Security Metrics and Their Importance

Transcription

1 Security Metrics and Their Importance Dave Losen Sr Security Engineer Sergeant Laboratories

2 Why Metrics? Drive and improve your security process Give management meaningful trends to manage the security process Quickly highlight actionable items and tweak the security process Measure to Manage

3 Collecting Data: Typically you. Pull in logs, mine AD data, collect inventory reports..etc Then... Organize data with spreadsheets, databases and/or other report tools Ultimately you re trying to find trends in that data to make decisions

4 Common Issues With Metrics Collecting and organizing the data is time consuming Producing consistent results is nearly impossible Limited direction - there are no indications on what the next steps should be What should we collect, measure or keep track of? Typically: Collecting is not organized if it s not a process, it s manual

5 Where to Start? Pick metrics that reference your applicable frameworks such as - FISMA HIPAA NIST CSC Top 20 Controls PCI Review the frameworks that best meet your industry, start collecting.

6 How to Start? Find a technology that can collect the metrics. Asset Inventory -> CSC Control 1 & 2 Active Directory -> Privilege User Management (NIST AC2) Log Aggregation -> NIST AU 6 / CSC Control 6 User Behavior / Access -> NIST PL 4 (Acceptable Use) Risk Assessment - > NIST RA 1-5 Configuration Change Management NIST CM 1-11 Tools need to provide consistent results and have the ability to be repeatable.

7 Examples of Key Security Metrics to Manage Privileged User Management Failed Logons and Lockouts Outside Vendors VPN & Remote Sessions Activity Critical Files Accessed Personal Identifiable Data Risk Enumeration Configuration / Misconfigurations / Asset Inventory

8 Privilege User Management Principles of Least Privileges NIST AC-6(7) Least Privileges / Review Privileges Metric Relationships - Privilege Change = New Administrator Remote Access by Privileged Account Concurrency of Privileged Accounts - NIST AC 10

9 Privileged User Management

10 Account Access: Failed Logon / Lockouts Security Issue or IT Problem NIST AC 7 Unsuccessful Login Attempts Metric Relationships - Failed Count vs. Lockout count Console vs Remote Access Type of account failing to login / locked out

11 Failed Logons and Lockouts

12 Remote Access: Outside Vendor / VPN Access Need to know who connects remotely to devices NIST AC 17 Verify Allowed Remote Access Metric Relationships - Remote Connect - Known Client Device VPN - RDP - Travel East / West NIST Guide to Enterprise Telework

13 Vendors VPN and Remote Sessions

14 Critical File Access: Data Loss Prevention Access to Devices, Files and Programs programs NIST AC Metric Relationships - File / Directory Read, Writes & Deletions Print Jobs - Who prints large volume of documents Use of Removable Storage Devices

15 Critical File Access

16 Personal Identifiable Data Access Control of SSN, Account Numbers, Credit Card Numbers NIST SP , HIPPA, PCI Metric Relationships - User Behavior - Forensic Audits Keywords, numeric sequences

17 Personal Identifiable Data

18 Risk Assessment NIST RA 1-6 Metrics to define a Risk Assessment Policy Metric Relationships - Critical, Cyber Hygiene or End of Life Patchable vs Not Patchable / Not Available Identify - Host, Ports, Applications, OS Version, Patches, Configurations Acceptable Risk Audit Risk Assessment - Repeatable Process

19 Risk and Patch Management

20 Auditing the Risk Process

21 Asset Inventory Practical Approach is the best - What do we have and who uses it. CIS - Critical Security Controls 1 & 2 Metric Relationships - Hardware, OS & Role Software, Usage & Role User Accounts, Cyber Hygiene & Utilization

22 Asset Inventory

23 Configuration Most Secure Network is a well Configured Network - Rob Joyce NSA Chief Hacker NIST CM 1-11 Configuration Management Metric Relationships - AD Changes, Privilege / User Rights Group Policy, Audit Policy Changes Firewall, Switches and Router Changes CIS - Benchmarks

24 Configurations / Misconfigurations

25 Security Metrics - Summary Identify metrics that meet your business needs Utilize a proven methodology for success. (Double Accounting) Start by selecting a few specific key metrics and expand from there Organize into a meaningful, actionable and repeatable process. Manage the process, not the technology

26 Questions & Comments Thank you for attending this session on security metrics