Security Risk Management vSales4 - CDW


Transcript of Security Risk Management vSales4 - CDW

Page 1: Security Risk Management vSales4 - CDW

Security Risk Management: World-Class Risk Management

March 8, 2007

Page 2: Security Risk Management vSales4 - CDW


CONFIDENTIAL

Executive Summary

Risk Management vs. Information Security
• Information Security is operationally focused and is driven by Security Product
• Risk Management defines strategy and is driven by Business Process

CSO Pain Points
• Capability Maturity – Immature processes do not provide business case or ROI justification
• Executive Communications – Operational metrics do not enable Decision Support
• Risk Management – Confused with Information Security

Security Risk Management Approach
• Step 1: Understand Security Risk Management (SRM)
• Step 2: Identify risks through applied technology
• Step 3: Enable repeatable risk management process through technology
• Step 4: Quantify and Qualify Security Risks
• Step 5: Continuously Manage Security Risk

"Security is not a Product, it's a Process."

Bruce Schneier, Counterpane Internet Security, Inc.

Page 3: Security Risk Management vSales4 - CDW


Information Security vs. Risk Management

“[T]here is a propensity for organizations to frame security problems in technical terms, often ignoring the management and operational weaknesses that are root causes[.]

[R]isk management is a basic business function, and whether it is done implicitly or explicitly, it must be performed at an organizational level to be purposeful.”

– The Challenges of Security Management, Security Engineering Institute

CSO Challenges
• Perceived responsibilities are limited to vulnerability scanning and compliance enforcement
• Technical focus of Information Security excludes the CSO from business discussions
• Without a business platform, the CSO is forced to do more with less
• Operational reporting is limited by product capabilities – risk is not quantified or qualified
• Security platforms promote operational management – not continuous risk management

Page 4: Security Risk Management vSales4 - CDW


McAfee Security Risk Management (SRM)

Process, not Product

• Risk Management is not a one-time event or a stand-alone product; it is a continuous process

• Risk Management provides Continuity, Repeatability, Efficiency, and Assurance

• SRM is based on the System Security Engineering Capability Maturity Model (SSE-CMM)

[Figure: SSE-CMM maturity progression, from an initial event-triggered state to World-Class Risk Management. Stage labels as they appear on the slide:]
• Initial stage; event triggered
• Needs definition
• Resources allocated; basic repetitive cycles (find/patch); rudimentary performance tracking
• Ideal state for non-public entity; SMB; policy implementation
• Regulations/compliance starting point; info flows to head of security
• State of Practice
• End goal of regulations/compliance; fiduciary responsibilities
• Enterprise risk management; World-Class Risk Management
• Process review; tuning, perfecting
• Maximize effectiveness; full organizational potential

Process: 1. a systematic series of actions directed to some end; 2. a continuous action, operation, or series of changes taking place in a definite manner

Page 5: Security Risk Management vSales4 - CDW


Capabilities Maturity of SRM

According to the SSE-CMM:

“... higher quality products can be produced more cost-effectively by emphasizing the quality of the processes that produce them, and the maturity of the organizational practices inherent in those processes.”

[Figure: McAfee products positioned on the SSE-CMM capability scale: Hercules, Foundstone, Intrushield, SIG, DLP, HIPS, VSE, Preventsys, ePO, MPE]

McAfee SRM is a Level 5 Capability supported by McAfee Metrics.


Page 6: Security Risk Management vSales4 - CDW


[Figure: SRM process cycle with four steps:]
• Identify and Prioritize ASSETS
• Determine Acceptable RISK
• Implement PROTECTION
• Measure COMPLIANCE

McAfee SRM Process Enablement

• SSE-CMM Level 2: Foundstone
• SSE-CMM Level 2: Hercules
• SSE-CMM Level 3: Intrushield, Secure Internet Gateway, MPE, ePO/ToPS, VSE, HIPS, DLP
• SSE-CMM Level 3: Preventsys
• SSE-CMM Level 4: McAfee Metrics
• SSE-CMM Level 5: McAfee SRM

Page 7: Security Risk Management vSales4 - CDW


SRM Phase 1, 2 – FoundStone, Hercules

• FoundStone identifies and quantifies security risk at an implementation level – configuration/patch based issues

• Hercules provides automated policy and vulnerability remediation

• Scans provide for ePO/Preventsys correlation and configuration compliance assessment

SRM Enablers
• Asset and Vulnerability Identification
• Quantification of Vulnerabilities
• Policy Compliance/Enforcement


Page 8: Security Risk Management vSales4 - CDW


SRM Phase 3 – ePO

• ePO can report against tactical remediation/implementation efforts (VSE, HIPS, MPE) for both managed and unmanaged systems

• Centralized reports provide actionable reports at the Security Engineer and Security Management level

SRM Enablers
• Policy management/enforcement
• Security metrics
• Remediation metrics

Page 9: Security Risk Management vSales4 - CDW


SRM Phase 4 – Preventsys

• Preventsys can be positioned against specific regulatory or industrial certifications (e.g. SOx, PCI)

• Policy Lab reports against the effectiveness of the controls framework supported through technology

SRM Enablers
• Compliance metrics platform
• Mapping of technical checks to regulation & policy frameworks

Page 10: Security Risk Management vSales4 - CDW


McAfee Metrics – Risk Indices

Risk Assessment
• Conducts qualified risk analysis against administrative and technical controls
• Based on policy/asset qualification and vulnerability scan data
• Provides metrics for ROSI analysis that effectively support business justification
• Provides modeling capability for effect of security investments (i.e. enables decision support)

Risk Indices

Confidentiality = 61.31 Integrity = 32.83 Availability = 44.60 Audit = 64.28

Risk Profiles
• Base = Policy Adherence (Industry Comparison)
• Current = Policy/Technology
• Simulated = Tech-Modeling
• Target = Acceptable Risk

Page 11: Security Risk Management vSales4 - CDW


McAfee Metrics – Compliance
• Statistical representation of analyzed data (descriptive statistics) enables Management to make compliance inferences (inferential statistics).
• Compliance can be inferred in ‘seeing’ the deviation from mean.

Page 12: Security Risk Management vSales4 - CDW


SRM Value Proposition

Direct Benefits
• Establishes a consistent/standard service approach to quantifying and mitigating risk
• Understanding CIAA risks facing an organization, ROSI efforts are qualified and meaningful to Leadership
• Enables strategic business alignment
• Justify security budgets with tangible metrics

Indirect Benefits
• Solicits participation of executive teams in risk decisions
• Characterizes and benchmarks enterprise risk
• Provides direction and support to making objective risk management decisions

McAfee SRM: SSE-CMM Level 5, CSO Empowerment.