security risk management vsales4 - cdw
Security Risk Management: World-Class Risk Management
March 8, 2007
CONFIDENTIAL
Executive Summary
Risk Management vs. Information Security
• Information Security is operationally focused and is driven by Security Product
• Risk Management defines strategy and is driven by Business Process
CSO Pain Points
• Capability Maturity – Immature processes do not provide business case or ROI justification
• Executive Communications – Operational metrics do not enable Decision Support
• Risk Management – Confused with Information Security
Security Risk Management Approach
• Step 1: Understand Security Risk Management (SRM)
• Step 2: Identify risks through applied technology
• Step 3: Enable repeatable risk management process through technology
• Step 4: Quantify and Qualify Security Risks
• Step 5: Continuously Manage Security Risk
"Security is not a Product, it's a Process."
– Bruce Schneier, Counterpane Internet Security, Inc.
Information Security vs. Risk Management
“[T]here is a propensity for organizations to frame security problems in technical terms, often ignoring the management and operational weaknesses that are root causes[.]
[R]isk management is a basic business function, and whether it is done implicitly or explicitly, it must be performed at an organizational level to be purposeful.”
– The Challenges of Security Management, Security Engineering Institute
CSO Challenges
• Perceived responsibilities are limited to vulnerability scanning and compliance enforcement
• Technical focus of Information Security excludes the CSO from business discussions
• Without a business platform, the CSO is forced to do more with less
• Operational reporting is limited by product capabilities – risk is not quantified or qualified
• Security platforms promote operational management – not continuous risk management
McAfee Security Risk Management (SRM)
Process, not Product
• Risk Management is not a one-time event or a stand-alone product; it is a continuous process
• Risk Management provides Continuity, Repeatability, Efficiency, and Assurance
• SRM is based on the System Security Engineering Capability Maturity Model (SSE-CMM)
Maturity ladder (diagram labels, in original order from initial stage to world-class): Initial stage; Event triggered; Needs definition; Resources allocated; Basic repetitive cycles (find/patch); Rudimentary performance tracking; Ideal state for non-public entity; SMB; Policy implementation; Regulations/compliance starting point; Info flows to head of security; State of Practice; End goal of regulations/compliance; Fiduciary responsibilities; Enterprise risk management; World-Class Risk Management; Process review; Tuning, perfecting; Maximize effectiveness; Full organizational potential
Process: 1. a systematic series of actions directed to some end; 2. a continuous action, operation, or series of changes taking place in a definite manner
Capabilities Maturity of SRM
According to the SSE-CMM:
“... higher quality products can be produced more cost-effectively by emphasizing the quality of the processes that produce them, and the maturity of the organizational practices inherent in those processes.”
Supporting products (diagram): Hercules, Foundstone, Intrushield, SIG, DLP, HIPS, VSE, Preventsys, ePO, MPE
McAfee SRM is a Level 5 Capability supported by McAfee Metrics.
McAfee SRM Process Enablement
Risk management cycle (diagram): Identify and Prioritize ASSETS → Determine Acceptable RISK → Implement PROTECTION → Measure COMPLIANCE
Products mapped to SSE-CMM levels:
• SSE-CMM Level 2: Foundstone
• SSE-CMM Level 2: Hercules
• SSE-CMM Level 3: Intrushield, Secure Internet Gateway, MPE, ePO/ToPS, VSE, HIPS, DLP
• SSE-CMM Level 3: Preventsys
• SSE-CMM Level 4: McAfee Metrics
• SSE-CMM Level 5: McAfee SRM
SRM Phase 1, 2 – FoundStone, Hercules
• FoundStone identifies and quantifies security risk at an implementation level – configuration/patch-based issues
• Hercules provides automated policy and vulnerability remediation
• Scans provide for ePO/Preventsys correlation and configuration compliance assessment
SRM Enablers
• Asset and Vulnerability Identification
• Quantification of Vulnerabilities
• Policy Compliance/Enforcement
SRM Phase 3 – ePO
• ePO can report against tactical remediation/implementation efforts (VSE, HIPS, MPE) for both managed and unmanaged systems
• Centralized reports provide actionable reports at the Security Engineer and Security Management level
SRM Enablers
• Policy management/enforcement
• Security metrics
• Remediation metrics
SRM Phase 4 – Preventsys
• Preventsys can be positioned against specific regulatory or industrial certifications (e.g. SOx, PCI)
• Policy Lab reports against the effectiveness of the controls framework supported through technology
SRM Enablers
• Compliance metrics platform
• Mapping of technical checks to regulation & policy frameworks
McAfee Metrics – Risk Indices
Risk Assessment
• Conducts qualified risk analysis against administrative and technical controls
• Based on policy/asset qualification and vulnerability scan data
• Provides metrics for ROSI analysis that effectively support business justification
• Provides modeling capability for the effect of security investments (i.e. enables decision support)
Risk Indices: Confidentiality = 61.31; Integrity = 32.83; Availability = 44.60; Audit = 64.28
Risk Profiles:
• Base = Policy Adherence (Industry Comparison)
• Current = Policy/Technology
• Simulated = Tech-Modeling
• Target = Acceptable Risk
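The modeling bullet and the four risk profiles above describe the decision support a risk index is meant to give: what the indices are today, what they would be after a planned investment, and where the business wants them. The Python below is an added example, not McAfee Metrics code. It uses a hypothetical scoring model (asset criticality per CIAA dimension multiplied by finding severity, discounted by the coverage of deployed controls) to produce Current indices, a Simulated profile for a planned control, and a comparison against Target values. The assets, findings, control coverage fractions and targets are all constructed, and the formula is an assumption of this example, not the product's method.

```python
"""CIAA risk indices with Current, Simulated and Target profiles.

Added example, not McAfee Metrics code. The scoring model is hypothetical:
each asset is qualified with a 1-5 criticality per dimension, each scan
finding has a 1-10 severity and the dimensions it affects, and a deployed
control removes a fraction of the exposure of the finding classes it covers.
An index is the residual exposure as a percentage of the uncontrolled worst
case, so 0 is no residual risk and 100 is no effective control at all.
All assets, findings, control coverage values and targets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

DIMENSIONS = ("confidentiality", "integrity", "availability", "audit")


@dataclass
class Asset:
    name: str
    criticality: Dict[str, int]  # dimension -> 1..5


@dataclass
class Finding:
    asset: str
    finding_class: str        # e.g. "missing_patch"
    severity: int             # 1..10
    affects: FrozenSet[str]   # subset of DIMENSIONS


# Hypothetical control coverage: control -> {finding class: fraction of exposure removed}
CONTROLS: Dict[str, Dict[str, float]] = {
    "hips": {"missing_patch": 0.7, "exploit_attempt": 0.9},
    "remediation": {"missing_patch": 1.0, "weak_config": 0.8},
    "dlp": {"data_exposure": 0.6},
}

# Constructed asset qualification and scan findings
ASSETS: List[Asset] = [
    Asset("db-01", {"confidentiality": 5, "integrity": 5, "availability": 4, "audit": 5}),
    Asset("web-01", {"confidentiality": 3, "integrity": 3, "availability": 5, "audit": 2}),
    Asset("kiosk-03", {"confidentiality": 1, "integrity": 2, "availability": 2, "audit": 1}),
]

FINDINGS: List[Finding] = [
    Finding("db-01", "missing_patch", 8, frozenset({"confidentiality", "integrity"})),
    Finding("db-01", "data_exposure", 6, frozenset({"confidentiality", "audit"})),
    Finding("web-01", "missing_patch", 9, frozenset({"integrity", "availability"})),
    Finding("web-01", "weak_config", 5, frozenset({"audit"})),
    Finding("kiosk-03", "exploit_attempt", 7, frozenset({"availability"})),
]

CURRENT_CONTROLS: Set[str] = {"dlp"}        # what is deployed today
PLANNED_CONTROLS: Set[str] = {"hips"}       # the investment being modeled
TARGET_INDICES = {"confidentiality": 40.0, "integrity": 40.0, "availability": 50.0, "audit": 50.0}


def residual_factor(finding_class: str, deployed: Set[str]) -> float:
    """Exposure left after the independent controls covering the class are applied."""
    factor = 1.0
    for control in deployed:
        factor *= 1.0 - CONTROLS.get(control, {}).get(finding_class, 0.0)
    return factor


def risk_indices(assets: List[Asset], findings: List[Finding], deployed: Set[str]) -> Dict[str, float]:
    """Per-dimension index: criticality-weighted residual exposure as % of worst case."""
    crit = {a.name: a.criticality for a in assets}
    exposure = {d: 0.0 for d in DIMENSIONS}
    worst = {d: 0.0 for d in DIMENSIONS}
    for f in findings:
        factor = residual_factor(f.finding_class, deployed)
        for d in f.affects:
            weight = crit[f.asset][d] * f.severity
            worst[d] += weight
            exposure[d] += weight * factor
    return {d: round(100.0 * exposure[d] / worst[d], 2) if worst[d] else 0.0 for d in DIMENSIONS}


def profile_comparison(assets, findings, current: Set[str], planned: Set[str], target: Dict[str, float]):
    """Current vs. Simulated (current + planned) vs. Target, per dimension."""
    cur = risk_indices(assets, findings, current)
    sim = risk_indices(assets, findings, current | planned)
    return {
        d: {"current": cur[d], "simulated": sim[d], "target": target[d], "meets_target": sim[d] <= target[d]}
        for d in DIMENSIONS
    }


if __name__ == "__main__":
    rows = profile_comparison(ASSETS, FINDINGS, CURRENT_CONTROLS, PLANNED_CONTROLS, TARGET_INDICES)
    for dim, row in rows.items():
        print(f"{dim:16s} current={row['current']:6.2f} simulated={row['simulated']:6.2f} "
              f"target={row['target']:5.1f} {'ok' if row['meets_target'] else 'SHORT'}")
```

Running it shows the planned host IPS bringing confidentiality, integrity and availability under their targets while leaving the audit index unchanged at 55, because nothing in its coverage touches the data-exposure or configuration findings. That is the use of a Simulated profile: it says which investment moves which index before anything is bought or deployed.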
McAfee Metrics – Compliance
• Statistical representation of analyzed data (descriptive statistics) enables Management to make compliance inferences (inferential statistics).
• Compliance can be inferred by ‘seeing’ the deviation from the mean.
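As an added illustration of the two bullets above (not McAfee Metrics code), the following Python scores each managed host as the share of policy checks it passed, reports the descriptive statistics of that population, and flags the hosts whose deviation below the mean exceeds a chosen number of standard deviations. The host names, check counts and the default threshold are constructed for the example; the one-sided z-score test is this example's choice of how to "see" the deviation.

```python
"""Inferring compliance outliers from descriptive statistics.

Added example, not McAfee Metrics code. Each managed host is scored as the
share of policy checks it passed; hosts whose score sits well below the
population mean are flagged for follow-up. All hosts and counts below are
constructed sample data.
"""
from statistics import mean, median, stdev
from typing import Dict, List, Tuple

# Constructed sample: host -> (policy checks passed, checks evaluated)
SCAN_RESULTS: Dict[str, Tuple[int, int]] = {
    "web-01": (47, 50),
    "web-02": (46, 50),
    "db-01": (48, 50),
    "db-02": (45, 50),
    "app-01": (44, 50),
    "app-02": (47, 50),
    "legacy-01": (21, 50),  # never received the policy push
    "kiosk-03": (30, 50),   # only partially managed
}


def compliance_scores(results: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Per-host compliance as percent of checks passed; hosts with no checks are skipped."""
    return {
        host: 100.0 * passed / total
        for host, (passed, total) in results.items()
        if total > 0
    }


def describe(scores: Dict[str, float]) -> Dict[str, float]:
    """Descriptive statistics of the compliance population."""
    values = list(scores.values())
    return {
        "n": len(values),
        "mean": mean(values),
        "median": median(values),
        "stdev": stdev(values) if len(values) > 1 else 0.0,
        "min": min(values),
        "max": max(values),
    }


def z_scores(scores: Dict[str, float]) -> Dict[str, float]:
    """Deviation of each host from the mean, in standard deviations."""
    stats = describe(scores)
    if stats["stdev"] == 0.0:
        return {host: 0.0 for host in scores}
    return {host: (score - stats["mean"]) / stats["stdev"] for host, score in scores.items()}


def flag_deviations(scores: Dict[str, float], threshold: float = 1.0) -> List[Tuple[str, float, float]]:
    """Hosts more than `threshold` standard deviations below the mean, worst first.

    Returns (host, score, z) tuples. The test is one-sided: hosts above the
    mean are more compliant than their peers, not less.
    """
    flagged = [
        (host, round(scores[host], 1), round(z, 2))
        for host, z in z_scores(scores).items()
        if z < -threshold
    ]
    return sorted(flagged, key=lambda item: item[2])


if __name__ == "__main__":
    scores = compliance_scores(SCAN_RESULTS)
    stats = describe(scores)
    print(f"n={stats['n']} mean={stats['mean']:.1f}% median={stats['median']:.1f}% stdev={stats['stdev']:.1f}")
    for host, score, z in flag_deviations(scores):
        print(f"{host}: {score}% (z={z})")
```

With the constructed data the population mean is 82% and the two unmanaged hosts fall out as the only ones more than one standard deviation below it; raising the threshold to 1.5 keeps only the host that never received policy. The threshold is the management decision the bullet alludes to: how far from the mean a host may sit before it counts as non-compliant.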
SRM Value Proposition
Direct Benefits
• Establishes a consistent/standard service approach to quantifying and mitigating risk
• Understanding CIAA risks facing an organization, ROSI efforts are qualified and meaningful to Leadership
• Enables strategic business alignment
• Justify security budgets with tangible metrics
Indirect Benefits
• Solicits participation of executive teams in risk decisions
• Characterizes and benchmarks enterprise risk
• Provides direction and support to making objective risk management decisions
McAfee SRM: SSE-CMM Level 5, CSO Empowerment.