about improving these processes?

                                                    2010   2011   2012
No process improvement                               15%     9%    14%
Inconsistent process improvement                     32%    25%    47%
Consistent yet understaffed process improvement      35%    48%    35%
Consistent and adequately staffed process improvement 18%    17%     5%

No process improvement OR Inconsistent process improvement   47%    34%    61%
Consistent process improvement                               53%    65%    40%
Process Coordination Correlates with Effectiveness
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
Process Measurement Correlates with Effectiveness
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
Process Improvement Correlates with Effectiveness
The Data Correlation Problem, Correlated
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
A Quick Poll
• Are you using your SIEM solution to do a lot more than it was originally scoped for?
– Yes
– No
– We don't have a SIEM solution
SIEM, the “Utility Infielder” of Security
SOURCE: Sensage Annual Security Data Management Survey conducted at RSA Conference in 2010, 2011 and 2012 (n=355, 383 and 399)
Sensage – Advanced SIEM
• Centralized Event Data Warehouse handles massive volumes of time-stamped data from any source
• Massively Parallel Processing (MPP) for linear scalability, handling massive volumes of event data which can be stored indefinitely
• Open Interfaces (ODBC/JDBC) provide direct access to the data warehouse
Sensage – Advanced SIEM
• Standard reports and dashboards meeting compliance requirements (PCI, FISMA, HIPAA, SOX, etc.)
• Open to 3rd party BI tools for familiar data analysis, dashboarding and reporting
• Access data from as recent as the last hour to views of multi-year history without extracting from archive
• Views and query optimization for scalable query performance
A Quick Poll
• How "metrics-minded" is your security organization?
– Very
– Somewhat
– Just getting started
– Not at all
Ten Tips for the Metrics-Minded Org
• Pre-requisites:
– Collect and store all event data
– Know your organization's MQ
– Don't reinvent the wheel
1. Enroll stakeholders early
2. Define event system of record
3. Emphasize user/asset directories
4. Let your service catalog guide you
5. Land, then expand
6. Be consistent or die
7. Be ready to change
8. Engage experts, ignite managers
9. Test yourself with an MPT
10. Innovate for depth but prune as you
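Tips 2 and 3 (define an event system of record; emphasize user/asset directories), together with the pre-requisite to collect and store all event data, are concrete enough to show in code. The block below is an added example, not code from the deck or from Sensage. The record schema, the two raw log formats, the hostnames, usernames and directory entries are all constructed for this illustration. It normalizes both formats onto one record, enriches each event from the user and asset directories without dropping unknown hosts or users, and reports the asset-coverage blind spots that "you can't defend what you can't see" refers to: directory assets that are silent, and hosts that are logging but are not in the directory at all.

```python
"""Event system of record, directory enrichment and coverage metrics.

Added example, not code from the ISACA deck or from Sensage. Every log
line, hostname, username and directory entry below is constructed sample
data, and the record schema (ts, host, user, src, outcome, source_type)
is an assumption made for this illustration.
"""
import json
import re
from datetime import datetime, timezone

# Constructed asset directory: the authoritative list of what should be logging.
ASSETS = {
    "fs01": {"owner": "infra", "criticality": "high"},
    "web01": {"owner": "apps", "criticality": "medium"},
    "db01": {"owner": "data", "criticality": "high"},
    "lt-jdoe": {"owner": "enduser", "criticality": "low"},
}

# Constructed user directory: which accounts are privileged.
USERS = {
    "jdoe": {"dept": "finance", "privileged": False},
    "admin.bob": {"dept": "it", "privileged": True},
    "svc_backup": {"dept": "it", "privileged": True},
}

# Constructed raw inputs in two formats: sshd auth-log lines and JSON events.
# The last line is deliberately corrupt to exercise the unparsed path.
RAW_LINES = [
    "2012-06-01T09:15:02Z fs01 sshd: Accepted publickey for admin.bob from 10.1.2.3",
    "2012-06-01T09:20:44Z fs01 sshd: Accepted password for jdoe from 10.1.5.9",
    '{"ts":"2012-06-01T09:21:10Z","host":"db01","user":"svc_backup","src":"10.1.2.3"}',
    "2012-06-01T10:02:13Z build07 sshd: Failed password for admin.bob from 10.9.9.9",
    '{"ts":"2012-06-01T10:05:00Z","host":"db01","user":"admin.bob","src":"10.1.2.3"}',
    "#### corrupted line: partial write ####",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def normalize(line):
    """Map one raw line onto the single system-of-record schema, or None."""
    if line.startswith("{"):
        d = json.loads(line)
        fields = {"ts": d["ts"], "host": d["host"], "user": d["user"],
                  "src": d["src"], "outcome": d.get("outcome", "Accepted"),
                  "source_type": "json_event"}
    else:
        m = AUTH_RE.match(line)
        if not m:
            return None  # kept out of the record but counted by the caller
        fields = {**m.groupdict(), "source_type": "auth_log"}
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return fields


def enrich(event):
    """Attach directory context; unknown hosts/users are flagged, not dropped."""
    asset = ASSETS.get(event["host"])
    user = USERS.get(event["user"])
    return {**event,
            "asset_known": asset is not None,
            "criticality": asset["criticality"] if asset else "unknown",
            "user_known": user is not None,
            "privileged": bool(user and user["privileged"])}


def build_record(lines):
    """Return (enriched events, number of lines that failed to parse)."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(enrich(ev))
    return events, unparsed


def coverage_metrics(events, unparsed):
    """Visibility metrics: who is silent, who is unmanaged, what touched crown jewels."""
    seen = {e["host"] for e in events}
    silent = sorted(h for h in ASSETS if h not in seen)
    unmanaged = sorted({e["host"] for e in events if not e["asset_known"]})
    priv_on_critical = sum(1 for e in events
                           if e["privileged"] and e["criticality"] == "high")
    return {
        "events": len(events),
        "unparsed": unparsed,
        "asset_coverage_pct": round(100 * (len(ASSETS) - len(silent)) / len(ASSETS), 1),
        "silent_assets": silent,
        "unmanaged_hosts": unmanaged,
        "privileged_logins_on_critical_assets": priv_on_critical,
    }


if __name__ == "__main__":
    evs, bad = build_record(RAW_LINES)
    print(json.dumps(coverage_metrics(evs, bad), indent=2))
```

Two design points: unparsed lines are counted rather than silently discarded, because a falling parse rate is itself a metric (a format change upstream looks exactly like a quiet network otherwise); and a host that is not in the asset directory is surfaced as "unmanaged" rather than filtered out, since an unknown machine authenticating a privileged account is the kind of event the APT timeline above turns on.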
Questions?