Re: [scap_interest] Gaps in Risk Management

Jerome Athias <> Tue, 14 February 2012 22:34 UTC


Hi list,

Could it be possible to have a brainstorming session at the RSA Conference?

Or, because I identified the following talk (at BSides San Francisco, a 
free event):

*Metrics That Don’t Suck: A New Way To Measure Security Effectiveness ~ 
Dr. Mike Lloyd*

How does your organization measure and report its security posture and 
performance?  Do you have spreadsheets that show how many 
vulnerabilities you found last month, or how many viruses your AV system 
stopped? Those numbers might pacify your management, but any security 
pro can tell you that they are no way to benchmark the real work you do 
– or how much danger your enterprise might be in.

Maybe the problem is that we’re all trying to use the data we already 
have – host metrics, network metrics, applications data – instead of 
building the data we actually need.  We need metrics that show the 
current range of threats, and the enterprise’s exposure. We need data 
that shows whether our security tools and programs are actually working 
or not. We need methods for demonstrating that our security teams are 
performing well – not only this month, but over a period of time.

In this thought-provoking presentation, we’ll describe methods for 
building an enterprise security metrics program that’s completely 
different from the current, sucky model of counting vulnerabilities or 
numbers of patches applied. We’ll outline methods for monitoring the 
threat landscape, and your organization’s exposure. We’ll offer some 
best practices for measuring the effectiveness of current security tools 
and systems. Best of all, we’ll outline a way to build a maturity model 
for security, so that you can show your security team’s performance on a 
month-to-month basis, and demonstrate its continuing improvement over time.

Want to stop reporting a bunch of crap and start building a real set of 
data that accurately measures your organization’s risk and its 
effectiveness in controlling it?  Want to learn how to integrate 
security data across hosts, networks, and applications?  Want your 
performance – and your company’s security posture – to be monitored 
using metrics that don’t suck?  Here’s a chance to look at the picture 
from a whole new angle.


I see these events as a good place to exchange our ideas.

Just my 2 cents