Alex hutton metricon


Transcript of Alex hutton metricon

Page 1: Alex hutton metricon

Only the wisest and stupidest of men never change.

- Confucius

Tuesday, August 10, 2010

Page 2: Alex hutton metricon

Cybertrust Security

Bridging Risk Modeling, Threat Modeling, and Operational Metrics With the VERIS Framework

or: Data? WTH do we do now?!

Alex Hutton (@alexhutton)


Page 3: Alex hutton metricon

State of the Industry

Ranum: Pseudoscience

Hutton: Kuhn’s Protoscience

• somewhat random fact gathering (mainly of readily accessible data)

• a “morass” of interesting, trivial, irrelevant observations

• A variety of theories (that are spawned from what he calls philosophical speculation) that provide little guidance to data gathering


Page 4: Alex hutton metricon


[Figure: Threat Landscape, Controls Landscape, Impact Landscape and Asset Landscape surrounding risk, including capabilities (skills, resources, decision quality...)]


Page 5: Alex hutton metricon

Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners

- Jack Jones


Page 6: Alex hutton metricon


Verizon RISK Team: Operating Model

[Figure: Framework + Models + Data]

- VERIS is our framework that provides context


Page 7: Alex hutton metricon


A Brief Overview of VERIS (the Verizon Enterprise Risk & Incident Sharing Framework)


Page 8: Alex hutton metricon

Verizon has shared data


Page 9: Alex hutton metricon

- 2010: ~900 cases (900 million records)


Page 10: Alex hutton metricon

Verizon is sharing our framework


Page 11: Alex hutton metricon

Verizon Enterprise Risk & Incident Sharing (VERIS) Framework

it’s open*!

* kinda


Page 12: Alex hutton metricon

What is the Verizon Incident Sharing (VERIS) Framework?

- A means to create metrics from the incident narrative

- how Verizon creates measurements for the DBIR

- how *anyone* can create measurements from an incident

- http://securityblog.verizonbusiness.com/wp-content/uploads/2010/03/VerIS_Framework_Beta_1.pdf


Page 13: Alex hutton metricon

What makes up the VERIS framework?

- Demographics

- Incident Classification

- Event Modeling (A4)

- Discovery & Mitigation

- Impact Classification

- Impact Modeling


Page 14: Alex hutton metricon


What VERIS Contains

The Incident Classification section employs Verizon's A4 event model.

A security incident (or threat scenario) is modeled as a series of events. Every event is composed of the following four A's:

- Agent: Whose actions affected the asset

- Action: What actions affected the asset

- Asset: Which assets were affected

- Attribute: How the asset was affected

[Figure: Incident as a chain of events, 1 > 2 > 3 > 4 > 5 > ...]
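The A4 chain maps directly onto a data structure, and once incidents are recorded that way the "metrics from the incident narrative" fall out as counts. The Python below is an added example, not Verizon's VERIS code; the sample cases are constructed and the category names (External, Hacking, Server, Confidentiality, ...) are illustrative assumptions rather than the framework's exact enumerations.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One link in the incident chain, described by the four A's."""
    agent: str      # whose actions affected the asset
    action: str     # what actions affected the asset
    asset: str      # which asset was affected
    attribute: str  # how the asset was affected


@dataclass
class Incident:
    case_id: str
    events: list  # ordered chain: event 1 > event 2 > ... (list of Event)


def a4_frequencies(incidents):
    """Count the incidents in which each agent/action/asset/attribute value occurs.
    A value is counted once per incident, so an incident with three hacking
    events still adds one to 'Hacking' (a share-of-incidents style metric).
    """
    counts = {dim: Counter() for dim in ("agent", "action", "asset", "attribute")}
    for inc in incidents:
        for dim, counter in counts.items():
            for value in {getattr(ev, dim) for ev in inc.events}:
                counter[value] += 1
    return counts


def share_of_incidents(incidents, dim, value):
    """Fraction of incidents in which `value` appears for dimension `dim`."""
    return a4_frequencies(incidents)[dim][value] / len(incidents)


def action_sequences(incidents):
    """Tally the ordered action chain of each incident (patterns of tactics)."""
    return Counter(tuple(ev.action for ev in inc.events) for inc in incidents)


# Constructed sample cases; category names are illustrative assumptions.
SAMPLE_CASES = [
    Incident("a", [Event("External", "Social", "People", "Integrity"),
                   Event("External", "Malware", "User device", "Integrity"),
                   Event("External", "Hacking", "Server", "Confidentiality")]),
    Incident("b", [Event("External", "Hacking", "Server", "Confidentiality")]),
    Incident("c", [Event("Internal", "Misuse", "Server", "Confidentiality")]),
    Incident("d", [Event("Partner", "Hacking", "Server", "Confidentiality"),
                   Event("Partner", "Malware", "Server", "Confidentiality")]),
]
```

Run `a4_frequencies(SAMPLE_CASES)` to get per-A counts over the four cases, and `action_sequences(SAMPLE_CASES)` to see which action chains recur.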


Page 15: Alex hutton metricon


[Figure: an incident narrative, modeled as a chain of events (1 > 2 > 3 > 4 > 5) and tagged with demographics, incident classification (A4), discovery & mitigation and impact classification ($), yields incident metrics]


Page 16: Alex hutton metricon


[Figure: case studies a through f, each an A4 event chain tagged with demographics, incident classification (A4), discovery & mitigation and impact classification, combined into a data set]


Page 17: Alex hutton metricon

VERIS Data Comes From...

- External Sources

- Internal Sources

- DBIR + Secret Service is the start of the VERIS data set.


Page 18: Alex hutton metricon

Good Lord Of The Dance, Models and data sharing!

Page 19: Alex hutton metricon

Using VERIS (DBIR) Data (Verizon's Internal Model)

- Traditional GRC dictates "likelihood & impact"

- VERIS data can be used in "traditional" risk management:

  - weights

  - distribution development


Page 20: Alex hutton metricon

Using VERIS (DBIR) Data (Verizon's Internal Model)


Page 21: Alex hutton metricon


What VERIS Does

Data-driven decisions


Page 22: Alex hutton metricon

Friederich Hayek invades my dreams to give me visions of a future approach

or, "How Jose Cardenal's sweet afro could change the industry!"


Page 23: Alex hutton metricon

[Figure: Threat Landscape, Controls Landscape, Impact Landscape and Asset Landscape surrounding risk]

The synthesis of information creates a "one true risk statement", which over time becomes a multitude of probabilistic point statements.


Page 24: Alex hutton metricon

from Mark Curphey’s SecurityBull$#!*


Page 25: Alex hutton metricon

Page 26: Alex hutton metricon

Page 27: Alex hutton metricon

Page 28: Alex hutton metricon

These “risk” statements you’re making, I don’t think you’re doing it right.

- (Chillin’ Friederich Hayek)


Page 29: Alex hutton metricon

Page 30: Alex hutton metricon

Page 31: Alex hutton metricon

Page 32: Alex hutton metricon

Page 33: Alex hutton metricon

Page 34: Alex hutton metricon


VERIS Software (shhhhhhh)

- screenshots here-


Page 35: Alex hutton metricon

Using VERIS (DBIR) Data (data sharing)

- VERIS data can provide comparative analytics

- This would be extremely useful in a notional view of risk management

- Incidents are evidence of (in)effectiveness

- Hey Richard, time framing VERIS events might help answer the "why 2 hours" question you get!


Page 36: Alex hutton metricon

[Figure: Threat Landscape, Controls Landscape, Impact Landscape and Asset Landscape surrounding risk]

multitude of probabilistic point statements...


Page 37: Alex hutton metricon

[Figure: Threat Landscape, Controls Landscape, Impact Landscape and Asset Landscape surrounding risk]

the deconstruction of risk information to create a balanced scorecard?


Page 38: Alex hutton metricon

[Figure: Threat Landscape, Controls Landscape, Impact Landscape and Asset Landscape surrounding risk]

a VERIS-data based scorecard with synthesis not based on probabilistic point statements, but on correlation to successes and failures (can/should be supplemented with other operational and business metrics).

- Threats: frequencies, capabilities, variety (patterns of tactics)

- Assets: frequencies in incidents, vulnerability management, capability & management metrics

- Controls: capability & management metrics, incidents back to decision management

- Impact: histories (internal, external)


Page 39: Alex hutton metricon

[Figure: Threat Landscape, Controls Landscape, Impact Landscape and Asset Landscape surrounding risk]

- Informative: (We know these traits are more indicative of "failures" or "successes" - esp. if we could ever build on Visible Ops for Security research)

- Comparative: ("We rank well" or "We suck eggs")

- Business Relevant: ("Sucking eggs at these things leads to these sorts of compromise which leads to losses somewhere in this distribution.")

a VERIS-data based scorecard with synthesis not based on probabilistic point statements, but on correlation to successes and failures.


Page 40: Alex hutton metricon

evidence based medicine, meet information security

What is evidence-based risk management?

a deconstructed, notional view of risk


Page 41: Alex hutton metricon

Risk Modeling becomes Operationally Important


Page 42: Alex hutton metricon

Patterns are cool.

- (Chillin’ Friederich Hayek)


Page 43: Alex hutton metricon


[Figure: case studies a through f, each an A4 event chain tagged with demographics, incident classification (A4), discovery & mitigation and impact classification, combined into a data set]


Page 44: Alex hutton metricon

[Figure: the data set of case studies a through f, each tagged with demographics, incident classification (A4), discovery & mitigation and impact classification, turned into knowledge & wisdom]


Page 45: Alex hutton metricon

[Figure: the data set of case studies a through f, each tagged with demographics, incident classification (A4), discovery & mitigation and impact classification, queried for threat information; event 3 of one chain is highlighted]


Page 46: Alex hutton metricon

[Figure: the data set of case studies a through f, each tagged with demographics, incident classification (A4), discovery & mitigation and impact classification, queried for threat information as shared data]


Page 47: Alex hutton metricon


Page 48: Alex hutton metricon

evidence-based risk management: data-driven treatment.


Page 49: Alex hutton metricon


https://verisframework.wiki.zoho.com

@alexhutton
