
Public Data for Risk Management


Risk management requires you to estimate the frequency of stuff. Wish you had some data? Come and get it! It's like that Selena Gomez song: "when you're ready come and get it. Na na na na."


Kevin Thompson

May 13, 2014


Transcript

1. Public Data for Risk Management
   – Or –
   Putting the data in Data Driven Security
2. Agenda
   • Review risk management lifecycle
   • Cool pictures – managers like
   • Risk models – nerds like
   • Powered by data
   • Helping out

3. Who dat?
   • Kevin Thompson
     – Data Alchemist at Verizon
     – Co-author of DBIR (we'll see that later)
     – Fascinated by risk
   • Former board member, Society of Information Risk Analysts
   • Member of Society for Risk Analysis
     – CISSP, FAIR, ITIL, Security+

4. Talk to me
   • I'm friendly and I'll answer questions
     – Twitter: @bfist
   • I love to look at code too. Hit me up.
     – Github: blackfist
   • Want these slides?
     – https://speakerdeck.com/blackfist/
5. Risk Management
   • This is how we decide to allocate the scarce resources of our security budget.
   • Generally consists of impact, frequency, and controls at the most basic level.

6. "Risk is a measure of adverse deviation from the expectation, expressed at a level of uncertainty (probability)."
   "A New Approach for Managing Operational Risk", Society of Actuaries, 2010

7. Controversial statement
   • The ultimate goal of risk management is to reduce the cost of uncertain events happening to an IT system and to reduce the uncertainty around those costs.

8. Risk Management
   • Impact of what though? Frequency of what?
   • We call that Risk Identification.
   • I like to describe loss scenarios.
   • Later we'll see why that makes sense.

9. Risk Management
   • After risk identification we have risk assessment.
   • How bad will this hurt us?
   • Helps in prioritizing stuff.

10. Risk Management
   • Then we have risk control.
   • Actually putting stuff in place to reduce either the impact or frequency of bad stuff.

11. Risk Management
   • All 3 phases are present in any org that does not have infinite budget.
   • Lots of variation in the maturity of these phases from org to org.

12. Our task
   • Make it more mature.
   • Reduce uncertainty
   • Reduce cost
13. That's cool but …
   • The report gives you a way to sort the relative frequency of loss scenarios.

14. Various Risk Models
   • ALE
   • Binary Risk Assessment
   • FAIR
   • NIST 800-30

15. All of them
   • Try to figure out which threat scenarios will happen more often.
   • Often times we guess.
   • That's not all bad.

16. After the guessing
   • A guess that you write down becomes a testable hypothesis.
   • Now validate it with information.
   • Use the DBIR.
   • And you could stop here if you want.

17. You need some data
   • Vcdb.org has your data.
   • Detailed
   • Free
   • Growing
   • Community

18. Detailed
   • Every incident in the data set is based on the VERIS framework.
   • Can be very detailed
   • Can be very general too
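The two ideas in slides 13 to 18, ranking loss scenarios by how often they show up in the data and then treating a written-down guess as a hypothesis to be tested against VERIS-coded incidents, in working code. This is an added example, not the speaker's or the VCDB project's code. The incident records are constructed for the demo, and the field names (actor.external / internal / partner, action.hacking / malware / social / ..., asset.assets[].variety) follow the public VERIS JSON schema as I recall it; check them against the schema in the VCDB repository before pointing this at real data.

```python
"""Rank (actor, action) loss scenarios by observed frequency in VERIS-style
incident records and check a written-down guess against the data.

Added example, not the talk's or VCDB's code. Field names follow the VERIS JSON
schema as I recall it; treat them as an assumption and verify against the schema.
"""
import json
from collections import Counter
from math import sqrt

ACTOR_CATEGORIES = ("external", "internal", "partner")
ACTION_CATEGORIES = ("malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental")

# Constructed records in VERIS shape for the demo. They are NOT real VCDB incidents.
SAMPLE_INCIDENTS = [
    {"incident_id": "demo-1", "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"hacking": {"variety": ["SQLi"], "vector": ["Web application"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]}},
    {"incident_id": "demo-2", "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]},
                "malware": {"variety": ["Backdoor"]}},
     "asset": {"assets": [{"variety": "S - Database"}]}},
    {"incident_id": "demo-3", "actor": {"internal": {"variety": ["End-user"]}},
     "action": {"misuse": {"variety": ["Privilege abuse"]}},
     "asset": {"assets": [{"variety": "S - Database"}]}},
    {"incident_id": "demo-4", "actor": {"internal": {"variety": ["End-user"]}},
     "action": {"error": {"variety": ["Misdelivery"]}},
     "asset": {"assets": [{"variety": "M - Documents"}]}},
    {"incident_id": "demo-5", "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"physical": {"variety": ["Theft"]}},
     "asset": {"assets": [{"variety": "U - Laptop"}]}},
    {"incident_id": "demo-6", "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"social": {"variety": ["Phishing"]},
                "hacking": {"variety": ["Use of stolen creds"]}},
     "asset": {"assets": [{"variety": "P - End-user"}, {"variety": "S - Mail"}]}},
    # A public report that named no method: coded as action unknown (a valid VERIS answer).
    {"incident_id": "demo-7", "actor": {"external": {"variety": ["Unknown"]}},
     "action": {"unknown": {"notes": "article names no method"}},
     "asset": {"assets": [{"variety": "Unknown"}]}},
    {"incident_id": "demo-8", "actor": {"external": {"variety": ["Activist"]}},
     "action": {"hacking": {"variety": ["SQLi"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]}},
]


def load_incidents(paths):
    """For real data: VCDB keeps one JSON object per file (repo layout as I recall it)."""
    incidents = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            incidents.append(json.load(fh))
    return incidents


def actor_categories(inc):
    return [c for c in ACTOR_CATEGORIES if c in inc.get("actor", {})] or ["unknown"]


def action_categories(inc):
    return [c for c in ACTION_CATEGORIES if c in inc.get("action", {})]


def asset_varieties(inc):
    return [a.get("variety", "Unknown") for a in inc.get("asset", {}).get("assets", [])]


def action_is_unknown(inc):
    return "unknown" in inc.get("action", {}) or not action_categories(inc)


def rank_scenarios(incidents):
    """Relative frequency of (actor, action) scenarios, most frequent first.

    An incident counts once for every distinct scenario it matches, so shares may
    sum to more than 1 (the DBIR uses the same convention). Records whose action
    is unknown leave the denominator and are reported separately, so thin public
    sources do not silently dilute every share.
    """
    known = [inc for inc in incidents if not action_is_unknown(inc)]
    counts = Counter()
    for inc in known:
        for actor in actor_categories(inc):
            for action in action_categories(inc):
                counts[(actor, action)] += 1
    n = len(known)
    ranked = sorted(((key, c, c / n) for key, c in counts.items()),
                    key=lambda row: (-row[1], row[0]))
    return ranked, n, len(incidents) - n


def matches(inc, actor=None, action=None, asset=None):
    """True when the incident fits every specified part of a loss scenario."""
    return ((actor is None or actor in actor_categories(inc))
            and (action is None or action in action_categories(inc))
            and (asset is None or asset in asset_varieties(inc)))


def check_guess(incidents, guessed_share, z=1.96, **scenario):
    """Compare a written-down guess ("X% of incidents look like this") with the
    observed share. A Wilson score interval (z=1.96 for ~95%) makes a small sample
    show its uncertainty instead of a falsely precise point estimate."""
    known = [inc for inc in incidents if not action_is_unknown(inc)]
    n = len(known)
    if n == 0:
        raise ValueError("no incidents with a known action to test against")
    k = sum(1 for inc in known if matches(inc, **scenario))
    z2 = z * z
    center = (k + z2 / 2) / (n + z2)
    half = z / (n + z2) * sqrt(k * (n - k) / n + z2 / 4)
    lower, upper = max(0.0, center - half), min(1.0, center + half)
    return {"scenario": scenario, "matched": k, "known": n, "observed": k / n,
            "lower": lower, "upper": upper, "guess": guessed_share,
            "consistent": lower <= guessed_share <= upper}


if __name__ == "__main__":
    ranked, n, unknown = rank_scenarios(SAMPLE_INCIDENTS)
    print(f"{n} incidents with a known action, {unknown} coded unknown")
    for (actor, action), count, share in ranked:
        print(f"{actor:9s} {action:13s} {count:3d} {share:6.1%}")
    print(check_guess(SAMPLE_INCIDENTS, 0.30, actor="external", action="hacking"))
```

On the constructed records, "external actor, hacking" matches 4 of 7 incidents with a known action, and a guess of 30% lands inside the interval while a guess of 10% does not. With seven records the interval is wide; that width is the uncertainty the talk wants you to reduce, and it narrows as you feed in the thousands of VCDB incidents instead of a demo list.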
19. Free
   • All content is Creative Commons licensed.
   • No worrying that the data will get closed off and restricted down the road.
   • Open source project, open source data

20. That's perfect
   • No, not quite.
   • Only the detail found in public reports
   • Not always accurate

21. But you can make it better
   • This is a community project.
   • There is a lot of work that needs to be done.
   • Go to vcdb.org and volunteer.

22. Help out
   • Go to vcdb.org
   • Click on the volunteer link
   • You might get instructions on how to volunteer
   • You might get presented an article and asked to code it right now

23. Open Source Project
   • Vcdb.org links to github.
   • Get the firehose.
   • Follow @verisdb on twitter

24. Open Source Project
   "If you've ever wanted to contribute to an open source project but you're not a good programmer then this is the project for you."
   -- me

25. Y U NO ASK QUESTIONS?
   Kevin Thompson
   Twitter: @bfist
   Github: blackfist
   Speakerdeck: blackfist