SlideShare uma empresa Scribd logo

Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman

Michael Roytman
Michael Roytman

This document discusses the need for better security metrics and automation. It argues that attackers currently have better automation capabilities than defenders. The document outlines problems with current vulnerability management practices being too manual. It proposes that better security metrics could help drive more effective automation. The document discusses characteristics of good security metrics and evaluates some existing metrics against those criteria. It emphasizes the need for more objective, automated metrics based on real-world data about breaches and exploits.

Internet
1 de 36
Baixar para ler offline
WHO WATCHES THE WATCHERS? METRICS FOR SECURITY STRATEGY @MROYTMAN
ATTACKERS ARE BETTER AT AUTOMATION
ATTACKERS ARE BETTER AT AUTOMATION
2014 Q1 Q2 Q3 Q4
WE NEED BETTER AUTOMATION
WE NEED BETTER AUTOMATION CURRENT VULN MANAGEMENT: AUTOMATED VULN DISCOVERY MANUAL-ISH VULN SCANNING MANUAL THREAT INTELLIGENCE MANUAL VULN SCORING MANUAL REMEDIATION PRIORITIZATION
MANUAL
WE NEED BETTER DATA: BETTER BASE RATES FOR EXPLOITATION BETTER EXPLOIT AVAILABILITY BETTER VULNERABILITY TRENDS BETTER BREACH DATA BETTER M E T R I C S
SOMETIMES WE MAKE BAD DECISIONS SOMETIMES WE HAVE BAD METRICS
METRICS ARE DECISION SUPPORT
GOOD METRICS ARE OBJECTIVE FUNCTIONS FOR AUTOMATION
WHAT MAKES A METRIC GOOD?
HEARTBLEED CVSS 5 SHELLSHOCK CVSS 10
HEARTBLEED CVSS 5 SHELLSHOCK CVSS 10 POODLE CVSS 4.3
CVSS IS NOT THE PROBLEM
CVSS IS NOT THE PROBLEM
CVSS FOR PRIORITIZATION IS A SYSTEMIC PROBLEM
CVSS AS A BREACH VOLUME PREDICTOR:
ATTACKERS CHANGE TACTICS DAILY
WHAT DEFINES A GOOD METRIC? GOOD DATA
WHICH SYSTEM IS MORE SECURE? $1,000 $1,000,000 CONTROL 1 CONTROL 1 ASSET 1 ASSET 2
TYPES OF METRICS -EXCLUDE REAL LIFE THREAT ENVIRONMENT TYPE 1 % FALLING FOR SIMULATED PHISHING EMAIL CVSS SCORE -OCCURANCE RATE CONTROLLED -INTERACTION WITH THREAT ENVIRONMENT TYPE 2 # INFECTED MACHINES OF ISP % VULNS WITH METASPLOIT MODULE -DESCRIBE UNDESIRED EVENTS
WHAT DEFINES A GOOD METRIC? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC - NO GAMING! 7. COMPUTED AUTOMATICALLY
MEAN TIME TO INCIDENT DISCOVERY? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY X ✓ ✓ X ✓ ✓ X
VULNERABILITY SCANNING COVERAGE? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
CVSS FOR REMEDIATION? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ X X X ✓ X ✓
YOU NEED DATA TO MAKE DATA
METASPLOIT PRESENT ON VULN? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
YOU NEED DATA TO MAKE METRICS ! Probability* (You*Will*Be*Breached*On*A*Particular*Open*Vulnerability)? !"#$%&'($#)*+,(,-,#.% /)#*0ℎ#.%!00')#2%3$%4ℎ#,)%5&6) 43-*(%!"#$%&'($#)*+,(,-,#. 6%
PROBABILITY A VULNERABILITY HAVING CVSS SCORE > X HAS OBSERVED BREACHES 0 2 4 6 8 10 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) PROBABILITY A VULNERABILITY HAVING PROPERTY X HAS OBSERVED BREACHES
KENNASECURITY.COM/JOBS @MROYTMAN
