Page 1:

Understand Business Requirements: A Blueprint for Digital Security

James Mobley, President & Chief Executive Officer

Page 2:

Security: The Dilemma

Security is a “top management priority”:

• For CEOs, 7.5 on a 10-point scale (source: 2002 Booz-Allen Hamilton survey of Fortune 1000 CEOs)

• 40% of almost 1,000 IT managers surveyed rated IT security as the highest priority (IDC)

• 200,000 security incidents reported in 2002, up from 100,000 in 2001 (Aberdeen)

• Security analysts widely predicted skyrocketing security incidents in 2003

…yet it remains difficult to secure appropriate funding for key security projects:

• 2003 IT security spend up 8% over 2002 levels (CSO)

• Spending now largely due to regulatory requirements

• On average, companies spend 0.047% of revenue on security*

Why the disconnect?

• The case for security is rarely articulated in business terms.

*Derived from IDC research.

Page 3:

The Need for a New Approach

Fear, Uncertainty and Doubt (FUD) does not work

• Senior management not easily swayed by hype

• Macro loss statistics (e.g., CSI) too abstract to be useful

Measurement is difficult

• How do you prove a negative (no news is good news)?

However, quantitative approaches are possible

Solution: Adopt a Risk Management framework

Page 4:

Portfolio Theory and Risk Management

Portfolios balance the risk of multiple investments. Risk is a commodity that can be:

• Classified, measured, priced, traded, transferred

Applying the portfolio approach to security:

• Prioritize business-critical assets

• Identify the threats and security risks: people, process and technology connections; unique vs. systematic; probability; volatility & correlation

• Determine risk management strategy: diversify, concentrate, hedge, leverage, insure

• Align spending: link spending to key assets

• Use analytics to justify spending

Page 5:

Decision Makers want to know…

How secure are we?

Are we better off today than this time last year?

How do we compare against our peers?

What is best practice in our market sector?

Where should spending be focused?

What return can we expect on our investment?

Page 6:

Portfolio Planning: The @stake Security Blueprint™

Page 7:

Prioritize Business Critical Assets

Business Risk Modeling

• Assets@Risk

• Top Three

Highest value is usually tied to those that impact:

• Revenue

• Profit

• Client satisfaction

• Market reputation

• Competitive advantage

Page 8:

Portfolio Planning: Identify the Security Risks

The Security Blueprint diagram lays out the areas to be assessed:

• Corporate Security Policy
• Security Strategy
• Remote Access Services
• Digital Forensics
• Configuration Management
• Monitoring & Logging
• Incident Response & Readiness
• Business Continuity
• Physical Security
• Secure Operations
• Provisioning & Implementation
• Assessment & Compliance
• System Administration
• Hiring & Screening
• Roles & Responsibilities
• Employee Exit Processes
• Employee Change Management
• Directory Services
• Authentication Solutions
• Product Security
• Wireless
• Authorization & Access Control
• Secure Organization
• Training & Awareness
• Internal Threat Profiling
• Operating Systems
• Virus Protection
• Application Development Processes
• Application Security
• Cryptography & Encryption
• Data Integrity
• Privacy, Confidentiality & Segmentation
• Secure Programming
• Network Design
• Infrastructure Security
• Perimeter Defense
• Network Components
• Storage Solutions
• Partner & Third-party Integration
• Secure Builds & Host Hardening
• Organizational Security Maturity

The diagram also marks an example asset: Trading Application.

Page 9:

Portfolio Planning: Risk Concentration – Service Provider

(Blueprint grid with the same areas as Page 8; the areas highlighted as concentrated risk for a service provider are not recoverable from the text.)

Page 10:

Portfolio Planning: Risk Concentration – Software Vendor

(Blueprint grid with the same areas as Page 8; the areas highlighted as concentrated risk for a software vendor are not recoverable from the text.)

Page 11:

Portfolio Planning: Diversifying Risk – Financial Services

(Blueprint grid with the same areas as Page 8; the areas highlighted for a financial services firm are not recoverable from the text.)

Page 12:

Portfolio Planning: Align Spending with Risk

(Blueprint grid as on Page 8, annotated with current spend against some areas. Figures shown: $6k, $184k, $52k, $272k, $22k, $125k, $35k, $66k, $120k. Several areas are flagged as “Unaddressed Areas of Business Risk”, and the slide asks “Enough Investment?”. Which figure belongs to which area is not recoverable from the text.)

Page 13:

Link Spending to Key Assets

(Diagram: the asset, Trading Application, is linked to controls across People, Technology and Process: Awareness Training, Authorization and Access Control, and Incident Response Readiness. Each control is plotted against Investment Required and Business Impact.)

Page 14:

Use Analytics to Justify Investments

Why measure?

• Current state assessment

• “Here to There” Planning

• Determine spending effectiveness

What can be measured?

• Application defects

• Network vulnerabilities

• Security related downtime

• Intrusions detected

• Password cracks

• Patch costs

• Employee Awareness

How to compare?

• Over time

• Against self, peers, industry

How to quantify benefit?

• “Hard” dollars: ROSI

• “Soft” dollars: accretive

Page 15:

Building the Security Business Case

Measure and present results in a familiar format

Quantitative

• Projected cost savings: improved uptime, developer re-work, sys/admin labor, patch release costs

• Cost avoidance (soft costs): media, legal

Qualitative

Intangible benefits

• Market reputation

• Competitive differentiation

• Operational risk improvements

• Internal threat reduction

• Internal business intelligence

• Regulatory compliance

Future cashflows discounted by cost of funds
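The slide's quantitative side reduces to a discounted cash flow: the investment today against projected savings in later years, discounted at the cost of funds. The following is an added example (not a model from the deck or from @stake) that applies that rule to a set of hard-dollar savings and soft-dollar cost avoidance, keeping the two apart so the "hard" ROSI can be presented on its own. The amounts, the 10% cost of funds and the three-year horizon are constructed assumptions.

```python
"""Discounted-cash-flow view of a security business case.

Added example; not the deck's model. Applies "future cashflows discounted by
cost of funds" to projected savings. All figures below are constructed.
"""
from typing import Dict, List, Optional, Tuple


def npv(rate: float, cashflows: List[float]) -> float:
    """Net present value; cashflows[t] occurs at the end of year t (t=0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def build_cashflows(investment: float, annual: Dict[str, float], years: int) -> List[float]:
    """Up-front spend now, then the same total annual saving in each later year."""
    return [-investment] + [sum(annual.values())] * years


def rosi(investment: float, annual: Dict[str, float], rate: float, years: int) -> Tuple[float, float]:
    """Return (NPV of the case, ROSI) where ROSI = NPV / investment."""
    value = npv(rate, build_cashflows(investment, annual, years))
    return value, value / investment


def discounted_payback_year(rate: float, cashflows: List[float]) -> Optional[int]:
    """First year in which cumulative discounted cash flow turns non-negative,
    or None if the investment never pays back within the horizon."""
    cumulative = 0.0
    for t, cf in enumerate(cashflows):
        cumulative += cf / (1.0 + rate) ** t
        if t > 0 and cumulative >= 0.0:
            return t
    return None


# Constructed assumptions (not figures from the deck).
INVESTMENT = 250_000.0
COST_OF_FUNDS = 0.10
HORIZON_YEARS = 3
# "Hard" dollars: the projected cost savings categories named on the slide.
HARD_SAVINGS = {
    "improved uptime": 90_000.0,
    "developer re-work": 60_000.0,
    "sys/admin labor": 30_000.0,
    "patch release costs": 20_000.0,
}
# "Soft" dollars: cost avoidance categories named on the slide.
SOFT_AVOIDANCE = {"media": 50_000.0, "legal": 40_000.0}


def business_case() -> Dict[str, object]:
    """Present hard-dollar ROSI separately from the figure that adds soft dollars."""
    hard_npv, hard_rosi = rosi(INVESTMENT, HARD_SAVINGS, COST_OF_FUNDS, HORIZON_YEARS)
    combined = {**HARD_SAVINGS, **SOFT_AVOIDANCE}
    all_npv, all_rosi = rosi(INVESTMENT, combined, COST_OF_FUNDS, HORIZON_YEARS)
    payback = discounted_payback_year(
        COST_OF_FUNDS, build_cashflows(INVESTMENT, HARD_SAVINGS, HORIZON_YEARS)
    )
    return {
        "hard_npv": round(hard_npv),
        "hard_rosi": round(hard_rosi, 2),
        "all_npv": round(all_npv),
        "all_rosi": round(all_rosi, 2),
        "payback_year": payback,
    }


if __name__ == "__main__":
    for key, value in business_case().items():
        print(f"{key}: {value}")
```

With these inputs the hard-dollar case alone has a positive NPV and pays back in the second year; adding the soft-dollar avoidance roughly doubles the ROSI, which is exactly why the two should be reported as separate lines rather than one blended number.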

Page 16:

Justifying Investment in Application Security

Page 17:

Applications are More Vulnerable Than Ever

Distributed applications have multiple security domains

Applications now have more moving parts

• Mainframe, then client-server, n-tier, and Model 2 (J2EE and .NET)

Emerging web services add risk

Firewalls stop nuisance attacks, not application traffic

The threat model is changing

• More attacks through HTTP, at application level

• More attacks targeted at specific applications

Page 18:

Risk Analytics applied to Application Security

Software and manufacturing quality frameworks

• Defect counting, both static and over time

Management consulting methods

• Outlier or quartile analysis of risk assessments

• Performance scorecards, indices, and benchmarking

Insurance techniques

• Weighted questionnaires and surveys

• Annual loss expectancy

Page 19:

Performance Measurement: Defect Counting

@stake study of 75 applications:

• Defects cost $3,000–9,000 to fix in the testing stage, > $100K in implementation

• 55% of issues found will be fixed

• System-wide changes may be required at later stages

• @stake identified reduced rework savings, based on empirical data

Security ROI by Phase (Return on Security Investment, NPV): Design 21%, Testing 15%, Implementation 12%.

Page 20:

Performance Measurement: Quartile Benchmarking

Comparing and contrasting enables firms to understand unique risk. Benchmarks can be a suite of your own applications, or external “best in class” (top quartiles).

Source: 2002 @stake – Internal Research Project (n=23)

Average defects per application by risk category

Risk category                       First quartile   Fourth quartile
Administrative interfaces                0.3              2.7
Authentication and access control        0.7              6.5
Configuration management                 1.2              3.3
Cryptographic algorithms                 0.3              0.5
Information gathering                    1.0              1.3
Input validation                         1.3              3.5
Parameter manipulation                   0.2              1.8
Sensitive data handling                  0.3              3.3
Session management                       0.7              3.3
Overall                                  4.8             23.0

Page 21:

Performance Measurement: Risk Index

Source: 2002 @stake – Internal Research Project (n=23). BAR index = sum of all defects’ individual BAR scores, where each defect’s score = exploit risk (5-point scale) × business impact (5-point scale).

Business-adjusted risk index by category

Risk category                    Bottom quartile   Top quartile   Risk reduction
Administrative interfaces             36.2              4.0            89%
Session management                    85.2             10.3            88%
Information gathering                 36.3              8.7            76%
Configuration management               6.8              2.5            63%
Cryptographic algorithms              11.0              8.8            20%
Sensitive data handling               46.3             14.5            69%
Input validation                      34.5              2.5            93%
Parameter manipulation                44.0              5.3            88%
Authentication/access control         31.5              3.3            89%
Business-adjusted risk index (total) 331.8 score       60 score       82%

Page 22:

Performance Measurement: Time-series Analysis

(Chart: Number of Defects per Application against Time (Year), 2000–2002, y-axis 0–45. Several declining series are plotted; values as extracted: 41, 27, 22, 13, 31, 27, 19, 14, 13, 8, 8, 5. Which values belong to which series is not recoverable from the text.)

Page 23:

A Broader View

Page 24:

Quartile Ranges as of July 2003

Metric                         First Quartile   Second Quartile   Third Quartile   Fourth Quartile
Application Defect Count       0 – 5            6 – 9             10 – 13          14+
Application BAR Index          0 – 81           82 – 120          121 – 331        332+
Network Vulnerability Count    0 – 6            7 – 10            11 – 19          20+
Network BAR Index              0 – 53           54 – 91           92 – 259         260+

Page 25:

Applications: Average Defects Quartile Analysis

Page 26:

Applications: Average BAR Index Quartile Analysis

Page 27:

Network: Average Vulnerabilities Quartile Analysis

Page 28:

Network: Average BAR Index Quartile Analysis

Page 29:

What Else is Needed?

Risk classification schemes

• Establish a baseline and measure the security risk profile in an on-going way to facilitate management and the budget process

Cost-effectiveness

• Amount and type of risk reduction per dollar spent

Continued willingness to share data

• In general and by industry

For additional information: www.atstake.com

Page 30:

Thank You