The Emergence of Enterprise Security Intelligence

Post on 21-Jan-2015


Enterprise Security Intelligence (ESI) is an emerging concept: a comprehensive and holistic alternative to traditional, disjointed security approaches that enables stronger enterprise-wide security, optimal decision making and better business results. Tripwire’s CTO Dwayne Melançon discusses:

The Enterprise Security Intelligence concept and how to use it in your security efforts

Practical tips for leveraging security intelligence, and how it fits with Tripwire’s System State Intelligence

How Tripwire provides an integrated solution that lets customers look at security events with business context and detect an insecure system

The full webcast can be found here: http://www.tripwire.com/register/the-emergence-of-enterprise-security-intelligence-amer/

Transcript of The Emergence of Enterprise Security Intelligence

5 Tips for Leveraging Enterprise Security Intelligence

DWAYNE MELANÇON & CINDY VALLADARES

April 2013

TODAY’S SPEAKERS

Dwayne Melançon

Chief Technology Officer

@ThatDwayne

Cindy Valladares

Sr. Manager Corporate Communications

@cindyv

Enterprise Security Intelligence: From the Gartner Files

Emerging as a comprehensive and holistic alternative to traditional disjointed security approaches that will enable stronger security enterprise-wide, optimal decision-making and better business results

Benefits of Enterprise Security Intelligence

Higher accuracy of security vulnerability detection, remediation and protection based on technology interaction and correlation

Better correlation and impact analysis across all sources of security information

Detailed understanding of enterprise security

Improved decision making

5 TIPS FOR LEVERAGING ENTERPRISE SECURITY INTELLIGENCE

1. UNDERSTAND YOUR ORGANIZATION’S RISK APPETITE

2. PRIORITIZE BASED ON HIGHEST RISK & IMPACT

3. ADD CONTEXT TO YOUR INCIDENT DETECTION

4. ESTABLISH KEY SECURITY INDICATORS

5. MEASURE PROGRESS AND COMMUNICATE RESULTS

#1: Understand Organization’s Risk Appetite

Pyramid of Pain

#2: Prioritize Based on Highest Risk & Impact

Apply risk ranking/scoring methods

Better utilization of resources

Prioritize security threats

Be proactive about security

Aligned With Security Policy

#3: Add Context to Your Incident Detection

System State Intelligence:

Provides full awareness of the state of your systems

Anchors your systems to a ‘known and trusted state’

Monitors continuously for changes and deviations

Uses that awareness to detect suspicious events

Enables security context and prioritization

Know the security state of your systems
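As an added illustration of the idea above (anchor a host to a known, trusted state, detect deviations, then add context so the deviation can be prioritized), the following Python is example code written for this page, not Tripwire's implementation. It fingerprints a baseline and a current snapshot of the same host, reports every deviation, tags each one with an approved change ticket where one exists and with the asset's criticality, and derives a severity. The file contents, hostnames, ticket numbers, the list of prefixes treated as sensitive and the severity rules are all constructed assumptions for the demo.

```python
"""Added example: baseline-vs-current drift detection with change-ticket and
asset context. All data below is constructed; nothing here is Tripwire code."""
import hashlib

# Constructed baseline, captured when the host was last known good: path -> content.
BASELINE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/bin/sudo": b"ELF-sudo-1.8.6",
}
# Constructed current snapshot of the same host.
CURRENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # drifted
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",                         # unchanged
    "/usr/bin/sudo": b"ELF-sudo-1.8.7",                                          # patched
    "/etc/cron.d/sync": b"* * * * * root /tmp/.s\n",                             # new file
}
# Constructed approved changes, as a change-management system might export them.
APPROVED_CHANGES = {"/usr/bin/sudo": "CHG0001234"}
# Constructed CMDB criticality and (assumed) paths the policy treats as sensitive.
HOST_CRITICALITY = {"web-01": "Critical", "kiosk-07": "Low"}
SENSITIVE_PREFIXES = ("/etc/ssh/", "/etc/passwd", "/etc/cron.d/", "/usr/bin/")


def fingerprint(files):
    """Map each path to the SHA-256 of its content; this is the 'known state'."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def detect_drift(baseline_fp, current_fp):
    """Return one record per path whose fingerprint differs between the two maps."""
    drift = []
    for path in sorted(set(baseline_fp) | set(current_fp)):
        before, after = baseline_fp.get(path), current_fp.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "modified"
        drift.append({"path": path, "change": kind})
    return drift


def add_context(drift, host, approved, criticality):
    """Attach ticket and asset context and derive a severity (rules are assumptions)."""
    for d in drift:
        ticket = approved.get(d["path"])
        d["authorized"] = ticket is not None
        d["ticket"] = ticket
        d["host_criticality"] = criticality.get(host, "Unknown")
        sensitive = d["path"].startswith(SENSITIVE_PREFIXES)
        if d["authorized"]:
            d["severity"] = "info"            # expected change, keep for the audit trail
        elif d["host_criticality"] == "Critical" and sensitive:
            d["severity"] = "high"            # unauthorized change to a sensitive path on a critical host
        elif sensitive or d["host_criticality"] == "Critical":
            d["severity"] = "medium"
        else:
            d["severity"] = "low"
    return drift


def assess(host, baseline, current, approved=APPROVED_CHANGES, criticality=HOST_CRITICALITY):
    """Full pipeline: fingerprint both states, find drift, add context."""
    return add_context(detect_drift(fingerprint(baseline), fingerprint(current)),
                       host, approved, criticality)


if __name__ == "__main__":
    for finding in assess("web-01", BASELINE, CURRENT):
        print(finding)
```

Running the block as-is reports three deviations: the sshd_config edit and the new cron job are unauthorized and rated high on the Critical host, while the sudo update matches an approved ticket and is kept only as an informational record. The same drift on the Low-criticality host is rated medium, which is the point of the exercise: the raw change is identical, the business context is what drives the priority.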

Integration diagram: Tripwire Enterprise (IT security & compliance automation, System State Intelligence) with its Asset View and Log / Event Correlation Engine, exchanging data with:

SIEM platforms (ArcSight)

GRC solutions (Archer)

Change management (Remedy)

CMDB / asset management

Identity

3rd party security controls

What About SIEM Alone?

“Most end users believe the [SIEM] technology is at best a hassle and at worst an abject failure. SIEM is widely regarded as too complex, and too slow to implement, without providing enough customer value to justify the investment.”

Event Integration Framework Process

#4: Establish Key Security Indicators

Visualize risk, policy scoring and trends

Combine data from multiple controls

Make your security efforts visible, measurable and accountable

Effective Metrics Guidance

Must align to the goals of the business

Measure only what you can control

Use quantitative, not qualitative, data

Don’t over-research: collection and analytics should not be complicated

Show trend analysis

Drive discussion, decisions and actions

Promote healthy competition

Examples Of Metrics That Work

Leading or Preparatory Indicators: intended to drive proactive behaviour and habits, and to identify and measure precursors of risk or vulnerability

Configuration quality: % of configurations compliant with target security standards (risk-aligned), e.g. >95% in Critical; >75% in Medium

% of unauthorised or undocumented changes

Patch compliance by target area, based on risk level, e.g. % of systems patched within 72 hours for Critical; within 1 week for Medium, etc.

Examples Of Metrics That Work

Lagging or Operational Indicators: intended to measure the effectiveness of operational controls, and to drive improved efficiency and effectiveness

Control effectiveness: % of incidents detected by an automated control

% of incidents resulting in loss

Mean time to discover security incidents

% of changes that followed the change process

% of incidents detected by each control or process

Examples Of Metrics That Work

Program Effectiveness: intended to track and measure non-technical aspects of security efforts

Security program progress: % of staff (by business area) completing security training

Average scores (by business area) on security recall tests

% of employees (by business area) who responded to “phishing tests”
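The leading and lagging indicators on the preceding slides are easy to state and surprisingly easy to compute wrongly, so here is an added worked example (written for this page, not Tripwire's code) that computes several of them from constructed records: patch compliance by risk tier against the 72-hour Critical and 1-week Medium windows from the slides, configuration compliance against the >95% / >75% targets, mean time to discover, and the share of incidents detected by an automated control. The Low-tier window and target, the record layouts, the host and incident names, and which controls count as "automated" are assumptions; targets are treated as minimums (>=). One edge case the slides do not spell out is handled explicitly: an unpatched system whose window has not yet elapsed is counted as pending rather than as a failure, so an early snapshot does not read as 0% compliance.

```python
"""Added example: key security indicators computed from constructed records.
SLA windows and targets for Critical/Medium come from the slides; Low-tier
values, record formats and names are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

PATCH_SLA = {"Critical": timedelta(hours=72),   # from the slide
             "Medium": timedelta(days=7),        # from the slide
             "Low": timedelta(days=30)}          # assumed
CONFIG_TARGET = {"Critical": 0.95, "Medium": 0.75,  # from the slide
                 "Low": 0.50}                       # assumed
AUTOMATED_CONTROLS = {"FIM", "SIEM"}   # assumed names of automated detection sources
NOW = datetime(2013, 4, 30, 12, 0)     # fixed "now" so the numbers are reproducible

# Constructed: (host, risk tier, patch released, patch applied or None if still open)
PATCH_RECORDS = [
    ("web-01",   "Critical", datetime(2013, 4, 20), datetime(2013, 4, 21, 12)),  # 36h: ok
    ("web-02",   "Critical", datetime(2013, 4, 20), datetime(2013, 4, 25)),      # 120h: late
    ("db-01",    "Critical", datetime(2013, 4, 20), None),                       # overdue
    ("app-01",   "Medium",   datetime(2013, 4, 20), datetime(2013, 4, 26)),      # 6d: ok
    ("app-02",   "Medium",   datetime(2013, 4, 29), None),                       # pending
    ("kiosk-01", "Low",      datetime(2013, 4, 1),  None),                       # pending
]
# Constructed: (host, risk tier, check id, passed)
CONFIG_CHECKS = [
    ("web-01", "Critical", "ssh.permit_root_login", True),
    ("web-01", "Critical", "ssh.password_auth",     True),
    ("web-02", "Critical", "ssh.permit_root_login", False),
    ("web-02", "Critical", "ssh.password_auth",     True),
    ("db-01",  "Critical", "fs.world_writable",     True),
    ("app-01", "Medium",   "ssh.permit_root_login", True),
    ("app-01", "Medium",   "ssh.password_auth",     False),
    ("app-02", "Medium",   "ssh.permit_root_login", True),
    ("app-02", "Medium",   "ssh.password_auth",     True),
    ("app-02", "Medium",   "fs.world_writable",     True),
]
# Constructed: (incident id, began, discovered, detected by)
INCIDENTS = [
    ("INC-1", datetime(2013, 4, 1),  datetime(2013, 4, 1, 2),   "FIM"),
    ("INC-2", datetime(2013, 4, 5),  datetime(2013, 4, 7),      "user report"),
    ("INC-3", datetime(2013, 4, 10), datetime(2013, 4, 10, 10), "SIEM"),
]


def patch_compliance(records, now=NOW):
    """Per tier: fraction of due systems patched within that tier's SLA.
    A system is 'due' once it is patched (on time or late) or its deadline has
    passed; an unpatched system still inside its window is pending and excluded."""
    due, on_time = defaultdict(int), defaultdict(int)
    for _host, tier, released, applied in records:
        deadline = released + PATCH_SLA[tier]
        if applied is not None and applied <= deadline:
            due[tier] += 1
            on_time[tier] += 1
        elif applied is not None or deadline < now:
            due[tier] += 1          # patched late, or open and past the deadline
    return {tier: on_time[tier] / due[tier] for tier in due}


def config_compliance(checks):
    """Per tier: fraction of configuration checks that pass."""
    total, passed = defaultdict(int), defaultdict(int)
    for _host, tier, _check, ok in checks:
        total[tier] += 1
        passed[tier] += int(ok)
    return {tier: passed[tier] / total[tier] for tier in total}


def mean_time_to_discover_hours(incidents):
    """Lagging indicator: mean hours from incident start to discovery."""
    hours = [(found - began).total_seconds() / 3600 for _id, began, found, _by in incidents]
    return sum(hours) / len(hours)


def automated_detection_rate(incidents):
    """Lagging indicator: fraction of incidents first detected by an automated control."""
    return sum(by in AUTOMATED_CONTROLS for *_rest, by in incidents) / len(incidents)


def scorecard(now=NOW):
    """Indicator -> (value, target, meets_target); the shape a KSI dashboard consumes."""
    card = {}
    for tier, rate in config_compliance(CONFIG_CHECKS).items():
        card[f"config_compliance[{tier}]"] = (rate, CONFIG_TARGET[tier], rate >= CONFIG_TARGET[tier])
    for tier, rate in patch_compliance(PATCH_RECORDS, now).items():
        card[f"patch_within_sla[{tier}]"] = (rate, 1.0, rate >= 1.0)
    card["mean_time_to_discover_hours"] = (mean_time_to_discover_hours(INCIDENTS), None, None)
    card["automated_detection_rate"] = (automated_detection_rate(INCIDENTS), None, None)
    return card


if __name__ == "__main__":
    for name, (value, target, meets) in scorecard().items():
        print(f"{name:35} {value:.2f}  target={target}  meets={meets}")
```

With this data the Critical tier shows one of three due systems patched inside 72 hours, the Medium tier shows full compliance because app-02 is still inside its week and is not yet counted, and no Low figure is produced at all because kiosk-01 is the only Low record and it is still pending. Reporting "no data yet" for a tier is more honest than reporting 0% or 100%, and it is the kind of detail a board-level scorecard has to get right before the metric can drive a decision.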

Some Caveats

Keep things manageable: short lists, small numbers, primary colors

Beware of false flags: is cost a primary measure of security effectiveness?

Don’t sign somebody else’s deal: can you control what you’re being measured against?

#5: Measure Progress & Communicate Results

Continuously monitor

Nobody can afford 100% secure: cover based on risk

Aim for a balanced approach to security

Report On Status & Progress vs. Goals

Compare Various Business Units

Tripwire Newsletter Featuring Complimentary Gartner Research

How System State Intelligence fits into Enterprise Security Intelligence

How Tripwire solutions add business context and detect incidents early

http://gtnr.it/129rpPW

tripwire.com | @TripwireInc

DWAYNE MELANÇON -- @THATDWAYNE

CINDY VALLADARES -- @CINDYV

THANK YOU