References Security Metrics www.securitymetrics.org Society of Information Risk Analysts https://societyinforisk.org/ National Weather Service Research Forum http://www.nws.noaa.gov/mdl/vlab/forum/VLab_forum.php Dan Geer’s Full Day Tutorial On Measuring Security http://geer.tinho.net/measuringsecurity.tutorial.pdf Yasasin, Emrah, and Guido Schryen. "Derivation of Requirements for IT Security Metrics–An Argumentation Theory Based Approach." (2015). Savola, Reijo M. "Towards a taxonomy for information security metrics."Proceedings of the 2007 ACM workshop on Quality of protection. ACM, 2007. Böhme, Rainer, et al. "4.3 Testing, Evaluation, Data, Learning (Technical Security Metrics)–Working Group Report." Socio- Technical Security Metrics(2015): 20. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb’s journal, 24(12):21–29, 1999. T. Dimkov, W. Pieters, and P. H. Hartel. Portunes: representing attack scenarios spanning through the physical, digital and social domain. In Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA/WITS’10), volume 6186 of LNCS, pp. 112–129. Springer, 2010. A. Beautement, M. A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proc. of the 2008 Workshop on New Security Paradigms, NSPW’08, pp. 47–58, New York, NY, USA, 2008. ACM. B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proc. of the 2001 New Security Paradigms Workshop, pp. 97–104, New York, NY, USA, 2001. ACM.
A. Buldas, P. Laud, J. Priisalu, M. Saarepera, and J. Willemson. Rational choice of security measures via multi-parameter attack trees. In Critical Information Infrastructures Security, volume 4347 of LNCS, pp. 235–248. Springer, 2006. R. Böhme. Security metrics and security investment models. In Isao Echizen, Noboru Kunihiro, and Ryoichi Sasaki, editors, Advances in Information and Computer Security, volume 6434 of LNCS, pp. 10–24. Springer, 2010. P. Finn and M. Jakobsson. Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26(1):46–58, 2007. M. E. Johnson, E. Goetz, and S. L. Pfleeger. Security through information risk management. IEEE Security & Privacy, 7(3):45–52, May 2009. R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proc. of the 8th Int’l Conf. on Quantitative Evaluation of Systems (QEST’11), pp. 191–200, 2011. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann. Towards operational measures of computer security. Journal of Computer Security, 2(2–3): 211–229, 1993. H. Molotch. Against security: How we go wrong at airports, subways, and other sites of ambiguous danger. Princeton University Press, 2014. S. L. Pfleeger. Security measurement steps, missteps, and next steps. IEEE Security & Privacy, 10(4):5–9, 2012. W. Pieters. Defining “the weakest link”: Comparative security in complex systems of systems. In Proc. of the 5th IEEE Int’l Conf. on Cloud Computing Technology and Science (CloudCom’13), volume 2, pp. 39–44, Dec 2013. W. Pieters and M. Davarynejad. Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Proc. of the 3rd Int’l Workshop on Quantitative Aspects in Security Assurance (QASA), LNCS, Springer, 2014. W. Pieters, S. H. G. Van der Ven, and C.W. Probst. A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability. In Proc. of the 2012 New Security Paradigms Workshop, NSPW’12, pages 1–14. ACM, 2012. C.W. Probst and R. R. Hansen. An extensible analysable system model. Information security technical report, 13(4):235–246, 2008. M. J. G. Van Eeten, J. Bauer, H. Asghari, and S. Tabatabaie. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. OECD STI Working Paper 2010/5, Paris: OECD, 2010. Klaus, Tim. "Security Metrics-Replacing Fear, Uncertainty, and Doubt." Journal of Information Privacy and Security 4.2 (2008): 62-63.

