Editor’s Note: This is the second part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program. In this second installment, we discuss where to begin measuring.
H. James Harrington, noted author of Business Process Improvement, once said, “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” A good piece of wisdom, but where do you start? How do you mine data through the use of metrics in order to gain greater insight into your organization’s security posture, while simultaneously using those metrics as a vehicle to protect your most critical assets?
For Infosec’s Unified Security Metrics (USM) team, there are plenty of statistical data sources available to mine, particularly IT system logs and dashboards. In fact, early research conducted by the team identified 30 different types of meaningful data to track. Comprehensive, yes, but neither realistically feasible nor sustainable to implement long-term across Cisco. The USM team’s solution centered on the primary outcomes they were trying to achieve, namely driving security process improvement behaviors and actions within IT. The list was subsequently narrowed down to five key measurements:
- Stack compliance: measures vulnerabilities found in the TCP/IP stack (i.e., network devices, operating systems, application servers, middleware, etc.)
- Anti-malware compliance: quantifies whether malware protection software has been properly installed and is up to date
- Baseline application vulnerability assessment: computes whether automated vulnerability scans have been performed in accordance with Cisco policy and whether any security weaknesses found by the scan remain open
- Deep application vulnerability assessment: computes whether penetration testing has been performed on our most business-critical applications in accordance with Cisco policy and whether any security weaknesses found by the testing remain open
- Design exceptions: measures the total number of open security exceptions, based on deviations from established security standards and best practices
Tags: infosec, metrics, security
Today, we released the first Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:
- Session Initiation Protocol
- Network Address Translation
- Internet Key Exchange Version 2
- SSL VPN
- Cisco 7600 RSP720 with 10GE Uplinks
Tags: Cisco IOS software, psirt, security, security advisories, vulnerabilities
What more does an already innovative company like Cisco do to innovate? What do we need to do differently to influence or shape the next breakthrough that will fundamentally change our industry and Cisco? As we embark on a journey to transform Cisco into the #1 IT solution provider, we know we must innovate more and faster – and spot the next industry-shaping change before it catches our industry off guard.
We believe one of the key strategies for reinventing innovation at Cisco is to embrace openness. Open innovation is a concept developed and evangelized by leading organizational experts, including Dr. Henry Chesbrough, the Executive Director of the Program in Open Innovation at UC Berkeley. It focuses on how organizations can and should use external ideas as well as internal ideas – and internal and external paths to market [1]. Open innovation enables us to stay abreast of and shape the next big change that is going to impact Cisco and our industry.
Tags: analytics, Big Data, Cisco, ciscoeir, cloud, entrepreneurship, innovation, Internet of Everything, internet of things, IoE, IoT, Mala Anand, security, startups
Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in the risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest-risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend than on weekdays. Facebook-related scams accounted for 18% of all web malware encounters in February 2014.
Tags: CSIRT, malware, security, Threat Metrics 2014, TRAC
This post was also authored by Min-yi Shen and Martin Lee.
Security is all about probability. There is a certain probability that something bad will happen to your networks or your systems over the next 24 hours. Hoping that nothing bad will happen is unlikely to change that probability. Investing in security solutions will probably reduce the chance of something bad happening, but by how much? And where can resources be directed most profitably?
Cyber security is a complex environment with many unknowns and interdependencies. TRAC data scientists research this environment to try to understand how different variables affect security. Bayesian graph models are one of our most useful tools for understanding probabilities in security and for exploring how the likelihood of outcomes can be changed.
Tags: probability, security, TRAC