Continuous Monitoring 2.0


Continuous Monitoring 2.0: Cloud-based Benchmarking in Industry and the Federal Government, GFirst Conference 2012

Transcript of Continuous Monitoring 2.0

Page 1: Continuous Monitoring 2.0

© 2012 nCircle. All Rights Reserved. nCircle Company Confidential

Continuous Monitoring 2.0: Cloud-based Benchmarking in Industry and the Federal Government

Keren Cummins, Director, Federal Programs

Page 2: Continuous Monitoring 2.0

nCircle at a Glance

• More than 6,500 customers worldwide
• 10 consecutive years of revenue growth
• 150 employees with significant investment in R&D, & continued innovation
• Core business is VA, Configuration Compliance, File Integrity Monitoring, PCI, Performance Management
• Ranked in Inc. 5000 six years in a row
• Ranked one of San Francisco Bay Area’s Top 100 Fastest Growing Private Companies

Page 3: Continuous Monitoring 2.0

Agenda

• The evidence for benchmarking as an essential element of success in continuous monitoring
• Commercial initiative in cloud-based benchmarking
• Mapping this initiative into the federal space
• Your feedback!

Page 4: Continuous Monitoring 2.0

Defining Terms

• Continuous Monitoring, in the context of information security, is defined in NIST SP 800-137 as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

• Benchmarking - the process of comparing one's business processes and performance metrics to industry bests and/or best practices from other industries. Dimensions typically measured are quality, time and cost.

Page 5: Continuous Monitoring 2.0

Game Changers

• State Department – 89% risk reduction in the first 12 months across the entire world
• USAID – FISMA C- to consistent A+’s for five years
• Center for Medicare/Medicaid Services (CMS) – 80% risk reduction at 88 data centers and as high as 95% at one major center

Page 6: Continuous Monitoring 2.0

Common Elements

• Breadth of engagement
• Simplicity of result
• Context
• Short cycle time

Page 7: Continuous Monitoring 2.0

Why hasn’t everyone done this?

• Or, why is this hard?
  – Metrics are hard
  – My organizational structure is different
  – My monitoring solution won’t do that

Page 8: Continuous Monitoring 2.0

The Challenge for Security Performance Management

• How can we replicate benchmarking success effectively?
  – With the organizations and tools that we already have in place?
  – For all our security programs (not just vulnerability management and configuration auditing)?

Page 9: Continuous Monitoring 2.0

https://benchmark.ncircle.com

Page 10: Continuous Monitoring 2.0

The CISO needs what the CFO has….

• The CISO needs a metrics language to describe a company’s security performance, just as the CFO describes financial performance
• CISOs can now field a formal security performance management program built on objective, fact-based metrics that
  – Shows how the security organization is protecting the company
  – Benchmarks performance vs. internal goals, and vs. industry peers
  – Trends performance over time

Page 11: Continuous Monitoring 2.0

With a Security Performance Management Program, CISOs can demonstrate that

• There is a comprehensive approach to security that is…
  – Measured against specific goals & standards
  – In line with our risk tolerance
  – Aggregated by meaningful asset groupings
  – At least equal to or better than our own industry’s investment & performance
  – Controls aligned with GRC objectives
• Based on actual data on an ongoing basis that we can rely on to make decisions on:
  – Investment
  – Execution
  – Resource allocation

Page 12: Continuous Monitoring 2.0

Security Metrics & Scorecards – cornerstone of an effective IT GRC assessment

• Metrics affirm the existence and effectiveness of security controls
• Scorecards enable and evidence management oversight; they communicate performance and evaluate corrective actions
• Well-constructed Metrics and Scorecards:
  – Continuously monitor controls
  – Deliver trusted, timely, and actionable decision-making information
  – Identify and communicate concentration of risks
  – Align security initiatives with business objectives

Page 13: Continuous Monitoring 2.0

Proven Metrics and Scorecards

An Effective Security Performance Management Solution

How secure and compliant is our enterprise? How do we compare to others? Are we investing effectively?

[Figure: IT Security Ecosystem – Endpoint Encryption; Event Management & Incident Response; Patch Management; Antivirus & Endpoint Protection; Vulnerability Management; Configuration Auditing; Identity & Access Management; Network Protection]

• Measure performance to goals
• Cover the entire IT Ecosystem
• Objective, fact-based metrics
• Relevant & Actionable
• Benchmark with peer groups

Page 14: Continuous Monitoring 2.0

Valuable Peer Benchmarks

[Figure: Benchmark Performance Quadrants; Benchmark Performance Standard; Weekly Performance Benchmark; Participant Results]

Page 15: Continuous Monitoring 2.0

Analyze performance against Benchmarks & Identify underperforming areas

Page 16: Continuous Monitoring 2.0

Over 1,000 companies have joined nCircle Benchmark to-date

[Chart: nCircle Benchmark Accounts, 0 to 1,000, as of 7/20/12]

Financial Services Bellwether Metrics

Metric: Average CVSS host score (per host)
  Benchmark average: 172   Benchmark median: 33
  Top 25%: 0 – 5   Second Quartile: 6 – 33   Third Quartile: 34 – 67   Bottom 25%: 68 – 700

Metric: Average days since last scan
  Benchmark average: 23   Benchmark median: 9
  Top 25%: 0 – 1 days   Second Quartile: 2 – 9   Third Quartile: 10 – 32   Bottom 25%: 33 – 90

Metric: Virus definition age (days)
  Benchmark average: 29   Benchmark median: 22
  Top 25%: 0 – 2 days   Second Quartile: 3 – 22   Third Quartile: 23 – 40   Bottom 25%: 41 – 56

Metric: Failed logins per attempt
  Benchmark average: .05%   Benchmark median: .04%
  Top 25%: .00 – .03%   Second Quartile: .040 – .049%   Third Quartile: .05 – .08%   Bottom 25%: .09 – .11%
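The bellwether table above is the output of a simple peer-benchmarking computation: collect one value per participating organisation, publish the average and median, cut the population into quartile bands, and tell each participant which band it falls in. The following Python is an added example written for this transcript, not nCircle's code; the peer-group values, metric names and the sample organisation's figures are constructed. It goes slightly beyond the slide in that it also handles higher-is-better metrics (the slide's four metrics are all lower-is-better), and it uses the nearest-rank percentile so every cut point is a real participant value, as the slide's medians appear to be.

```python
from math import ceil
from statistics import mean

BANDS = ("Top 25%", "Second quartile", "Third quartile", "Bottom 25%")

# Constructed peer-group data: one value per participating organisation.
# Illustrative numbers only, not nCircle Benchmark results.
PEER_GROUP = {
    # metric name: (participant values, lower_is_better)
    "days_since_last_scan": ([0, 1, 1, 2, 3, 5, 7, 9, 12, 15, 20, 32, 40, 45, 60, 90], True),
    "virus_definition_age_days": ([0, 1, 2, 2, 3, 8, 14, 22, 25, 30, 40, 41, 50, 56], True),
    "pct_hosts_fully_patched": ([50, 60, 70, 80, 90, 95, 99, 100], False),  # hypothetical metric
}


def percentile(values, p):
    """Nearest-rank percentile (0 < p <= 1): always an actual participant value."""
    s = sorted(values)
    return s[max(ceil(p * len(s)) - 1, 0)]


def cut_points(values):
    """(min, Q1, median, Q3, max) of the peer group, in ascending order."""
    if not values:
        raise ValueError("a benchmark needs at least one participant")
    return (min(values), percentile(values, 0.25), percentile(values, 0.5),
            percentile(values, 0.75), max(values))


def band_index(value, cuts, lower_is_better=True):
    """0 = best band ... 3 = worst band for `value` measured against `cuts`."""
    _, q1, q2, q3, _ = cuts
    ascending = sum(value > q for q in (q1, q2, q3))  # how many cuts it exceeds
    return ascending if lower_is_better else 3 - ascending


def summarize(values, lower_is_better=True):
    """Benchmark average, median and quartile bands ordered best -> worst.

    Each band is (label, lower_edge, upper_edge); a value belongs to the first
    band whose upper edge it does not exceed, so for a lower-is-better metric
    the Top 25% band holds the smallest values.
    """
    lo, q1, q2, q3, hi = cut_points(values)
    edges = [(lo, q1), (q1, q2), (q2, q3), (q3, hi)]
    if not lower_is_better:
        edges.reverse()  # for higher-is-better, the largest values are best
    return {
        "average": mean(values),
        "median": q2,
        "bands": [(label, a, b) for label, (a, b) in zip(BANDS, edges)],
    }


def scorecard(org_values, peer_group=PEER_GROUP):
    """Place one organisation's metric values into the peer-group bands."""
    card = {}
    for metric, value in org_values.items():
        values, lower_is_better = peer_group[metric]
        card[metric] = BANDS[band_index(value, cut_points(values), lower_is_better)]
    return card


if __name__ == "__main__":
    for metric, (values, lower) in PEER_GROUP.items():
        print(metric, summarize(values, lower))
    # Constructed figures for one participant, scored against the peer group.
    print(scorecard({"days_since_last_scan": 9,
                     "virus_definition_age_days": 41,
                     "pct_hosts_fully_patched": 99}))
```

The design point is in `band_index`: direction is decided per metric, so a scorecard can mix "days since last scan" (lower is better) with a coverage percentage (higher is better) and still report every metric on the same Top 25% to Bottom 25% scale the slide uses.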

Page 17: Continuous Monitoring 2.0

Benchmarking in the Federal Space

• All the same security domains as commercial, plus…
• Agencies generate CyberScope continuous monitoring data, usually from SCAP XML files
• Generated using a wide and growing variety of SCAP validated solutions, numerous vendors
• Files uploaded to OMB once/month
• Files are
  – Human readable? Not so much
  – Don’t lend themselves to trending
  – Don’t lend themselves to comparative analysis
  – Readily ingested and processed by nCircle Benchmark data collectors

Page 18: Continuous Monitoring 2.0

Cyberscope: Executive Summary

Page 19: Continuous Monitoring 2.0

Asset Classification & Departmental Benchmark

Page 20: Continuous Monitoring 2.0

Vulnerabilities & Departmental Comparison

Page 21: Continuous Monitoring 2.0

SCAP Output

• Continuous Monitoring Metrics driven directly from SCAP data
  – Asset based Compliance, Vulnerability and Classification Scorecards
• Asset Grouping identifies areas of improvement and concentration of risk, or examines specific critical cyber assets
  – Intra- and Inter-Agency (Bureau/Service) Benchmark Comparisons
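Slides 17 and 21 describe the same pipeline: SCAP result files that are hard to read and trend by hand are parsed by a collector, scored per asset, rolled up by asset group, and then compared across bureaus. The Python below is an added example of that step, written for this transcript and not taken from nCircle Benchmark. It parses an XCCDF 1.2 result document (the `TestResult`, `target`, `rule-result` and `result` elements in the `http://checklists.nist.gov/xccdf/1.2` namespace are real XCCDF structure); the document itself, its rule ids, hostnames and the hostname-to-bureau asset grouping are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed XCCDF 1.2 result document: two hosts, four rules. Illustrative
# only; the benchmark/rule ids and hostnames are made up for this example.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_host1">
    <target>ws-0001.bureau-a.example</target>
    <rule-result idref="xccdf_example_rule_password_min_len"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_enabled"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_av_signatures_current"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_legacy_only"><result>notapplicable</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_host2">
    <target>srv-0002.bureau-b.example</target>
    <rule-result idref="xccdf_example_rule_password_min_len"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_av_signatures_current"><result>error</result></rule-result>
    <rule-result idref="xccdf_example_rule_legacy_only"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed asset grouping: hostname -> organisational unit (bureau).
ASSET_GROUPS = {
    "ws-0001.bureau-a.example": "Bureau A",
    "srv-0002.bureau-b.example": "Bureau B",
}

# XCCDF result values. "error"/"unknown" count against the host: a check that
# could not be evaluated is not evidence the control is in place.
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}


def parse_results(xml_text):
    """Yield (target, rule_id, result) for every rule-result in the document."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    for tr in root.iterfind("x:TestResult", ns):
        target = tr.findtext("x:target", default="", namespaces=ns)
        for rr in tr.iterfind("x:rule-result", ns):
            result = rr.findtext("x:result", default="unknown", namespaces=ns)
            yield target, rr.get("idref"), result.strip()


def host_scores(xml_text):
    """Per-host (passed, scored) counts after dropping excluded results."""
    tally = defaultdict(lambda: [0, 0])
    for target, _, result in parse_results(xml_text):
        if result in EXCLUDED:
            continue
        tally[target][1] += 1
        if result in PASSING:
            tally[target][0] += 1
    return {t: tuple(v) for t, v in tally.items()}


def group_scorecard(xml_text, groups=ASSET_GROUPS):
    """Compliance percentage per asset group, rolled up from host results."""
    totals = defaultdict(lambda: [0, 0])
    for target, (passed, scored) in host_scores(xml_text).items():
        group = groups.get(target, "Unassigned")
        totals[group][0] += passed
        totals[group][1] += scored
    return {g: round(100 * p / s, 1) for g, (p, s) in totals.items() if s}


def failing_rules(xml_text):
    """Rule ids ordered by how many hosts fail them: where risk concentrates."""
    counts = defaultdict(int)
    for _, rule, result in parse_results(xml_text):
        if result in FAILING:
            counts[rule] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(host_scores(SAMPLE_XCCDF))
    print(group_scorecard(SAMPLE_XCCDF))
    print(failing_rules(SAMPLE_XCCDF))
```

Run monthly over each upload, the `group_scorecard` output is the trend series the slide says the raw files do not lend themselves to, and the per-group percentages are what an intra-agency bureau comparison benchmarks. Real exports are usually wrapped in an ARF document rather than a bare `Benchmark`; the rule-result handling is the same once the `TestResult` elements are located.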

Page 22: Continuous Monitoring 2.0

SCAP: Executive Summary

Page 23: Continuous Monitoring 2.0

Asset Identification & Departmental Comparison

Page 24: Continuous Monitoring 2.0

Compliance & Departmental Comparison

Page 25: Continuous Monitoring 2.0

Vulnerabilities & Benchmark Community

Page 26: Continuous Monitoring 2.0

HQ Security Performance Comparison

Page 27: Continuous Monitoring 2.0

Benchmark Federal Notional Diagram

[Diagram: Cyberscope (Assets, Vulnerabilities, Configuration) – Cyberscope reporting and benchmark comparisons; Department – agencies, bureaus, FISMA locations, local requirements; Internal Benchmark Scorecards, by Asset Group, SCAP sources plus]

Page 28: Continuous Monitoring 2.0

Questions?

• Contact information:
  Keren Cummins, Director, Federal and MidAtlantic Programs
  (301) [email protected]

Page 29: Continuous Monitoring 2.0