Recomendados

Cyb 690 security architecture scoring guide performance level
Cyb 690 security architecture scoring guide performance level Cyb 690 security architecture scoring guide performance level
Cyb 690 security architecture scoring guide performance level ANIL247048
 
Customer case study © 2010 cisco systems, inc. all rig
Customer case study © 2010 cisco systems, inc. all rigCustomer case study © 2010 cisco systems, inc. all rig
Customer case study © 2010 cisco systems, inc. all rigANIL247048
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Dinis Cruz
 
NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...
NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...
NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...North Texas Chapter of the ISSA
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity laurieannwilliams
 
Some insights from a Systematic Mapping Study and a Systematic Review Study: ...
Some insights from a Systematic Mapping Study and a Systematic Review Study: ...Some insights from a Systematic Mapping Study and a Systematic Review Study: ...
Some insights from a Systematic Mapping Study and a Systematic Review Study: ...Phu H. Nguyen
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsDinis Cruz
 
Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Ricardo Gutiérrez
 

Recomendados

Cyb 690 security architecture scoring guide performance level
Cyb 690 security architecture scoring guide performance level Cyb 690 security architecture scoring guide performance level
Cyb 690 security architecture scoring guide performance level ANIL247048
 
Customer case study © 2010 cisco systems, inc. all rig
Customer case study © 2010 cisco systems, inc. all rigCustomer case study © 2010 cisco systems, inc. all rig
Customer case study © 2010 cisco systems, inc. all rigANIL247048
 
Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Using security to drive chaos engineering - April 2018
Using security to drive chaos engineering - April 2018Dinis Cruz
 
NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...
NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...
NTXISSACSC3 - Collin College's Security Management Practices Capstone Course ...North Texas Chapter of the ISSA
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity laurieannwilliams
 
Some insights from a Systematic Mapping Study and a Systematic Review Study: ...
Some insights from a Systematic Mapping Study and a Systematic Review Study: ...Some insights from a Systematic Mapping Study and a Systematic Review Study: ...
Some insights from a Systematic Mapping Study and a Systematic Review Study: ...Phu H. Nguyen
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsDinis Cruz
 
Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Ricardo Gutiérrez
 
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...Willy Marroquin (WillyDevNET)
 
Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Arpit Singh
 
Threat landscape 4.0
Threat landscape 4.0Threat landscape 4.0
Threat landscape 4.0Dr. C.V. Suresh Babu
 
Operar con alertas, dashboards customizados y cronología
Operar con alertas, dashboards customizados y cronologíaOperar con alertas, dashboards customizados y cronología
Operar con alertas, dashboards customizados y cronologíaElasticsearch
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
Insider threatsystemdynamics 2
Insider threatsystemdynamics 2Insider threatsystemdynamics 2
Insider threatsystemdynamics 2Fred Kautz
 
Seismic Analysis of High-raised Building under Floating Foundation
Seismic Analysis of High-raised Building under Floating FoundationSeismic Analysis of High-raised Building under Floating Foundation
Seismic Analysis of High-raised Building under Floating FoundationShanmuga Priyan Thiagarajan
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Aaron Rinehart
 
#%! My CISO Says
#%! My CISO Says#%! My CISO Says
#%! My CISO SaysArgyle Executive Forum
 
IGPC Data Breach Planning braindump
IGPC Data Breach Planning braindumpIGPC Data Breach Planning braindump
IGPC Data Breach Planning braindumpJames '​-- Mckinlay
 
Metrics evolution breakfast edition
Metrics evolution breakfast editionMetrics evolution breakfast edition
Metrics evolution breakfast editionJames '​-- Mckinlay
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelnooralmousa
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
Introducing KRI model know your customers
Introducing KRI model know your customersIntroducing KRI model know your customers
Introducing KRI model know your customersBaby Sirota
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...NJVC, LLC
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslideZakaria Salah, Ph.D,MBA
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITMax Neira Schliemann
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTripwire
 
Using Security Metrics to Drive Action
Using Security Metrics to Drive ActionUsing Security Metrics to Drive Action
Using Security Metrics to Drive ActionMighty Guides, Inc.
 

