June 13, 2015
In this presentation on June 13th, 2015, Rubicon Advisory Group founder Edward McCabe speaks at Circle City Con in Indianapolis, Indiana on the topic of "The Answer is 42 – InfoSec Data Visualization (Making Metric Magic Business Decisions)" and on why a network baseline and relatable business metrics have so much impact.
The situation: businesses have limited resources in manpower, time and money. Security professionals are still expected to prevent, detect and respond to "events", and they have "TONS" of data at their disposal.
When facing a breach, most organizations describe it as the result of an Advanced Persistent Threat (APT), when more commonly they are breached by commodity attacks such as phishing, and genuine zero-day attacks are rare. Attacks often persist over a period of several months, and while spending the organization's budget on tools to observe logs sounds like a wise idea, the tools often end up as an investment that collects dust on a shelf somewhere (a.k.a. shelf-ware). Bottom line: an organization's breach can't be called an APT when it isn't patching systems and checking applications against the OWASP Top Ten. The business also needs to have monitoring in place in order to establish a baseline for what normal looks like on its network, so that it can alert responders when abnormal activity shows up in the logs.
Big data is made of data sets so large and complex that they become difficult to process with the data processing tools on hand. Big data meets security events: when an organization's staff is constantly bombarded by alerts, they become desensitized to the bigger picture of what makes an event. It's important to manage the process of collecting a business's big data in order to more easily identify the "needle in the haystack".
First, an organization must ask: what is the cost of failure? The analysis of a business's cost of failure includes investigation and forensics costs, customer and partner costs, public image and damage to reputation, regulatory fines, civil claims, class actions and lawyers. Next, the business must ask, "Can we absorb (and is the Board okay with absorbing) the costs associated with investigating, remediating, regulatory fines and civil claims?"
Going back to baselines: their importance lies in defining what normal or "good" looks like on the network. A baseline provides a business with a point of reference for where its traffic is headed, who it's communicating with, what's going on at its network perimeter, what's going on within the network and who has access to what (privileged access). The questions that baselining answers help a business understand its risks and keep it from spinning the wheel of fate.
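The "who is talking to whom" and "who has privileged access" questions a baseline answers can be turned into detection logic. The Python below is an added example and is not code from the talk or from Rubicon Advisory Group: it learns a baseline from a window of log lines assumed to be clean, then flags events in a later window that fall outside it. The log format, host addresses, user names and the three checks (new flow, new privileged user, privileged activity at an unseen hour) are assumptions made for illustration, and all log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) flow/auth log format, one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) priv=(?P<priv>[01])$"
)


def parse(line):
    """Parse one log line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "user": d["user"],
        "priv": d["priv"] == "1",
    }


def build_baseline(lines):
    """Learn 'normal' from a window believed to be clean.

    pairs      - every (src, dst, dport) triple seen (who talks to whom)
    priv_users - users seen performing privileged actions (who has access)
    hours      - per privileged user, the hours of day their activity occurred
    """
    base = {"pairs": set(), "priv_users": set(), "hours": defaultdict(set)}
    for ev in map(parse, lines):
        base["pairs"].add((ev["src"], ev["dst"], ev["dport"]))
        if ev["priv"]:
            base["priv_users"].add(ev["user"])
            base["hours"][ev["user"]].add(ev["ts"].hour)
    return base


def detect(base, lines):
    """Return (finding_type, detail) tuples for events outside the baseline."""
    findings = []
    for ev in map(parse, lines):
        key = (ev["src"], ev["dst"], ev["dport"])
        if key not in base["pairs"]:
            findings.append(("new-flow", key))
        if ev["priv"]:
            if ev["user"] not in base["priv_users"]:
                findings.append(("new-priv-user", ev["user"]))
            elif ev["ts"].hour not in base["hours"][ev["user"]]:
                findings.append(("priv-off-hours", ev["user"]))
    return findings


# Constructed sample data: two quiet days to learn from, then one day to check.
BASELINE_LOG = [
    "2015-06-01T09:05:00 src=10.0.1.5 dst=10.0.2.10 dport=445 user=alice priv=0",
    "2015-06-01T09:30:00 src=10.0.1.5 dst=93.184.216.34 dport=443 user=alice priv=0",
    "2015-06-01T10:00:00 src=10.0.1.7 dst=10.0.2.10 dport=445 user=bob priv=0",
    "2015-06-01T14:15:00 src=10.0.1.9 dst=10.0.2.20 dport=22 user=carol priv=1",
    "2015-06-02T09:10:00 src=10.0.1.5 dst=93.184.216.34 dport=443 user=alice priv=0",
    "2015-06-02T15:00:00 src=10.0.1.9 dst=10.0.2.20 dport=22 user=carol priv=1",
]
NEW_LOG = [
    "2015-06-03T09:12:00 src=10.0.1.5 dst=93.184.216.34 dport=443 user=alice priv=0",
    "2015-06-03T11:40:00 src=10.0.1.7 dst=198.51.100.23 dport=4444 user=bob priv=0",
    "2015-06-03T03:02:00 src=10.0.1.9 dst=10.0.2.20 dport=22 user=carol priv=1",
    "2015-06-03T12:00:00 src=10.0.1.7 dst=10.0.2.20 dport=22 user=bob priv=1",
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for kind, detail in detect(baseline, NEW_LOG):
        print(f"{kind:15} {detail}")
```

Two caveats a practitioner would want. First, the baseline is only as good as the window it was learned from: if an intruder was already present during that window, their traffic is learned as "normal" and never fires, which is exactly why the talk ties baselining to patching and basic hygiene. Second, a baseline this simple will fire on every legitimate change (a new SaaS vendor, a newly hired admin), so findings should be reviewed and folded back into the baseline promptly, or the alert fatigue described above sets in.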
By developing metrics, we are speaking directly to the facts, not guessing. Naming the metrics you are dealing with and measuring the problem justifies the budget to allocate the appropriate resources to protect the organization. Metrics also help a business measure its security posture, show a return on investment, understand its risks, plan and map initiatives and raise awareness of the security program.