Hosted by
Understand Business Requirements: A Blueprint for Digital Security
James Mobley, President & Chief Executive Officer
Security: The Dilemma
Security is a “top management priority”
• For CEOs, 7.5 on a 10 point scale (source: 2002 Booz-Allen Hamilton survey of Fortune 1000 CEOs)
• 40% of almost 1000 IT managers surveyed rated IT Security as the highest priority (IDC)
• 200,000 security incidents reported in 2002, up from 100,000 in 2001 (Aberdeen)
• Security analysts widely predicted skyrocketing security incidents in 2003
…yet it remains difficult to secure appropriate funding for key security projects
• 2003 IT Security spend up 8% over 2002 levels (CSO)
• Spending now largely due to regulatory requirements
• On average, companies spend 0.047% of revenue on security*
Why the disconnect?
• The case for security is rarely articulated in business terms.
*Derived from IDC research.
The Need for a New Approach
Fear, Uncertainty and Doubt (FUD) does not work
• Senior management not easily swayed by hype
• Macro loss statistics (e.g., CSI) too abstract to be useful
Measurement is difficult
• How do you prove a negative (no news is good news)?
However, quantitative approaches are possible
Solution: Adopt a Risk Management framework
Portfolio Theory and Risk Management
Portfolios balance the risk of multiple investments
Risk is a commodity that can be:
• Classified, Measured, Priced, Traded, Transferred
Applying the Portfolio approach to Security
• Prioritize business critical assets
• Identify the Threats and Security Risks: people, process and technology connections; unique vs. systematic; probability; volatility & correlation
• Determine Risk Management Strategy: diversify, concentrate, hedge, leverage, insure
• Align spending: link spending to key assets
• Use analytics to justify spending
Decision Makers want to know…
• How secure are we?
• Are we better off today than this time last year?
• How do we compare against our peers?
• What is best practice in our market sector?
• Where should spending be focused?
• What return can we expect on our investment?
Portfolio Planning: The @stake Security Blueprint™
Prioritize Business Critical Assets
Business Risk Modeling
• Assets@Risk
• Top Three
Highest value is usually tied to those that impact…
• Revenue
• Profit
• Client Satisfaction
• Market reputation
• Competitive Advantage
Portfolio Planning: Identify the Security Risks
Security domain map (heat map of the security domains assessed; the Trading Application is the example asset): Corporate Security Policy; Remote Access Services; Digital Forensics; Configuration Management; Monitoring & Logging; Incident Response & Readiness; Business Continuity; Physical Security; Secure Operations; Provisioning & Implementation; Assessment & Compliance; System Administration; Hiring & Screening; Roles & Responsibilities; Employee Exit Processes; Directory Services; Authentication Solutions; Product Security; Wireless; Authorization & Access Control; Secure Organization; Training & Awareness; Internal Threat Profiling; Security Strategy; Operating Systems; Virus Protection; Application Development Processes; Application Security; Cryptography & Encryption; Data Integrity; Privacy, Confidentiality & Segmentation; Secure Programming; Network Design; Infrastructure Security; Perimeter Defense; Network Components; Storage Solutions; Partner & Third-party Integration; Secure Builds & Host Hardening; Organizational Security Maturity; Employee Change Management.
Portfolio Planning: Risk Concentration – Service Provider
(Heat map over the same security domain map as the preceding slide, shaded to show where a service provider’s risk concentrates.)
Portfolio Planning: Risk Concentration – Software Vendor
(Heat map over the same security domain map, shaded to show where a software vendor’s risk concentrates.)
Portfolio Planning: Diversifying Risk – Financial Services
(Heat map over the same security domain map, shaded to show how a financial services firm’s risk is spread across domains.)
Portfolio Planning: Align Spending with Risk
Chart: the same security domain map with current spending plotted against individual domains. Amounts shown: $6k, $184k, $52k, $272k, $22k, $125k, $35k, $66k (Network Components), $120k. Callouts: “Unaddressed Areas of Business Risk” (twice) and “Enough Investment?”.
Link Spending to Key Assets
Diagram: People, Process and Technology connections to the asset (Trading Application); controls shown: Awareness Training, Authorization and Access Control, Incident Response Readiness; each is sized by Investment Required and Business Impact.
Use Analytics to Justify Investments
Why measure?
• Current state assessment
• “Here to There” planning
• Determine spending effectiveness
What can be measured?