Mais conteúdo relacionado

Mais procurados

The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...Willy Marroquin (WillyDevNET)
 
Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Arpit Singh
 
Operar con alertas, dashboards customizados y cronología
Operar con alertas, dashboards customizados y cronologíaOperar con alertas, dashboards customizados y cronología
Operar con alertas, dashboards customizados y cronologíaElasticsearch
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
Insider threatsystemdynamics 2
Insider threatsystemdynamics 2Insider threatsystemdynamics 2
Insider threatsystemdynamics 2Fred Kautz
 
Seismic Analysis of High-raised Building under Floating Foundation
Seismic Analysis of High-raised Building under Floating FoundationSeismic Analysis of High-raised Building under Floating Foundation
Seismic Analysis of High-raised Building under Floating FoundationShanmuga Priyan Thiagarajan
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Aaron Rinehart
 

Mais procurados (8)

The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and...
 
Coursera Cybersecurity 2015
Coursera Cybersecurity 2015Coursera Cybersecurity 2015
Coursera Cybersecurity 2015
 
Threat landscape 4.0
Threat landscape 4.0Threat landscape 4.0
Threat landscape 4.0
 
Operar con alertas, dashboards customizados y cronología
Operar con alertas, dashboards customizados y cronologíaOperar con alertas, dashboards customizados y cronología
Operar con alertas, dashboards customizados y cronología
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
Insider threatsystemdynamics 2
Insider threatsystemdynamics 2Insider threatsystemdynamics 2
Insider threatsystemdynamics 2
 
Seismic Analysis of High-raised Building under Floating Foundation
Seismic Analysis of High-raised Building under Floating FoundationSeismic Analysis of High-raised Building under Floating Foundation
Seismic Analysis of High-raised Building under Floating Foundation
 
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
Nexus User Conference DevOps "Table Stakes": The minimum required to play the...
 

Destaque

Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelnooralmousa
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics ProgramCydney Davis
 
Introducing KRI model know your customers
Introducing KRI model know your customersIntroducing KRI model know your customers
Introducing KRI model know your customersBaby Sirota
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryPriyanka Aash
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...NJVC, LLC
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsJack Nichelson
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTripwire
 
Using Security Metrics to Drive Action
Using Security Metrics to Drive ActionUsing Security Metrics to Drive Action
Using Security Metrics to Drive ActionMighty Guides, Inc.
 
Measuring Success - Security KPIs
Measuring Success - Security KPIsMeasuring Success - Security KPIs
Measuring Success - Security KPIsH Contrex
 

Destaque (15)

#%! My CISO Says
#%! My CISO Says#%! My CISO Says
#%! My CISO Says
 
IGPC Data Breach Planning braindump
IGPC Data Breach Planning braindumpIGPC Data Breach Planning braindump
IGPC Data Breach Planning braindump
 
Metrics evolution breakfast edition
Metrics evolution breakfast editionMetrics evolution breakfast edition
Metrics evolution breakfast edition
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
 
Security Metrics Program
Security Metrics ProgramSecurity Metrics Program
Security Metrics Program
 
Introducing KRI model know your customers
Introducing KRI model know your customersIntroducing KRI model know your customers
Introducing KRI model know your customers
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
Health IT Cyber Security HIPAA Summit Presentation: Metrics and Continuous Mo...
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 
KRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & ITKRI (Key Risk Indicators) & IT
KRI (Key Risk Indicators) & IT
 
Information Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security MetricsInformation Security Metrics - Practical Security Metrics
Information Security Metrics - Practical Security Metrics
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security Dashboard
 
Using Security Metrics to Drive Action
Using Security Metrics to Drive ActionUsing Security Metrics to Drive Action
Using Security Metrics to Drive Action
 
Measuring Success - Security KPIs
Measuring Success - Security KPIsMeasuring Success - Security KPIs
Measuring Success - Security KPIs
 

Semelhante a Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman

Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Michael Roytman
 
Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyKenna
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Michael Roytman
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxhealdkathaleen
 
Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...
Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...
Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...Rihab Rahman
 
Jackie Rees
Jackie ReesJackie Rees
Jackie Reesbutest
 
Nse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerNse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerKim Hammar
 
Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020IJNSA Journal
 
Most trending articles 2020 - International Journal of Network Security & Its...
Most trending articles 2020 - International Journal of Network Security & Its...Most trending articles 2020 - International Journal of Network Security & Its...
Most trending articles 2020 - International Journal of Network Security & Its...IJNSA Journal
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017Maurice Dawson
 
ISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docxISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docxbagotjesusa
 
Review Questions What is the difference between a threat agent and a t.pdf
Review Questions What is the difference between a threat agent and a t.pdfReview Questions What is the difference between a threat agent and a t.pdf
Review Questions What is the difference between a threat agent and a t.pdfvkawtia
 
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMSMETRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMSIJNSA Journal
 
Human Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseHuman Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseShujun Li
 
May 2022: Most Downloaded Articles in Computer Science &Information Technology
May 2022: Most Downloaded Articles in Computer Science &Information TechnologyMay 2022: Most Downloaded Articles in Computer Science &Information Technology
May 2022: Most Downloaded Articles in Computer Science &Information TechnologyAIRCC Publishing Corporation
 
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...IJCSES Journal
 
Multi-vocal Review of security orchestration
Multi-vocal Review of security orchestrationMulti-vocal Review of security orchestration
Multi-vocal Review of security orchestrationChadni Islam
 
Deep Learning Approach for Enhanced Cyber Threat Indicators in Twitter Stream
Deep Learning Approach for Enhanced Cyber Threat Indicators in Twitter StreamDeep Learning Approach for Enhanced Cyber Threat Indicators in Twitter Stream
Deep Learning Approach for Enhanced Cyber Threat Indicators in Twitter StreamSimranKetha
 
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docxRunning head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docxjeanettehully
 

Semelhante a Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman (20)

Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
 
Who Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security StrategyWho Watches the Watchers? Metrics for Security Strategy
Who Watches the Watchers? Metrics for Security Strategy
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
 
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docxRunning head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
Running head ANNOTATED BIBLIOGRAPHYANNOTATED BIBLIOGRAPHY2.docx
 
Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...
Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...
Study on Cyber Security:Establishing a Sustainable Cyber Security Framework f...
 
Jackie Rees
Jackie ReesJackie Rees
Jackie Rees
 
Nse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadlerNse seminar 4_dec_hammar_stadler
Nse seminar 4_dec_hammar_stadler
 
Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020Trends in Network and Wireless Network Security in 2020
Trends in Network and Wireless Network Security in 2020
 
Most trending articles 2020 - International Journal of Network Security & Its...
Most trending articles 2020 - International Journal of Network Security & Its...Most trending articles 2020 - International Journal of Network Security & Its...
Most trending articles 2020 - International Journal of Network Security & Its...
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
 
ISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docxISSA Journal September 2008Article Title Article Author.docx
ISSA Journal September 2008Article Title Article Author.docx
 
Presentation to GFCE 2019 in Addis Ababa, Ethiopia
Presentation to GFCE 2019 in Addis Ababa, EthiopiaPresentation to GFCE 2019 in Addis Ababa, Ethiopia
Presentation to GFCE 2019 in Addis Ababa, Ethiopia
 
Review Questions What is the difference between a threat agent and a t.pdf
Review Questions What is the difference between a threat agent and a t.pdfReview Questions What is the difference between a threat agent and a t.pdf
Review Questions What is the difference between a threat agent and a t.pdf
 
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMSMETRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
METRICS FOR EVALUATING ALERTS IN INTRUSION DETECTION SYSTEMS
 
Human Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use caseHuman Factors in Cyber Security: User authentication as a use case
Human Factors in Cyber Security: User authentication as a use case
 
May 2022: Most Downloaded Articles in Computer Science &Information Technology
May 2022: Most Downloaded Articles in Computer Science &Information TechnologyMay 2022: Most Downloaded Articles in Computer Science &Information Technology
May 2022: Most Downloaded Articles in Computer Science &Information Technology
 
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...
 
