
Measurable Security at ISACA Annual Conference 2012

shomiron
September 13, 2012


SHOMIRON DAS GUPTA, Presenting at the ISACA Annual Conference 2012 held in Mumbai, India.

Transcript

  1. The Perfect Backdrop

     - 14,000 Athletes
     - 205 Olympic Teams
     - 26 Sports in 39 Disciplines
     - Lifetime of dreams, years of effort, just for that moment of glory
     - So how does it feel to be the best in the world?

     The Sports Eval. System: Besides the dream our athletes are chasing, the London Olympics 2012 also becomes the theme of this talk!
  2. Competition: A Culture

     Some probable answers: We compete to measure ourselves, to evaluate our performance against the rest.

     Some questions:
     - Why do we compete?
     - Why do we want to assess our performance every time?
     - Does this process help us improve?
     - Are we able to set higher benchmarks for next time?
  3. Measurability: A Process

     - Essential to identify each system that needs to be measured and improved over time
     - Once identified, a data collection process needs to be implemented
     - Evaluation and constant tracking of the information is key to setting benchmarks
     - Finally, a rank / percentage / number against each essential process is what is required
  4. Few Grey Areas: Attention!

     - Vulnerability Assessment
       - I already have vulnerability assessment systems
       - Am I able to review the current risk we are running?
     - Attack Detection
       - How secure are we? Do we have a number?
       - What percentage of attacks can we detect?
     - Incident Handling
       - Can my team detect attacks effectively?
       - Are they able to respond in real time?
  5. Case Study: Attack Detection

     Scenario:
     - I have everything: Intrusion Prevention, SIEM, WAF, the works
     - I have application security consulting and my team deploys secure coding practices

     Realization:
     - I may be able to prevent attacks, but are we able to detect them?
     - How do I know if my systems are able to detect all the attacks?
  6. Talk: Application Security

     - Microsoft: No more vulnerabilities :(
       - Where are those "heaps" of buffer overflows?
       - Next-gen attacks hit only the applications
       - You and I have made these apps
     - Safe Applications: Tested
       - Good coding practices have been adopted
       - Applications are tested thoroughly
     - No Attack Detection from Apps
       - Apps notify exceptions to the app owners
       - Apps provide no detection information
  7. Other Issues: Incident Handling

     Procedures: Most organizations have invested in developing their incident handling processes and procedures.
     Capability: We have built our security operations, but how can we assess the capability of the members of this team?
     Preparedness: Being available and awake is the first step, but delivering the correct attack analysis at 3 am is the challenge.
     Measurability: How do we check the preparedness of my team and their capability to consistently deliver the correct analysis?

     We have it, we just need to measure its efficiency.
  8. Not My Solution: Pointers!

     CAPEC: A comprehensive list of all the different attacks that exist; it can be used to measure the capability of your detection system.
     CWE: Common Weakness Enumeration, already being used by the software industry for better coding practices.
     SCAP: Security Content Automation Protocol, a family of tools that helps bring together various aspects of security monitoring.
     Cyber Drills: CERT-In conducts cyber drills to evaluate the detection capability and response systems of participating teams.

     Greener pastures for the Consulting Industry!
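The measurement the deck argues for in slides 3 to 8 (a number per attack class, per control and per shift, produced by drilling against an attack catalogue) as an added Python example; this is not code from the deck, from CAPEC or from CERT-In, and the attack categories, control names and drill log are constructed.

```python
"""Detection-coverage scorecard for a cyber drill (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Injection:
    category: str               # attack class; a real drill would key on CAPEC ids
    shift: str                  # "day" or "night" (slide 7: correct analysis at 3 am)
    detected_by: Tuple[str, ...]  # controls that raised an alert, () if none did
    analysis_correct: Optional[bool]  # analyst verdict right? None if never seen
    minutes_to_detect: Optional[int]


# Constructed drill log (not real telemetry): 4 attack classes x 2 shifts.
DRILL = [
    Injection("SQL injection", "day", ("WAF", "SIEM"), True, 4),
    Injection("SQL injection", "night", ("WAF",), False, 15),
    Injection("Cross-site scripting", "day", ("WAF",), True, 6),
    Injection("Cross-site scripting", "night", (), None, None),
    Injection("Brute force", "day", ("SIEM",), True, 9),
    Injection("Brute force", "night", ("SIEM",), True, 22),
    Injection("Buffer overflow", "day", (), None, None),
    Injection("Buffer overflow", "night", (), None, None),
]


def pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 0.0


def coverage_by_category(drill):
    """Slide 4: 'What percentage of attacks can we detect?', per attack class."""
    seen, hit = defaultdict(int), defaultdict(int)
    for inj in drill:
        seen[inj.category] += 1
        hit[inj.category] += bool(inj.detected_by)
    return {c: pct(hit[c], seen[c]) for c in seen}


def control_hit_rate(drill):
    """Slide 5: 'I have everything' vs. which control actually fired."""
    counts = defaultdict(int)
    for inj in drill:
        for ctl in inj.detected_by:
            counts[ctl] += 1
    return {c: pct(n, len(drill)) for c, n in sorted(counts.items())}


def analyst_consistency(drill):
    """Slide 7: correctness and speed per shift, over detected injections only."""
    out = {}
    for shift in ("day", "night"):
        det = [i for i in drill if i.shift == shift and i.detected_by]
        mean_min = round(sum(i.minutes_to_detect for i in det) / len(det), 1) if det else None
        out[shift] = {"correct_pct": pct(sum(i.analysis_correct for i in det), len(det)),
                      "mean_minutes_to_detect": mean_min}
    return out


def overall_score(drill) -> float:
    """One number for the board: detected AND correctly analysed, over all injected."""
    return pct(sum(1 for i in drill if i.detected_by and i.analysis_correct), len(drill))
```

Running the four functions over DRILL gives a per-class coverage table, the share of injections each control caught, a day/night analyst comparison and a single overall percentage, which is the "rank / percentage / number" slide 3 asks for.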