Measuring the Performance and Effectiveness of Critical security - - PowerPoint PPT Presentation



SLIDE 1

Measuring the Performance and Effectiveness of Critical security controls

William Makatiani

SLIDE 2

About Serianu Limited

Serianu is a Pan-African cyber security and business consulting firm. We are an award-winning company in the African cybersecurity sector that helps our customers collect, protect, and analyze critical business information.

Our Partnerships

  • Paladion Networks - Mumbai, India
  • Liquid Telecom - Africa
  • Global Honeynet Project – Kenyan chapter founding members
  • USIU-Africa – Research and Data Analysis Partner

SLIDE 3

24/7 Cyber Security Command Centre: Serianu Cyber-Threat Command Centre (SC3)

SLIDE 4

Africa Cyber Immersion Centre

SLIDE 5

Top 10 Cyber security Priorities for 2018

SLIDE 6

SLIDE 7

SLIDE 8

Objectives

  • Introduce the inherent risk profiling methodology and approach
  • Introduce the top critical cyber security controls and the metrics measurement approach
  • Discuss testing the effectiveness of critical cyber resilience and visibility controls
  • Discuss how metrics can be used to facilitate decision making and improve performance and accountability
  • Discuss how to develop metrics that are quantifiable, observable and objective, with data supporting the metrics
  • Discuss how organisations can use metrics to apply corrective actions and improve performance
  • Discuss how metrics can be packaged and delivered to different stakeholders - senior management and board members

SLIDE 9

Content

  • Topic 1: Introduction to Cyber Security metrics and Performance Measurement approach
  • Topic 2: Developing and Implementing monitoring use cases and scenarios
  • Topic 3: Breach scenario analysis
  • Topic 4: Cyber security visibility statements

SLIDE 10

Content

  • Topic 1: Introduction to Cyber Security metrics and Effectiveness Monitoring
  • Topic 2: Developing and Implementing monitoring use cases and scenarios
  • Topic 3: Breach scenario analysis
  • Topic 4: Cyber security visibility statements

SLIDE 11

Cyber Security Metrics and Performance

Metrics are designed to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. It is important to understand the environment you are operating in, i.e. banking, insurance, academia, etc. This involves understanding the:

  • Top risks
  • Controls for mitigating these risks
  • Testing of these controls

SLIDE 12

Cyber Security Metrics and Performance

Metrics are designed to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. It is important to understand the environment you are operating in. This involves understanding the:

  • Top risks and inherent risks
  • Controls for mitigating these risks
  • Testing of these controls

SLIDE 13

Cyber Security Metrics and Performance

This process enables institutions to identify their risks and determine their cybersecurity maturity. The approach provides a repeatable process to measure preparedness over time.

SLIDE 14

Cyber Security Metrics and Monitoring

Various frameworks provide guidelines for assessing security posture and the frequency of these assessments, namely:

  • ISO 27001
  • PCI DSS
  • NIST
  • CBK Guidelines
  • Africa Cyber Security Framework (ACSF)

SLIDE 15

Measuring cyber security performance and effectiveness

Three step approach:

  • Inherent Risk Profiling – Semi-Annual
  • Benchmarking and Maturity Assessment - Annual
  • Visibility and Resilience Monitoring - Periodical
  • Incident Trending and Reporting - Continuous

SLIDE 16

Inherent Risk Profiling

Cybersecurity inherent risk is the level of risk posed to the institution by the following:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

SLIDE 17

Inherent Risk Profiling

  • Inherent risk incorporates the type, volume, and complexity of the institution’s operations and the threats directed at the institution. Inherent risk does not include mitigating controls.
  • The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk.
  • The profile helps management determine the exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution.

SLIDE 18

Inherent Risk Profiling and Monitoring

Each data point is rated on five levels of inherent risk (Least, Minimal, Moderate, Significant, Most):

Technology / Technologies and Connection Types – Total number of Internet service provider (ISP) connections (including branch connections)
  • Least: No connections
  • Minimal: Minimal complexity (1-20 connections)
  • Moderate: Moderate complexity (21-100 connections)
  • Significant: Significant complexity (101-200 connections)
  • Most: Substantial complexity (>200 connections)

Technology / Technologies and Connection Types – Unsecured external connections, number of connections not users (e.g., file transfer protocol (FTP), Telnet, rlogin)
  • Least: None
  • Minimal: Few instances of unsecured connections (1–5)
  • Moderate: Several instances of unsecured connections (6–10)
  • Significant: Significant instances of unsecured connections (11–25)
  • Most: Substantial instances of unsecured connections (>25)

Processes / Organizational Characteristics – Mergers and acquisitions (including divestitures and joint ventures)
  • Least: None planned
  • Minimal: Open to initiating discussions or actively seeking a merger or acquisition
  • Moderate: In discussions with at least 1 party
  • Significant: A sale or acquisition has been publicly announced within the past year; in negotiations with 1 or more parties
  • Most: Multiple ongoing integrations of acquisitions are in process

People / Organizational Characteristics – Direct employees (including information technology and cybersecurity contractors)
  • Least: Number of employees totals <50
  • Minimal: Number of employees totals 50–2,000
  • Moderate: Number of employees totals 2,001–10,000
  • Significant: Number of employees totals 10,001–50,000
  • Most: Number of employees is >50,000

Processes / Organizational Characteristics – Changes in IT environment (e.g., network, infrastructure, critical applications, technologies supporting new products or services)
  • Least: Stable IT environment
  • Minimal: Infrequent or minimal changes in the IT environment
  • Moderate: Frequent adoption of new technologies
  • Significant: Volume of significant changes is high
  • Most: Substantial change in outsourced provider(s) of critical IT services; large and complex changes to the environment occur frequently

Processes / Organizational Characteristics – Locations of branches/business presence
  • Least: 1 state
  • Minimal: 1 region
  • Moderate: 1 country
  • Significant: 1-20 countries
  • Most: >20 countries

Processes / Organizational Characteristics – Locations of operations/data centers
  • Least: 1 state
  • Minimal: 1 region
  • Moderate: 1 country
  • Significant: 1-20 countries
  • Most: >10 countries

Technology / External Threats – Attempted cyber attacks
  • Least: No attempted attacks or reconnaissance
  • Minimal: Few attempts monthly (<100); may have had generic phishing campaigns received by employees and customers
  • Moderate: Several attempts monthly (100–500); phishing campaigns targeting employees or customers at the institution or third parties supporting critical activities; may have experienced an attempted Distributed Denial of Service (DDoS) attack within the last year
  • Significant: Significant number of attempts monthly (501–100,000); spear phishing campaigns targeting high net worth customers and employees at the institution or third parties supporting critical activities; institution specifically is named in threat reports; may have experienced multiple attempted DDoS attacks within the last year
  • Most: Substantial number of attempts monthly (>100,000); persistent attempts to attack senior management and/or network administrators; frequently targeted for DDoS attacks

SLIDE 19

Benchmarking and Maturity Assessment

Designed to help management measure the institution’s level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness within the following four domains:

  • Anticipate Risk – Cyber Risk Management
  • Detect Vulnerabilities – Cyber Vulnerability Management
  • Respond to Incidents – Cyber Incident Management
  • Contain Threats – Cyber Threat Management

SLIDE 20

Cyber security Benchmarking and Maturity Framework

Cybersecurity Risk Management
  • Risk Management
  • People & Culture
  • Infrastructure Management
  • Access & Data Management
  • Third Party Management

Cybersecurity Vulnerability Management
  • Vulnerability Management
  • Patch Management
  • External Dependency Monitoring

Cybersecurity Incident Management
  • Event Detection
  • Response and Mitigation
  • Threat Intelligence

Cyberthreat Management
  • Cyber Risk Remediation
  • Information Sharing
  • Metrics and Reporting
  • Continuous Improvement

SLIDE 21

Benchmarking and Maturity Assessment

Overall Maturity Score: 8.68 (CYBER INFORMED)

Anticipate

| Domain(s) | Not Implemented (0) | Ad-Hoc (1) | Defined (2) | Measurable (3) | Optimized (4) | Weighted Score | Maturity Score |
|---|---|---|---|---|---|---|---|
| DOMAIN 1: GOVERNANCE AND STRATEGY | | 1 | 5 | 4 | | 23 | 2.30 |
| DOMAIN 2: RISK MANAGEMENT | 1 | 1 | 7 | 2 | | 21 | 1.91 |
| DOMAIN 3: PEOPLE AND CULTURE | 4 | 1 | 3 | 2 | | 13 | 1.30 |
| DOMAIN 4: INFRASTRUCTURE MANAGEMENT | | | 2 | 5 | | 19 | 2.71 |
| DOMAIN 5: ACCESS AND DATA MANAGEMENT | | 1 | 1 | 7 | 1 | 28 | 2.80 |
| DOMAIN 6: THIRD PARTY MANAGEMENT | | | 6 | 2 | | 18 | 2.25 |
| DOMAIN 7: BUSINESS CONTINUITY AND INCIDENT RESILIENCE PLANNING | | | 3 | 2 | | 12 | 2.40 |
| Total | 5 | 4 | 27 | 24 | 1 | 134 | 15.67 |

Detect

| Domain(s) | Not Implemented (0) | Ad-Hoc (1) | Defined (2) | Measurable (3) | Optimized (4) | Weighted Score | Maturity Score |
|---|---|---|---|---|---|---|---|
| DOMAIN 1: VULNERABILITY MANAGEMENT | 1 | 1 | 6 | 3 | | 22 | 2.00 |
| DOMAIN 2: PATCH MANAGEMENT | | | 1 | 2 | | 8 | 2.67 |
| DOMAIN 3: EXTERNAL DEPENDENCY MONITORING | | 1 | 1 | 6 | | 21 | 2.63 |
| Total | 1 | 2 | 8 | 11 | | 51 | 7.29 |

Respond

| Domain(s) | Not Implemented (0) | Ad-Hoc (1) | Defined (2) | Measurable (3) | Optimized (4) | Weighted Score | Maturity Score |
|---|---|---|---|---|---|---|---|
| DOMAIN 1: EVENT DETECTION | | 2 | 4 | 2 | | 16 | 2.00 |
| DOMAIN 2: RESPONSE AND MITIGATION | | | 6 | | | 12 | 2.00 |
| DOMAIN 3: THREAT INTELLIGENCE | 1 | | 2 | | | 4 | 1.33 |
| Total | 1 | 2 | 12 | 2 | | 32 | 5.33 |

Contain

| Domain(s) | Not Implemented (0) | Ad-Hoc (1) | Defined (2) | Measurable (3) | Optimized (4) | Weighted Score | Maturity Score |
|---|---|---|---|---|---|---|---|
| DOMAIN 1: CYBER RISK REMEDIATION | | | 4 | 2 | | 14 | 2.33 |
| DOMAIN 2: INFORMATION SHARING | 2 | 2 | | | | 2 | 0.50 |
| DOMAIN 3: METRICS AND REPORTING | | | 3 | 1 | | 9 | 2.25 |
| DOMAIN 4: CONTINUOUS IMPROVEMENT | 1 | | 2 | | | 4 | 1.33 |
| Total | 3 | 2 | 9 | 3 | | 29 | 6.42 |

Weighted Score = Sum (Weight of Control * No. of Controls)

Maturity Score = Weighted Score / No. of Controls

E.g. consider a "Domain X" which has 6 controls in total. Assume that of the 6 controls, 1 is "Not Implemented", 2 are "Defined" and 3 are "Optimized". The Weighted Score of Domain X = 1*0 + 2*2 + 3*4 = 16 and the Maturity Score of Domain X = 16 / 6 = 1.66.

[Gauge, scale 0–25] Score: 8.68
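The scoring on this slide, as an added example that is not part of the deck: a Python implementation of the two formulas above, with the counts per level read off the Anticipate table. The roll-up of the overall score as the mean of the four section totals is an assumption (it reproduces the 8.68 shown).

```python
"""Maturity-score calculator for the benchmarking table (added example).

Implements the slide's formulas: Weighted Score = sum(weight * number of
controls at that level) and Maturity Score = Weighted Score / number of
controls, then rolls domain scores up to the section total and the overall
score (assumed here to be the mean of the four section totals).
"""
from typing import Dict, Sequence

# Maturity levels and their weights, as in the table header.
LEVELS = ("Not Implemented", "Ad-Hoc", "Defined", "Measurable", "Optimized")
WEIGHTS: Dict[str, int] = {level: weight for weight, level in enumerate(LEVELS)}

# Counts per level read off the Anticipate table (levels not listed are zero).
ANTICIPATE: Dict[str, Dict[str, int]] = {
    "Governance and Strategy": {"Ad-Hoc": 1, "Defined": 5, "Measurable": 4},
    "Risk Management": {"Not Implemented": 1, "Ad-Hoc": 1, "Defined": 7, "Measurable": 2},
    "People and Culture": {"Not Implemented": 4, "Ad-Hoc": 1, "Defined": 3, "Measurable": 2},
    "Infrastructure Management": {"Defined": 2, "Measurable": 5},
    "Access and Data Management": {"Ad-Hoc": 1, "Defined": 1, "Measurable": 7, "Optimized": 1},
    "Third Party Management": {"Defined": 6, "Measurable": 2},
    "Business Continuity and Incident Resilience Planning": {"Defined": 3, "Measurable": 2},
}

# The slide's worked "Domain X": 1 Not Implemented, 2 Defined, 3 Optimized.
DOMAIN_X = {"Not Implemented": 1, "Defined": 2, "Optimized": 3}


def weighted_score(counts: Dict[str, int]) -> int:
    """Sum over levels of (weight of level * number of controls at that level)."""
    unknown = set(counts) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown maturity level(s): {sorted(unknown)}")
    return sum(WEIGHTS[level] * n for level, n in counts.items())


def maturity_score(counts: Dict[str, int]) -> float:
    """Weighted score divided by the number of controls in the domain."""
    total_controls = sum(counts.values())
    if total_controls <= 0:
        raise ValueError("a domain must contain at least one control")
    return weighted_score(counts) / total_controls


def section_total(domains: Dict[str, Dict[str, int]]) -> float:
    """Section 'Total' maturity score: the sum of its domains' maturity scores."""
    return sum(maturity_score(counts) for counts in domains.values())


def overall_score(section_totals: Sequence[float]) -> float:
    """Overall maturity score shown on the gauge: mean of the section totals (assumed)."""
    return sum(section_totals) / len(section_totals)


if __name__ == "__main__":
    for name, counts in ANTICIPATE.items():
        print(f"{name}: weighted={weighted_score(counts)} maturity={maturity_score(counts):.2f}")
    print(f"Anticipate total: {section_total(ANTICIPATE):.2f}")
    print(f"Domain X: weighted={weighted_score(DOMAIN_X)} maturity={maturity_score(DOMAIN_X):.2f}")
    print(f"Overall: {overall_score([15.67, 7.29, 5.33, 6.42]):.2f}")
```

For the slide's Domain X figures the functions return a weighted score of 16 and a maturity score of 16/6 = 2.67; the division as printed on the slide (1.66) does not match its own formula.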

SLIDE 22

Cyber Security Visibility and Resilience Monitoring

  • Cyber Security Visibility Monitoring is an innovative approach to enable organisations to measure, map and enhance their evolving cyber security posture, with the objective of providing senior business leadership with an appropriate understanding of the state of their information security efforts.
  • The approach provides organisations with a guide they can implement to capture an overall view of their security posture and helps to identify significant risks. The components map to the different controls that have been identified as being weak.

SLIDE 23

Top 10 Critical Cyber security Controls - Monitoring

  • 1.0 ASSET MANAGEMENT
  • 2.0 USER MANAGEMENT
  • 3.0 PRIVILEGED ACCOUNTS
  • 4.0 CHANGE MANAGEMENT
  • 5.0 VULNERABILITY MANAGEMENT
  • 6.0 MALWARE MANAGEMENT
  • 7.0 BREACH SCENARIO ANALYSIS
  • 8.0 MONITORING AND ANALYSIS
  • 9.0 INCIDENT RESPONSE AND RECOVERY
  • 10.0 TRAINING AND AWARENESS

SLIDE 24

Visibility and Resilience Monitoring

| Control | EXISTENCE (0.3) | COMPLETENESS (0.3) | TIMELINESS (0.2) | REPORTING (0.2) | VISIBILITY SCORE |
|---|---|---|---|---|---|
| 1.0 ASSET MANAGEMENT | | | | | |
| 2.0 USER MANAGEMENT | | | | | |
| 3.0 PRIVILEGED ACCOUNTS | | | | | |
| 4.0 CHANGE MANAGEMENT | | | | | |
| 5.0 VULNERABILITY MANAGEMENT | | | | | |
| 6.0 MALWARE MANAGEMENT | | | | | |
| 7.0 BREACH SCENARIO ANALYSIS | | | | | |
| 8.0 MONITORING AND ANALYSIS | | | | | |
| 9.0 INCIDENT RESPONSE AND RECOVERY | | | | | |
| 10.0 TRAINING AND AWARENESS | | | | | |

SLIDE 25

Existence and Completeness

Perimeter and Boundary | Network and Applications | Database and Transactions | Websites and Portals | Employees and Third Parties

Access Management

  • 1. Attempt to configure weak user account passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used. – Fully Implemented
  • 2. Attempt to re-use a user account password that was previously used for the account. Verify that the system requires unique new passwords during each update. – Not Implemented
  • 4. Attempt to gain access to password files stored on the system. If successful, identify whether passwords are cryptographically secured. – Fully Implemented, N/A

SLIDE 26

Timeliness and Effectiveness

Perimeter and Boundary | Network and Applications | Database and Transactions | Websites and Portals | Employees and Third Parties

Access Management

  • 1. Does the system audit and report on valid and invalid log-ins to user accounts? – Effective
  • 2. Does the system audit and report on valid and invalid log-ins to network and security device user accounts? – Not Effective
  • 3. Does the system lock users out after five (5) invalid attempts? – Partially Effective
  • 4. Do user account passwords expire at least every 90 days? – Not Effective

SLIDE 27

Reporting and Trending

Perimeter and Boundary | Network and Applications | Database and Transactions | Websites and Portals | Employees and Third Parties

Access Management

  • 1. How many invalid attempts to access user accounts have been detected within a period of time? – Fully Reports
  • 2. How many accounts have been locked out within a period of time? – Does not Report
  • 3. How many attempts to gain access to password files in the system have been detected within a period of time? – Partially Reports
  • 4. What is the percentage of systems on the organization's network that are not utilizing Network Access Control (NAC) with client certificates to authenticate to the organization's network (by business unit)? – Not Available

SLIDE 28

Automated Metrics

Perimeter and Boundary | Network and Applications | Database and Transactions | Websites and Portals | Employees and Third Parties

Access Management

  • 1. How many invalid attempts to access user accounts have been detected within a period of time? – Fully Reports
  • 2. How many accounts have been locked out within a period of time? – Does not Report
  • 3. How many attempts to gain access to password files in the system have been detected within a period of time? – Partially Reports
  • 4. What is the percentage of systems on the organization's network that are not utilizing Network Access Control (NAC) with client certificates to authenticate to the organization's network (by business unit)? – Not Available
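As an added example, not from the deck, here is one way to automate questions 1 and 2 above from authentication logs, applying the five-invalid-attempt lockout rule from the Timeliness slide; the log format, field names and sample lines are constructed for this example.

```python
"""Access-management metrics from authentication logs (added example).

Answers the slide's Q1 (invalid login attempts in a period) and Q2 (accounts
locked out) with the five-invalid-attempt lockout rule from the Timeliness
slide. Log format and sample lines are constructed: "<ISO time> <OK|FAIL> user=<account> src=<ip>".
"""

from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 5  # invalid attempts before lockout (Timeliness slide, Q3)
MARCH_2018 = (datetime(2018, 3, 1), datetime(2018, 4, 1))  # reporting period [start, end)

SAMPLE_LOG = """\
2018-03-01T08:00:01 FAIL user=alice src=10.0.0.5
2018-03-01T08:00:05 OK user=alice src=10.0.0.5
2018-03-01T09:10:00 FAIL user=svc_backup src=10.0.0.9
2018-03-01T09:10:02 FAIL user=svc_backup src=10.0.0.9
2018-03-01T09:10:04 FAIL user=svc_backup src=10.0.0.9
2018-03-01T09:10:06 FAIL user=svc_backup src=10.0.0.9
2018-03-01T09:10:08 FAIL user=svc_backup src=10.0.0.9
2018-03-02T11:00:00 FAIL user=bob src=192.0.2.7
malformed line that the parser must skip rather than guess at
2018-04-01T07:30:00 FAIL user=bob src=192.0.2.7
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse lines into (timestamp, result, account), time-sorted; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("OK", "FAIL") or not parts[2].startswith("user="):
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2][5:]))
        except ValueError:  # unparsable timestamp: drop the line, do not count it
            continue
    return sorted(events)


def invalid_attempts(events, start: datetime, end: datetime) -> int:
    """Q1: invalid login attempts detected within [start, end)."""
    return sum(1 for ts, result, _ in events if result == "FAIL" and start <= ts < end)


def locked_accounts(events, start: datetime, end: datetime) -> List[str]:
    """Q2: accounts whose consecutive failures in the period reached the threshold."""
    streak: Dict[str, int] = defaultdict(int)  # a successful login resets the counter
    locked: List[str] = []
    for _, result, account in (e for e in events if start <= e[0] < end):
        if result == "OK":
            streak[account] = 0
        else:
            streak[account] += 1
            if streak[account] == LOCKOUT_THRESHOLD:  # reported once per period
                locked.append(account)
    return locked


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(invalid_attempts(ev, *MARCH_2018), locked_accounts(ev, *MARCH_2018))
```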

SLIDE 29

Incident Trending and Reporting

This focuses on the following areas:

  • 1.0 ASSET MANAGEMENT
  • 2.0 USER MANAGEMENT
  • 3.0 PRIVILEGED ACCOUNTS
  • 4.0 CHANGE MANAGEMENT
  • 5.0 VULNERABILITY MANAGEMENT
  • 6.0 MALWARE MANAGEMENT
  • 7.0 BREACH SCENARIO ANALYSIS
  • 8.0 MONITORING AND ANALYSIS
  • 9.0 INCIDENT RESPONSE AND RECOVERY
  • 10.0 TRAINING AND AWARENESS

SLIDE 30

Incident Trending and Reporting

| Control | DESIGN | OPERATING | SIGNIFICANT | MATERIAL | TOTALS |
|---|---|---|---|---|---|
| 1.0 ASSET MANAGEMENT | | | | | |
| 2.0 USER MANAGEMENT | | | | | |
| 3.0 PRIVILEGED ACCOUNTS | | | | | |
| 4.0 CHANGE MANAGEMENT | | | | | |
| 5.0 VULNERABILITY MANAGEMENT | | | | | |
| 6.0 MALWARE MANAGEMENT | | | | | |
| 7.0 BREACH SCENARIO ANALYSIS | | | | | |
| 8.0 MONITORING AND ANALYSIS | | | | | |
| 9.0 INCIDENT RESPONSE AND RECOVERY | | | | | |
| 10.0 TRAINING AND AWARENESS | | | | | |

SLIDE 31

Content

  • Topic 1: Introduction to Cyber Security metrics and Performance Measurement approach
  • Topic 2: Developing and Implementing monitoring use cases and scenarios
  • Topic 3: Breach scenario analysis
  • Topic 4: Cyber security visibility statements

SLIDE 32

Key performance and effectiveness metrics

Regardless of the size, architecture or industry, a security analyst succeeds or fails by their ability to collect and understand:

The right data at the right time in the right context.

What should we then focus on?

When it comes down to it, we have two things: Assets and Users.

SLIDE 33

Key performance and effectiveness metrics

SLIDE 34

Key performance and effectiveness metrics

Key Static Metrics

  • Unauthorized Access
  • Vulnerabilities
  • Changes
  • Configurations

SLIDE 35

Key performance and effectiveness metrics

An analyst's key focus should revolve around the following:

  • Threshold Analysis: Volume, Velocity, Limits, Multiplicity
  • Profile Analysis
  • Correlation

SLIDE 36

SLIDE 37

Perimeter and Boundary

Columns: Control | Devices | Control Metric | Source for the log | Is the source collecting the log | Log retention on the device | Status | Reports | Rules | Alerts | Tested? | Comments

Devices: Firewall, NAC, NAT, VPN, routers, proxy systems, wireless Access Point (WAP)

Control Metric: attacks and violations, ports, anomalous request types, denial of service and false positives

Source for the log: Network and host IDS/IPS, WIDS

| Metric | Status | Reports | Rules | Alerts | Tested? | Comments |
|---|---|---|---|---|---|---|
| Malware | Partially | Pending | Pending | Pending | Pending | Pending IPS implementation |
| Authentication | Closed | ✓ | ✓ | ✓ | ✓ | Pending DLP implementation |
| Exploits | Partially | Pending | Pending | Pending | Pending | Pending IPS implementation |
| Access | Closed | ✓ | ✓ | ✓ | ✓ | N/A |
| Scanning | Closed | ✓ | ✓ | ✓ | ✓ | N/A |
| Performance | Closed | ✓ | ✓ | ✓ | ✓ | N/A |
| Availability | Closed | ✓ | ✓ | ✓ | ✓ | N/A |
| Data Loss Prevention | Pending | Pending | Pending | Pending | Pending | Pending DLP implementation |
| Configuration changes | Closed | ✓ | ✓ | ✓ | ✓ | N/A |

Network and Applications

SLIDE 38

Content

  • Topic 1: Introduction to Cyber Security metrics and Performance Measurement approach
  • Topic 2: Developing and Implementing monitoring use cases and scenarios
  • Topic 3: Breach scenario analysis
  • Topic 4: Cyber security visibility statements

SLIDE 39

Breach Scenario Analysis

What can go wrong with our current business processes? Which systems are most likely to be used to leverage the attack? Who is most likely to attack us? An insider? How will they attack us?

SLIDE 40

SLIDE 41

Content

  • Topic 1: Introduction to Cyber Security metrics and Performance Measurement approach
  • Topic 2: Developing and Implementing monitoring use cases and scenarios
  • Topic 3: Breach scenario analysis
  • Topic 4: Cyber security visibility statements

SLIDE 42

Cyber security Resilience and Visibility Statement

'The cyber security balance sheet.' Reports the level of visibility that management has into the cyber security posture of the organisation. It is based on the cyber security resources, investments and details of a company's security posture on a specific day. This is a snapshot of what the company looked like at a certain point in time.

SLIDE 43

Cyber security Deficiency and Incident Statement

'The cyber security income statement.' Reports incidents, activities, and the resulting impact, positive or negative, on an organisation during a specific time period. Compares the number of incidents in a certain period with the previous period. Shows key stakeholders and shareholders how efficiently the company mitigates cyber security threats with the available resources.

SLIDE 44

THE CYBER SECURITY RESILIENCE AND VISIBILITY STATEMENT

Visibility as at March 30, 2018

Asset Management – Hardware and Software (Databases, Servers, Laptops, Routers)

User Management – 1) Employees 2) Vendors 3) System Accounts 4) Customer Accounts

Breach Scenarios – 1) Insider Threats 2) External Threats

Monitoring and Analysis – 1) Logging 2) Static Metric Analysis 3) Threshold Analysis 4) Profiling 5) Correlation

Control Devices (one table per control area)

| Year | Existence | Completeness | Timeliness | Reporting | Visibility Score |
|---|---|---|---|---|---|
| 2018 | 80% | 80% | 60% | 60% | 70% |
| 2017 | 70% | 70% | 60% | 50% | 63% |

| Year | Existence | Completeness | Timeliness | Reporting | Visibility Score |
|---|---|---|---|---|---|
| 2018 | 60% | 50% | 40% | 30% | 45% |
| 2017 | 30% | 30% | 25% | 25% | 28% |

| Year | Existence | Completeness | Timeliness | Reporting | Visibility Score |
|---|---|---|---|---|---|
| 2018 | 70% | 66% | 70% | 70% | 69% |
| 2017 | 40% | 40% | 33% | 40% | 38% |

| Year | Existence | Completeness | Timeliness | Reporting | Visibility Score |
|---|---|---|---|---|---|
| 2018 | 80% | 78% | 71% | 78% | 77% |
| 2017 | 68% | 63% | 63% | 40% | 59% |

SLIDE 45

THE CYBER SECURITY DEFICIENCY AND INCIDENT STATEMENT

User Management

| Year | Design | Operating | Significant | Material |
|---|---|---|---|---|
| 2018 | 30 | 60 | 58 | 60 |
| 2017 | 66 | 56 | 53 | 56 |
| 2016 | 56 | 46 | 36 | 46 |

Privileged Accounts

| Year | Design | Operating | Significant | Material |
|---|---|---|---|---|
| 2018 | 80 | 75 | 70 | 75 |
| 2017 | 77 | 70 | 67 | 70 |
| 2016 | 70 | 65 | 60 | 65 |

Malware and Viruses

| Year | Design | Operating | Significant | Material |
|---|---|---|---|---|
| 2018 | 56 | 42 | 33 | 42 |
| 2017 | 55 | 40 | 30 | 40 |
| 2016 | 20 | 32 | 26 | 32 |

Monitoring and Analysis

| Year | Design | Operating | Significant | Material |
|---|---|---|---|---|
| 2018 | 68 | 63 | 61 | 63 |
| 2017 | 63 | 60 | 55 | 60 |
| 2016 | 60 | 55 | 51 | 55 |

SLIDE 46

Our Contacts: