metric matters
play

Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com My - PowerPoint PPT Presentation

Mar 08, 2024 •260 likes •560 views

Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com My Perspective Information security metrics do not show us how we need to improve our defenses Image:

  1. Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com

  2. My Perspective Information security metrics do not show us how we need to improve our defenses

  3. Image: http://abcnews.go.com/Sports/2014-fifa-world-cup-us-goalie-tim-howard/story?id=24400295 3

  4. 4

  5. You keep using that word… Measure : The size, amount, or degree of something 2000 sessions/min  Metric : meta-data derived from analyzing 50x the average  measurements of a given variable over sessions/min time, or against a specific baseline or target Correlation : the appearance of statistical dependence Summers in NYC:  between measured events, without a causal More Murders relationship More Ice Cream Causation : the direct effect of one measured event on Hotter Temps  another (cause and effect relationship) More Electricity Threat : a malicious attempt to compromise the Malware,  confidentiality, integrity, availability, Targeted Attack, authenticity, utility, or possession of a given DOS, Fraud information asset* Risk : the probability of loss due to a given threat Data Breach  * With thanks to Donn Parker who defined the Parkerian Hexad in his book Fighting Computer Crime. New York, NY: John Wiley & Sons. ISBN 0-471-16378-3.

  6. We’ve got to ask ourselves a question 1) CIS Security Benchmarks 2) GIAC / SANS Unauthorized devices • Number of applications • Total count, avg hours online/device • Mean time to complete changes • IS Budget as % of IT Budget • Infrastructure configurations • # of insecure configs, mean time to repair • 3) 5 Strategic Security Metrics User admin accounts • Comparative spend • Total, %, mean time to remediate • Mean time to compliance • Incident Response • % of emergency changes • Mean time to detect, remediate • Are we measuring the right stuff? http://benchmarks.cisecurity.org/downloads/metrics/ http://www.darkreading.com/analytics/security-monitoring/five-strategic-security-metrics-to-watch/d/d-id/1137170? http://searchsecurity.techtarget.com/tip/Security-that-works-Three-must-have-enterprise-security-fundamentals

  7. Identify the threats  Identify causally significant metrics  Marginal threat levels – immediate feedback  Threat volumes and types – long term  Leverage immediate feedback to address current threat levels  Use long term metrics to refine and improve security posture  Select tools that can best help your team

  8. One more generic note What does Breach Detection address? Residual Risk Its time to start considering these sorts of technologies, and the intel they can provide as part of the whole equation.

  9. Top Level Classifications Recon: find a vulnerability  Initial Exploit: take advantage of recon  Compromise: privilege escalation, spread, etc.  C&C: check in with HQ  Actions: steal, corrupt, interrupt, etc.  Compliance: policy/procedure violations   Hygiene: misconfigured apps, etc. Advanced, targeted, its all the same stuff. The difference comes in the type of recon – specific, or how to hit the most targets.

  10. Threat Identification Tools

  11. Network Behavior Analysis  Volume, Direction, Frequency, and Scale + Ubiquitous, easy to scale + Encryption not an issue + Typically allows asset classification / valuation + Statistical analysis baselines and identifies “abnormal behavior” from various measures + Adds significant troubleshooting, performance analysis capabilities (budget / resource sharing) - May miss smaller attacks or compromises - No packet level analysis - Requires some care and feeding

  12. Network Behavior Anomaly Identification - > Actions Scales well (netflow is everywhere) • Built-in metrics with anomaly detections • Build groups to prioritize assets • Build alerts to monitor compliance • Integrate with authentication, network gear to • immediately identify affected users and devices What Sorts of Metrics? Session count • Volume by port, app, device • Drill down by group, port, • application, or device Malware propagation • Typical connection peers • Riverbed Cascade

  13. Behavior Clues Identify credible threats via Volumetric Analysis DNS • CnC traffic from malware outbreak? • External? -> Block outbound DNS • Internal? -> Check Server • ICMP • DOS, DDOS ?Botnet? • External? -> Block ICMP • Internal? -> Investigate • SMTP • Identify hosts & targets • External? -> Block SMTP • Internal? -> Check policies and reqs • Data Breach Netflow and Packet Analysis • Should that critical asset be • Add application specific data points • communicating with remote countries? Visually significant anomalies with drill Why did Alice’s salesforce connection • • volume increase by 400%? down capabilities allow for quick HTTP Session Count • investigation Increase by 200%? Adware, Click Fraud? • User Ed? Content filtering? • Bad headers? Stealth C&C? • Lancope StealthWatch

