Measuring the Performance and Effectiveness of Critical Security Controls William Makatiani
About Serianu Limited Serianu is a Pan-African cyber security and business consulting firm. We are an award-winning company in the African cyber security sector that helps our customers collect, protect, and analyse critical business information. Our Partnerships • Paladion Networks - Mumbai, India • Liquid Telecom - Africa • Global Honeynet Project - Kenyan chapter founding members • USIU-Africa - Research and Data Analysis Partner
Serianu Cyber-Threat Command Centre (SC3) 24/7 Cyber Security Command Centre
Africa Cyber Immersion Centre
Top 10 Cyber security Priorities for 2018
Objectives • Introduce the inherent risk profiling methodology and approach • Introduce the top critical cyber security controls and the metrics measurement approach • Discuss testing the effectiveness of critical cyber resilience and visibility controls • Discuss how metrics can be used to facilitate decision making and improve performance and accountability • Discuss how to develop metrics that are quantifiable, observable and objective, with data that supports them • Discuss how organisations can use metrics to apply corrective actions and improve performance • Discuss how metrics can be packaged and delivered to different stakeholders - senior management and board members
Content • Topic 1: Introduction to cyber security metrics, performance measurement and effectiveness monitoring • Topic 2: Developing and implementing monitoring use cases and scenarios • Topic 3: Breach scenario analysis • Topic 4: Cyber security visibility statements
Cyber Security Metrics and Performance Metrics are designed to facilitate decision making and improve performance and accountability through the collection, analysis and reporting of relevant performance-related data. It is important to understand the environment you are operating in (e.g. banking, insurance, academia), which means understanding: • the top risks and the inherent risks • the controls that mitigate these risks • how those controls are tested
Cyber Security Metrics and Performance This process enables institutions to identify their risks and determine their cyber security maturity. The approach provides a repeatable process for measuring preparedness over time.
Cyber Security Metrics and Monitoring Various frameworks provide guidelines for assessing security posture and for the frequency of these assessments, namely: • ISO 27001 • PCI DSS • NIST • CBK Guidelines • Africa Cyber Security Framework (ACSF)
Measuring cyber security performance and effectiveness Four-phase approach, each with its own review frequency: • Inherent Risk Profiling - semi-annual • Benchmarking and Maturity Assessment - annual • Visibility and Resilience Monitoring - periodic • Incident Trending and Reporting - continuous
Inherent Risk Profiling Cybersecurity inherent risk is the level of risk posed to the institution by the following: • Technologies and Connection Types • Delivery Channels • Online/Mobile Products and Technology Services • Organizational Characteristics • External Threats
Inherent Risk Profiling • Inherent risk incorporates the type, volume, and complexity of the institution’s operations and threats directed at the institution. Inherent risk does not include mitigating controls. • The Inherent Risk Profile includes descriptions of activities across risk categories with definitions for the least to most levels of inherent risk. • The profile helps management determine exposure to risk that the institution’s activities, services, and products individually and collectively pose to the institution.
Inherent Risk Profiling and Monitoring Each data point is rated on five levels of inherent risk: Least / Minimal / Moderate / Significant / Most.

Technology - Technologies and Connection Types - Total number of Internet service provider (ISP) connections (including branch connections):
• Least: No connections
• Minimal: Minimal complexity (1-20 connections)
• Moderate: Moderate complexity (21-100 connections)
• Significant: Significant complexity (101-200 connections)
• Most: Substantial complexity (>200 connections)

Technology - Technologies and Connection Types - Unsecured external connections, number of connections, not users (e.g., file transfer protocol (FTP), Telnet, rlogin):
• Least: None
• Minimal: Few instances of unsecured connections (1-5)
• Moderate: Several instances of unsecured connections (6-10)
• Significant: Significant instances of unsecured connections (11-25)
• Most: Substantial instances of unsecured connections (>25)

Processes - Organizational Characteristics - Mergers and acquisitions (including divestitures and joint ventures):
• Least: None planned
• Minimal: Open to initiating discussions or actively seeking a merger or acquisition
• Moderate: In discussions with at least 1 party
• Significant: A sale or acquisition has been publicly announced within the past year, in negotiations with 1 or more parties
• Most: Multiple ongoing integrations of acquisitions are in process

People - Organizational Characteristics - Direct employees (including information technology and cybersecurity contractors):
• Least: Number of employees totals <50
• Minimal: Number of employees totals 50-2,000
• Moderate: Number of employees totals 2,001-10,000
• Significant: Number of employees totals 10,001-50,000
• Most: Number of employees is >50,000

Processes - Organizational Characteristics - Changes in IT environment (e.g., network, infrastructure, critical applications, technologies supporting new products or services):
• Least: Stable IT environment
• Minimal: Infrequent or minimal changes in the IT environment
• Moderate: Frequent adoption of new technologies
• Significant: Volume of significant changes is high
• Most: Substantial change in outsourced provider(s) of critical IT services; large and complex changes to the environment occur frequently

Processes - Organizational Characteristics - Locations of branches/business presence:
• Least: 1 state
• Minimal: 1 region
• Moderate: 1 country
• Significant: 1-20 countries
• Most: >20 countries

Processes - Organizational Characteristics - Locations of operations/data centers:
• Least: 1 state
• Minimal: 1 region
• Moderate: 1 country
• Significant: 1-10 countries
• Most: >10 countries

Technology - External Threats - Attempted cyber attacks:
• Least: No attempted attacks or reconnaissance
• Minimal: Few attempts monthly (<100); may have had generic phishing campaigns received by employees and customers
• Moderate: Several attempts monthly (100-500); phishing campaigns targeting employees or customers at the institution or third parties supporting critical activities; may have experienced an attempted Distributed Denial of Service (DDoS) attack within the last year
• Significant: Significant number of attempts monthly (501-100,000); spear phishing campaigns targeting high net worth customers and employees at the institution or third parties supporting critical activities; institution specifically is named in threat reports; may have experienced multiple attempted DDoS attacks within the last year
• Most: Substantial number of attempts monthly (>100,000); persistent attempts to attack senior management and/or network administrators; frequently targeted for DDoS attacks
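The profiling table above is usable as code: the numeric data points have fixed bands, the descriptive ones are answered by the assessor with a level name, and the per-data-point levels are then rolled up into an overall inherent risk profile. The following is an added example written for this page, not Serianu's own tooling. The band thresholds are taken from the table; the data point names, the sample institution figures, and the roll-up rule (the highest level that at least half of the scored data points sit at or above, with any Significant or Most data point also flagged on its own) are assumptions made here for illustration.

```python
"""Inherent risk profiler built on the banded data points of the Inherent Risk
Profile table (ISP connections, unsecured external connections, direct
employees, attempted attacks per month).  Added example, not Serianu tooling.
Data point names, the sample answers and the overall-level rule are assumptions
made for illustration; the band thresholds come from the table."""

from typing import Dict, List, Union

LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Numeric data points: (inclusive upper bound, level index) in ascending order.
# None means "no upper bound".  Thresholds are the ones in the table.
BANDS: Dict[str, List[tuple]] = {
    "isp_connections":         [(0, 0), (20, 1), (100, 2), (200, 3), (None, 4)],
    "unsecured_connections":   [(0, 0), (5, 1), (10, 2), (25, 3), (None, 4)],
    "direct_employees":        [(49, 0), (2000, 1), (10000, 2), (50000, 3), (None, 4)],
    "attack_attempts_monthly": [(0, 0), (99, 1), (500, 2), (100000, 3), (None, 4)],
}

Answer = Union[int, str]


def band_level(data_point: str, value: int) -> str:
    """Map a count to its risk level using the table's bands."""
    if value < 0:
        raise ValueError(f"{data_point}: negative count {value}")
    for upper, idx in BANDS[data_point]:
        if upper is None or value <= upper:
            return LEVELS[idx]
    raise AssertionError("unreachable: last band is unbounded")


def score_profile(answers: Dict[str, Answer]) -> Dict[str, str]:
    """Per-data-point level.  Numeric data points are banded; descriptive
    ones (e.g. mergers and acquisitions, IT change) are answered with a
    level name the assessor reads off the table."""
    levels: Dict[str, str] = {}
    for name, value in answers.items():
        if name in BANDS:
            levels[name] = band_level(name, int(value))
        elif value in LEVELS:
            levels[name] = str(value)
        else:
            raise ValueError(f"unknown data point or level: {name}={value!r}")
    return levels


def overall_level(levels: Dict[str, str]) -> str:
    """Assumed roll-up rule: the highest level that at least half of the
    scored data points sit at or above (the upper median).  One outlier does
    not set the profile, but it is not averaged away either; see
    attention_items() for the outliers themselves."""
    if not levels:
        raise ValueError("no data points scored")
    idxs = sorted(LEVELS.index(lvl) for lvl in levels.values())
    return LEVELS[idxs[len(idxs) // 2]]


def attention_items(levels: Dict[str, str], floor: str = "Significant") -> List[str]:
    """Data points at or above `floor`; these need their own mitigating
    controls whatever the overall profile says."""
    cut = LEVELS.index(floor)
    return sorted(n for n, lvl in levels.items() if LEVELS.index(lvl) >= cut)


def profile(answers: Dict[str, Answer]) -> Dict[str, object]:
    """Full profile: per-data-point levels, overall level, items to watch."""
    levels = score_profile(answers)
    return {"levels": levels, "overall": overall_level(levels),
            "attention": attention_items(levels)}


# Constructed sample answers for a mid-sized bank (figures invented here).
SAMPLE_ANSWERS: Dict[str, Answer] = {
    "isp_connections": 35,                # Moderate complexity (21-100)
    "unsecured_connections": 3,           # Few instances (1-5)
    "direct_employees": 1200,             # 50-2,000 employees
    "attack_attempts_monthly": 800,       # Significant (501-100,000)
    "mergers_acquisitions": "Least",      # none planned
    "it_environment_change": "Moderate",  # frequent adoption of new technologies
}

if __name__ == "__main__":
    import json
    print(json.dumps(profile(SAMPLE_ANSWERS), indent=2))
```

For the constructed sample the overall profile comes out as Moderate, while attempted attacks per month is flagged as Significant on its own; this is the kind of split a board summary should show, since the roll-up alone would hide the data point that most needs a control.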
Benchmarking and Maturity Assessment Designed to help management measure the institution's level of risk and the corresponding controls. The maturity levels range from baseline to innovative. Cybersecurity maturity is assessed with statements that determine whether an institution's behaviours, practices and processes can support cyber security preparedness in the following four domains: • Anticipate Risk - Cyber Risk Management • Detect Vulnerabilities - Cyber Vulnerability Management • Respond to Incidents - Cyber Incident Management • Contain Threats - Cyber Threat Management
Cyber security Benchmarking and Maturity Framework Four domains: • Cybersecurity Risk Management • Cybersecurity Vulnerability Management • Cybersecurity Incident Management • Cyberthreat Management Assessment areas across the domains: Risk Management; Cyber Risk Management; People & Culture; Metrics and Reporting; Continuous Improvement; Vulnerability Remediation; Patch Management; Infrastructure Management; External Dependency Management; Third Party Management; Event Detection; Response and Mitigation; Monitoring; Information Sharing; Access & Data Management; Threat Intelligence