FIST Conference, March 2008, Madrid

Sponsored by:

Security Management Metrics
Vicente Aceituno, 2008
About me

Vice president of the ISSA Spain chapter.
  www.issa-spain.org

Vice president of the FIST Conferences
association.
  www.fistconference.org

Author of a number of articles:
  Google: vaceituno wikipedia

Director of the ISM3 Consortium
  The consortium promotes ISM3, an ISMS standard
  ISM3 is the main source for this presentation.
  www.ism3.com
Management vs Engineering

Security Engineering: design and build systems
that can be used securely.
Security Management: employ people and
systems (which may be well or badly engineered)
safely.
Targets vs Outcomes

Activity and Targets are weakly linked.
Targets:
  +Security / -Risk
  Trust
Activity:
  Keep systems updated
  Assign user accounts
  Inform users of their rights
Definition

 Metrics are quantitative measurements that can be
 interpreted in the context of a series of previous or
 equivalent measurements.
 Metrics make management possible:
1.   Measurement – Some call this “metrics” too.
2.   Interpretation – Some call this “indicator”.
3.   Investigation – (When appropriate, logs are key here)
         Common cause
         Special cause
4.   Rationalization
5.   Informed Decision
Qualitative vs Quantitative Measurement

William Thomson (Lord Kelvin): "I often say that when you can
measure what you are speaking about, and express it in numbers, you know something
about it; but when you cannot express it in numbers, your knowledge is of a meager and
unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your
thoughts, advanced to the stage of science, whatever the matter may be."

Meaning: "What can't be measured, can't be managed"
Interpretation

It doesn't make sense to set thresholds beforehand. You
have to learn what is normal to find out what is abnormal.
Thresholds can be fuzzy, so every threshold produces some
false positives and some false negatives.
   Example: 1000 students tested for HIV, 10 have it.

                             Have HIV   Don't have HIV
   Test positive for HIV          9              99
   Test negative for HIV          1             891

   Of the 108 positive results only 9 are real: with a rare
   condition even a test that is right 90% of the time is
   wrong for most of the people it flags.
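The arithmetic behind the table, as an added example that is not part of the original slides. The 1000-student figures are the slide's own; the login-screening figures at the end are constructed to show what the same 90%/90% test does when the thing being looked for is rarer, which is the usual situation for a security detection.

```python
"""Confusion-matrix arithmetic behind the slide's HIV example.

Added example, not code from the original slides. The 1000-student
numbers are the slide's; the login-screening numbers further down are
constructed to show the same test at a lower base rate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    tp: int  # flagged and really positive
    fp: int  # flagged but actually negative (false alarm)
    fn: int  # cleared but actually positive (miss)
    tn: int  # cleared and really negative

    @property
    def sensitivity(self) -> float:
        """Share of real positives the test catches."""
        return self.tp / (self.tp + self.fn)

    @property
    def specificity(self) -> float:
        """Share of real negatives the test clears."""
        return self.tn / (self.tn + self.fp)

    @property
    def precision(self) -> float:
        """Share of positive results that are real (what one positive is worth)."""
        return self.tp / (self.tp + self.fp)

    @property
    def false_positive_rate(self) -> float:
        return 1.0 - self.specificity

    @property
    def false_negative_rate(self) -> float:
        return 1.0 - self.sensitivity


# The slide's table: 1000 students, 10 infected.
SLIDE = Confusion(tp=9, fp=99, fn=1, tn=891)


def project(population: int, prevalence: float,
            sensitivity: float, specificity: float) -> Confusion:
    """Expected confusion matrix when a test of known quality is applied
    to a population with the given base rate (prevalence)."""
    positives = round(population * prevalence)
    negatives = population - positives
    tp = round(positives * sensitivity)
    tn = round(negatives * specificity)
    return Confusion(tp=tp, fp=negatives - tn, fn=positives - tp, tn=tn)


# Constructed: the same 90 % / 90 % detector screening 100 000 logins a day
# of which 0.1 % are malicious. Precision collapses below 1 %, i.e. more
# than 99 of every 100 alerts are false positives.
LOGINS = project(100_000, 0.001, SLIDE.sensitivity, SLIDE.specificity)

if __name__ == "__main__":
    for name, c in (("students", SLIDE), ("logins", LOGINS)):
        print(f"{name}: sens={c.sensitivity:.2f} spec={c.specificity:.2f} "
              f"precision={c.precision:.3f} ({c.fp} false alarms per {c.tp} real)")
```

The point for interpretation: sensitivity and specificity describe the test, precision describes what an alert is worth, and precision depends on the base rate the test is applied to. The same threshold that looks acceptable on the students is useless on the logins, which is why the slide says thresholds have to be learned in context rather than fixed beforehand.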
Interpretation
Is it successful?
Is it normal?
How does it compare against peers?
Interpretation
Are outcomes better fit to their purpose?
Are outcomes getting closer or further from target?
Are we getting fewer false positives and false negatives?
Are we using resources more efficiently?
Rationalization
Is the correction/change working?
Is it cost effective?
Can we meet our targets with the resources we
have?
Are we getting the same outputs with fewer
resources?
Decisions
Good Metrics are SMARTIED

S.M.A.R.T
   Specific: The metric is relevant to the process being measured.
   Measurable: Measuring the metric is feasible at reasonable cost.
   Actionable: It is possible to act on the process to improve the metric.
   Relevant: Improvements in the metric meaningfully enhance the
   contribution of the process towards the goals of the management
   system.
   Timely: The metric can be measured fast enough to be used effectively.
+Interpretable: Interpretation is feasible (there is comparable
data) at reasonable cost (false positive and false negative
rates are low enough).
+Enquirable: Investigation is feasible at reasonable cost.
+Dynamic: The metric values change over time.
Fashion vs Results

Real Time vs Continuous Improvement
  Management is far more than Incident Response.
Risk Assessment as a Metric
  Only as useful as Investigation results.
Certification / Audit
  Compliant / Not compliant is NOT a Metric.
What are good Metrics?
  Activity: The number of outcomes produced in a time
period;
  Scope: The proportion of the environment or system that
is protected by the process.
  Update: The time since the last update or refresh of
process outcomes. (Are outcomes recent enough to be valid?)
  Availability: The time since a process has performed as
expected upon demand (uptime), the frequency and
duration of interruptions, and the time interval between
interruptions.
  Efficiency / ROSI: Ratio of outcomes to the cost of the
investment in the process. (Are we getting the same outcomes
with fewer resources? Are we getting more/better outcomes with the
same resources?)
What are good Metrics?

  Efficacy / Benchmark: Ratio of outcomes
produced in comparison to the theoretical
maximum. Measuring efficacy of a process implies
the comparison against a baseline. (Are outputs better fit
to their purpose?, Compare against industry/peers to show relative
position)
 Load: Ratio of available resources in actual use to
produce the outcomes, like CPU load, repositories
capacity, bandwidth, licenses and overtime hours
per employee.
 Accuracy: Rate of false positives and false
negatives.
Examples

Activity:
    Number of access attempts successful
Scope:
    % Resources protected with Access Control
Update:
    Time elapsed since last access attempt successful
Availability:
    % of Time Access Control is available
Efficiency / ROSI:
    Access attempts successful per euro
Efficacy / Benchmark:
    Malicious access attempts failed vs Malicious access attempts successful.
    Legitimate access attempts failed vs Legitimate access attempts
    successful.
Load:
    % mean and peak Gb, Mb/s, CPU and licenses in use.
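How each of the metric types on the two previous slides is computed from the raw records of an access-control process, as an added example that is not code from the original talk. All inputs are constructed for illustration: a week of access events, a resource inventory, one outage window, the period cost and licence-usage samples. The "malicious" label is the result of investigation after the fact, not something the control itself knows; without that label efficacy and accuracy cannot be measured, which is why the slides keep saying logs are key.

```python
"""Computing the slide's example metrics from access-control records.

Added example, not code from the original talk. All inputs are constructed:
a week of access events, a resource inventory, one outage window, the period
cost and licence-usage samples. The 'malicious' flag is the label assigned
afterwards by investigation; without it efficacy and accuracy cannot be
measured at all.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    at: datetime
    resource: str
    granted: bool
    malicious: bool  # filled in after investigation, not by the control itself


# Constructed data for one weekly reporting period.
PERIOD = (datetime(2008, 3, 3), datetime(2008, 3, 10))
INVENTORY = {"hr-db", "payroll", "wiki", "fileshare", "legacy-ftp"}
PROTECTED = {"hr-db", "payroll", "wiki", "fileshare"}   # legacy-ftp has no access control
OUTAGES = [(datetime(2008, 3, 5, 2, 0), datetime(2008, 3, 5, 3, 30))]  # 90 minutes down
PERIOD_COST_EUR = 500.0
LICENCES_TOTAL = 200
LICENCES_IN_USE = [120, 150, 190, 140]   # periodic samples
EVENTS = [
    AccessEvent(datetime(2008, 3, 3, 9, 0), "hr-db", True, False),
    AccessEvent(datetime(2008, 3, 3, 9, 5), "wiki", True, False),
    AccessEvent(datetime(2008, 3, 4, 11, 0), "payroll", False, False),   # legitimate user refused
    AccessEvent(datetime(2008, 3, 4, 23, 0), "hr-db", False, True),      # attacker refused
    AccessEvent(datetime(2008, 3, 6, 8, 0), "fileshare", True, False),
    AccessEvent(datetime(2008, 3, 6, 8, 30), "fileshare", True, True),   # attacker let in
    AccessEvent(datetime(2008, 3, 7, 10, 0), "hr-db", True, False),
    AccessEvent(datetime(2008, 3, 7, 10, 1), "payroll", True, False),
]


def activity(events):
    """Activity: successful access attempts in the period."""
    return sum(1 for e in events if e.granted)


def scope(inventory, protected):
    """Scope: % of inventoried resources that sit behind the access control."""
    return 100.0 * len(inventory & protected) / len(inventory)


def update(events, now):
    """Update: time since the last successful access attempt."""
    return now - max(e.at for e in events if e.granted)


def availability(outages, period):
    """Availability: % of the period during which the control answered requests."""
    start, end = period
    down = sum(((min(b, end) - max(a, start)) for a, b in outages), timedelta())
    return 100.0 * (1 - down / (end - start))


def efficiency(events, cost_eur):
    """Efficiency / ROSI: successful access attempts per euro spent."""
    return activity(events) / cost_eur


def efficacy(events):
    """Efficacy: outcomes split by whether the control did the right thing."""
    return {
        "malicious_failed": sum(1 for e in events if e.malicious and not e.granted),
        "malicious_successful": sum(1 for e in events if e.malicious and e.granted),
        "legitimate_failed": sum(1 for e in events if not e.malicious and not e.granted),
        "legitimate_successful": sum(1 for e in events if not e.malicious and e.granted),
    }


def accuracy(events):
    """Accuracy: false positive rate (legitimate refused) and false negative
    rate (malicious admitted), each relative to its own population."""
    c = efficacy(events)
    legit = c["legitimate_failed"] + c["legitimate_successful"]
    bad = c["malicious_failed"] + c["malicious_successful"]
    return {"false_positive_rate": c["legitimate_failed"] / legit,
            "false_negative_rate": c["malicious_successful"] / bad}


def load(samples, total):
    """Load: mean and peak % of licences in use."""
    return {"mean_pct": 100.0 * sum(samples) / len(samples) / total,
            "peak_pct": 100.0 * max(samples) / total}


def report(events=EVENTS, period=PERIOD):
    """One row of the metrics series for this period."""
    return {
        "activity": activity(events),
        "scope_pct": scope(INVENTORY, PROTECTED),
        "update": update(events, period[1]),
        "availability_pct": availability(OUTAGES, period),
        "efficiency_per_eur": efficiency(events, PERIOD_COST_EUR),
        "efficacy": efficacy(events),
        "accuracy": accuracy(events),
        "load": load(LICENCES_IN_USE, LICENCES_TOTAL),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Note which inputs each metric needs: activity, update and load come straight out of the control's own logs; scope needs an inventory the control does not keep; availability needs monitoring of the control itself; efficacy and accuracy need the investigation verdicts. A process that only has the first group can report at the Managed level of the capability slides but not beyond.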
Metrics and Capability

Undefined. The process might be used, but it is
not defined.
Defined. The process is documented and used.
Managed. The process is Defined and the
results of the process are used to fix and
improve the process.
Controlled. The process is Managed and
milestones and resource needs are accurately
predicted.
Optimized. The process is Controlled and
improvement leads to a saving in resources.
Capability: Undefined

Measurement - None
Interpretation - None
Capability: Defined

Measurement - None
Interpretation - None
Investigation – (When appropriate, logs are key here)
   Common cause (changes in the environment, results
   of management decisions)
   Special cause (incidents)
Rationalization for use of time, budget, people
and other resources – Not possible
Informed Decision – Not possible
Capability: Managed
Measurement: Scope, Activity, Availability
Interpretation:
   Normal?, Successful?, Trends?
   Benchmarking, How does it compare?
   Efficacy.
Investigation (Common cause, Special cause)
   Find faults before they produce incidents.
Rationalization… – Possible
Informed Decision – Possible
Capability: Controlled
Measurement: Load, Update
Interpretation
   Can we meet our targets in time with the
   resources we have?
   What resources and time are necessary to
   meet our targets ?
Investigation
   Find bottlenecks.
Rationalization…- Possible
Informed Decision, Planning – Possible
Capability: Optimized
Measurement: Efficiency (ROSI)
Interpretation
Investigation
Rationalization
Informed Decision, Planning, Tradeoffs (point of
diminishing returns) – Possible
Metric Specification

Name of the metric;
Description of what is measured;
How is the metric measured;
How often is the measurement taken;
How are the thresholds calculated;
Range of values considered normal for the metric;
Best possible value of the metric;
Units of measurement.
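The specification template above filled in for one metric, together with the threshold rule the Interpretation slide calls for (learn what is normal from previous measurements rather than fixing a number beforehand). This is an added example, not part of the original slides; the metric description, the weekly history and the choice of mean plus or minus k standard deviations are assumptions made for illustration.

```python
"""A metric specification with thresholds learned from history.

Added example, not from the original slides. It fills the slide's
specification template for one metric and derives the 'normal' range
from previous measurements instead of fixing it beforehand. The weekly
series and the band rule (mean +/- k*stdev) are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class MetricSpec:
    name: str
    description: str
    how_measured: str
    frequency: str
    threshold_method: str
    best_value: str          # direction of "good", since a fixed number is rarely known
    units: str
    k: float = 3.0           # width of the normal band in standard deviations


ACCESS_RIGHTS_GRANTED = MetricSpec(
    name="Access Rights Granted",
    description="Activity metric: number of access rights granted by the "
                "access-control process in the period",
    how_measured="count of approved access requests in the IAM ticket log",
    frequency="weekly",
    threshold_method="mean +/- k*stdev of the previous weeks (k=3)",
    best_value="no fixed best; sudden rises and drops both need investigation",
    units="rights per week",
)


def normal_range(history, k):
    """Learn the normal band from past measurements (needs at least 2 points).

    A wider k means fewer false alarms but more missed anomalies, which is
    the fuzzy-threshold trade-off; the band is re-learned as history grows."""
    if len(history) < 2:
        raise ValueError("cannot learn what is normal from fewer than 2 measurements")
    centre, spread = mean(history), stdev(history)
    return centre - k * spread, centre + k * spread


def interpret(spec, history, value):
    """Classify one new measurement against the band learned from history."""
    low, high = normal_range(history, spec.k)
    if value > high:
        status = "abnormal-high"
    elif value < low:
        status = "abnormal-low"
    else:
        status = "normal"
    return {"metric": spec.name, "value": value, "units": spec.units,
            "normal_range": (low, high), "status": status}


# Constructed weekly history (weeks W10..W17) followed by two new weeks.
HISTORY = [1200, 1150, 1300, 1250, 1180, 1220, 1270, 1210]

if __name__ == "__main__":
    for week, value in (("W18", 1240), ("W19", 1600)):
        print(week, interpret(ACCESS_RIGHTS_GRANTED, HISTORY, value))
```

An "abnormal" result is the trigger for the Investigation step, not a verdict: the rise in W19 may be a common cause (a reorganisation, a new application rolled out) or a special cause (someone granting rights they should not). The band only says the value is worth a look.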
Metrics Representation

[Chart: "Access Rights Granted" plotted per week, weeks W10 to W46, shown three times with different vertical scales (0 to 16000, 0 to 1800, 0 to 1600). X axis: Weeks.]
Using Metrics

[Chart: cumulative recommendations per owner (sum of days), by month from January to December, one series per owner: Mr Blue, Mr Pink, Mr Yellow, Mr Purple, Mr Soft Blue, Mr Red, Mr Green, Mr Orange. Y axis 0 to 2500 days.]
Using security management metrics

Key Goal Indicators
Key Performance Indicators
Service Level Agreements / Underpinning Contracts
Balanced Scorecard (Customer, Internal, Stakeholder,
Innovation - Goals and Measures)
Creative Commons Attribution-NoDerivs 2.0

You are free:
• to copy, distribute, display, and perform this work
Under the following conditions:
Attribution. You must give the original author credit.
No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative
Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
With the sponsorship of:

THANK YOU

www.fistconference.org

  • 3. Management vs Engineering Security Engineering: Design and build systems that can be used securely. Security Management: Employ people and systems (that can be well or badly engineered) safely.
  • 4. Targets vs Outcomes Activity and Targets are weakly linked. Targets: +Security / -Risk Trust Activity: Keep systems updated Assign user accounts Inform users of their rights
  • 5. Definition Metrics are quantitative measurements that can be interpreted in the context of a series of previous or equivalent measurements. Metrics make management possible: 1. Measurement – Some call this “metrics” too. 2. Interpretation – Some call this “indicator”. 3. Investigation – (When appropriate, logs are key here) Common cause Special cause 4. Rationalization 5. Informed Decision
  • 6. Qualitative vs Quantitative Measurement William Thomson (Lord Kelvin): “I often say that when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be”. Meaning: “What can’t be measured, can’t be managed”
  • 7. Interpretation It doesn’t make sense to set thresholds beforehand. You have to learn what is normal to find out what is abnormal. Thresholds can be fuzzy. False positives and false negatives. Example: 1000 students tested for HIV, 10 have it.
                              Have HIV   Don’t have HIV
    Test positive for HIV          9             99
    Test negative for HIV          1            891
  • 8. Interpretation Is it successful? Is it normal? How does it compare against peers?
  • 9. Interpretation Are outcomes better fit to their purpose? Are outcomes getting closer or further from target? Are we getting fewer false positives and false negatives? Are we using resources more efficiently?
  • 10. Rationalization Is the correction/change working? Is it cost effective? Can we meet our targets with the resources we have? Are we getting the same outputs with fewer resources?
  • 12. Good Metrics are SMARTIED S.M.A.R.T Specific: The metric is relevant to the process being measured. Measurable: Metric measurement is feasible with reasonable cost. Actionable: It is possible to act on the process to improve the metric. Relevant: Improvements in the metric meaningfully enhance the contribution of the process towards the goals of the management system. Timely: The metric measurement is fast enough to be used effectively. +Interpretable: Interpretation is feasible (there is comparable data) with reasonable cost (false positive or false negative rates are low enough). +Enquirable: Investigation is feasible with reasonable cost. +Dynamic: The metric values change over time.
  • 13. Fashion vs Results Real Time vs Continuous Improvement Management is far more than Incident Response. Risk Assessment as a Metric Only as useful as Investigation results. Certification / Audit Compliant / Not compliant is NOT a Metric.
  • 14. What are good Metrics? Activity: The number of outcomes produced in a time period; Scope: The proportion of the environment or system that is protected by the process. Update: The time since the last update or refresh of process outcomes. (Are outcomes recent enough to be valid?) Availability: The time since a process has performed as expected upon demand (uptime), the frequency and duration of interruptions, and the time interval between interruptions. Efficiency / ROSI: Ratio of outcomes to the cost of the investment in the process. (Are we getting the same outcomes with fewer resources? Are we getting more/better outcomes with the same resources?)
  • 15. What are good Metrics? Efficacy / Benchmark: Ratio of outcomes produced in comparison to the theoretical maximum. Measuring efficacy of a process implies the comparison against a baseline. (Are outputs better fit to their purpose?, Compare against industry/peers to show relative position) Load: Ratio of available resources in actual use to produce the outcomes, like CPU load, repositories capacity, bandwidth, licenses and overtime hours per employee. Accuracy: Rate of false positives and false negatives.
  • 16. Examples Activity: Number of access attempts successful Scope: % Resources protected with Access Control Update: Time elapsed since last access attempt successful Availability: % of Time Access Control is available Efficiency / ROSI: Access attempts successful per euro Efficacy / Benchmark: Malicious access attempts failed vs Malicious access attempts successful. Legitimate access attempts failed vs Legitimate access attempts successful. Load: % mean and peak Gb, Mb/s, CPU and licenses in use.
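As an added example (not code from the slides or from ISM3), the following computes the slide 16 access control metrics (Activity, Update, Efficacy, Accuracy) from a few constructed access-control log lines, and applies the slide 7 idea that a threshold is learned from previous measurements rather than set beforehand. The log format, account names, the NOW timestamp and the k-sigma rule are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev
# Constructed access-control log lines (not from the original slides):
# timestamp, account, decision, and a label assigned by later investigation.
ACCESS_LOG = """\
2008-03-03T08:01:10 alice ALLOW legitimate
2008-03-03T08:02:45 bob ALLOW legitimate
2008-03-03T08:05:00 carol DENY legitimate
2008-03-03T09:12:30 mallory DENY malicious
2008-03-03T09:13:02 mallory DENY malicious
2008-03-03T09:14:40 mallory ALLOW malicious
2008-03-03T11:45:15 erin ALLOW legitimate
"""
NOW = datetime(2008, 3, 3, 12, 0)  # constructed measurement time for the Update metric

def parse_log(text):
    """Each line becomes (timestamp, account, allowed, malicious)."""
    events = []
    for line in text.splitlines():
        ts, account, decision, label = line.split()
        events.append((datetime.fromisoformat(ts), account,
                       decision == "ALLOW", label == "malicious"))
    return events

def access_control_metrics(events, now=NOW):
    """Slide 16 metrics for one measurement period, as a dict."""
    allowed = [e for e in events if e[2]]
    legit = [e for e in events if not e[3]]
    mal = [e for e in events if e[3]]
    return {
        # Activity: successful access attempts in the period
        "activity": len(allowed),
        # Update: minutes since the last successful access attempt
        "update_minutes": (now - max(e[0] for e in allowed)).total_seconds() / 60,
        # Efficacy: malicious failed vs successful, legitimate failed vs successful
        "malicious_failed": sum(1 for e in mal if not e[2]),
        "malicious_successful": sum(1 for e in mal if e[2]),
        "legitimate_failed": sum(1 for e in legit if not e[2]),
        "legitimate_successful": sum(1 for e in legit if e[2]),
        # Accuracy: false positives (legitimate denied) and false negatives (malicious allowed)
        "false_positive_rate": sum(1 for e in legit if not e[2]) / len(legit),
        "false_negative_rate": sum(1 for e in mal if e[2]) / len(mal),
    }

def is_abnormal(value, history, k=2.0):
    """Slide 7 interpretation: the threshold is learned from previous measurements
    (mean plus/minus k standard deviations), not set beforehand."""
    mu, sigma = mean(history), pstdev(history)
    return abs(value - mu) > k * sigma
```

The Accuracy rates only make sense once investigation has labelled the events; before that, the same log yields only Activity and Update.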
  • 17. Metrics and Capability Undefined. The process might be used, but it is not defined. Defined. The process is documented and used. Managed. The process is Defined and the results of the process are used to fix and improve the process. Controlled. The process is Managed and milestones and resource needs are accurately predicted. Optimized. The process is Controlled and improvement leads to a saving in resources.
  • 18. Capability: Undefined Measurement - None Interpretation - None
  • 19. Capability: Defined Measurement - None Interpretation - None Investigation – (When appropriate, logs are key here) Common cause (changes in the environment, results of management decisions) Special cause (incidents) Rationalization for use of time, budget, people and other resources – Not possible Informed Decision – Not possible
  • 20. Capability: Managed Measurement: Scope, Activity, Availability Interpretation: Normal?, Successful?, Trends? Benchmarking, How does it compare? Efficacy. Investigation (Common cause, Special cause) Find faults before they produce incidents. Rationalization… – Possible Informed Decision – Possible
  • 21. Capability: Controlled Measurement: Load, Update Interpretation Can we meet our targets in time with the resources we have? What resources and time are necessary to meet our targets? Investigation Find bottlenecks. Rationalization… – Possible Informed Decision, Planning – Possible
  • 22. Capability: Optimized Measurement: Efficiency (ROSI) Interpretation Investigation Rationalization Informed Decision, Planning, Tradeoffs (point of diminishing returns) – Possible
  • 23. Metric Specification Name of the metric; Description of what is measured; How is the metric measured; How often is the measurement taken; How are the thresholds calculated; Range of values considered normal for the metric; Best possible value of the metric; Units of measurement.
  • 26. Metrics Representation [chart: Access Rights Granted per week, Week 4 to Week 46; the same series plotted at different vertical axis scales]
  • 27. Using Metrics [chart: Cumulative recommendations per owner (sum of days), by month from January to December, vertical axis 0 to 2500; series: Mr Blue, Mr Pink, Mr Yellow, Mr Purple, Mr Soft Blue, Mr Red, Mr Green, Mr Orange]
  • 28. Using security management metrics Key Goal Indicators Key Performance Indicators Service Level Agreements / Underpinning Contracts Balanced Scorecard (Customer, Internal, Stakeholder, Innovation - Goals and Measures)
  • 29. Creative Commons Attribution-NoDerivs 2.0 You are free: •to copy, distribute, display, and perform this work Under the following conditions: Attribution. You must give the original author credit. No Derivative Works. You may not alter, transform, or build upon this work. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  • 30. @ with the sponsorship of: THANK YOU www.fistconference.org