Building a Secure Corporate Environment
Viable business units can make positive contributions to the business

Page 3 of 4   « previous page   next page »

There is no absolute set of questions to ask vendors, but below are recommended questions to consider when evaluating a new technology purchase:

  1. Do you have a dedicated team to assess and respond to security vulnerability reports concerning your product?
  2. What is your vulnerability response process and track record?
  3. What process improvements have you made as a result of past vulnerabilities reported in your software?
  4. What is your release strategy (are they grouped or individual releases)? In other words, how long do we have to wait for fixes to known software problems?
  5. What training does your development and test organization receive on application information security matters?
  6. What percent of your team is focused just on security issues?
  7. Does your company monitor the latest attack trends in the underground (Cracker) community and consider how those trends affect your software?
  8. Do you patch all currently supported vulnerable versions of your application/platforms at the same time (or are they released as needed)?
  9. Has a third party conducted an independent security review (code review) and what are the results?
  10. Can you provide independent references that are using this product?
  11. Application RFPs should contain the following:
  • The terms and period of your security support agreements
  • Proof of security testing and vulnerability assessments during deployment
  • Review vendors' Common Criteria certifications or any other software certifications
  • Review application patch records (quality and quantity)
  • Future upgrades should be dependent on vendors' security records
When evaluating any new technology, all company stakeholders should be included in the process. Remember that there will be many cross dependencies and you need all parties involved if you want the project to be successful.

Insider Notes: The two biggest pitfalls to avoid are providing unrealistic expectations and not revealing dangers in real time. Set expectations for both time and funding, with time being the most important.

Building a Security Organization
This section discusses in detail the measuring process employed when constructing a secure environment.

Understanding Metrics
A successful security organization is constructed on a foundation of four pillars: policy, awareness, risk, and metrics. The policy development, awareness, and risk assessment programs required have been discussed earlier. This section will deal specifically with your security scorecard.

Your metrics should be designed to support business objectives, security operations, security projects, and to measure overall progress. These metrics will be necessary to support four primary areas: on-going security operations, new security projects, supporting internal users, and risk assessments.

Information Collection
The key to good metrics is good information, and the key to good information is a good method for collecting and evaluating that information.

The information collection process starts by identifying all information security work streams, functions, and processes. Policy, systems, users, and other resources are the drivers that will most impact your metrics. The ultimate goal is to develop the capability to automatically collect and track information that will help your team tell the information security story to senior management. Automation of the information collection process is essential if you want accurate and timely information.

Information security metrics are driven by two primary factors: the number of systems in the IT environment and the number of people who use those systems. A good Security Information Management (SIM) tool is a useful technology that allows the collection of logs from server and network devices to monitor, track, and review compliance matters. It can also be leveraged to provide your information security dashboard, which will allow your team to build and compile better metrics, thereby giving management more flexibility to make cost-effective decisions.

Collecting and developing metrics is meaningless without a correlation of events and an action plan. Cleaning viruses as they impact your network is a necessary work effort, but understanding how viruses get through your gateway and why they were able to infect so many systems is even more important. Enterprise correlation of information from many sources is the key to effective security management. By reviewing events from various systems and devices such as intrusion detection alerts, antivirus gateway logs, firewall logs, system logs, etc., you will develop a clear picture of how the virus entered your environment and was able to propagate itself. By making better use of reporting capabilities and correlating security events, you will be more effective at deploying your limited resources to mitigate risk exposures.

The Importance of Being Proactive
Get out in front of your primary risk exposures. To be proactive, an organization must not only be able to collect system and device logs in real time, but also collate them into meaningful reports and act on them. By collecting these logs and sorting them into meaningful reports, you may discover 25 failed logon attempts against your Active Directory. This should set off alarms, and an investigation should be initiated to find out what took place. Perhaps the twenty-sixth attempt by that user was successful. Security departments need to be proactively looking at security metrics and making recommendations to senior management so corrective action can be taken.
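The correlation described above, written out as an added example (not code from the article or from any SIM product): the log format, the threshold of 25 failures, the 15-minute window and the account names are constructed assumptions; the rule flags a failed-logon burst per account and escalates when a logon then succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) account=(?P<acct>\S+) "
                     r"src=(?P<src>\S+) result=(?P<res>SUCCESS|FAILURE)$")

def build_sample_logs():
    """Constructed sample export (not from the article): one logon event per
    line in a normalised form a SIM would produce (e.g. from Windows Security
    events 4625/4624). Twenty-five failures for one account, then a success."""
    base = datetime(2008, 7, 14, 8, 0, 0)
    fmt = "{:%Y-%m-%d %H:%M:%S} account={} src={} result={}"
    lines = [fmt.format(base + timedelta(seconds=10 * i), "jsmith", "10.1.2.3", "FAILURE")
             for i in range(25)]
    lines.append(fmt.format(base + timedelta(seconds=260), "jsmith", "10.1.2.3", "SUCCESS"))
    for i, res in enumerate(["FAILURE", "FAILURE", "SUCCESS"]):  # ordinary user: two typos
        lines.append(fmt.format(base + timedelta(minutes=1, seconds=5 * i), "akumar", "10.1.2.9", res))
    return sorted(lines)  # fixed-width timestamps sort correctly as text

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than fatal
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def detect_logon_bursts(lines, threshold=25, window=timedelta(minutes=15)):
    """Correlate failures per account inside a sliding window. Returns alerts as
    (kind, account, source, failure_count): a 'failed_logon_burst' when the
    threshold is reached and a 'success_after_burst' when a logon then succeeds."""
    failures = defaultdict(list)  # account -> timestamps of failures still in window
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        acct, now = ev["acct"], ev["ts"]
        recent = [t for t in failures[acct] if now - t <= window]
        if ev["res"] == "FAILURE":
            recent.append(now)
            if len(recent) == threshold:  # fire once, when the line is crossed
                alerts.append(("failed_logon_burst", acct, ev["src"], len(recent)))
        else:  # SUCCESS: escalate if it follows a burst, then reset the window
            if len(recent) >= threshold:
                alerts.append(("success_after_burst", acct, ev["src"], len(recent)))
            recent = []
        failures[acct] = recent
    return alerts
```

Running `detect_logon_bursts(build_sample_logs())` yields the burst alert for jsmith and then the escalated alert for the successful twenty-sixth attempt, while the ordinary user's two typos stay below the threshold.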

A process to collect metrics can be developed, but it does little good if it isn't reviewed and acted upon.

Insider Notes: When researching these technologies, all stakeholders should be given a "say," from the network architects and engineers to the risk people. If it involves a security management product, a decision should not be made in a silo.

For example, one indication of a problem might be having a high number of password resets. You can usually predict that your call center, depending on whether it is in-house or outsourced, is probably receiving a lot of calls.

This costs money. You should be asking why you are having so many password resets. Is it that passwords are too complex and people can't remember them? Is it because employees are just forgetful, lazy, or not paying attention to their work? What is driving the password resets? You may have to employ a security awareness program to educate and train users on password usage, which is much more cost-effective than burdening the helpdesk with a deluge of calls.

Another example: correlation of internal maintenance scans reveals that a number of servers have high-severity vulnerabilities. Your team has worked hard to develop good hardening standards, but you know there is always going to be the human factor to consider. IT organizations are always making changes to production, and new security patches are always being announced. Investigation of these vulnerabilities may indicate a poor patch management process or a breakdown in your change control process. Regardless, metrics are not just for gathering information and generating reports; they are tools to solve security problems and reduce costs.

When Are Metrics Successful?
Developing a security dashboard and measuring your success through good quality metrics is another step toward achieving your information security maturity model. Achieving a full level of maturity is probably not possible since conditions will constantly change, and the same is true about metrics.

Probably the best measure of success is your ability to solve security problems and empower business processes through good metrics.

In order for senior management to understand the continuing value that your team adds to the organization and their return on investment, the CISO must continue to effectively communicate a strong information security posture, and that is accomplished by providing good strong metrics.

Presenting for Success
Develop your security "roadmap" early and provide good metrics to support that story. While the credibility and demeanor of the CISO is important, the presentation of your metrics to senior management will require simplicity and meaningful information that can be translated into cost-effective solutions. Using too many bar and pie charts may not communicate your story effectively, especially to non-technology managers. It has to be simple, but effective. Senior management will undoubtedly ask hard and challenging questions, so be prepared to support your metrics.

Periodically, your metrics are going to tell a negative story, and while that will be understood, also be prepared to provide a corrective plan of action.

About Stephen Foster
Stephen W. Foster was Chief Information Security Officer at Avaya Inc. He joined Avaya after a distinguished 20-year career with the Federal Bureau of Investigation.