Dr. J Greg Hanson presents Return on Security Investment Analysis (ROSI): An IMF Executive Security Council Web Forum

Transcript

Dr. J Greg Hanson presents
Return on Security Investment Analysis (ROSI)
An IMF Executive Security Council Web Forum
Dr. J. Greg Hanson
Executive Vice President
Criterion Systems, Inc.
December 10th, 2008
Overview
• Protecting Information at the United States Senate: A Challenging Operating Environment
• Threats and Challenges
• An Approach for Evaluating Return on Security Investment (ROSI)
• Discussion
J. Greg Hanson, Executive Vice President Defense & Homeland Security, Criterion Systems Inc. 2008
A Challenging Operating Environment
The Senate’s Decentralized, Non-Hierarchical Structure
[Diagram: Constituents sit at the top. They control who sits in a given seat at a given point in time but do not determine the existence of the institution. Below them, Senator 1, Senator 2, Committee 1 … Senator 100 each carry their own vision, mission and strategy, compete with one another, and share no common vision. Their Requirements and Direction & Guidance all land on the Chief Information Officer, who provides the Common Information Infrastructure.]
Lots of “Moving Parts”
• 100 Senators
• 24 Committees
• Officers & Leadership Organizations: Sergeant at Arms, Secretary of the Senate, 14 others
The Business of the Senate
• Common Functions:
– Constituent Service
– Legislative Functions
• Common High-level Requirements:
– Informed
– Secure
– Internal Communication
– External Communication
– Staff & Office Operations
– Information Processing
The Senate’s CIO Organization
~ 250 Government FTEs
~ 250 Support Contractors
~ 10,000 Customers
~ 450 Disparate Connected LANs
~ 435 State Offices Connected Via WAN
• National Help Desk Operations
• Telephone Central Office
• Capitol Exchange
• Software Development House
• Program Management Office
• Test & Assessment Labs
• Multiple Computing Centers
• Network Ops. Ctr.
• Security Ops. Ctr.
• Cyber Security Branch
• Emergency Communications
• COOP
Challenge:
Building an Enterprise Anything
“My anger goes back to what I have said before… the Senate is not an
enterprise and no amount of wishing will make it so. … We are not business
units…. We are not a team… As much as we might get along personally, ½ of us are
working to get the other ½ thrown out of their jobs.
I see the CIO as a kind of contractor to the offices. We are – each office – independent from one another, and the CIO should be there to support US not the
other way around.
We are not one big company – we are like 100 little companies who have one ISP.”
A Senator’s System Administrator
In response to a message with directions from the CIO to eradicate the
Welchia computer worm – 20 August 2003
Challenge: Security
How do you protect a high-viz target?
Challenge: Security
• The Senate Belongs to the Public
• The Senate is a Target
• COOP and COG – Preparing for What?
• Data Custody and Control Implications
August 31, 2004
Hackers Hijack Federal Computers
By Jon Swartz, USA Today
PITTSBURGH – Hundreds of powerful computers at the Defense Department and U.S. Senate were hijacked by hackers who used them to send spam e-mail, federal authorities say.
The Challenge: Security
A Layered Defense-In-Depth Approach
[Diagram: layers of controls wrapped around each Senate Office]
• Cisco VPN/RSA SecurID
• SSL VPN
• Intrusion Detection Systems
• Enterprise Firewall
• SPAM Filtering
• Senate Office Router ACL
• Personal Firewall
• Managed Antivirus
• Managed OS Critical Security Updates
• Screen Password Protection
• Strong Username and Password
Challenge: Privacy & Confidentiality
Whose Data is it, Anyway?
• Information Custody, Control & Impact on IT Programs
• Tradeoffs:
– Security vs. Privacy
– Emergency Planning vs. Privacy
The Challenge: Privacy & Confidentiality
Whose Networks are they, Anyway?
• > 400 Disparate Networks
• Patch Management Challenges
• Security Policies & Practices
• Fighting Cyber Threats Inside and Out
Challenge: Security – What’s on the Radar?
• State-sponsored cyber terrorism
• Privacy and personal information
• Malware, Spam, & Adware
• Internal Threats/Education
• Emergency communications
• Data Manipulation/Extraction
• Innovative ways to leverage SOCs to provide value to our customers
Senate SOC saw RinBot 8 days before US-CERT sent a bulletin!
Challenge: Security & Special Events
• Elections & Transitions
• Conventions
• Inaugurations
• State Funerals
Challenge: Security & The Unexpected
[Chart: Impact of July 2004 Intel Committee 9/11 Report on Network Traffic, with the spike marked “Report Released”]
• Pandemic Planning
• August 2005 Hurricane Katrina wiped out 11 State Offices
Challenge: Security & Supporting a Mobile/Enabled User Base
[Chart: Senate Trends in Mobility (2002 - 2006). Series: RSA SecurID, Laptops, VTC. Y-axis ticks 250, 500, 1000, 2000, 4000, 8000; X-axis 2002 through 2006.]
Challenge: Security and Emerging Technologies & Cultural Changes
• Social computing/collaboration technologies
• Information security issues and technologies
– Sophistication of adversaries
– Ability to track vs. desire for privacy
• Web 2.0
• Convergence technologies
• Remote computing & teleworking
• Expectation that bandwidth is infinite
During My Tenure as CIO:
Information Security Was HIGH PRIORITY
• Tied to virtually EVERYTHING
• One of five pillars of the Senate Information Technology Strategic Plan
• Major component of annual CIO budget
• Major oversight and interest from:
– Senate Leadership
– Senate Appropriations Committee
– Senate Rules Committee
A Cost Analysis Tool to Assess:
• $$ vs Capability
• Requirements vs Capability
Would Have Been Extremely Useful
A Practical Quantitative Model For Answering:
• How much is the lack of security costing the enterprise?
• What impact is lack of security having on people (productivity)?
• What impact would a catastrophic breach have?
• What are the most cost-effective solutions?
• What impact will the solutions have on productivity?
[Diagram: the model weighs RISK against COST]
Return on Security Investment (ROSI)
(Wes Sonnenreich, SageSecure LLC, 2004)
ROSI = [(Risk Exposure x % Risk Mitigated by Solution) – Cost of Security Investment] / Cost of Security Investment
Determining values for these is the difficult task
Determining Risk Exposure
ROSI = [(Risk Exposure x % Risk Mitigated by Solution) – Cost of Security Investment] / Cost of Security Investment
Risk Exposure = Average Cost per Incident x Number of Incidents
Average Cost per Incident:
• Estimated incident cost: from empirical organization data – at the Senate this could be collected at the SOC
• Verified using vendor and government sources (e.g.: NIST, Computer Security Institute, FBI, Microsoft, Oracle, etc.)
Accuracy of incident cost is less important than consistency of the method for calculating and reporting the cost….
Losses – In the Context of the Enterprise
• Loss of highly confidential information (how much is intellectual property worth?)
• Loss of productivity associated with an incident
• Loss of “business advantage”
• Loss of customer confidence
All would be considered critical and unacceptable in the Senate environment
Determining % Risk Mitigated by Solution
ROSI = [(Risk Exposure x % Risk Mitigated by Solution) – Cost of Security Investment] / Cost of Security Investment
The Problem: Security doesn’t create anything tangible, but rather prevents loss. A loss that is prevented may not have been known or anticipated.
% Risk Mitigated by Solution – One Approach:
• Conduct and score a risk assessment based on a consistent algorithm – to ascertain the amount of risk currently being mitigated
• Conduct another risk assessment based on the same algorithm, as if the solution were already in place
• The difference between the two results is the risk mitigated by the solution
Accuracy of the result is fully dependent on the quality of the assessment and scoring algorithm.
Cost of Security Investment
ROSI = [(Risk Exposure x % Risk Mitigated by Solution) – Cost of Security Investment] / Cost of Security Investment
• Products
• Implementation Costs
• Opportunity Costs
• Productivity Impacts (Does the solution increase productivity?)
Conclusions
[Diagram: candidate options sorted by how much risk they mitigate]
Not Viable Solutions – Too Little Risk Mitigation: Option 0, Option 1, Option 2
Viable Solutions – Acceptable Risk Mitigation: Option 3, Option 4, Option …, Option n
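The slides above describe the ROSI procedure as four steps: derive Risk Exposure from SOC incident data, score a risk assessment twice (baseline and as-if-deployed) to get % Risk Mitigated, add up the four cost components, and then sort options into not-viable and viable buckets. The following is an added worked example in Python, not code from the deck, from Criterion Systems or from the Sonnenreich paper. Every number in it is constructed: the incident records, the five threats and their 1-5 likelihood/impact scores, the option costs, and the 10% cut-off that separates "too little risk mitigation" from "acceptable". The scoring algorithm (sum of likelihood x impact) is one possible "consistent algorithm"; the deck does not say which one the Senate used.

```python
"""Worked ROSI evaluation, end to end (constructed data, not Senate figures).

Risk Exposure    = Average Cost per Incident x Number of Incidents
% Risk Mitigated = (risk score baseline - risk score as-if-deployed) / baseline
Cost             = Products + Implementation + Opportunity + Productivity impact
ROSI             = (Risk Exposure x % Risk Mitigated - Cost) / Cost
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Incident:
    """One SOC ticket. Field set is an assumption; the deck names no schema."""
    category: str
    hours_down: float       # productive hours lost per affected user
    users_affected: int
    loaded_rate: float      # loaded labour cost, $/hour
    recovery_cost: float    # direct response cost (SOC, help desk, rebuilds)

    def cost(self) -> float:
        return self.hours_down * self.users_affected * self.loaded_rate + self.recovery_cost


@dataclass(frozen=True)
class Threat:
    """One row of a scored risk assessment; 1-5 ordinal scales are assumed."""
    name: str
    likelihood: int
    impact: int


@dataclass
class Option:
    """A candidate investment: how it re-scores threats, plus its four cost parts."""
    name: str
    as_if_deployed: Dict[str, Tuple[int, int]]   # threat -> (likelihood, impact) once deployed
    products: float
    implementation: float
    opportunity: float
    productivity_impact: float                    # > 0 productivity lost, < 0 productivity gained


# Constructed sample: one year of SOC tickets.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("worm outbreak across office LANs", 4.0, 300, 60.0, 12_000.0),
    Incident("hijacked hosts relaying spam", 2.0, 50, 60.0, 8_000.0),
    Incident("credential phishing", 1.0, 20, 60.0, 1_500.0),
    Incident("unpatched workstation malware", 3.0, 10, 60.0, 2_500.0),
]

# Constructed baseline assessment, scored once with the fixed algorithm below.
BASELINE: List[Threat] = [
    Threat("worm propagation across office LANs", 4, 5),
    Threat("spam relay via hijacked hosts", 3, 3),
    Threat("credential phishing", 3, 4),
    Threat("unpatched workstation malware", 4, 3),
    Threat("walk-up access to unlocked workstation", 2, 3),
]

# Constructed options; controls echo the defense-in-depth slide, costs are invented.
OPTIONS: List[Option] = [
    Option("do nothing", {}, 0, 0, 0, 0),
    Option("screen lock policy",
           {"walk-up access to unlocked workstation": (1, 3)}, 0, 5_000, 0, 2_000),
    Option("managed OS critical security updates",
           {"worm propagation across office LANs": (2, 5),
            "unpatched workstation malware": (2, 3)}, 10_000, 8_000, 2_000, -2_000),
    Option("managed antivirus on every office LAN",
           {"worm propagation across office LANs": (3, 4),
            "spam relay via hijacked hosts": (2, 3),
            "unpatched workstation malware": (2, 2)}, 25_000, 10_000, 3_000, 1_000),
]

MIN_MITIGATION = 0.10   # assumed cut-off for "too little risk mitigation"


def average_cost_per_incident(incidents: List[Incident]) -> float:
    return sum(i.cost() for i in incidents) / len(incidents)


def risk_exposure(avg_cost: float, incidents_per_year: int) -> float:
    return avg_cost * incidents_per_year


def risk_score(threats: List[Threat]) -> int:
    """The 'consistent algorithm': it must be identical for both assessments."""
    return sum(t.likelihood * t.impact for t in threats)


def reassess(baseline: List[Threat], option: Option) -> List[Threat]:
    """Second assessment, scored as if the option were already in place."""
    return [Threat(t.name, *option.as_if_deployed.get(t.name, (t.likelihood, t.impact)))
            for t in baseline]


def pct_mitigated(baseline: List[Threat], option: Option) -> float:
    before = risk_score(baseline)
    after = risk_score(reassess(baseline, option))
    return (before - after) / before


def investment_cost(o: Option) -> float:
    return o.products + o.implementation + o.opportunity + o.productivity_impact


def rosi(exposure: float, option: Option, baseline: List[Threat]) -> float:
    cost = investment_cost(option)
    if cost <= 0:   # a do-nothing baseline has no cost; the ratio is undefined
        raise ValueError(f"{option.name}: cost must be positive to compute ROSI")
    return (exposure * pct_mitigated(baseline, option) - cost) / cost


def evaluate(options: List[Option], baseline: List[Threat], exposure: float):
    """Bucket options as the Conclusions slide does, then rank viable ones by ROSI."""
    viable, not_viable = [], []
    for o in options:
        m = pct_mitigated(baseline, o)
        if m < MIN_MITIGATION or investment_cost(o) <= 0:
            not_viable.append((o.name, m))
        else:
            viable.append((o.name, m, rosi(exposure, o, baseline)))
    viable.sort(key=lambda row: row[2], reverse=True)
    return viable, not_viable


if __name__ == "__main__":
    exposure = risk_exposure(average_cost_per_incident(SAMPLE_INCIDENTS), len(SAMPLE_INCIDENTS))
    viable, rejected = evaluate(OPTIONS, BASELINE, exposure)
    print(f"risk exposure: ${exposure:,.0f}/year")
    for name, m, r in viable:
        print(f"  viable   {name:<42} mitigates {m:5.1%}  ROSI {r:+.2f}")
    for name, m in rejected:
        print(f"  rejected {name:<42} mitigates {m:5.1%}")
```

Two things the numbers make visible that the formula alone does not: the option that mitigates the most risk (managed antivirus, 32%) has a negative ROSI because its cost exceeds the loss it averts, while the cheaper patch-management option returns +0.58; and a do-nothing "Option 0" has zero cost, so viability has to be decided on mitigation before ROSI is ever computed, otherwise the formula divides by zero.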