Post on 09-Jun-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Management of Security Function - USALearning · Management of Security Function. Table of Contents . ... we were talking about losing your . vendor's data, losing your customer's

Management of Security Function

Table of Contents

Management of Security Function ................................................................................................. 2

Security Strategy -1 ......................................................................................................................... 3

Security Strategy -2 ......................................................................................................................... 4

Levels of Information Security ........................................................................................................ 5

Cost Budgeting .............................................................................................................................. 10

Resources ...................................................................................................................................... 12

Measuring the Effectiveness ......................................................................................................... 15

Quantitative Metrics ..................................................................................................................... 16

Qualitative Measures .................................................................................................................... 19

Management Summary ................................................................................................................ 20

Notices .......................................................................................................................................... 22

Page 1 of 22

Management of Security Function (Slide 55)

**055 All right, so how do you manage security overall for the organization?

Security Strategy -1 (Slide 56)

Managing the security function requires the development and maintenance of a comprehensive, well-managed security program.

• The program should normally address the following issues.
— A security strategy with senior management acceptance and support
— A security strategy intrinsically linked with business objectives
— Security policies that are complete and consistent with strategy
— Complete standards for all relevant policies
— Complete and accurate procedures for all important operations

**056 Different strategies. You need to have an overall program, as we've been talking about. It should be a result of your governance. It should be dictated by your policy. You need to have a security program for the organization. Again, you need senior management buy-in. It's got to have strategic alignment. Your policies dictate what those things are. You have those standards, the procedures, the guidelines. All of those things that we've already discussed as part of your governance.

Security Strategy -2 (Slide 57)

Areas that an effective security management program should focus on delivering include

• Strategic, long-term goals
— Governance, risk management, and compliance

• Tactical, short-term goals
— Short-term risk, threat intelligence, loss prevention, and support of organizational initiatives

**057 Again, long-term versus short-term. In security, some of the long-term things are going to be the governance; going to be your appetite for risk; going to be how often you do audits, how often you do reviews. What is your accreditation, how long is your accreditation good for? Short-term. You're going to continually be looking at emerging threats. You're going to be looking at possible theft. You're going to be looking at new programs coming online for your organization.

Levels of Information Security (Slide 58)

Thorough, efficient, and effective management is required to achieve adequate levels of information security at a reasonable cost.

When properly designed, implemented and managed
• Information security provides critical support for many business functions that would not be feasible without it.
• If an organization's security program is found to be highly effective, many risk underwriters offer discounts on insurance premiums.

**058 What is reasonable cost when it comes to security? Five percent? Ten percent?

Student: It's a lot easier to determine when you've done a qualitative-- or quantitative risk assessment.

Ben Malisow: Good! That's really good. Because now you have a number you can hook it to, right? Good! Good, good, good. Reasonable cost is like acceptable risk. Right? Everybody's got their own appetite for it. And it will be dictated by the organization, by senior management. Good.


This is what we want to get our message across, too. We want the business, we want the management to be aware that the business could not take place, there could be no business without the strategic alignment of security. Is that true? Or are we just campaigning for ourselves? If the formula for Coke was known, would Coke still be in business?

Student: Yes.

Ben Malisow: Yeah. Oh, yeah. Yeah. Is the formula itself the thing that they're selling? No. What are they selling, man?

Student: Their brand.

Ben Malisow: They're selling their brand. You feel good about that red and white can. You feel like you did when you were a kid at the ballgame, right? They're selling America is what they're selling. Yay, Coke! Go! Good for Coke. If their brand was damaged, would they still be in business?

Student: Depends on how much damage they've got. You know?

Ben Malisow: Who bought a Perrier this week? Who remembers what Perrier was?

Student: Water.

Ben Malisow: What's that?

Student: The water company.


Ben Malisow: The water company! They were really huge. They were bigger than Aquafina, and Smart Water and Vitamin Water all put together. Why aren't they around anymore?

Student: I didn't know they weren't.

Ben Malisow: They are. They have this much market share. I mean, but why don't you see them? If you go and look at any movie from the 1980s, those little green glass bottles are ubiquitous. Why aren't they around anymore? What happened? They slit the throat of their brand. They had some benzene in their water. And they lied about it, and they denied it, and they got caught several times, and people stopped trusting them. Instead of looking at a red and white can going, "That's America!" They looked at a green glass bottle and said, "You're poisoning me." Is security an element of branding?

Student: Maybe.

Ben Malisow: Yes, to some extent it is. Because that good will, that faith-- when we were talking about losing your vendor's data, losing your customer's data, making them feel bad about your company, making them distrust you? Yes, that's a vital element of what you do. That's a vital element of protecting the data. Gabriel, I think I used this example already, so I'm not going to let you answer this one. What happened with Tylenol in the 1980s?


Student: It had a similar, and only they were tampered with, basically. It wasn't their fault, necessarily. But...

Ben Malisow: Excellent! Absolutely. They were literally-- some-- with the benzene thing, in terms of Perrier, it just made-- it just exceeded levels of contamination. Nobody really got sick; nobody got hurt by it. With Tylenol, people died. There was cyanide put into Tylenol capsules that killed people! Who's had Tylenol in the past month? Me, too! Why are they still around? Why are they still around? If Perrier didn't even make anybody sick, why aren't they still around, and Tylenol, who killed people, is?

Student: They did their tamper-proof stuff.

Student: Safety packaging.

Student: Yeah.

Ben Malisow: Yes, they did. What else did they do?

Student: They were also really aggressive about recalling all the medicine even if they thought it wasn't tainted.

Ben Malisow: Thank you. They didn't lie.

Student: Under the chair.

Student: That's why you can't get it right now.


Ben Malisow: Chair candy! Okay. They didn't lie. Not only didn't they lie, they went on television. The CEO of Johnson & Johnson went on television, and said, "We're sorry. We accept full responsibility for this. Don't take any Tylenol till you feel comfortable taking Tylenol again." That's the best example of brand management I can think of! They stepped out ahead of it. They pulled everything off the shelf. They offered people money for their almost empty bottles of Tylenol without receipts. And they spent a lot of money and they lost a lot of money. And then their market share came back. They put the tamper-proof stuff on it. They sealed the top. They were the market leaders in that. And we all eat Tylenol now, right? That's impressive! That's part of security as well. Did they probably also beef up security in their distribution process? Yeah, I can imagine they did! I can imagine they beefed up security at their plants as well. Yeah, that's huge, that's huge.

Cost Budgeting (Slide 59)

A process that begins with accurate cost forecasting and budgeting

• The success of this activity is generally established by monitoring budget utilization vs. original projections that help identify issues with security cost planning.

Implement procedures to measure the ongoing cost-effectiveness of security components

• Often accomplished by tracking cost and result ratios
— By measuring the total cost of producing a specific result, this approach establishes
o Cost-efficiency goals for new technologies
o Improvement goals for existing technologies

**059 Cost budgeting in terms of security. Why do you need to do this? Again, because if you're spending money in places that aren't really securing you, you're not securing the organization. You're wasting money, and you're making the company, or the organization, less secure. You become a sinkhole, a money pit. And that doesn't help. You want to make sure that you've got some metrics. That you have some way of measuring whether or not your controls are doing what they say. That's sometimes difficult to do, because again, you're measuring in negatives.


If you have a guard with a gun at the front door of the building, and you say, "We didn't get robbed this year." Do you know that it was the guard that kept the robbers away? No. You can't measure a negative. That's sometimes difficult to do. What you can do is compare yourself to your competitors, other industries in the field. What you can do is sometimes see the levels of attacks, the levels of detects, as we talked about on failed attacks. That can be used sometimes. And you should be able to try to get to a result. Should you get to zero intrusions? Should you get to zero threats? Should you get to zero risk? No. That's both ridiculous and not cost-effective. But you should try to be able to get to that result in a cost-effective way, based on the controls you've picked and the systems you have in place.

Resources (Slide 60)

Efforts must be prioritized because the optimal number of resources is almost never available

• The ISM should work with the steering committee and senior management
— To determine priorities
— To establish consensus on what project items to delay because of resource constraints

• Spikes in activity and unexpected project efforts can often be addressed with third-party resources

**060 We prioritize, because you can't do everything. Unless you work in some really, really, really isolated places, you can't do everything you want to do in terms of security. So you have to pick those things that you want to do. Senior management. Not every organization has steering committees, but senior management is going to help dictate what those priorities are. They need to do that based on information that you're giving them. Again, you are the resident expert. You are the consultant to management when it comes time-- when it comes to security. You're going to help them determine what those priorities are. And if necessary, you're going to help them make those tough choices, based on those priorities. This puts security in the bad position of becoming the scapegoat sometimes. But that's okay. We should be willing to take that political hit in order to actually secure the organization. And, if something unexpected crops up, maybe you can bring in resources from the outside. Is Sony a pretty good-- pretty knowledgeable company when it comes to IT? Yeah! It's kind of their business, isn't it? I mean, a lot of it? When they got hacked, did they just turn it over to their internal team? Did they just respond to it themselves? They hired a world-premiere, a world-class entity to take over the response for them. Why would you do that? Even if you had people internally who could do it? Why would you hand it over to somebody else? Don't you have internal people for the express reason of responding to incidents?

Student: It's kind of an external validation thing, so that people will-- you're not going to say, "Oh, well, they're just covering up. They're doing this internally." So you get an external person to...

Ben Malisow: I like that! I like that. Yeah, it buys you a bit more credence, doesn't it? It makes you look-- especially to your external stakeholders, your shareholders, the public, your consumers, right? It makes you look as if you're not trying to just keep it in-house. Good. Other things that it affords you? Expertise that might be outside your team's realm. Maybe they weren't familiar with this particular thing, which is why it happened. Maybe some of the other things that it can do is continue to let your team handle day-to-day security operations. Just because there was an incident, doesn't mean all the things that they normally have to do go on hold. It means those things are continuing in addition to this incident. So maybe you need to bring more people in to augment that effort, right? And sometimes, it can show your insurers, it can show the court, it can show the regulators that you took that due care. You performed your due diligence by bringing in. You spent this amount of money on this breach, which is why you're not liable. That's a useful thing; all those things are good tools for bringing in other people.

Measuring the Effectiveness (Slide 61)

… of Technical Security Architectures
• Establish quantitative measures that inform management about the effectiveness of the technical security architecture
• For reporting and analysis purposes, technical security metrics can be categorized by
— Protected resource
— Geographic location

**061 How do you measure your security architecture? How do you measure that effectiveness? Quantitative if you can. What other things can you measure? You can measure it according to the resources themselves. How many times was that machine itself? How many times was that data accessed? How many times was it accessed by unauthorized entities? How many times did we have to-- what was the downtime on those machines? We can measure each of the CIA triad, again, on those. We can measure it by geographics. We can say, "Our headquarters was only down this amount of time over the year." There's different ways of looking at it and reporting on it.

Quantitative Metrics (Slide 62)

Includes
• Average time
— To detect, escalate, isolate, and contain incidents
— Between vulnerability detection and resolution
— Between vendor release of vulnerability patches and patch application
• Quantity, frequency, and severity of incidents discovered post hoc
• Percentage of systems audited within a certain period
• Number of changes released without full change control and management approval
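The slide's metrics computed over a constructed set of incident, vulnerability and change records, as an added example that is not part of the course material. The records, the VULN-00x and CHG-x identifiers, the 60-system estate and the reporting date are assumed sample data. The code also carries the caveat the lecture raises about average time to detect: it can only be computed for incidents that were detected and whose start could be established, so incidents with an unknown start are counted separately rather than silently dropped, and the average is never reported as coverage of everything that happened.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    name: str
    started: Optional[datetime]   # None when the intrusion's start could not be established
    detected: datetime
    escalated: datetime
    isolated: datetime
    contained: datetime


@dataclass
class Vulnerability:
    vuln_id: str                  # placeholder identifiers, not real advisories
    vendor_patch_released: datetime
    detected: datetime
    resolved: Optional[datetime]  # None while the finding is still open


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def incident_metrics(incidents):
    """Average hours per incident-handling phase (detect, escalate, isolate, contain).

    Time to detect is averaged only over incidents whose start is known, and the
    number of incidents with an unknown start is reported beside it.
    """
    known = [i for i in incidents if i.started is not None]
    return {
        "mean_time_to_detect_h": mean(_hours(i.started, i.detected) for i in known) if known else None,
        "incidents_with_unknown_start": len(incidents) - len(known),
        "mean_time_to_escalate_h": mean(_hours(i.detected, i.escalated) for i in incidents),
        "mean_time_to_isolate_h": mean(_hours(i.escalated, i.isolated) for i in incidents),
        "mean_time_to_contain_h": mean(_hours(i.detected, i.contained) for i in incidents),
    }


def vulnerability_metrics(vulns, as_of: datetime):
    """Detection-to-resolution and vendor-patch-to-application averages in days, plus the open backlog."""
    closed = [v for v in vulns if v.resolved is not None]
    still_open = [v for v in vulns if v.resolved is None]
    return {
        "mean_detect_to_resolve_days": mean((v.resolved - v.detected).days for v in closed) if closed else None,
        "mean_patch_lag_days": mean((v.resolved - v.vendor_patch_released).days for v in closed) if closed else None,
        "open_vulnerabilities": len(still_open),
        "oldest_open_days": max((as_of - v.detected).days for v in still_open) if still_open else 0,
    }


def audit_coverage_pct(systems_audited: int, total_systems: int) -> float:
    """Percentage of the estate audited within the reporting period."""
    return 100.0 * systems_audited / total_systems if total_systems else 0.0


def uncontrolled_changes(changes) -> int:
    """Changes released without full change control and management approval; anything above zero is a finding."""
    return sum(1 for c in changes if not (c["change_control"] and c["approved"]))


# Constructed sample data (assumption: none of this comes from the course).
SAMPLE_INCIDENTS = [
    Incident("web-defacement", datetime(2024, 1, 1, 0, 0), datetime(2024, 1, 3, 0, 0),
             datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 6, 0), datetime(2024, 1, 3, 12, 0)),
    Incident("credential-misuse", None, datetime(2024, 2, 10, 8, 0),
             datetime(2024, 2, 10, 9, 0), datetime(2024, 2, 10, 11, 0), datetime(2024, 2, 10, 20, 0)),
    Incident("malware-on-workstation", datetime(2024, 3, 5, 12, 0), datetime(2024, 3, 5, 18, 0),
             datetime(2024, 3, 5, 21, 0), datetime(2024, 3, 6, 0, 0), datetime(2024, 3, 6, 6, 0)),
]
SAMPLE_VULNS = [
    Vulnerability("VULN-001", datetime(2024, 1, 10), datetime(2024, 1, 12), datetime(2024, 1, 20)),
    Vulnerability("VULN-002", datetime(2024, 2, 1), datetime(2024, 2, 1), datetime(2024, 2, 5)),
    Vulnerability("VULN-003", datetime(2024, 3, 1), datetime(2024, 3, 3), None),
]
AS_OF = datetime(2024, 3, 31)
SAMPLE_CHANGES = [
    {"id": "CHG-1", "change_control": True, "approved": True},
    {"id": "CHG-2", "change_control": True, "approved": False},
    {"id": "CHG-3", "change_control": True, "approved": True},
]

if __name__ == "__main__":
    for key, value in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
    for key, value in vulnerability_metrics(SAMPLE_VULNS, AS_OF).items():
        print(f"{key}: {value}")
    print("audit_coverage_pct:", audit_coverage_pct(45, 60))
    print("uncontrolled_changes:", uncontrolled_changes(SAMPLE_CHANGES))
```

Reporting the unknown-start count next to the detection average is the part that matters for the dashboard: a mean of 27 hours over two incidents says nothing about the third, where nobody could say when it began, and the slide-level number should not hide that.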

**062 Other good metrics? Average time to detect. That one's kind of tricky. Why is that one maybe not such a great metric? What are you measuring? You're measuring all the ones you've detected. You're not measuring all those you haven't detected. So it might give you a false sense of security. Yeah, Jeff?


Student: Even when you detect, you don't know when it began.

Ben Malisow: Sometimes you do; sometimes you don't. Sometimes you can follow it back; sometimes you can't. Sometimes you don't know how long it's been there. Good. Good. He gets a Twix, man. See that? Yeah, good. Average time to pass it up the food chain, contain it. We're going to talk about that in incident response as well. Average time between vulnerability detection and resolution. This is a good metric from a security standpoint, not so good from a political standpoint. Why not? Who are you making look bad with that one?

Student: IT department.

Ben Malisow: IT department, yeah. Yeah. And you already tried to co-opt everybody, including IT, into being good little security contributors, and now you're kind of slapping them with it. There's got to be trade-offs there, too, as well. Be sensitive to those things. Is this a good metric? Yeah, that one's pretty straightforward. That one's pretty straightforward. And you should have a process in place for doing that as well. And as long as you can report, "We've been in accordance with our process," that's a good thing. That's a good metric to use. After the fact, you're going to look at all of your incidents. Again, these, while they are quantitative measures, they might not actually reflect anything that's going to be necessarily of use, but they are things that you can measure. You can measure audits! Is that useful? Sure. Again, you should have a policy in place saying how often things are going to be audited, and whether or not you're in compliance with them. This one-- if that number is greater than zero, don't you have a problem already? Yeah, it means that you knowingly put forth a change that didn't go through the process, right? And didn't go through your exception process. So, it's something you can measure. I'm just not sure exactly the efficacy of using that measure.

Qualitative Measures (Slide 63)

Includes
• Control mechanisms are properly configured and monitored in real-time
• Self-protection implemented
• Information security personnel alerted to faults
• All critical systems events are reported to information security personnel, or to event analysis automation tools for real-time threat detection

**063 Good. Other things you can measure! Qualitatively instead of quantitatively. Is everything properly configured and monitored? When we talk about monitoring these things, and the configuration, are we talking about somebody sitting there and watching them? Like the closed-circuit television? No, of course, that's automated processes. There's software that can monitor the baseline, and alarm when something deviates. Self-protection. Are you implementing all of the controls that you said you were going to? You can check and see who's been alerted at any given time.


Do you have a process in your organization for when these things are detected, are those people informed? Is there a pager-- nobody uses a pager anymore. Is there a mobile device that is informed? Are there people on standby? Is there 24-hour coverage for that? And whether or not critical systems have some sort of instant notification, and whether or not you, as the security office, have been informed of those things.

Management Summary (Slide 64)

Design and monitoring activities must consider
• What senior management wants to know
• Needs of business process owners
• What is important to IS operations
• IT security management requirements

Provide senior management a high-level summary
• Progress
• Significant changes
• Results

May want more detailed metrics data
• For example: policy compliance and patch management

**064 All right. In terms of management, going over these things. You should be monitoring those things senior management wants to know. How does senior management decide what it is they want to know?


Student: You tell them.

Ben Malisow: You tell them. You help them out. You walk them through that process. You inform them as to what it is they want to be informed on. You should also be helping out the business owners? Why? Strategic alignment. Yeah, security has to dovetail with the business, right? Plus, if you're doing what the business process owners want, you're making them a part of the security program as well. You have made them your buddies instead of your antagonist. Important things for operational capabilities, and of course, your own management requirements. You're going to give them reports on a regular basis of how you're doing, and what you intend to be doing. You might want to get some good numbers, some hard numbers to put on that management dashboard. Has anyone ever prepared, or does anyone deliver a security dashboard, or an IT dashboard report? Yeah, you...

Student: Not for security.

Ben Malisow: Oh, you don't do one? No?

Student: We do dashboard, but not for security.

Ben Malisow: Okay, okay. What dashboard do you use? Just IT?

Student: Yeah, service uptime, and ticket tracking, dashboards, things like that.

Ben Malisow: Okay, and do you have the red light, yellow light, green light stuff? Yeah. Management loves those, don't they?

Student: Mm hm.

Ben Malisow: Oh, it's so-- it's like a cartoon for them. They love that; good, good.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.