Implementing a security metrics dashboard in Telefónica España

Transcription

1 Implementing a security metrics dashboard in Telefónica España Vicente Segura (vsg@tid.es) Date: 1/14/2009 4th ETSI Security Workshop 14 January ETSI, Sophia Antipolis, France

2 Index 01 Introduction - Objectives - Main challenges 02 Methods and tools for collecting measures - High level security framework - Methods and tools 03 Composing derived measures - Composing department derived measures - Example of a tree of derived measures 04 Tool screenshots 05 Conclusion 2

3 01 Introduction Objectives To assess compliance and meet some requirements: To adapt to the particular structure of the organization System 1_1 System 1_2 Department 1 System 1_... Organization Department 2 System 1_y Department Department n To assess compliance with as many standards and regulations as needed LOPD ISO CoBIT Telefónica To automate collection of data to assess compliance when possible Data 3

4 01 Introduction Challenges To facilitate (and automate) the collection of measures from existing systems Agent To compose derived measures from the collected base measures We obtain base measures of individual systems, but we want to have an insight of the compliance of an entire department To identify proper derived measures to assess compliance Attribute 1_1_1 Attribute 1_1_2 System 1_1 Attribute 1_1_... System 1_2 Departmen t 1 Attribute 1_1_z System 1_... Organization Departmen t 2 System 1_y Departmen t Departmen t n SBIXX Percentage of systems that implements RBAC to control 4

5 02 Methods and tools for collecting measures High level security framework Security metrics dashboard Policy definition Enforcement Monitoring and responding Measuring and reporting BCP and DRP Risk management Organization security policy BIA Education and awareness Awareness and education assessment User base centralized management Identity and access management Network access control Process People Technology SIM Security configuration management Traffic filtering Patch manage ment Vulnerability management Source: Forrester - Defining a high level security framework 5

6 02 Methods and tools for collecting measures Methods for collecting measures (1/2) Security metrics dashboard Agent Questionnaire Measures managed by existing systems Measures not managed by existing systems Process People Technology 6

7 02 Methods and tools for collecting measures Methods for collecting measures (2/2) Security metrics dashboard Automated attributes collection Manual attributes collection Agent Environment 1 Agent HTTPS Questionnaire DB <xml>.csv Environment 2 DB Agent <xml>.csv DB Agent <xml> Environment 3.csv 7

8 02 Methods and tools for collecting measures Agent configuration We configure its behaviour in an XML file: Environment 1 Agent <xml>.csv It can send measures periodically For each measured attribute we must indicate where to take its: Value Context We also can collect the quality of the measure 8

9 03 Composing derived measures Adaptation to organization requirements But we are also interested in obtaining derived measures at these levels Organization Department 1 Department 2 Department Department n System 1_1 System 1_2 System 1_... System 1_y Attribute 1_1_1 Attribute 1_1_2 Attribute 1_1_... Attribute 1_1_z Most of the measures are obtained at this level 9

10 03 Composing derived measures Composing department derived measures Department 1 System 1_1 System 1_2 4 System 1_ System 1_n Collection agent System attributes measures Department attributes measures 10 Department derived measures

11 03 Composing derived measures Tree of measures for each department Global compliance Authentication and Identification Business Continuity Backup and recovery Software control Network and communications Audit and monitoring records Systems developments and maintenance Information classification Access Control Network segmentation Monitoring Secure management % of systems that have different networks for management, users access and backup % of systems segmented according risk requirements % of systems monitored by IDS % of server which are securely managed Derived measures Number of systems with different networks for management, user access and backup Number of systems rightly segment Number of systems monitored by IDS Number of systems Number of systems securely managed Base measures per department 11

12 04 Tool screenshots Compliance levels for each department * The data contained in this screenshot are not real 12

13 04 Tool screenshots Compliance levels for each department * The data contained in this screenshot are not real 13

14 04 Tool screenshots Historic evolution of compliance * The data contained in this screenshot are not real 14

15 04 Tool screenshots Management of measures and derived measures * The data contained in this screenshot are not real 15

16 04 Tool screenshots Management of measures and derived measures * The data contained in this screenshot are not real 16

17 04 Tool screenshots Management of derived measures tree * The data contained in this screenshot are not real 17

18 05 Conclusion Other uses of security metrics: risk analysis? Organizations have much more information than they think: let s take it and use it Future steps: To extend compliance assessment to other generic contexts (services, business processes). Not just areas and systems To define ontologies to configure the agent 18

19 19

20