Multi-vocal Review of security orchestration
Multi-vocal Review of security orchestrationMulti-vocal Review of security orchestration
Multi-vocal Review of security orchestration
 
Deep Learning Approach for Enhanced Cyber Threat Indicators in Twitter Stream
Deep Learning Approach for Enhanced Cyber Threat Indicators in Twitter StreamDeep Learning Approach for Enhanced Cyber Threat Indicators in Twitter Stream
Deep Learning Approach for Enhanced Cyber Threat Indicators in Twitter Stream
 
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docxRunning head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
Running head SECURITY RISKS IN DATABASE MIGRATION1SECURITY RIS.docx
 

Mais de Michael Roytman

O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalMichael Roytman
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsMichael Roytman
 
Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting ExploitabilityMichael Roytman
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Michael Roytman
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Michael Roytman
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeMichael Roytman
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementMichael Roytman
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMichael Roytman
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OMichael Roytman
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementMichael Roytman
 

Mais de Michael Roytman (13)

CyberTechEurope.pptx
CyberTechEurope.pptxCyberTechEurope.pptx
CyberTechEurope.pptx
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability Final
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With Predictions
 
Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting Exploitability
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach Landscape
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done Right
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/O
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What Matters
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability Management
 

Último

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 

Último (20)