  14. Network Breach Detection + Typically combine IDS type functions with advanced malware id C&C / DGA analysis, obfuscated comm. channels, etc. + Able to correlate multiple attacks to a single host over time + Able to track small threats as well as more obvious ones - Can combine with other tools for SSL analysis - May require larger investments in architecture for full coverage - Performance reqs. may limit deployment options - Direct remediation available

  15. Breach Analysis Aggregate Measures Risk Based Prioritization Damballa Failsafe

  16. Threat Categorization Alerts by threat type leads to immediate possibilities for focusing remediation AlienVault USM

  17. Suspicious Details Damballa Failsafe

  18. Asset View Alerts by Asset Category Built In Metrics Damballa Failsafe

  19. Intelligent Alert Management Filter and quickly address multiple alerts to minimize information overload Damballa Failsafe

  20. Threat Analysis Alert correlation and detailed threat assessment AlienVault USM

  21. Major Challenges  Focus on the unknown  No CVE, focus is on behavior  Requires understanding of malware communications channels  Scope and Breadth of analysis  Aggregation of metrics, reporting  500 “breaches” are just as difficult to manage as 500 SIEM events  Still immature market & too much FUD

  22. Challenge Accepted Breach Detection -Sans Top 20!  Use behavioral analysis as top incident risk identification  As a front end tool, then leverage with SIEM, etc.  Or pipe detections into existing SIEMs  Review data  Fine detail for individual, credible threats  10km view for general insight into your network  Combine with other tools for more context  Threat feeds, reputations lists, etc.  Firewall / IDS / Sandbox / Server logs

  23. Open Formats "The ideal scenario is that everyone and every vendor uses the same format for indicators of compromise," he says. "You can use it to share threat data, so all of us can benefit .” Jaime Blasco Director, AlienVault http://www.darkreading.com/analytics/security-monitoring/red-october-response-shows-importance-of-threat-indicators/d/d-id/1139034?

  24. Ways to help the transition  Integrate Breach Detection Apply new technologies to mitigate risks before it’s a tool for residual risk   Reporting 500 discrete “Credible Threats” can be much more painful to deal with  than 10,000 identified CVEs  Integration of external intel The more the merrier   Asset Valuation Prioritize alerts based on value of involved assets   Open Integration IOCs, Observables, Veris, etc. 

  25. Malware Types by Remediation Veris threat sources Remediation Ideas  Adware, click fraud,  Better user education, browser attacks, etc. additional content controls  Recon, brute force, SQLi  Tighten admin controls  Command & Control  Leverage threat intel  Spam, DGA, DOS  Tighten Outbound controls  Policy Violation  Address violation, training http://veriscommunity.net

  26. Asset Classification A realistic asset classification system is a must (at least 3 priorities) • Preferably custom groupings to allow Risk based prioritization as • well as group based reporting for remediation focus Even better – ability to tie into existing asset value frameworks • Lancope StealthWatch

  27. Aggregate Metrics How bad are things today? AlienVault USM

  28. Conclusion  We’re losing everyday because we tend to focus on the attacks that we stop – looking at the known issues.  We need to start learning from the new, existing, and evolving threats that are already in our networks and leverage that data to improve across the field of information security Thanks for your time!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Metric Spaces Definition If d is a metric on X , then the metric topology on X induced by d is

Metric Spaces Definition If d is a metric on X , then the metric topology on X induced by d is

Metric Spaces Definition If d is a metric on X , then the metric topology on X induced by d is the topology generated by the basis = { B d ( X , ) : x X and > 0 } . The set X endowed with this topology is called the metric space (

52 views • 4 slides
Welcome back... Metric spaces. Approximate metric using a tree. Tree metric: 16 16 A metric

Welcome back... Metric spaces. Approximate metric using a tree. Tree metric: 16 16 A metric

Welcome back... Metric spaces. Approximate metric using a tree. Tree metric: 16 16 A metric space X , d ( i , j ) where d ( i , j ) d ( i , k )+ d ( k , j ) , X is nodes of tree with edge weights d ( i , j ) = d ( j , i ) , and d ( i , j )

376 views • 4 slides
Multiwavelength UV-metric and pH-metric determination of the dissociation constants of the

Multiwavelength UV-metric and pH-metric determination of the dissociation constants of the

Multiwavelength UV-metric and pH-metric determination of the dissociation constants of the hypoxia-inducible factor prolyl hydroxylase inhibitor Roxadustat * Milan Meloun 1 , Lucie Pilaov 1 , Milan Javrek 2 and Tom Pekrek 3 1

178 views • 15 slides
Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The

Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The

Metric Conversions Ladder Method T. Trimpe 2008 http://sciencespot.net/ Metric System The metric system is based on a base unit that corresponds to a certain kind of measurement Length = meter Volume = liter Weight (Mass) =

293 views • 11 slides
When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters Yogesh K. Ramadass, AnanthaGroup Microsystems Technology Laboratory Outline Outline Outline Outline

507 views • 36 slides
A quick review The clustering problem: Different representations homogeneity vs.

A quick review The clustering problem: Different representations homogeneity vs.

A quick review The clustering problem: Different representations homogeneity vs. separation Many possible distance metrics Many possible linkage approaches Method matters; metric matters; definitions matter; A quick review

851 views • 46 slides
Dynamical Systems Continuous maps of metric spaces We work with metric spaces, usually a

Dynamical Systems Continuous maps of metric spaces We work with metric spaces, usually a

Dynamical Systems Continuous maps of metric spaces We work with metric spaces, usually a subset of R n with the Euclidean norm. A map of metric spaces F : X Y is continuous at x X if it preserves the limits of convergent sequences,

409 views • 17 slides
Some remarks about metric spaces, 1 Stephen William Semmes Of course various kinds of metric

Some remarks about metric spaces, 1 Stephen William Semmes Of course various kinds of metric

Some remarks about metric spaces, 1 Stephen William Semmes Of course various kinds of metric spaces arise in various contexts and are viewed in various ways. In this brief survey we hope to give some modest indications of this. In particular,

566 views • 10 slides
Titus 1:5-9 It matters who you are as a leader and it matters what you do as a leader. God is

Titus 1:5-9 It matters who you are as a leader and it matters what you do as a leader. God is

Leadership Matters (Verb) I Titus 1:5-9 It matters who you are as a leader and it matters what you do as a leader. God is primarily interested in who you are and then what you do (Daniel Akin). The Pastoral Crucible I.

600 views • 23 slides
Shortest Path Similar Routing 2 A New Metric A new metric path- based metric that can use used

Shortest Path Similar Routing 2 A New Metric A new metric path- based metric that can use used

R outing S tate D istance: A Path-based Metric for Network Analysis Gonca Grsun joint work with joint work with Natali Ruchansky, Evimaria Terzi, Mark Crovella Distance Metrics for Analyzing Routing Shortest Path Similar Routing 2 A New

1.43k views • 48 slides
Information Theoretic Metric Learning Instructor: Sham Kakade 1 Metric Learning In k -nearest

Information Theoretic Metric Learning Instructor: Sham Kakade 1 Metric Learning In k -nearest

CSE 547/Stat 548: Machine Learning for Big Data Lecture by Adam Gustafson Information Theoretic Metric Learning Instructor: Sham Kakade 1 Metric Learning In k -nearest neighbors ( k -nn) and other classification algorithms, one crucial choice

221 views • 8 slides
S et the Bar Low. Be a WINNER every time. Public Power Matters Public Power Matters Innovation

S et the Bar Low. Be a WINNER every time. Public Power Matters Public Power Matters Innovation

S et the Bar Low. Be a WINNER every time. Public Power Matters Public Power Matters Innovation Workforce Advocacy Y our S tory Rates Matter Matters Matters Matters Matters Its the Rates, S tupid! Innovation Matters We must

280 views • 26 slides
GENERAL RULES OF MEASUREMENT All measurements are METRIC! Use the correct piece of

GENERAL RULES OF MEASUREMENT All measurements are METRIC! Use the correct piece of

November 05, 2015 GENERAL RULES OF MEASUREMENT All measurements are METRIC! Use the correct piece of equipment All measurements are METRIC! Make all readings at eye level All measurements are METRIC! If your measurement

287 views • 6 slides
+ + Technical tax update Various issues covered FRS 102 tax matters Practical matters

+ + Technical tax update Various issues covered FRS 102 tax matters Practical matters

+ + Technical tax update Various issues covered FRS 102 tax matters Practical matters re Pay and file tax deadline 2014 Research and development tax credits 1 + FRS 102 Tax matters The technical side Chapter 29 FRS 102

285 views • 26 slides
Distance Metric Learning: Beyond 0/1 Loss Praveen Krishnan CVIT, IIIT Hyderabad June 14, 2017 1

Distance Metric Learning: Beyond 0/1 Loss Praveen Krishnan CVIT, IIIT Hyderabad June 14, 2017 1

Distance Metric Learning: Beyond 0/1 Loss Praveen Krishnan CVIT, IIIT Hyderabad June 14, 2017 1 Outline Distances and Similarities Distance Metric Learning Mahalanobis Distances Metric Learning Formulation Mahalanobis metric for clustering