• Application defects
• Network vulnerabilities
• Security related downtime
• Intrusions detected
• Password cracks
• Patch costs
• Employee awareness
How to compare?
• Over time
• Against self, peers, industry
How to quantify benefit?
• “Hard” dollars: ROSI (return on security investment)
• “Soft” dollars: accretive
Building the Security Business Case
Measure and present results in a familiar format
Quantitative
• Projected cost savings: improved uptime, developer re-work, sys/admin labor, patch release costs
• Cost avoidance (soft costs): media, legal
Qualitative
• Intangible benefits: market reputation, competitive differentiation, operational risk improvements, internal threat reduction, internal business intelligence, regulatory compliance
Future cashflows discounted by cost of funds
Justifying Investment in APPLICATION SECURITY
Applications are More Vulnerable Than Ever
• Distributed applications have multiple security domains
• Applications now have more moving parts: mainframe → client-server → n-tier → Model 2 (J2EE and .NET)
• Emerging web services add risk
• Firewalls stop nuisance attacks, not application traffic
• The threat model is changing: more attacks through HTTP, at the application level; more attacks targeted at specific applications
Risk Analytics Applied to Application Security
Software and manufacturing quality frameworks
• Defect counting, both static and over time
Management consulting methods
• Outlier or quartile analysis of risk assessments
• Performance scorecards, indices, and benchmarking
Insurance techniques
• Weighted questionnaires and surveys
• Annual loss expectancy
Performance Measurement: Defect Counting
@stake study of 75 applications
• Defects cost $3,000–9,000 to fix in the testing stage, > $100K in implementation
• 55% of issues found will be fixed
• System-wide changes may be required at later stages
• @stake identified reduced rework savings, based on empirical data
Chart: Security ROI by Phase (Return on Security Investment, NPV; y-axis 0%–25%) for the Design, Testing and Implementation phases; bar values shown: 21%, 15%, 12%.
Performance Measurement: Quartile Benchmarking
Comparing and contrasting enables firms to understand unique risk
Benchmarks can be a suite of your own applications, or external “best in class” (top quartiles)
Chart: Average defects per application by risk category, first quartile vs. fourth quartile. Categories: Administrative interfaces, Authentication and access control, Configuration management, Cryptographic algorithms, Information gathering, Input validation, Parameter manipulation, Sensitive data handling, Session management. Overall: 4.8 (first quartile) vs. 23.0 (fourth quartile).
Source: 2002 @stake – Internal Research Project (n=23)
Performance Measurement: Risk Index
Chart: Business-adjusted risk index by risk category, bottom quartile vs. top quartile, with the risk reduction between them. Categories: Administrative interfaces, Session management, Information gathering, Configuration management, Cryptographic algorithms, Sensitive data handling, Input validation, Parameter manipulation, Authentication/access control. Overall score: 331.8 (bottom quartile) vs. 60 (top quartile); per-category risk reductions shown range from 20% to 93%.
Source: 2002 @stake – Internal Research Project (n=23). BAR index = sum of all defects’ individual BAR scores, where each defect’s score = exploit risk (5 point scale) x business impact (5 point scale).
Performance Measurement: Time-series Analysis
Chart: Number of Defects per Application over Time (Year), 2000–2002; y-axis 0–45. Data labels shown on the chart: 41, 27, 22, 13, 31, 27, 19, 14, 13, 8, 8, 5.
A Broader View
Quartile Ranges as of July 2003

Metric                         First Quartile   Second Quartile   Third Quartile   Fourth Quartile
Application Defect Count       0 – 5            6 – 9             10 – 13          14+
Application BAR Index          0 – 81           82 – 120          121 – 331        332+
Network Vulnerability Count    0 – 6            7 – 10            11 – 19          20+
Network BAR Index              0 – 53           54 – 91           92 – 259         260+
Applications: Average Defects Quartile Analysis
Applications: Average BAR Index Quartile Analysis
Network: Average Vulnerabilities Quartile Analysis
Network: Average BAR Index Quartile Analysis
What Else is Needed?
Risk classification schemes
• Establish a baseline and measure the security risk profile in an on-going way to facilitate management and the budget process
Cost-effectiveness
• Amount and type of risk reduction per dollar spent
Continued willingness to share data
• In general and by industry
For additional information: www.atstake.com
Thank You