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 

Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman

  • 1. WHO WATCHES THE WATCHERS? METRICS FOR SECURITY STRATEGY @MROYTMAN
  • 2.
  • 7. WE NEED BETTER AUTOMATION CURRENT VULN MANAGEMENT: AUTOMATED VULN DISCOVERY MANUAL-ISH VULN SCANNING MANUAL THREAT INTELLIGENCE MANUAL VULN SCORING MANUAL REMEDIATION PRIORITIZATION
  • 9. WE NEED BETTER DATA: BETTER BASE RATES FOR EXPLOITATION BETTER EXPLOIT AVAILABILITY BETTER VULNERABILITY TRENDS BETTER BREACH DATA BETTER M E T R I C S
  • 16.
  • 17. CVSS IS NOT THE PROBLEM
  • 19. CVSS FOR PRIORITIZATION IS A SYSTEMIC PROBLEM
  • 20. CVSS AS A BREACH VOLUME PREDICTOR:
  • 22. WHAT DEFINES A GOOD METRIC? GOOD DATA
  • 23. WHICH SYSTEM IS MORE SECURE? $1,000 $1,000,000 CONTROL 1 CONTROL 1 ASSET 1 ASSET 2
  • 24. TYPES OF METRICS -EXCLUDE REAL LIFE THREAT ENVIRONMENT TYPE 1 % FALLING FOR SIMULATED PHISHING EMAIL CVSS SCORE -OCCURANCE RATE CONTROLLED -INTERACTION WITH THREAT ENVIRONMENT TYPE 2 # INFECTED MACHINES OF ISP % VULNS WITH METASPLOIT MODULE -DESCRIBE UNDESIRED EVENTS
  • 25. WHAT DEFINES A GOOD METRIC? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC - NO GAMING! 7. COMPUTED AUTOMATICALLY
  • 26. MEAN TIME TO INCIDENT DISCOVERY? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY X ✓ ✓ X ✓ ✓ X
  • 27. VULNERABILITY SCANNING COVERAGE? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
  • 28. CVSS FOR REMEDIATION? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ X X X ✓ X ✓
  • 29. YOU NEED DATA TO MAKE DATA
  • 30. METASPLOIT PRESENT ON VULN? 1. BOUNDED 2. SCALED METRICALLY 3. OBJECTIVE 4. VALID 5. RELIABLE 6. CONTEXT-SPECIFIC 7. COMPUTED AUTOMATICALLY ✓ ✓ ✓ ✓ ✓ ✓ ✓
  • 31. YOU NEED DATA TO MAKE METRICS ! Probability* (You*Will*Be*Breached*On*A*Particular*Open*Vulnerability)? !"#$%&'($#)*+,(,-,#.% /)#*0ℎ#.%!00')#2%3$%4ℎ#,)%5&6) 43-*(%!"#$%&'($#)*+,(,-,#. 6%
  • 32. PROBABILITY A VULNERABILITY HAVING CVSS SCORE > X HAS OBSERVED BREACHES 0 2 4 6 8 10 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
  • 33. 0 5 10 15 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) PROBABILITY A VULNERABILITY HAVING PROPERTY X HAS OBSERVED BREACHES
  • 35. References Security Metrics www.securitymetrics.org Society of Information Risk Analysts https://societyinforisk.org/ National Weather Service Research Forum http://www.nws.noaa.gov/mdl/vlab/forum/VLab_forum.php Dan Geer’s Full Day Tutorial On Measuring Security http://geer.tinho.net/measuringsecurity.tutorial.pdf Yasasin, Emrah, and Guido Schryen. "Derivation of Requirements for IT Security Metrics–An Argumentation Theory Based Approach." (2015). Savola, Reijo M. "Towards a taxonomy for information security metrics."Proceedings of the 2007 ACM workshop on Quality of protection. ACM, 2007. Böhme, Rainer, et al. "4.3 Testing, Evaluation, Data, Learning (Technical Security Metrics)–Working Group Report." Socio- Technical Security Metrics(2015): 20. B. Schneier. Attack trees: Modeling security threats. Dr. Dobb’s journal, 24(12):21–29, 1999. T. Dimkov, W. Pieters, and P. H. Hartel. Portunes: representing attack scenarios spanning through the physical, digital and social domain. In Proc. of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA/WITS’10), volume 6186 of LNCS, pp. 112–129. Springer, 2010. A. Beautement, M. A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proc. of the 2008 Workshop on New Security Paradigms, NSPW’08, pp. 47–58, New York, NY, USA, 2008. ACM. B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proc. of the 2001 New Security Paradigms Workshop, pp. 97–104, New York, NY, USA, 2001. ACM.
  • 36. A. Buldas, P. Laud, J. Priisalu, M. Saarepera, and J. Willemson. Rational choice of security measures via multi-parameter attack trees. In Critical Information Infrastructures Security, volume 4347 of LNCS, pp. 235–248. Springer, 2006. R. Böhme. Security metrics and security investment models. In Isao Echizen, Noboru Kunihiro, and Ryoichi Sasaki, editors, Advances in Information and Computer Security, volume 6434 of LNCS, pp. 10–24. Springer, 2010. P. Finn and M. Jakobsson. Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26(1):46–58, 2007. M. E. Johnson, E. Goetz, and S. L. Pfleeger. Security through information risk management. IEEE Security & Privacy, 7(3):45–52, May 2009. R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011. E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proc. of the 8th Int’l Conf. on Quantitative Evaluation of Systems (QEST’11), pp. 191–200, 2011. B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid, and D. Gollmann. Towards operational measures of computer security. Journal of Computer Security, 2(2–3): 211–229, 1993. H. Molotch. Against security: How we go wrong at airports, subways, and other sites of ambiguous danger. Princeton University Press, 2014. S. L. Pfleeger. Security measurement steps, missteps, and next steps. IEEE Security & Privacy, 10(4):5–9, 2012. W. Pieters. Defining “the weakest link”: Comparative security in complex systems of systems. In Proc. of the 5th IEEE Int’l Conf. on Cloud Computing Technology and Science (CloudCom’13), volume 2, pp. 39–44, Dec 2013. W. Pieters and M. Davarynejad. Calculating adversarial risk from attack trees: Control strength and probabilistic attackers. In Proc. of the 3rd Int’l Workshop on Quantitative Aspects in Security Assurance (QASA), LNCS, Springer, 2014. W. Pieters, S. H. G. Van der Ven, and C.W. Probst. A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability. In Proc. of the 2012 New Security Paradigms Workshop, NSPW’12, pages 1–14. ACM, 2012. C.W. Probst and R. R. Hansen. An extensible analysable system model. Information security technical report, 13(4):235–246, 2008. M. J. G. Van Eeten, J. Bauer, H. Asghari, and S. Tabatabaie. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. OECD STI Working Paper 2010/5, Paris: OECD, 2010. Klaus, Tim. "Security Metrics-Replacing Fear, Uncertainty, and Doubt." Journal of Information Privacy and Security 4.2 (2008): 62-63.