SlideShare ist ein Scribd-Unternehmen logo

ISSA Phoenix Security Metrics... So What?

A
Allgress, Inc.

The document discusses techniques for communicating the value of security to business decision makers using metrics. It suggests gathering metrics on risk and business impact to demonstrate how security strategies minimize risk and maximize business value. Examples show how to present metrics on reducing vulnerabilities, compliance costs, and aligning security with business objectives. The goal is to translate technical security information for non-technical executives using relevant financial and risk terminology.

Technologie
1 von 25
ISSA PHOENIX SECURITY METRICS – SO WHAT? WILLIAM TANG, CTO JULY 13, 2010 ALLGRESS, INC. © 2009 ALLGRESS, INC. 1 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
What You Will Learn? • Techniques to influence business decision makers. • Simple ways to demonstrate security value. • How to align security strategy with the business. ALLGRESS, INC. © 2009 ALLGRESS, INC. 2 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Security Metrics – So What? • Why are we gathering metrics? • Who are we gathering these metrics for? • What will we do with the metrics, once we have them? ALLGRESS, INC. © 2009 ALLGRESS, INC. 3 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
IT Security’s Job Description Minimize Security Risk & Maximize Business Value Business and security metrics are needed to demonstrate and communicate both objectives. ALLGRESS, INC. © 2009 ALLGRESS, INC. 4 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 5 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
If You Were a CFO, COO, or Exec… • This is the language you would speak: – Discount Rate – Leverage Ratio – Covenants – Net Debt Free Cash Flow – EBITDA, EPS, Beta, etc… If this sounds like a foreign language, imagine how they feel when we use IT security terms… ALLGRESS, INC. © 2009 ALLGRESS, INC. 6 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Which Statement for Exec Mgmt? A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers. B. The IT systems that generate 30% of our revenue have critical security vulnerabilities. ALLGRESS, INC. © 2009 ALLGRESS, INC. 7 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 8 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Choose Wisely Security Business Metrics Metrics Useful Metrics (for your intended audience) ALLGRESS, INC. © 2009 ALLGRESS, INC. 9 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Risk & Revenue • ‘Bubbles’ represent business units (BU). This BU generates 30% of revenue, but it has high risk. • Size of the bubble represents the BU percentage revenue ($). • NIST Risk Methodology (tech scans & audits). IT systems that generate 30% revenue has critical vulnerabilities and risk. Does this make business sense? Low Risk Medium Risk High Risk ALLGRESS, INC. © 2009 ALLGRESS, INC. 10 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Escape Fire Fighting Mode • PCI compliance scans from Qualys. • Results grouped by operating system or asset type. For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one. ALLGRESS, INC. © 2009 ALLGRESS, INC. 11 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Escape Fire Fighting Mode • Same Qualys data as before, but now grouped by vulnerability type. Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place? ALLGRESS, INC. © 2009 ALLGRESS, INC. 12 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Naughty Business Unit • Wedges represent labor hours for fixing security vulnerabilities for each Business Unit. Los Angeles • Leverage any vulnerability scanning tool. New York • Link with estimates for remediation, Remedy trouble Austin tickets or a timesheet system. Boston If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities? ALLGRESS, INC. © 2009 ALLGRESS, INC. 13 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 14 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Risk Reduction Per $ • ‘Bubble’ can represent any business metric. • Demonstrate changes Year 1 in risk over time (trending). We can calculate the Year 2 changes in risk and costs to show how effective Year 3 investments in security reduce risk. Or how reducing investments in security increase risk. ALLGRESS, INC. © 2009 ALLGRESS, INC. 15 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Risk Reduction Per $ Demo of Risk Trending ALLGRESS, INC. © 2009 ALLGRESS, INC. 16 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Prove Cost Savings • Web Servers required 1,034 labor hours to mitigate vulnerabilities. • Mail Service Web Servers vulnerabilities required 1,014 labor hours. Mail Services • Total is 2,048 hours. • Assume the average labor hour is $100/hr. ALLGRESS, INC. © 2009 ALLGRESS, INC. 17 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Prove Cost Savings October 2009 January 2010 Implement training and Scans for this quarter show awareness to system admins that vulnerability count has to prevent vulnerabilities with decreased by 40%. As a result change control and patching labor hours have also processes. decreased by approx 40% • Hours = 2,048 • Hours = 1,200 • Labor Cost = $100/hr • Labor Cost = $100/hr • Total Cost = $20,480 • Total Cost = $12,000 Estimated Cost Savings = $8,480 ALLGRESS, INC. © 2009 ALLGRESS, INC. 18 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Prove Cost Savings October 2009 January 2010 CLOSED PENDING OPEN NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs. ALLGRESS, INC. © 2009 ALLGRESS, INC. 19 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Align With The Business ALLGRESS, INC. © 2009 ALLGRESS, INC. 20 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Example: Align With The Business ALLGRESS, INC. © 2009 ALLGRESS, INC. 21 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 22 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Allgress Solution Objectives Minimize Security Risk & Maximize Business Value Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort. ALLGRESS, INC. © 2009 ALLGRESS, INC. 23 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Parting Words of Wisdom Dave Cullinane CISO “Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.” Full webinar at http://www.allgress.com/webinars ALLGRESS, INC. © 2009 ALLGRESS, INC. 24 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
Q&A William Tang Chief Technology Officer Allgress, Inc. Email: william.tang@allgress.com Direct: 310.383.2783 FAX: 310.496.0426 www.allgress.com ALLGRESS, INC. © 2009 ALLGRESS, INC. 25 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com

