© 2009 ALLGRESS, INC.
2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
ISSA Sacramento
Security Metrics – So What?
William Tang, CTO
09/17/2010
Security Metrics – So What?
• Why are we gathering metrics?
• Who are we gathering these metrics for?
• What will we do with the metrics, once we have them?
What You Will Learn
• Techniques to influence business decision makers.
• Simple ways to demonstrate security value.
• How to align security strategy with the business.
IT Security’s Job Description
Minimize Security Risk
&
Maximize Business Value
Business and security metrics are needed to demonstrate and communicate both objectives.
Presentation Outline
• Introduction Exercise
• Be More Effective
• Demonstrate Security Value
• Conclusion
If You Were a CFO, COO, or Exec…
• This is the language you would speak:
– Discount Rate
– Leverage Ratio
– Covenants
– Net Debt Free Cash Flow
– EBITDA, EPS, Beta, etc…
If this sounds like a foreign language, imagine how they feel when we use IT security terms…
Which Statement for Exec Mgmt?
A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.
B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.
Presentation Outline
• Introduction Exercise
• Be More Effective
• Demonstrate Security Value
• Conclusion
Choose Wisely
Security Metrics
Business Metrics
Useful Metrics (for your intended audience)
Example: Risk & Revenue
• ‘Bubbles’ represent business units (BU).
• Size of the bubble represents the BU percentage revenue ($).
• NIST Risk Methodology (tech scans & audits).
IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?
(Chart x-axis: Low Risk, Medium Risk, High Risk)
This BU generates 30% of revenue, but it has high risk.
Example: Escape Fire Fighting Mode
• PCI compliance scans from Qualys.
• Results grouped by operating system or asset type.
For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.
Example: Escape Fire Fighting Mode
• Same Qualys data as before, but now grouped by vulnerability type.
Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?
Example: Naughty Business Unit
• Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
• Leverage any vulnerability scanning tool.
• Link with estimates for remediation, Remedy trouble tickets or a timesheet system.
If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?
(Chart wedges: Boston, Los Angeles, Austin, New York)
Presentation Outline
• Introduction Exercise
• Be More Effective
• Demonstrate Security Value
• Conclusion
Example: Risk Reduction Per $
• ‘Bubble’ can represent any business metric.
• Demonstrate changes in risk over time (trending).
We can calculate the changes in risk and costs to show how effective investments in security reduce risk, or how reducing investments in security increases risk.
(Chart panels: Year 1, Year 2, Year 3)
Example: Risk Reduction Per $
Demo of Risk Trending
Example: Prove Cost Savings
• Web Servers required 1,034 labor hours to mitigate vulnerabilities.
• Mail Service vulnerabilities required 1,014 labor hours.
• Total is 2,048 hours.
• Assume the average labor hour is $100/hr.
(Chart wedges: Web Servers, Mail Services)
Example: Prove Cost Savings
October 2009
Implement training and awareness for system admins to prevent vulnerabilities with change control and patching processes.
• Hours = 2,048
• Labor Cost = $100/hr
• Total Cost = $20,480
January 2010
Scans for this quarter show that the vulnerability count has decreased by 40%. As a result, labor hours have also decreased by approximately 40%.
• Hours = 1,200
• Labor Cost = $100/hr
• Total Cost = $12,000
Estimated Cost Savings = $8,480
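The three preceding examples (regrouping Qualys results by vulnerability type instead of asset type, charting labor hours per business unit, and comparing remediation cost across two quarters) all come from the same pivot over enriched scan findings. The following Python is an added illustration, not code from the deck or from Allgress: the `Finding` record, the two quarterly scans and the labor-hour estimates are constructed sample data, and the flat $100/hr rate is the deck's own assumption.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding, enriched with the asset's business unit and a
    remediation-hours estimate from a ticketing or timesheet system."""
    host: str
    asset_type: str
    business_unit: str
    vuln_type: str            # root-cause category, not the individual CVE/QID
    remediation_hours: float


# Constructed sample scans (hypothetical, not the deck's data), one per quarter.
SCAN_OCT_2009 = [
    Finding("bos-web-01", "Web Server", "Boston", "Missing OS patch", 4.0),
    Finding("bos-web-02", "Web Server", "Boston", "Missing OS patch", 4.0),
    Finding("bos-mail-01", "Mail Server", "Boston", "Missing OS patch", 6.0),
    Finding("bos-db-01", "Database", "Boston", "Default credentials", 8.0),
    Finding("la-web-01", "Web Server", "Los Angeles", "Missing OS patch", 4.0),
    Finding("la-web-02", "Web Server", "Los Angeles", "Weak TLS config", 2.0),
    Finding("la-db-01", "Database", "Los Angeles", "Missing OS patch", 5.0),
    Finding("aus-web-01", "Web Server", "Austin", "Weak TLS config", 2.0),
    Finding("ny-mail-01", "Mail Server", "New York", "Missing OS patch", 6.0),
    Finding("ny-web-01", "Web Server", "New York", "Weak TLS config", 2.0),
]
# After a patching/change-control process fix most "Missing OS patch" findings are gone.
SCAN_JAN_2010 = [
    Finding("bos-db-01", "Database", "Boston", "Default credentials", 8.0),
    Finding("la-web-02", "Web Server", "Los Angeles", "Weak TLS config", 2.0),
    Finding("aus-web-01", "Web Server", "Austin", "Weak TLS config", 2.0),
    Finding("ny-web-01", "Web Server", "New York", "Weak TLS config", 2.0),
    Finding("bos-web-01", "Web Server", "Boston", "Missing OS patch", 4.0),
]


def count_by(findings, attribute):
    """Pivot findings by one attribute, e.g. 'asset_type' (fire-fighting view)
    or 'vuln_type' (root-cause view)."""
    return dict(Counter(getattr(f, attribute) for f in findings))


def top_root_cause(findings):
    """Vulnerability type with the largest share of findings. A dominant type
    points at a process fix rather than one-by-one remediation."""
    counts = count_by(findings, "vuln_type")
    vuln_type, n = max(counts.items(), key=lambda kv: kv[1])
    return vuln_type, n / len(findings)


def hours_by_business_unit(findings):
    """Total remediation labor hours per business unit (the pie-chart wedges)."""
    hours = defaultdict(float)
    for f in findings:
        hours[f.business_unit] += f.remediation_hours
    return dict(hours)


def hours_per_host_by_business_unit(findings):
    """Normalise labor hours by distinct hosts per BU, so a BU with many
    systems is not mistaken for a BU with a remediation problem."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f.business_unit].add(f.host)
    return {bu: h / len(hosts[bu])
            for bu, h in hours_by_business_unit(findings).items()}


def cost_savings(before, after, rate_per_hour=100.0):
    """Quarter-over-quarter remediation cost delta at a flat labor rate
    (the deck assumes $100/hr)."""
    hours_before = sum(f.remediation_hours for f in before)
    hours_after = sum(f.remediation_hours for f in after)
    reduction = hours_before - hours_after
    return {
        "hours_before": hours_before,
        "hours_after": hours_after,
        "hours_reduction_pct": (reduction / hours_before * 100) if hours_before else 0.0,
        "cost_before": hours_before * rate_per_hour,
        "cost_after": hours_after * rate_per_hour,
        "savings": reduction * rate_per_hour,
    }


if __name__ == "__main__":
    print("By asset type:", count_by(SCAN_OCT_2009, "asset_type"))
    print("By vuln type: ", count_by(SCAN_OCT_2009, "vuln_type"))
    print("Top root cause:", top_root_cause(SCAN_OCT_2009))
    print("Hours by BU:   ", hours_by_business_unit(SCAN_OCT_2009))
    print("Hours per host:", hours_per_host_by_business_unit(SCAN_OCT_2009))
    print("Savings:       ", cost_savings(SCAN_OCT_2009, SCAN_JAN_2010))
```

The asset-type pivot answers "what do I patch next", while the vulnerability-type pivot answers "which process is producing these findings"; on the sample data one root cause accounts for 60% of findings, which is the case for fixing patching rather than tickets. The per-host normalisation is what lets you tell whether Boston's wedge is large because it has more systems or because it takes longer to fix each one.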
Example: Prove Cost Savings
(Chart panels: October 2009, January 2010; legend: Closed, Pending, Open)
NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.
Example: Align With The Business
Example: Align With The Business
Presentation Outline
• Introduction Exercise
• Be More Effective
• Demonstrate Security Value
• Conclusion
Allgress Solution Objectives
Minimize Security Risk
&
Maximize Business Value
Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.
Parting Words of Wisdom
“Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.”
Dave Cullinane, CISO
Full webinar at http://www.allgress.com/webinars
Q & A
William Tang
Chief Technology Officer
Allgress, Inc.
Email: [email protected]
Direct: 310.383.2783
FAX: 310.496.0426
www.allgress.com