Storage Decisions 2003

Hosted by
Security Budgets:
Getting What You Need
Pete Lindstrom, CISSP
Research Director
[email protected]
Spire Security, LLC
www.spiresecurity.com
The Problem w/ Security Budgets
• Success = nothing happens
• Nobody knows what = success
• We don’t analyze the strategic value of the security program
• We don’t justify our purchases
Agenda
• Quantify your asset value . . . and potential loss
• Identify how much you're really spending on security
• Evaluate the effectiveness of security controls
• Measure true success
what are you trying to protect?

The 5 Elements of Value
1. IT Productivity (time)
2. User Productivity (time)
3. Legal/Regulatory Costs (fines)
4. Direct Revenue (dollars)
5. Stored Asset Value (intellectual property, financial assets)
Audience poll: Which element of value is most important to you?
1. IT Productivity (time)
2. User Productivity (time)
3. Legal/Regulatory Costs (fines)
4. Direct Revenue (dollars)
5. Stored Asset Value (intellectual property, financial assets)
[Poll results chart: 35%, 32%, 16%, 10%, 6%; which bar belongs to which option is not recoverable from the extracted chart]
Productivity
• Where users and IT spend their time.
• Time is money philosophy.
• Often the only aspect of loss we quantify.
• Basic source of ROI.
• Hourly rate x hours of effort.
Productivity: IT Security Activities
• Managing user accounts (Identity Management)
• Designing security controls (Trust Management)
• Monitoring systems (Threat Management)
• Configuring components (Exposure Management)
Productivity: End-User Activities
• Operational system usage
• Revolve around availability
  • Of systems (e.g. email)
  • Of data (recovery)
• Automation of business process
  • Reconciliations
  • Digital signatures
Legal/Regulatory Costs
• Lawsuits:
  • Privacy suits
  • Downstream Liability
  • Legal fees
• Regulatory Issues:
  • Regulatory fines
  • Remediation costs
Direct Revenue
• E-Commerce systems
• Level of materiality
• Seasons, cycles, forecasts drive expected losses
• Some benchmarks: shrinkage; materiality (internal controls)
Stored Asset Value
• Stored Value (financial assets)
• Stored Knowledge (intellectual property)
• Market Cap (or equivalent) – Book Value = Goodwill (intangible assets)
• Some % of this Goodwill is attributable to information assets.
  • Professional services – higher percentage
  • Contract manufacturing or retail – lower
how much are you spending?

Spending Philosophies
• Generic - risk will decrease incrementally as spending increases.
• Skeptic - risk is low no matter how much you spend. (ROI unnecessary)
• Paranoid - risk is high no matter how much you spend. (ROI impossible)
• Weak Link – risk remains high until all bases are covered, then it is drastically reduced.
• Just Enough – risk is reduced drastically through basic measures, then hits the law of diminishing returns.
[Chart: Anticipated Loss (Risk) on the vertical axis against Security Spending on the horizontal axis, one curve per philosophy: “Paranoid”, “Weak Link”, “Generic”, “Good Enough”, “Skeptic”]
Audience poll: Which spending philosophy are you?
1. Generic - risk will decrease incrementally as spending increases.
2. Skeptic - risk is low no matter how much you spend. (ROI unnecessary)
3. Paranoid - risk is high no matter how much you spend. (ROI impossible)
4. Weak Link – risk remains high until all bases are covered, then it is drastically reduced.
5. Just Enough – risk is reduced drastically through basic measures, then hits the law of diminishing returns.
[Poll results chart: 36%, 23%, 18%, 14%, 9%; which bar belongs to which option is not recoverable from the extracted chart]
Identity Management
Functions:
• Identify users
• Assign accounts/rights
• Maintain identity (passwords)
• Validate sessions
• Authorize access
Product Categories:
• Provisioning
• Password Management
• Single Sign-on
• Authentication
• Web Access Control
Trust Management
Functions:
• Write policies
• Design security
• Ensure confidentiality
• Ensure integrity
Product Categories:
• Policy lifecycle (written)
• Public key infrastructure
• Data encryption (db & file)
• Digital Signatures
• VPNs
Threat Management
Functions:
• Info Collection
• Evaluation
• Response
• Recovery
• Review
Product Categories:
• Intrusion Detection
• Antivirus
• Security Event Management
• Forensics
Exposure Management
Functions:
• Protect systems from being inappropriately accessed, compromised, exploited.
• Control access to system resources.
• Reduce exposure – vulnerabilities and future vulnerabilities
Product Categories:
• Firewalls
• System Access Control
• Vulnerability Assessment
• Patch Management
• Software security
• Security Resource Planning
Four Disciplines of Security Mgt
[Quadrant diagram; the controls labelled INLINE sit in the data path between the management functions of the four quadrants]

IDENTITY MANAGEMENT
• Identity Validation
• Account Management
• Password Management
• Authentication (inline)
• User Access Control (inline)

THREAT MANAGEMENT
• Threat Identification
• Security Monitoring
• Incident Management
• Intrusion Prevention (inline)

TRUST MANAGEMENT
• Policy Management
• Security Arch. Design
• Cert Management
• Encryption (inline)
• Integrity (inline)

EXPOSURE MANAGEMENT
• Reduce Exposure
• Vulnerability Management
• Software Security
• System Access Control (inline)
Audience poll: Which discipline do you think is most effective at reducing risk?
1. Identity Management
2. Exposure/Vulnerability Management
3. Threat Management
4. Trust Management
[Poll results chart: 41%, 30%, 22%, 6%; which bar belongs to which option is not recoverable from the extracted chart]
Calculating Spending
• Manual functions (4 disciplines – operating expenses)
  • Salaries (allocated for functional %)
  • Consulting expenses
  • Across all departments
• Automated functions (capital expenses)
  • Allocated native functions (security %)
  • Security software and hardware, plus maintenance
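The roll-up the slide describes, written out as an added Python example (not code from the talk or from Spire Security): salaries and consulting are allocated to the four disciplines by functional percentage across every department, dedicated security products count in full, and native platform features count only for their security share. Every name, cost and percentage below is constructed sample data.

```python
# Added example (not from the original slides): roll up security spending
# by the four disciplines the talk defines. Manual functions are salaries
# and consulting allocated by functional percentage across all departments
# (opex); automated functions are security products plus the security share
# of native platform features, with maintenance (capex). Every name, cost
# and percentage below is constructed sample data, not a figure from the talk.
from collections import defaultdict

DISCIPLINES = ("identity", "trust", "threat", "exposure")

# Manual functions: annual cost of each person or contract and the share of
# that cost spent on each discipline. Shares may sum to less than 1; the
# remainder is non-security work and is left out of the security budget.
STAFF = [
    {"name": "sysadmin-1", "dept": "IT Ops", "cost": 90_000,
     "alloc": {"identity": 0.25, "exposure": 0.30}},
    {"name": "helpdesk-1", "dept": "IT Ops", "cost": 55_000,
     "alloc": {"identity": 0.40}},
    {"name": "secanalyst-1", "dept": "Security", "cost": 110_000,
     "alloc": {"threat": 0.70, "exposure": 0.20, "trust": 0.10}},
    {"name": "pentest-consulting", "dept": "Security", "cost": 40_000,
     "alloc": {"exposure": 1.0}},
    {"name": "counsel-1", "dept": "Legal", "cost": 150_000,
     "alloc": {"trust": 0.05}},
]

# Automated functions: dedicated security products carry security_pct 1.0;
# a native platform feature (here a directory service) counts only for the
# share that is security work. Annual maintenance is added to capex.
PRODUCTS = [
    {"name": "firewall", "discipline": "exposure", "capex": 30_000,
     "maint": 6_000, "security_pct": 1.0},
    {"name": "security-event-mgmt", "discipline": "threat", "capex": 80_000,
     "maint": 16_000, "security_pct": 1.0},
    {"name": "directory-service", "discipline": "identity", "capex": 50_000,
     "maint": 10_000, "security_pct": 0.30},
    {"name": "pki", "discipline": "trust", "capex": 25_000,
     "maint": 5_000, "security_pct": 1.0},
]


def _check(staff, products):
    """Reject allocations that over-count: shares above 100% or unknown disciplines."""
    for s in staff:
        if not 0.0 <= sum(s["alloc"].values()) <= 1.0 + 1e-9:
            raise ValueError(f"{s['name']}: allocation shares must total at most 100%")
        unknown = set(s["alloc"]) - set(DISCIPLINES)
        if unknown:
            raise ValueError(f"{s['name']}: unknown discipline(s) {sorted(unknown)}")
    for p in products:
        if p["discipline"] not in DISCIPLINES or not 0.0 <= p["security_pct"] <= 1.0:
            raise ValueError(f"{p['name']}: bad discipline or security_pct")


def spending_by_discipline(staff=STAFF, products=PRODUCTS):
    """Return {discipline: {"opex", "capex", "total"}} plus an "all" row, in cents."""
    _check(staff, products)
    opex = defaultdict(float)
    capex = defaultdict(float)
    for s in staff:
        for discipline, share in s["alloc"].items():
            opex[discipline] += s["cost"] * share
    for p in products:
        capex[p["discipline"]] += (p["capex"] + p["maint"]) * p["security_pct"]
    rows = {}
    for d in DISCIPLINES:
        rows[d] = {"opex": round(opex[d], 2), "capex": round(capex[d], 2),
                   "total": round(opex[d] + capex[d], 2)}
    rows["all"] = {k: round(sum(rows[d][k] for d in DISCIPLINES), 2)
                   for k in ("opex", "capex", "total")}
    return rows


def opex_by_department(staff=STAFF):
    """Security opex hidden in each department's payroll (the slide's
    'across all departments' point): {dept: amount}."""
    _check(staff, [])
    by_dept = defaultdict(float)
    for s in staff:
        by_dept[s["dept"]] += s["cost"] * sum(s["alloc"].values())
    return {d: round(v, 2) for d, v in sorted(by_dept.items())}


if __name__ == "__main__":
    for d, row in spending_by_discipline().items():
        print(f"{d:9s} opex={row['opex']:>10,.0f} capex={row['capex']:>10,.0f} "
              f"total={row['total']:>10,.0f}")
    print(opex_by_department())
```

The department view is the one most budget owners have never seen: in this sample, more security opex sits in IT Ops and Legal payroll than in any product line item, which is exactly the spend the slide says goes uncounted.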
how effective is your security?

Calculating Risk
Annual Loss Expectancy = Probability x Asset Value
ALE = P x A
(Insurance Industry)
• Basic equation, difficulty in details
• Easy to understand letters, very difficult to determine the numbers
Calculating Potential Loss
• No physical goods; reproducible supply
• Full asset value is not necessarily lost
  • Could be more, could be less
• Look at loss in other ways:
  • Type of loss
  • For each application/system
Calculating Potential Loss
• Level One – organization-wide loss
• Assume Value = Loss
• Calculate overall loss potential for 5 Elements of Value
  • ALE = P x A turns into…
  • ALE = P x L(Assets, Revenue, Fines, IT Prod, EU Prod)
5 Types of Exposure
Information-centric Exposure
1. Copied/Read data (Confidentiality)
2. Modified data (Integrity)
3. Deleted data (Availability)
System/App-centric Exposure
4. Resource Availability (Productivity)
5. Resource Misuse (Liability)
Audience poll: Which type of exposure concerns you the most?
1. Copied/Read Data (Confidentiality)
2. Modified Data (Integrity)
3. Deleted Data (Availability)
4. Resource Availability (Productivity)
5. Resource Misuse (Liability)
[Poll results chart: 30%, 24%, 22%, 19%, 5%; which bar belongs to which option is not recoverable from the extracted chart]
Loss Potential (H = high, M = medium, L = low, ? = not estimated)

Element of Value   Read   Modify   Delete   Avail   Misuse
Asset Value        H      M        M        L       L
Revenue            M      H        H        H       L
Fines              M/H    H        L        L       ?
IT Prod.           L      H        M        L       M
EU Prod.           L      L        M        H       M
Calculating Potential Loss
• Level Two – organization-wide loss by exposure type
• Calculate overall loss potential for 5 Elements and 5 Types.
  • ALE = P x C(A, R, F, I, E) + P x I(A, R, F, I, E) + P x A(A, R, F, I, E) … (etc.)
  • C, I and A are the loss functions for the Confidentiality, Integrity and Availability exposure types (the Productivity and Misuse types follow in the “etc.”); the arguments A, R, F, I, E are the five Elements of Value: Assets, Revenue, Fines, IT Productivity, End-User Productivity.
Calculating Potential Loss
• Level Three
• Calculate overall loss potential for 5 Elements and 5 Types for every application.
  • ALE =
    Supply Chain: P x C(A, R, F, I, E) + P x I(A, R, F, I, E) + P x A(A, R, F, I, E) … (etc.)
    + Financial Systems: P x C(A, R, F, I, E) + P x I(A, R, F, I, E) + P x A(A, R, F, I, E) … (etc.)
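The three levels (organization-wide, by exposure type, per application) carried through in one added Python example; this is not code from the talk or from Spire Security. It uses the slides' five Elements of Value and five Types of Exposure and the H/M/L loss-potential matrix, with P = 1 as the starting point the slides recommend. The numeric weights attached to the ratings (H = 1.0, M/H = 0.75, M = 0.5, L = 0.1, ? = 0, meaning not estimated) and the two sample applications' values and probabilities are assumptions made here; the slide names the applications but gives no figures.

```python
# Added example (not from the original slides): Level One, Two and Three loss
# calculation using the talk's five Elements of Value, five Types of Exposure
# and its H/M/L loss-potential matrix. P defaults to 1 so the first pass is
# maximum potential loss. The numeric weights for H/M/L/? and all application
# values and probabilities are assumptions made for this example.

ELEMENTS = ("assets", "revenue", "fines", "it_prod", "eu_prod")
EXPOSURES = ("read", "modify", "delete", "avail", "misuse")

# Loss-potential matrix (rows: Elements of Value; columns: Types of Exposure).
LOSS_POTENTIAL = {
    "assets":  {"read": "H",   "modify": "M", "delete": "M", "avail": "L", "misuse": "L"},
    "revenue": {"read": "M",   "modify": "H", "delete": "H", "avail": "H", "misuse": "L"},
    "fines":   {"read": "M/H", "modify": "H", "delete": "L", "avail": "L", "misuse": "?"},
    "it_prod": {"read": "L",   "modify": "H", "delete": "M", "avail": "L", "misuse": "M"},
    "eu_prod": {"read": "L",   "modify": "L", "delete": "M", "avail": "H", "misuse": "M"},
}
WEIGHT = {"H": 1.0, "M/H": 0.75, "M": 0.5, "L": 0.1, "?": 0.0}  # assumed mapping


def _check_values(values):
    missing = set(ELEMENTS) - set(values)
    if missing:
        raise ValueError(f"missing element(s) of value: {sorted(missing)}")
    if any(values[e] < 0 for e in ELEMENTS):
        raise ValueError("element values must be non-negative")


def level_one(values, p=1.0):
    """Level One: ALE = P x L(Assets, Revenue, Fines, IT Prod, EU Prod),
    assuming Value = Loss for every element."""
    _check_values(values)
    return p * sum(values[e] for e in ELEMENTS)


def level_two(values, p_by_exposure=None):
    """Level Two: one term per exposure type, ALE_t = P_t x L_t(A, R, F, I, E),
    where L_t scales each element by its loss-potential weight for type t.
    Returns {exposure_type: ALE_t}; sum the values for the total."""
    _check_values(values)
    p_by_exposure = p_by_exposure or {t: 1.0 for t in EXPOSURES}
    result = {}
    for t in EXPOSURES:
        loss_t = sum(values[e] * WEIGHT[LOSS_POTENTIAL[e][t]] for e in ELEMENTS)
        result[t] = p_by_exposure.get(t, 1.0) * loss_t
    return result


def level_three(applications):
    """Level Three: Level Two for every application plus the organization total.
    applications: {name: {"values": {element: $}, "p": {exposure_type: prob}}}."""
    by_app = {name: level_two(app["values"], app.get("p"))
              for name, app in applications.items()}
    total = sum(sum(terms.values()) for terms in by_app.values())
    return {"by_application": by_app, "total": total}


def highest_impact(applications):
    """The (application, exposure type, ALE term) with the largest anticipated
    loss: the first place to look when deciding where spending reduces risk."""
    by_app = level_three(applications)["by_application"]
    return max(((app, t, v) for app, terms in by_app.items() for t, v in terms.items()),
               key=lambda x: x[2])


# Constructed sample applications (the slide names these two, without figures).
SAMPLE_APPS = {
    "supply_chain": {
        "values": {"assets": 200_000, "revenue": 500_000, "fines": 50_000,
                   "it_prod": 40_000, "eu_prod": 100_000},
        # no "p": P = 1 everywhere, i.e. maximum potential loss
    },
    "financial_systems": {
        "values": {"assets": 1_000_000, "revenue": 300_000, "fines": 400_000,
                   "it_prod": 30_000, "eu_prod": 60_000},
        # insurance-style estimates: probability of each exposure type per year
        "p": {"read": 0.3, "modify": 0.1, "delete": 0.1, "avail": 0.5, "misuse": 0.2},
    },
}

if __name__ == "__main__":
    for name, app in SAMPLE_APPS.items():
        print(name, "level one:", level_one(app["values"]))
    org = level_three(SAMPLE_APPS)
    for name, terms in org["by_application"].items():
        print(name, {t: round(v) for t, v in terms.items()})
    print("organization ALE:", round(org["total"]))
    print("highest impact:", highest_impact(SAMPLE_APPS))
```

Note how the matrix changes the answer: at Level One the financial system is the larger loss (1.79M against 0.89M), but once probabilities are applied per exposure type the supply chain's integrity exposure at P = 1 is the single largest term, which is where the next budget argument starts.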
Probability/Likelihood
• The ‘P’ in the equation.
• Highly variable.
• Everyone should consider it ‘1’ initially
• Consider using insurance-like estimates.
  • % of potential loss
Measuring Effectiveness
• Determine highest impact
  • combination of highest anticipated loss and biggest risk.
• Reduce anticipated loss
• Increase productivity
• Effectiveness is the before/after change
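Effectiveness as the before/after change, applied to a set of candidate controls, as an added Python example (not code from the talk or from Spire Security). Each control records the anticipated loss it addresses before and after deployment, the productivity it frees (hours x hourly rate, the slides' own productivity measure) and its annual cost. The ROSI formula used, (loss avoided + productivity gain - cost) / cost, is an assumption made here; the slides mention ROSI but do not define it. The controls and every figure below are constructed.

```python
# Added example (not from the original slides): before/after effectiveness of
# candidate controls, combining reduced anticipated loss with productivity
# gained (hours x hourly rate) against annual cost. The ROSI formula and all
# controls and figures are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    discipline: str       # identity / trust / threat / exposure
    annual_cost: float    # amortized capex + maintenance + staff time, per year
    ale_before: float     # anticipated loss in the area the control addresses
    ale_after: float      # anticipated loss with the control in place
    hours_saved: float    # IT/end-user hours freed per year (negative = extra work)
    hourly_rate: float

    def loss_avoided(self):
        return self.ale_before - self.ale_after

    def productivity_gain(self):
        return self.hours_saved * self.hourly_rate

    def net_benefit(self):
        return self.loss_avoided() + self.productivity_gain() - self.annual_cost

    def rosi(self):
        """Return on security investment: net benefit per dollar spent."""
        if self.annual_cost <= 0:
            raise ValueError(f"{self.name}: annual cost must be positive")
        return self.net_benefit() / self.annual_cost


def highest_impact_control(controls):
    """Where to look first: the control whose target area carries the largest
    anticipated loss (the slide's 'highest anticipated loss and biggest risk')."""
    return max(controls, key=lambda c: c.ale_before)


def justified(controls):
    """Controls that pay for themselves (ROSI > 0), best first. The rest are
    candidates for cutting, not for the budget request."""
    return sorted((c for c in controls if c.rosi() > 0),
                  key=lambda c: c.rosi(), reverse=True)


def effectiveness_report(controls):
    """Per-control before/after change as {name: {...}}."""
    return {
        c.name: {
            "loss_avoided": c.loss_avoided(),
            "productivity_gain": c.productivity_gain(),
            "net_benefit": c.net_benefit(),
            "rosi": round(c.rosi(), 3),
        }
        for c in controls
    }


# Constructed candidates. The IDS carries negative hours: analyst time spent
# tuning alerts is a productivity cost the before/after view must include.
CANDIDATES = [
    Control("patch management", "exposure", 60_000, 700_000, 350_000, 400, 75),
    Control("single sign-on", "identity", 120_000, 150_000, 120_000, 2_000, 60),
    Control("intrusion detection", "threat", 90_000, 500_000, 450_000, -300, 80),
    Control("pki", "trust", 50_000, 100_000, 60_000, 0, 0),
]

if __name__ == "__main__":
    print("highest impact:", highest_impact_control(CANDIDATES).name)
    for name, row in effectiveness_report(CANDIDATES).items():
        print(f"{name:20s} {row}")
    print("justified:", [c.name for c in justified(CANDIDATES)])
```

The single sign-on case is the one to notice: it barely moves anticipated loss, and is justified almost entirely by the help-desk hours it frees, which is the productivity argument the slides say is usually the only loss anyone quantifies.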
how effective is your security?

Measuring Success
Identity Management:
• Accounts assigned
• Passwords changed
• Authenticated sessions
• Failed logins
Trust Management:
• Policy testing
• Certificates issued
• VPN sessions
Measuring Success part II
Threat Management:
• Alerts/incidents
• Failed attacks
• Forensics data collected
Exposure Management:
• Failed access attempts
• Vulnerabilities identified
• Patches applied
• Vulnerabilities fixed
Security Budget Roundup
• Take risk & productivity approach, by identifying ROI & ROSI opportunities
• Conduct complete analysis of security program – develop strategy
• Justify with regulations and incident information