Empfohlen

ISSA Sacramento: Security Metrics - So What?
ISSA Sacramento: Security Metrics - So What?ISSA Sacramento: Security Metrics - So What?
ISSA Sacramento: Security Metrics - So What?Allgress, Inc.
 
Valuendo 25 Things Not To Do (March 2009) Handout
Valuendo 25 Things Not To Do (March 2009) HandoutValuendo 25 Things Not To Do (March 2009) Handout
Valuendo 25 Things Not To Do (March 2009) HandoutMarc Vael
 
Roots of scrum 2011_Jeff Sutherland氏
Roots of scrum 2011_Jeff Sutherland氏Roots of scrum 2011_Jeff Sutherland氏
Roots of scrum 2011_Jeff Sutherland氏InnovationSprint2011
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...NJVC, LLC
 
Safewall - Staying ahead of the threat
Safewall - Staying ahead of the threatSafewall - Staying ahead of the threat
Safewall - Staying ahead of the threatVincent Kwon
 
iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)Prabir Saha
 
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerCleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerClearedJobs.Net
 
Failure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsFailure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsAmazon Web Services
 

Empfohlen

ISSA Sacramento: Security Metrics - So What?
ISSA Sacramento: Security Metrics - So What?ISSA Sacramento: Security Metrics - So What?
ISSA Sacramento: Security Metrics - So What?Allgress, Inc.
 
Valuendo 25 Things Not To Do (March 2009) Handout
Valuendo 25 Things Not To Do (March 2009) HandoutValuendo 25 Things Not To Do (March 2009) Handout
Valuendo 25 Things Not To Do (March 2009) HandoutMarc Vael
 
Roots of scrum 2011_Jeff Sutherland氏
Roots of scrum 2011_Jeff Sutherland氏Roots of scrum 2011_Jeff Sutherland氏
Roots of scrum 2011_Jeff Sutherland氏InnovationSprint2011
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...NJVC, LLC
 
Safewall - Staying ahead of the threat
Safewall - Staying ahead of the threatSafewall - Staying ahead of the threat
Safewall - Staying ahead of the threatVincent Kwon
 
iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)iSecureCyber (Long Pitch Deck)
iSecureCyber (Long Pitch Deck)Prabir Saha
 
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerCleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons Corner
Cleared Job Fair Job Seeker Handbook Oct 21 Westin Tysons CornerClearedJobs.Net
 
Failure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsFailure is not an Option - Designing Highly Resilient AWS Systems
Failure is not an Option - Designing Highly Resilient AWS SystemsAmazon Web Services
 
Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Dahamoo GmbH
 
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsScale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsAmazon Web Services
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloudInterop
 
Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)John Dillard
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementjustinkallhoff
 
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net
 
IT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalIT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalMichael Krigsman
 
Creating effective security controls
Creating effective security controlsCreating effective security controls
Creating effective security controlsInterop
 
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...Thomas Gross
 
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VACleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VAClearedJobs.Net
 
Cleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerCleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerClearedJobs.Net
 
TMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationTMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationKJR
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategyJason Clark
 
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionTop 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionEnterprise Management Associates
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...Amazon Web Services
 
Cloud Computing 28 Oct09 Research
Cloud Computing 28 Oct09 ResearchCloud Computing 28 Oct09 Research
Cloud Computing 28 Oct09 ResearchRugby7277
 
Fad final print
Fad final printFad final print
Fad final printavelinakauffman
 
iSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckiSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckPrabir Saha
 
Financial Analyst Day 2013
Financial Analyst Day 2013Financial Analyst Day 2013
Financial Analyst Day 2013avelinakauffman
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Weitere ähnliche Inhalte

Ähnlich wie ISSA Phoenix Security Metrics... So What?

Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Dahamoo GmbH
 
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsScale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsAmazon Web Services
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityInternap
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloudInterop
 
Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)John Dillard
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementjustinkallhoff
 
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net
 
IT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalIT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalMichael Krigsman
 
Creating effective security controls
Creating effective security controlsCreating effective security controls
Creating effective security controlsInterop
 
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...Thomas Gross
 
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VACleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VAClearedJobs.Net
 
Cleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerCleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerClearedJobs.Net
 
TMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationTMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationKJR
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategyJason Clark
 
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionTop 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionEnterprise Management Associates
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...Amazon Web Services
 
Cloud Computing 28 Oct09 Research
Cloud Computing 28 Oct09 ResearchCloud Computing 28 Oct09 Research
Cloud Computing 28 Oct09 ResearchRugby7277
 
iSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckiSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckPrabir Saha
 
Financial Analyst Day 2013
Financial Analyst Day 2013Financial Analyst Day 2013
Financial Analyst Day 2013avelinakauffman
 

Ähnlich wie ISSA Phoenix Security Metrics... So What? (20)

Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!Helicopter Assessments - Improve your Customer Data Security!
Helicopter Assessments - Improve your Customer Data Security!
 
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS SystemsScale - Failure is not an Option: Designing Highly Resilient AWS Systems
Scale - Failure is not an Option: Designing Highly Resilient AWS Systems
 
Cloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. RealityCloud Security: Perception Vs. Reality
Cloud Security: Perception Vs. Reality
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloud
 
Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)Insider Threats (RIMS 2012)
Insider Threats (RIMS 2012)
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18thClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
ClearedJobs.Net Cleared Job Fair Job Seeker's Handbook March 18th
 
IT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of SurvivalIT Failures Town Hall: Risks of Survival
IT Failures Town Hall: Risks of Survival
 
Creating effective security controls
Creating effective security controlsCreating effective security controls
Creating effective security controls
 
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas...
 
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VACleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
Cleared Job Fair Job Seeker Handbook Feb 7, 2013, Tysons Corner, VA
 
Cleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons CornerCleared Job Fair Handbook February 25, 2010 Tysons Corner
Cleared Job Fair Handbook February 25, 2010 Tysons Corner
 
TMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentationTMF2014 C Birmele-Microsoft Azure presentation
TMF2014 C Birmele-Microsoft Azure presentation
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management SolutionTop 10 Tips for Selecting a Threat and Vulnerability Management Solution
Top 10 Tips for Selecting a Threat and Vulnerability Management Solution
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
 
Cloud Computing 28 Oct09 Research
Cloud Computing 28 Oct09 ResearchCloud Computing 28 Oct09 Research
Cloud Computing 28 Oct09 Research
 
Fad final print
Fad final printFad final print
Fad final print
 
iSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch DeckiSecureCyber - Short Pitch Deck
iSecureCyber - Short Pitch Deck
 
Financial Analyst Day 2013
Financial Analyst Day 2013Financial Analyst Day 2013
Financial Analyst Day 2013
 

Kürzlich hochgeladen

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Kürzlich hochgeladen (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

ISSA Phoenix Security Metrics... So What?

