Continuous Monitoring 2.0
Transcript of Continuous Monitoring 2.0
© 2012 nCircle. All Rights Reserved. nCircle Company Confidential
Continuous Monitoring 2.0: Cloud-based Benchmarking in Industry and the Federal Government
Keren Cummins, Director, Federal Programs
nCircle at a Glance
• More than 6,500 customers worldwide
• 10 consecutive years of revenue growth
• 150 employees with significant investment in R&D and continued innovation
• Core business is VA, Configuration Compliance, File Integrity Monitoring, PCI, Performance Management
• Ranked in Inc. 5000 six years in a row
• Ranked one of San Francisco Bay Area’s Top 100 Fastest Growing Private Companies
Agenda
• The evidence for benchmarking as an essential element of success in continuous monitoring
• Commercial initiative in cloud-based benchmarking
• Mapping this initiative into the federal space
• Your feedback!
Defining Terms
• Continuous Monitoring – in the context of information security, is defined in NIST SP 800-137 as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
• Benchmarking – the process of comparing one's business processes and performance metrics to industry bests and/or best practices from other industries. Dimensions typically measured are quality, time and cost.
Game Changers
• State Department – 89% risk reduction in the first 12 months across the entire world
• USAID – FISMA C- to consistent A+’s for five years
• Center for Medicare/Medicaid Services (CMS) – 80% risk reduction at 88 data centers and as high as 95% at one major center
Common Elements
• Breadth of engagement
• Simplicity of result
• Context
• Short cycle time
Why hasn’t everyone done this?
• Or, why is this hard?
  – Metrics are hard
  – My organizational structure is different
  – My monitoring solution won’t do that
The Challenge for Security Performance Management
• How can we replicate benchmarking success effectively?
  – With the organizations and tools that we already have in place?
  – For all our security programs (not just vulnerability management and configuration auditing)?
https://benchmark.ncircle.com
The CISO needs what the CFO has….
• The CISO needs a metrics language to describe a company’s security performance, just as the CFO describes financial performance
• CISOs can now field a formal security performance management program built on objective, fact-based metrics that
  – Shows how the security organization is protecting the company
  – Benchmarks performance vs. internal goals and vs. industry peers
  – Trends performance over time
With a Security Performance Management Program, CISOs can demonstrate that
• There is a comprehensive approach to security that is…
  – Measured against specific goals & standards
  – In line with our risk tolerance
  – Aggregated by meaningful asset groupings
  – At least equal to or better than our own industry's investment & performance
  – Controls aligned with GRC objectives
• Based on actual data on an ongoing basis that we can rely on to make decisions on:
  – Investment
  – Execution
  – Resource allocation
Security Metrics & Scorecards – cornerstone of an effective IT GRC assessment
• Metrics affirm the existence and effectiveness of security controls
• Scorecards enable and evidence management oversight; communicate performance and evaluate corrective actions
• Well-constructed Metrics and Scorecards:
  – Continuously monitor controls
  – Deliver trusted, timely, and actionable decision-making information
  – Identify and communicate concentration of risks
  – Align security initiatives with business objectives
Proven Metrics and Scorecards
An Effective Security Performance Management Solution
[Diagram: “IT Security Ecosystem”. Questions posed: How secure and compliant is our enterprise? How do we compare to others? Are we investing effectively? Domains shown: Endpoint Encryption; Event Management & Incident Response; Patch Management; Antivirus & Endpoint Protection; Vulnerability Management; Configuration Auditing; Identity & Access Management; Network Protection]
• Measure performance to goals
• Cover the entire IT Ecosystem
• Objective, fact-based metrics
• Relevant & Actionable
• Benchmark with peer groups
Valuable Peer Benchmarks
[Diagram panels: Benchmark Performance Quadrants; Benchmark Performance Standard; Weekly Performance Benchmark; Participant Results]
Analyze performance against Benchmarks & Identify underperforming areas
Over 1,000 companies have joined nCircle Benchmark to-date
[Chart: nCircle Benchmark Accounts, y-axis 0 to 1,000, as of 7/20/12]
Financial Services Bellwether Metrics
(Columns: Metric; Benchmark Average; Benchmark Median; Quartile ranges)

Average CVSS host score (per host): benchmark average 172, benchmark median 33
  Top 25%: 0 – 5 | Second Quartile: 6 – 33 | Third Quartile: 34 – 67 | Bottom 25%: 68 – 700

Average days since last scan: benchmark average 23, benchmark median 9
  Top 25%: 0 – 1 days | Second Quartile: 2 – 9 | Third Quartile: 10 – 32 | Bottom 25%: 33 – 90

Virus definition age (days): benchmark average 29, benchmark median 22
  Top 25%: 0 – 2 days | Second Quartile: 3 – 22 | Third Quartile: 23 – 40 | Bottom 25%: 41 – 56

Failed logins per attempt: benchmark average .05%, benchmark median .04%
  Top 25%: .00 – .03% | Second Quartile: .040 – .049% | Third Quartile: .05 – .08% | Bottom 25%: .09 – .11%
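The table above reports, for each metric, a population average, a median and four quartile ranges, and a participant reads its own value against those ranges. The following Python is an added example, not nCircle's code or the Benchmark service's logic: it derives those figures from a constructed benchmark population, computes a constructed participant's metrics from raw host and login records, and places each metric in a quartile. The population values, the HostRecord shape and the percentile convention (linear interpolation between sorted neighbours) are all assumptions; the slide does not state how its quartile boundaries were computed. It also generalises slightly beyond the table by supporting metrics where a higher value is better.

```python
"""Quartile placement against a benchmark population, in the style of the
bellwether metrics table. Added example, not nCircle's code; the benchmark
population, participant records and percentile method are constructed
assumptions."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Sequence, Tuple

# Constructed benchmark population: one value per participating organisation.
# Every metric in the table is "lower is better".
POPULATION: Dict[str, List[float]] = {
    "avg_cvss_host_score": [1, 3, 7, 15, 24, 40, 60, 100],
    "days_since_last_scan": [0, 1, 2, 5, 9, 20, 33, 90],
    "failed_login_pct": [0.00, 0.01, 0.03, 0.04, 0.05, 0.07, 0.09, 0.11],
}

QUARTILE_LABELS = ("Top 25%", "Second Quartile", "Third Quartile", "Bottom 25%")


def cut_points(values: Sequence[float]) -> Tuple[float, float, float]:
    """25th, 50th and 75th percentiles, interpolating linearly between sorted
    neighbours. Other percentile conventions shift the boundaries slightly, so a
    published benchmark has to state which one it uses."""
    data = sorted(values)
    n = len(data)
    if n < 2:
        raise ValueError("need at least two observations")

    def at(p: float) -> float:
        pos = (n - 1) * p
        lo = int(pos)
        hi = min(lo + 1, n - 1)
        return data[lo] + (pos - lo) * (data[hi] - data[lo])

    return at(0.25), at(0.50), at(0.75)


def benchmark_summary(values: Sequence[float]) -> Dict[str, float]:
    """The 'Benchmark Average' and 'Benchmark Median' columns plus cut points."""
    q1, q2, q3 = cut_points(values)
    return {"average": mean(values), "median": median(values),
            "q1": q1, "q2": q2, "q3": q3}


def quartile(value: float, values: Sequence[float],
             lower_is_better: bool = True) -> str:
    """Place one participant's value in a quartile of the population.
    lower_is_better=False covers metrics where a high value is good, which the
    table does not show (assumed extension)."""
    q1, q2, q3 = cut_points(values)
    if lower_is_better:
        bounds, better = (q1, q2, q3), (lambda v, b: v <= b)
    else:
        bounds, better = (q3, q2, q1), (lambda v, b: v >= b)
    for label, bound in zip(QUARTILE_LABELS, bounds):
        if better(value, bound):
            return label
    return QUARTILE_LABELS[-1]


@dataclass
class HostRecord:
    """One scanned host (constructed record shape)."""
    cvss_score: float   # summed CVSS of open findings on the host
    last_scan: date


def participant_metrics(hosts: List[HostRecord], failed_logins: int,
                        login_attempts: int, today: date) -> Dict[str, float]:
    """Derive three of the table's metrics for one organisation from raw data."""
    if not hosts or login_attempts <= 0:
        raise ValueError("need at least one host and one login attempt")
    return {
        "avg_cvss_host_score": mean(h.cvss_score for h in hosts),
        "days_since_last_scan": mean((today - h.last_scan).days for h in hosts),
        "failed_login_pct": 100.0 * failed_logins / login_attempts,
    }


def scorecard(metrics: Dict[str, float],
              population: Dict[str, List[float]] = POPULATION) -> Dict[str, str]:
    """Quartile label per metric: the per-participant view of the table."""
    return {name: quartile(value, population[name]) for name, value in metrics.items()}


# Constructed participant: three hosts, login statistics, report date 7/20/12.
SAMPLE_HOSTS = [
    HostRecord(10.0, date(2012, 7, 19)),
    HostRecord(20.0, date(2012, 7, 20)),
    HostRecord(24.0, date(2012, 7, 18)),
]
SAMPLE_METRICS = participant_metrics(SAMPLE_HOSTS, failed_logins=12,
                                     login_attempts=40000, today=date(2012, 7, 20))

if __name__ == "__main__":
    placements = scorecard(SAMPLE_METRICS)
    for name, value in SAMPLE_METRICS.items():
        summary = benchmark_summary(POPULATION[name])
        print(f"{name}: {value:.3g} -> {placements[name]} "
              f"(benchmark average {summary['average']:.3g}, median {summary['median']:.3g})")
```

Two points the code makes concrete. A skewed population gives an average well above the median (31.25 vs 19.5 here, the same shape as 172 vs 33 in the table), so the median is the more useful reference for a single participant. And the quartile boundaries depend on the percentile convention chosen, so two tools fed the same data can disagree at the edges unless the method is published alongside the ranges.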
Benchmarking in the Federal Space
• All the same security domains as commercial, plus…
• Agencies generate CyberScope continuous monitoring data, usually from SCAP XML files
• Generated using a wide and growing variety of SCAP validated solutions, numerous vendors
• Files uploaded to OMB once/month
• Files are
  – Human readable? Not so much
  – Don’t lend themselves to trending
  – Don’t lend themselves to comparative analysis
  – Readily ingested and processed by nCircle Benchmark data collectors
Cyberscope: Executive Summary
Asset Classification & Departmental Benchmark
Vulnerabilities & Departmental Comparison
SCAP Output
• Continuous Monitoring Metrics driven directly from SCAP data
  – Asset-based Compliance, Vulnerability and Classification Scorecards
• Asset Grouping identifies areas of improvement and concentration of risk, or examines specific critical cyber assets
  – Intra- and Inter-Agency (Bureau/Service) Benchmark Comparisons
SCAP: Executive Summary
Asset Identification & Departmental Comparison
Compliance & Departmental Comparison
Vulnerabilities & Benchmark Community
HQ Security Performance Comparison
Benchmark Federal Notional Diagram
[Diagram labels: Cyberscope (Assets, Vulnerabilities, Configuration); Cyberscope reporting and benchmark comparisons; Department (agencies, bureaus, FISMA locations, local requirements); Internal Benchmark Scorecards, by Asset Group, SCAP sources plus]
Questions?
• Contact information: Keren Cummins, Director, Federal and MidAtlantic Programs, (301) [email protected]