716 views • 44 slides
The Metric Coalescent joint with David Aldous Daniel Lanoue University of California, Berkeley

The Metric Coalescent joint with David Aldous Daniel Lanoue University of California, Berkeley

Introduction The Metric Coalescent The Metric Coalescent joint with David Aldous Daniel Lanoue University of California, Berkeley June 25, 2014 Daniel Lanoue The Metric Coalescent Introduction FMIE Processes The Metric Coalescent The

862 views • 33 slides
An R Primer Read dataframes Compiled Jun 04, 2020 (R 3.6.2) 16 R help fjles 15 Control

An R Primer Read dataframes Compiled Jun 04, 2020 (R 3.6.2) 16 R help fjles 15 Control

An R Primer Read dataframes Compiled Jun 04, 2020 (R 3.6.2) 16 R help fjles 15 Control Structures 14 Creating functions 13 Applying functions 12 Data types and structures in R 11 9 preparing for data manipulation and visualization

208 views • 16 slides
BOLD fMRI and fcMRI fcMRI in the Pediatric in the Pediatric BOLD fMRI and Brachial Plexus

BOLD fMRI and fcMRI fcMRI in the Pediatric in the Pediatric BOLD fMRI and Brachial Plexus

BOLD fMRI and fcMRI fcMRI in the Pediatric in the Pediatric BOLD fMRI and Brachial Plexus Injury Population Population Brachial Plexus Injury Jacques A. Machol IV, MD, 1,2 Rupeng Li, MD, PhD, 2 Nicholas A. Flugstad,MD, 1,2 Ji-Geng Yan, MD,

161 views • 14 slides
Recurrent Stroke In 34 Year-Old, Unusual Presentation of Non- Bacterial Endocarditis Zhang Y,

Recurrent Stroke In 34 Year-Old, Unusual Presentation of Non- Bacterial Endocarditis Zhang Y,

Arch Clin Med Case Rep 2020; 4 (2): 192-196 DOI: 10.26502/acmcr.96550185 Case Report Recurrent Stroke In 34 Year-Old, Unusual Presentation of Non- Bacterial Endocarditis Zhang Y, Klarich KW, Cicek S, Maleszewski J, Casanegra AI * Department of

328 views • 5 slides
Mostly typical simple arrangements like square or S S V , (1) ij hexagonal pattern have

Mostly typical simple arrangements like square or S S V , (1) ij hexagonal pattern have

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS AN EXTENDED NUMERICAL HOMOGENIZATION APPROACH FOR COMPOSITES WITH RHOMBIC FIBER ARRANGEMENTS H. Berger * , M. Wrkner, U. Gabbert Institute of Mechanics, University of Magdeburg,

216 views • 4 slides
WAVERL Y ELEMENTARY SCHOOL Design Development Report Scott W. Washington Director, School

WAVERL Y ELEMENTARY SCHOOL Design Development Report Scott W. Washington Director, School

Waverly Elementary School WAVERL Y ELEMENTARY SCHOOL Design Development Report Scott W. Washington Director, School Construction November 5, 2015 PARTNERS IN LEARNING Waverly Elementary School Project Update Existing gymnasium and main

415 views • 15 slides
Jackson Heights Landmarks Preservation Commission LPC# Request For Certificate of

Jackson Heights Landmarks Preservation Commission LPC# Request For Certificate of

3447 87 th St Jackson Heights Landmarks Preservation Commission LPC# Request For Certificate of Appropriateness For: Retroactive Permission for HVAC, Window Replacement, Front Walkway Replacement Context Photograph Historic District or Site

479 views • 10 slides
State of Illinois Addressing Healthcare Needs of the ABD Medicaid Population Jim Parker, Deputy

State of Illinois Addressing Healthcare Needs of the ABD Medicaid Population Jim Parker, Deputy

State of Illinois Addressing Healthcare Needs of the ABD Medicaid Population Jim Parker, Deputy Administrator Illinois Department of Healthcare and Family Services Division of Medical Programs Illinois Population Facts Total State

484 views • 19 slides
Monitoring Framework for NHSScotland National Cleaning Services Specification and Estates HAI

Monitoring Framework for NHSScotland National Cleaning Services Specification and Estates HAI

Monitoring Framework for NHSScotland National Cleaning Services Specification and Estates HAI Issues The NHSScotland Domestic Monitoring Tool (DMT) Chris Everden Project Manager - HFS Context Healthcare Associated Infection (HAI) remains

267 views • 13 slides

More recommend