Re: [scap_interest] Gaps in Risk Management

<kathleen.moriarty@emc.com> Tue, 14 February 2012 22:48 UTC

Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: scap_interest@ietfa.amsl.com
Delivered-To: scap_interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF24B21E810B for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 14:48:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.899
X-Spam-Level:
X-Spam-Status: No, score=-9.899 tagged_above=-999 required=5 tests=[AWL=0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXSiBjSgdHF2 for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 14:48:20 -0800 (PST)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id AB55D21E8105 for <scap_interest@ietf.org>; Tue, 14 Feb 2012 14:48:19 -0800 (PST)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q1EMmDAZ026639 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 14 Feb 2012 17:48:17 -0500
Received: from mailhub.lss.emc.com (mailhub.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Tue, 14 Feb 2012 17:47:57 -0500
Received: from mxhub08.corp.emc.com (mxhub08.corp.emc.com [128.222.70.205]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q1EMluBD000685; Tue, 14 Feb 2012 17:47:56 -0500
Received: from mx06a.corp.emc.com ([169.254.1.250]) by mxhub08.corp.emc.com ([128.222.70.205]) with mapi; Tue, 14 Feb 2012 17:47:56 -0500
From: <kathleen.moriarty@emc.com>
To: <jerome@netpeas.com>, <scap_interest@ietf.org>
Date: Tue, 14 Feb 2012 17:47:51 -0500
Thread-Topic: [scap_interest] Gaps in Risk Management
Thread-Index: AczraZce0Oy4dHVZQSilSOJHrlxAxAAAFEEQ
Message-ID: <AE31510960917D478171C79369B660FA0E2F547D92@MX06A.corp.emc.com>
References: <CB600937.91DB%amontville@tripwire.com> <4F3AE162.6090801@netpeas.com>
In-Reply-To: <4F3AE162.6090801@netpeas.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-cr-hashedpuzzle: BxLh Ec6Y Ehyt FW5Z GMji GlKX HILo Iz6I KhzR KrNn LRZw NOQN O/ED QgnF UM1a VdLT; 2; agBlAHIAbwBtAGUAQABuAGUAdABwAGUAYQBzAC4AYwBvAG0AOwBzAGMAYQBwAF8AaQBuAHQAZQByAGUAcwB0AEAAaQBlAHQAZgAuAG8AcgBnAA==; Sosha1_v1; 7; {CB989535-629B-4AE0-9862-0FBEECCA5FB3}; awBhAHQAaABsAGUAZQBuAC4AbQBvAHIAaQBhAHIAdAB5AEAAZQBtAGMALgBjAG8AbQA=; Tue, 14 Feb 2012 22:47:51 GMT; UgBFADoAIABbAHMAYwBhAHAAXwBpAG4AdABlAHIAZQBzAHQAXQAgAEcAYQBwAHMAIABpAG4AIABSAGkAcwBrACAATQBhAG4AYQBnAGUAbQBlAG4AdAA=
x-cr-puzzleid: {CB989535-629B-4AE0-9862-0FBEECCA5FB3}
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_AE31510960917D478171C79369B660FA0E2F547D92MX06Acorpemcc_"
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: Re: [scap_interest] Gaps in Risk Management
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2012 22:48:22 -0000

Hi Jerome,

I think it is a really good idea to start from use cases and what we want to get out of this work to drive the standards efforts.  The work being done here should result in the ability to report on meaningful and actionable metrics.  Brainstorming like this at the RSA Conference and on list would be great.  Activities like this may be tied to the frameworks as well - how do we get good risk metrics against the frameworks in which we want to measure our security programs?

Luis brought up CSA's control matrix, maybe we want to think about what was done for 800-53 and how that could apply out to other frameworks like ISO27002 +ISO27017 (Virtualization/cloud), HIPAA HITECH, etc.  performing checks, assessing risk, and producing metrics are the drivers for these underlying activities.

Dan Greer has some good presentations online related to metrics and is running a series in IEE Security and Privacy on the topic as well.  I do need to admit that I have to catch up on my reading, so I can't tell you too much about that effort :)

Any other thoughts on these topics?

Thanks,
Kathleen

From: scap_interest-bounces@ietf.org [mailto:scap_interest-bounces@ietf.org] On Behalf Of Jerome Athias
Sent: Tuesday, February 14, 2012 5:34 PM
To: scap_interest@ietf.org
Subject: Re: [scap_interest] Gaps in Risk Management

Hi list,

could it be possible to have a brainstorming at the RSA Conference?

or / because i identifed the following talk (at BSides San Francisco, // free event):

Metrics That Don't Suck: A New Way To Measure Security Effectiveness ~ Dr. Mike Lloyd

How does your organization measure and report its security posture and performance?  Do you have spreadsheets that show how many vulnerabilities you found last month, or how many viruses your AV system stopped? Those numbers might pacify your management, but any security pro can tell you that they are no way to benchmark the real work you do - or how much danger your enterprise might be in.

Maybe the problem is that we're all trying to use the data we already have - host metrics, network metrics, applications data - instead of building the data we actually need.  We need metrics that show the current range of threats, and the enterprise's exposure. We need data that shows whether our security tools and programs are actually working or not. We need methods for demonstrating that our security teams are performing well - not only this month, but over a period of time.

In this thought-provoking presentation, we'll describe methods for building an enterprise security metrics program that's completely different from the current, sucky model of counting vulnerabilities or numbers of patches applied. We'll outline methods for monitoring the threat landscape, and your organization's exposure. We'll offer some best practices for measuring the effectiveness of current security tools and systems. Best of all, we'll outline a way to build a maturity model for security, so that you can show your security team's performance on a month-to-month basis, and demonstrate its continuing improvement over time.

Want to stop reporting a bunch of crap and start building a real set of data that accurately measures your organization's risk and its effectiveness in controlling it?  Want to learn how to integrate security data across hosts, networks, and applications?  Want your performance - and your company's security posture - to be monitored using metrics that don't suck?  Here's a chance to look at the picture from a whole new angle.
(ref: http://www.infosecisland.com/blogview/20057-Security-BSides-San-Francisco-Speakers-and-Topics-Lineup.html )

I see these events as a good place to exchange our ideas.

Just my 2 cents

/JA