  • 1. ISSA PHOENIX SECURITY METRICS – SO WHAT? WILLIAM TANG, CTO JULY 13, 2010 ALLGRESS, INC. © 2009 ALLGRESS, INC. 1 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 2. What You Will Learn? • Techniques to influence business decision makers. • Simple ways to demonstrate security value. • How to align security strategy with the business. ALLGRESS, INC. © 2009 ALLGRESS, INC. 2 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 3. Security Metrics – So What? • Why are we gathering metrics? • Who are we gathering these metrics for? • What will we do with the metrics, once we have them? ALLGRESS, INC. © 2009 ALLGRESS, INC. 3 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 4. IT Security’s Job Description Minimize Security Risk & Maximize Business Value Business and security metrics are needed to demonstrate and communicate both objectives. ALLGRESS, INC. © 2009 ALLGRESS, INC. 4 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 5. Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 5 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 6. If You Were a CFO, COO, or Exec… • This is the language you would speak: – Discount Rate – Leverage Ratio – Covenants – Net Debt Free Cash Flow – EBITDA, EPS, Beta, etc… If this sounds like a foreign language, imagine how they feel when we use IT security terms… ALLGRESS, INC. © 2009 ALLGRESS, INC. 6 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 7. Which Statement for Exec Mgmt? A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers. B. The IT systems that generate 30% of our revenue have critical security vulnerabilities. ALLGRESS, INC. © 2009 ALLGRESS, INC. 7 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 8. Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 8 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 9. Choose Wisely Security Business Metrics Metrics Useful Metrics (for your intended audience) ALLGRESS, INC. © 2009 ALLGRESS, INC. 9 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 10. Example: Risk & Revenue • ‘Bubbles’ represent business units (BU). This BU generates 30% of revenue, but it has high risk. • Size of the bubble represents the BU percentage revenue ($). • NIST Risk Methodology (tech scans & audits). IT systems that generate 30% revenue has critical vulnerabilities and risk. Does this make business sense? Low Risk Medium Risk High Risk ALLGRESS, INC. © 2009 ALLGRESS, INC. 10 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 11. Example: Escape Fire Fighting Mode • PCI compliance scans from Qualys. • Results grouped by operating system or asset type. For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one. ALLGRESS, INC. © 2009 ALLGRESS, INC. 11 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 12. Example: Escape Fire Fighting Mode • Same Qualys data as before, but now grouped by vulnerability type. Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place? ALLGRESS, INC. © 2009 ALLGRESS, INC. 12 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 13. Example: Naughty Business Unit • Wedges represent labor hours for fixing security vulnerabilities for each Business Unit. Los Angeles • Leverage any vulnerability scanning tool. New York • Link with estimates for remediation, Remedy trouble Austin tickets or a timesheet system. Boston If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities? ALLGRESS, INC. © 2009 ALLGRESS, INC. 13 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 14. Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 14 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 15. Example: Risk Reduction Per $ • ‘Bubble’ can represent any business metric. • Demonstrate changes Year 1 in risk over time (trending). We can calculate the Year 2 changes in risk and costs to show how effective Year 3 investments in security reduce risk. Or how reducing investments in security increase risk. ALLGRESS, INC. © 2009 ALLGRESS, INC. 15 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 16. Example: Risk Reduction Per $ Demo of Risk Trending ALLGRESS, INC. © 2009 ALLGRESS, INC. 16 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 17. Example: Prove Cost Savings • Web Servers required 1,034 labor hours to mitigate vulnerabilities. • Mail Service Web Servers vulnerabilities required 1,014 labor hours. Mail Services • Total is 2,048 hours. • Assume the average labor hour is $100/hr. ALLGRESS, INC. © 2009 ALLGRESS, INC. 17 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 18. Example: Prove Cost Savings October 2009 January 2010 Implement training and Scans for this quarter show awareness to system admins that vulnerability count has to prevent vulnerabilities with decreased by 40%. As a result change control and patching labor hours have also processes. decreased by approx 40% • Hours = 2,048 • Hours = 1,200 • Labor Cost = $100/hr • Labor Cost = $100/hr • Total Cost = $20,480 • Total Cost = $12,000 Estimated Cost Savings = $8,480 ALLGRESS, INC. © 2009 ALLGRESS, INC. 18 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 19. Example: Prove Cost Savings October 2009 January 2010 CLOSED PENDING OPEN NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs. ALLGRESS, INC. © 2009 ALLGRESS, INC. 19 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 20. Example: Align With The Business ALLGRESS, INC. © 2009 ALLGRESS, INC. 20 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 21. Example: Align With The Business ALLGRESS, INC. © 2009 ALLGRESS, INC. 21 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 22. Presentation Outline • Introduction Exercise • Be More Effective • Demonstrate Security Value • Conclusion ALLGRESS, INC. © 2009 ALLGRESS, INC. 22 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 23. Allgress Solution Objectives Minimize Security Risk & Maximize Business Value Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort. ALLGRESS, INC. © 2009 ALLGRESS, INC. 23 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 24. Parting Words of Wisdom Dave Cullinane CISO “Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.” Full webinar at http://www.allgress.com/webinars ALLGRESS, INC. © 2009 ALLGRESS, INC. 24 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
  • 25. Q&A William Tang Chief Technology Officer Allgress, Inc. Email: william.tang@allgress.com Direct: 310.383.2783 FAX: 310.496.0426 www.allgress.com ALLGRESS, INC. © 2009 ALLGRESS, INC. 25 2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com