Data-Driven Security: The Key to Determining What Works – and What Doesn’t
Who We Are
• Specialty non-profit academic pediatric institution
• 371 licensed beds
• $2 billion annual revenue
• Seattle Children’s Research Institute - #5 in NIH pediatric funding
Who We Are Not
• In the business of information security
• Flush with resources
• Security is waste
How Information Security Management is Typically Performed
• Compliance-driven static checklists
• “Best Practices”
• Crisis-driven culture that lauds breakers over builders
We Know A Better Way
• Apply scientific rigor to security risk management
• Provide decision makers with credible information
“…the conscientious, explicit, and judicious use of current best evidence in making decisions about the care of individual patients” – Sackett et al.
What is Data-Driven Security?
• Domain Expertise
• Data Management
• Programming
• Statistics
• Visualization
Framing the Question
• Identify stakeholders
• Clarify problem to solve
• Understand constraints and limitations
• Identify resources available
Performing the Analysis
• Open methodology
• Search for insight vs. The Truth™
Presenting the Results
• First principles – Do No Harm
• Understand and Communicate the Story
• The “So What” moment
Applied Examples
• Vulnpryer
• Atlas
• Evaluator
Vulnpryer
• Vulnerability Prioritization
• “Patch This Before That”
• Tailored to our threat model
• Open Source! https://github.com/SCH-CISM/vulnpryer
Atlas
• Source of truth for application risk
• FAIR-based application risk assessment
• Enables prioritization across
  • Team
  • Directorate
  • Departmental
• Both strategic and tactical
Evaluator
• Program level security risk assessment
• FAIR-based strategic risk assessment
• Combines
  • Expert opinion
  • Real world data
  • Statistical sampling
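The Evaluator slide describes a FAIR-based assessment that combines expert opinion, real-world data and statistical sampling. The following is an added example of that approach in Python, not the Evaluator tool itself: calibrated (min, most likely, max) ranges are sampled with Monte Carlo to produce an annualized loss distribution, and the scenario names and numbers are constructed for illustration.

```python
"""FAIR-style Monte Carlo estimate of annualized loss from calibrated ranges.
Added example, not the Evaluator tool itself: each input is a (min, most_likely,
max) range from an expert or a data source; the simulation turns the ranges into
a loss distribution that can be compared across scenarios and against a tolerance.
"""
import math
import random


def poisson(rng, rate):
    """Number of loss events in one year at an annual rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, magnitude, iterations=10_000, seed=42):
    """Draw `iterations` plausible years; triangular draws stand in for PERT.
    lef       -- (min, most_likely, max) loss events per year
    magnitude -- (min, most_likely, max) loss per event, in dollars
    """
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    years = []
    for _ in range(iterations):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # args: low, high, mode
        events = poisson(rng, rate)
        years.append(sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1])
                         for _ in range(events)))
    return years


def summarize(years, tolerance):
    """Typical year, bad year, and the chance of exceeding a loss tolerance."""
    ordered = sorted(years)
    pct = lambda p: ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {"mean": sum(ordered) / len(ordered), "p50": pct(0.50), "p90": pct(0.90),
            "p_exceeds_tolerance": sum(y > tolerance for y in ordered) / len(ordered)}


# Constructed scenarios with illustrative numbers only (not institutional data).
SCENARIOS = {"phishing -> credential theft": ((2, 6, 15), (5_000, 40_000, 250_000)),
             "ransomware on imaging systems": ((0.05, 0.3, 1.0), (200_000, 1_500_000, 8_000_000))}

if __name__ == "__main__":
    for name, (lef, mag) in SCENARIOS.items():
        print(name, summarize(simulate_annual_loss(lef, mag), tolerance=1_000_000))
```

Comparing the p90 and exceedance probability of each scenario against a stated loss tolerance is what turns the ranges into a prioritization decision rather than a single point estimate.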
Outcomes
• Improved response capabilities
• Standardized conversations on risk
• Prioritized resource allocation
• Reduced work on non-productive activities
How to Get Started
• Identify your pain points
• Formulate the question
• Create a hypothesis
• Gather data
• Test your hypothesis
• Act with your increased knowledge!
David F. Severski, Seattle Children’s
@DSeverski
References
Internal
• CPI and Lean efforts
• Biostatisticians
External
• The New School of Information Security
• Visualization Workshops
• Stephen Few, Perceptual Edge
• Data-Driven Security
  • The Book!
  • The Podcast!
• How to Measure Anything & The Failure of Risk Management