Risk Management - Time to blow it up and start over? - Alex Hutton
Transcript of the slide deck (uploaded by security-b-sides).
![Page 1: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/1.jpg)
Risk Management: Time to blow it up and start over?
@alexhutton
![Page 2: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/2.jpg)
Met E.T. Jaynes: Probability Theory, The Logic of Science
![Page 3: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/3.jpg)
Kuhn’s Protoscience: a stage in the development of a science that is described by:
• somewhat random fact gathering (mainly of readily accessible data)
• a “morass” of interesting, trivial, irrelevant observations
• a variety of theories (spawned from what he calls philosophical speculation) that provide little guidance to data gathering
![Page 4: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/4.jpg)
only the wisest and stupidest of men never change
- Confucius
![Page 5: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/5.jpg)
Destroy GRC: Musings of a Risk Management Deconstructivist
![Page 6: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/6.jpg)
A feeling of disconnect between GRC and Security
![Page 7: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/7.jpg)
let’s talk governance
![Page 8: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/8.jpg)
governance, without metrics & models, is superstition
governance, with metrics & models, describes capability to manage risk
![Page 9: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/9.jpg)
Why does what you execute on and how you execute matter?
![Page 10: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/10.jpg)
![Page 11: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/11.jpg)
![Page 12: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/12.jpg)
governance, without metrics & models, is superstition
governance, with metrics & models, describes capability to manage risk
measurably good governance practices (can/will) reduce risk
measurably good governance is simply a description of capability to manage risk
![Page 13: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/13.jpg)
not sucking eggs at security is a good idea
![Page 14: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/14.jpg)
compliance*, without metrics, is superstition
compliance*, with metrics, is risk management
*(regulatory)
![Page 15: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/15.jpg)
But “GRC” Risk Management
Find issue, call issue bad, fix issue, hope you don’t find it again...
![Page 16: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/16.jpg)
What is risk?
![Page 17: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/17.jpg)
a. Risk is notional
b. Risk is tangible
![Page 18: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/18.jpg)
Problems with “tangible”
- complex systems, complexity science
- usefulness outside of the very specific
- measurements
- lots of belief statements
![Page 19: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/19.jpg)
How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)
Richard I. Cook, MD, Cognitive Technologies Laboratory, University of Chicago
http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf
![Page 20: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/20.jpg)
Catastrophe requires multiple failures; single point failures are not enough.
The array of defenses works. System operations are generally successful. Overt catastrophic failure occurs when small, apparently innocuous failures join to create opportunity for a systemic accident. Each of these small failures is necessary to cause catastrophe but only the combination is sufficient to permit failure. Put another way, there are many more failure opportunities than overt system accidents. Most initial failure trajectories are blocked by designed system safety components. Trajectories that reach the operational level are mostly blocked, usually by practitioners.
Complex systems contain changing mixtures of failures latent within them.
The complexity of these systems makes it impossible for them to run without multiple flaws being present. Because these are individually insufficient to cause failure they are regarded as minor factors during operations. Eradication of all latent failures is limited primarily by economic cost but also because it is difficult before the fact to see how such failures might contribute to an accident. The failures change constantly because of changing technology, work organization, and efforts to eradicate failures.
![Page 21: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/21.jpg)
Complex systems run in degraded mode.
Post-accident attribution to a ‘root cause’ is fundamentally wrong.
All practitioner actions are gambles.
Human expertise in complex systems is constantly changing.
Change introduces new forms of failure.
Views of ‘cause’ limit the effectiveness of defenses against future events.
![Page 22: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/22.jpg)
Problems with “notional”
- becomes difficult to extract wisdom - we want a “Gross Domestic Product”
- unable to be defended
- pseudo-scientific
- lots of belief statements
![Page 23: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/23.jpg)
from Mark Curphey’s SecurityBullshit
![Page 24: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/24.jpg)
What is risk?
![Page 25: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/25.jpg)
uses of “risk”
- engineering - complex systems says “no”
- financial - no 110% return on your firewall
- medical - requires data
![Page 26: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/26.jpg)
our standards say:
Find issue, call issue bad, fix issue, hope you don’t find it again...
![Page 27: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/27.jpg)
Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners
- Jack Jones
![Page 28: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/28.jpg)
evidence based medicine, meet information security
What is evidence-based risk management?
a deconstructed, notional view of risk
![Page 29: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/29.jpg)
Threat Landscape
Controls Landscape
Loss Landscape
Asset Landscape
risk
![Page 30: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/30.jpg)
Threat Landscape
Controls Landscape
Loss Landscape
Asset Landscape
risk
a balanced scorecard?
![Page 31: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/31.jpg)
Threat Landscape
Controls Landscape
Loss Landscape
Asset Landscape
risk
a balanced scorecard?
capability (destroys “g” introducing quality management & mgmt. science elements into infosec)
exposure
change
“compliance” simply becomes a factor of loss landscape and/or operating as a control group for comparative data
![Page 32: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/32.jpg)
The Achilles heel again, lack of data
![Page 33: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/33.jpg)
Models and data sharing
Good Lord Of The Dance, something a vendor might actually help you with
![Page 34: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/34.jpg)
Verizon Incident Sharing Framework
it’s open*!
* kinda
![Page 35: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/35.jpg)
Verizon has shared data
![Page 36: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/36.jpg)
- 2009 – over 600 cases
- 2010 – between 1000 & 1400
![Page 37: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/37.jpg)
Verizon is sharing our framework
![Page 38: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/38.jpg)
What is the Verizon Incident Sharing (VerIS) Framework?
- A means to create metrics from the incident narrative
- how Verizon creates measurements for the DBIR
- how *anyone* can create measurements from an incident
- http://securityblog.verizonbusiness.com/wp-content/uploads/2010/03/VerIS_Framework_Beta_1.pdf
![Page 39: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/39.jpg)
What makes up the VerIS framework?
- Demographics
- Incident Classification
- Event Modeling (a4)
- Discovery & Mitigation
- Impact Classification
- Impact Modeling
![Page 40: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/40.jpg)
Cybertrust Security
demographics:
- company industry
- company size
- geographic location of business unit in incident
- size of security department
![Page 41: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/41.jpg)
incident classification:
- agent: what acts against us (external, partner, internal)
- asset: what the agent acts against (type, function)
- action: what the agent does to the asset (hacking, malware, social, physical, misuse, error, environmental)
- attribute: the result of the agent’s action against the asset (confidentiality, availability, integrity, possession, utility, authenticity)
![Page 42: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/42.jpg)
the series of events (a4) creates an “attack model”: event 1 > 2 > 3 > 4 > 5
incident classification becomes the a4 event model
![Page 43: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/43.jpg)
discovery & mitigation:
- incident timeline
- discovery method
- evidence sources
- control capability
- corrective action: most straightforward manner in which the incident could be prevented
- the cost of preventative controls
![Page 44: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/44.jpg)
impact classification:
- impact categorization: sources of impact (direct, indirect), similar to ISO 27005/FAIR
- impact estimation: distribution for amount of impact
- impact qualification: relative impact rating
![Page 45: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/45.jpg)
demographics, incident classification (a4: events 1 > 2 > 3 > 4 > 5), discovery & mitigation, impact classification
incident narrative becomes incident metrics
![Page 46: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/46.jpg)
case studies a, b, c, d, e, f, each recorded as demographics, incident classification (a4 event chain), discovery & mitigation and impact classification
case studies become a data set
![Page 47: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/47.jpg)
data set (case studies a to f, each with demographics, incident classification (a4), discovery & mitigation, impact classification)
data set becomes knowledge & wisdom
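As an added example (not from the slides or the VerIS framework document), this Python sketch shows how an incident narrative is encoded as a chain of a4 events and how a data set of such incidents yields the per-incident counts the slides call "incident metrics". The agent, action and attribute enumerations are those listed on the slides; the Incident fields, helper names and the three case studies are constructed here.

```python
from collections import Counter
from dataclasses import dataclass

# A4 enumerations as listed on the slides; asset stays free text (type/function).
AGENTS = {"external", "partner", "internal"}
ACTIONS = {"hacking", "malware", "social", "physical", "misuse", "error", "environmental"}
ATTRIBUTES = {"confidentiality", "availability", "integrity", "possession", "utility", "authenticity"}

@dataclass(frozen=True)
class A4Event:
    """One agent / action / asset / attribute event in an incident's chain."""
    agent: str
    action: str
    asset: str
    attribute: str

    def __post_init__(self):
        for value, allowed in ((self.agent, AGENTS), (self.action, ACTIONS),
                               (self.attribute, ATTRIBUTES)):
            if value not in allowed:
                raise ValueError(f"not a VerIS A4 value: {value!r}")

@dataclass
class Incident:
    industry: str          # demographics: company industry
    events: list           # ordered A4 events, i.e. the "attack model"
    discovery_method: str  # discovery & mitigation
    impact_usd: float      # impact estimation (a point value, not a distribution)

def attack_model(incident):
    """Reduce the event chain to its ordered (agent, action) path."""
    return tuple((e.agent, e.action) for e in incident.events)

def metrics(dataset):
    """Incident metrics: an incident counts once per agent/action/attribute it involves."""
    def per_incident(key):
        return Counter(v for i in dataset for v in {key(e) for e in i.events})
    impacts = sorted(i.impact_usd for i in dataset)
    return {
        "incidents": len(dataset),
        "agents": per_incident(lambda e: e.agent),
        "actions": per_incident(lambda e: e.action),
        "attributes": per_incident(lambda e: e.attribute),
        "discovery": Counter(i.discovery_method for i in dataset),
        "attack_models": Counter(attack_model(i) for i in dataset),
        "median_impact_usd": impacts[len(impacts) // 2] if impacts else None,
    }

# Constructed case studies (hypothetical, not DBIR data), each already an A4 chain.
DATASET = [
    Incident("retail", [A4Event("external", "social", "store employee", "integrity"),
                        A4Event("external", "malware", "POS terminal", "confidentiality")],
             "third-party fraud detection", 250_000.0),
    Incident("healthcare", [A4Event("internal", "misuse", "patient database", "confidentiality")],
             "internal audit", 40_000.0),
    Incident("finance", [A4Event("external", "hacking", "web application", "integrity"),
                         A4Event("external", "hacking", "customer database", "confidentiality")],
             "log review", 900_000.0),
]
```

Counting per incident rather than per event keeps a long attack chain from inflating the action counts, which is the convention a DBIR-style percentage needs.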
![Page 48: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/48.jpg)
threat modeling from the data set (case studies a to f: demographics, incident classification (a4), discovery & mitigation, impact classification)
![Page 49: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/49.jpg)
![Page 50: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/50.jpg)
impact modeling from the data set (case studies a to f: demographics, incident classification (a4), discovery & mitigation, impact classification)
![Page 51: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/51.jpg)
![Page 52: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/52.jpg)
Problems:
Data sharing, incidents, privacy
Failures vs. successes (where management capability helps)
Talking to the business owner (might still need a “tangible” approach here, but pseudo-actuarial data can help; we still want a GDP)
![Page 53: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/53.jpg)
Successes:
Bridge the gap (IRM becomes tactically actionable based on threat/attack modeling)
(Capability measurements bridged to notional increase/decrease in risk)
(Complex system problems addressed by showing multiple sources of causes)
Accurate, notional likelihood
Accurate, tangible impact
![Page 54: Risk Management - Time to blow it up and start over? - Alex Hutton](https://reader033.fdocuments.us/reader033/viewer/2022052619/5555cf3cd8b42a711f8b4961/html5/thumbnails/54.jpg)
Requirements:
Data Sets
Models
Technology
Sciences - complexity, management/TQM/Probability/Game Theory, biomimicry...