
Nabil Malik - Security performance metrics

Published on: Mar 3, 2016
Source: www.slideshare.net


Transcripts - Nabil Malik - Security performance metrics

  • 1. Security Performance Metrics
       Nabil A. Malik
       nabil.malik@gmail.com
  • 2. Agenda
       Background
       Security Evolution
       Security Metrics
       Measuring Technical Security
       Measuring Security Program
  • 3. 1 – Background
       What is Information Security?
       What is Risk Management?
       Why do we need Security Measurements?
       Objectives:
       Understanding Security Evolution
       Measuring Security
  • 4. 2 – Security Evolution
       The Past
       A Technical Function
       Technical Security – Firewall, IDS, Access Control
       The Present
       An Assurance Function – mostly Risk Management
       Risk Management Process
       The Doughnut-Shaped Cycle
       The Future
       Metrics supplementing Risk Management
  • 5. 2 – Security Evolution
  • 6. 2 – Security Evolution
       Assessment
       Reporting
       Prioritization
       Mitigation
       Follow them, and you've got risk management!
       Good for Vendors – Service charges at each cycle
       Unpleasant for Consumers – Never Clean
  • 7. 2 – Security Evolution
       The Problem:
       Captures the easy part (identification and fixing)
       Misses the hard part (quantification and valuation of risk)
       Vendor tools are agnostic about the organizational context
       Real Risk Management should be identification, rating, mitigation, and above all, quantification of the risks
       Thus, today's Risk Management = Identify + Fix
  • 8. 2 – Security Evolution
       FUD is the old model (Past and Present)
       FEAR, UNCERTAINTY, and DOUBT (FUD)
       The FEAR of the catastrophic consequence of an information attack
       The UNCERTAINTY about Vulnerabilities
       The DOUBT about the sufficiency of existing controls
       Shall we continue to rely on Oracles and Fortune Tellers (Vendors!) to give us security advice and hope it will keep us safe?
  • 9. 3 – Security Metrics
       Business Questions:
       Is my security better this year?
       What am I getting out of my security investment?
       How do I compare to my peers?
       Answers:
       Readily answered in other business contexts
       Silence and embarrassment in the security context
       Metric = "A system of measurement"
  • 10. 3 – Security Metrics
       Good Metrics are:
       Consistently measured
       Cheap to gather
       Expressed as a cardinal number or percentage
       Expressed using at least one unit of measure
       Contextually specific
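The following is an added worked example, not part of the deck, showing what slide 10's criteria look like when applied to one of the technical-security areas from slides 11 to 14 (coverage and control of anti-malware). The metric definitions, the host fields and the two quarterly snapshots are constructed for illustration and are not measurements from the presentation. Each metric is computed by the same function every period (consistently measured), reported as a percentage with a stated unit of measure, and scoped to a business unit (contextually specific), so the trend between two snapshots answers the slide 9 question "Is my security better this year?" with a number rather than with FUD.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Host:
    """One inventory record (constructed shape, not from the deck)."""
    name: str
    unit: str                        # business unit: the metric's context
    av_installed: bool               # anti-malware agent present
    signature_date: Optional[date]   # date of the newest signature set


@dataclass(frozen=True)
class Metric:
    """A metric expressed as a cardinal number plus an explicit unit and scope."""
    name: str
    value: float
    unit: str
    scope: str
    as_of: date


def _in_scope(hosts: List[Host], scope: str) -> List[Host]:
    return [h for h in hosts if scope == "all" or h.unit == scope]


def av_coverage(hosts: List[Host], scope: str, as_of: date) -> Metric:
    """Coverage: percentage of in-scope hosts with an anti-malware agent installed."""
    pool = _in_scope(hosts, scope)
    covered = sum(1 for h in pool if h.av_installed)
    value = round(100.0 * covered / len(pool), 1) if pool else 0.0
    return Metric("anti_malware_coverage", value, "percent of hosts", scope, as_of)


def signature_currency(hosts: List[Host], scope: str, as_of: date,
                       max_age_days: int = 7) -> Metric:
    """Control: percentage of covered hosts whose signatures are at most
    max_age_days old on the measurement date. A host with an agent but stale
    signatures counts as covered but not controlled."""
    covered = [h for h in _in_scope(hosts, scope) if h.av_installed]
    current = sum(
        1 for h in covered
        if h.signature_date is not None and (as_of - h.signature_date).days <= max_age_days
    )
    value = round(100.0 * current / len(covered), 1) if covered else 0.0
    return Metric("signature_currency", value, "percent of covered hosts", scope, as_of)


def trend(current: Metric, previous: Metric) -> float:
    """Change in percentage points between two measurements of the same metric.
    Refuses to compare metrics with different names, units or scopes, which is
    the 'consistently measured' criterion enforced in code."""
    if (current.name, current.unit, current.scope) != (previous.name, previous.unit, previous.scope):
        raise ValueError("metrics are not comparable: name, unit and scope must match")
    return round(current.value - previous.value, 1)


def describe(m: Metric) -> str:
    """Report line that always carries the number, its unit and its context."""
    return f"{m.name} = {m.value} {m.unit} (scope: {m.scope}, as of {m.as_of.isoformat()})"


# Constructed sample inventory for two quarters (illustrative values only).
Q1_DATE = date(2016, 1, 31)
SNAPSHOT_Q1 = [
    Host("web-01", "ops", True, date(2016, 1, 30)),
    Host("web-02", "ops", True, date(2016, 1, 10)),   # agent present, stale signatures
    Host("db-01", "ops", False, None),
    Host("hr-pc-01", "hr", True, date(2016, 1, 31)),
    Host("hr-pc-02", "hr", False, None),
]

Q2_DATE = date(2016, 4, 30)
SNAPSHOT_Q2 = [
    Host("web-01", "ops", True, date(2016, 4, 29)),
    Host("web-02", "ops", True, date(2016, 4, 28)),
    Host("db-01", "ops", True, date(2016, 4, 1)),     # now covered, but stale
    Host("hr-pc-01", "hr", True, date(2016, 4, 30)),
    Host("hr-pc-02", "hr", False, None),
]


if __name__ == "__main__":
    for scope in ("all", "ops", "hr"):
        q1 = av_coverage(SNAPSHOT_Q1, scope, Q1_DATE)
        q2 = av_coverage(SNAPSHOT_Q2, scope, Q2_DATE)
        print(describe(q2), f"| change vs Q1: {trend(q2, q1):+} points")
    c1 = signature_currency(SNAPSHOT_Q1, "all", Q1_DATE)
    c2 = signature_currency(SNAPSHOT_Q2, "all", Q2_DATE)
    print(describe(c2), f"| change vs Q1: {trend(c2, c1):+} points")
```

The split between coverage and currency is the point: coverage alone would report db-01 as a win in Q2, while the currency metric shows that the newly installed agent is not yet doing its job. Reporting both, per business unit, gives management a number it can act on and a trend it can hold the program to next quarter.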
  • 11. 4 – Measuring Technical Security: Perimeter Defense – Email
  • 12. 4 – Measuring Technical Security: Perimeter Defense – Anti-Malware
  • 13. 4 – Measuring Technical Security: Coverage and Control
  • 14. 4 – Measuring Technical Security: Availability and Reliability
  • 15. 5 – Measuring Security Program
       Frameworks: COBIT, ISO 2700X, NIST, ...
       Security Program contains Controls
       Some Controls are also Processes
       Examples of Security Processes include:
       Risk Management
       Policy Development and Compliance
       Human Resource Security
       Human Education
       Incident Management
       Information Continuity Management
  • 16. 5 – Measuring Security Program: Planning and Organization
  • 17. 5 – Measuring Security Program: Acquisition and Implementation
  • 18. 5 – Measuring Security Program: Delivery and Support
  • 19. 5 – Measuring Security Program: Delivery and Support
  • 20. 5 – Measuring Security Program: Monitor and Evaluate
  • 21. Questions?
       Nabil A. Malik
       nabil.malik@gmail.com
