Cyber Security Automation

About This Presentation
Description:

The first step in building your enterprise cybersecurity metrics and security automation and orchestration KPIs is setting clear direction as to what you're collecting and why. You'll need true vision and stakeholder buy-in on a defined path forward.


Transcript and Presenter's Notes


1
Cyber Security Automation
  • Building Holistic Cybersecurity Metrics Program

2
Introduction
  • Understanding the overall security posture of
    your enterprise starts with creating a
    baseline of select organizational and security
    operations metrics. With baseline numbers
    established, you can then begin to increase
    visibility, education and improvement across both
    technology and processes within your program.

3
Cybersecurity Metrics
  • Start by understanding your organization's
    critical assets. This could include everything
    from sensitive customer data and company IP to
    users and devices. I almost always suggest
    starting with anything compliance-related or
    having to do with public assets. These are the
    areas where you should be building metrics first.

4
Collecting Cyber Metrics Data
  • After you've identified what needs to be
    monitored, you need to start collecting
    information and determining what data points are
    available. The process for collecting metrics is
    an important discussion item, since we want to
    limit as much manual effort as possible.
    Determining what information to collect and how
    you'll gather and analyze this data is a crucial
    step in your metrics journey.

5
Determine Cybersecurity Maturity
  • Baselines are what you'll use to
    determine the current cybersecurity maturity of
    your organization overall as well as your SOC.
    Baselines also help you identify any outliers or
    blatant concerns which require urgent attention.
    By creating this foundation and setting standards
    reflecting what's normal within your
    organization, you create a basis for setting
    goals and milestones.

6
Cybersecurity Metrics Measuring Goal
  • To set this as an effective goal, you would need
    to have already done the following:
  • Baseline the current state of your patching
    performance - what is the current time frame for
    new patches to be applied?
  • Understand your organization's risk tolerance -
    how long are unpatched systems acceptable?
  • Only by understanding these elements can you
    determine if a one-week patching window is
    actually a good, reasonable, achievable goal.

7
Strong Cybersecurity Metrics Program
  • The first step in building your enterprise
    cybersecurity metrics and security automation and
    orchestration KPIs is setting clear direction as
    to what you're collecting and why. You'll need
    true vision and stakeholder buy-in on a defined
    path forward. Throughout my career, I've seen
    groups attempt to get stakeholder approval first
    - without having a plan, vision and long-term
    strategy. The result of this approach has been a
    barrage of questions and little in the way of
    support. Particularly when soliciting buy-in from
    executive leadership, you'll reduce the friction
    and expedite approvals by clearly articulating a
    solid plan and the concrete role their support
    plays.

8
Cybersecurity Metrics Program Outcome
  • Outside the executive suite, some stakeholders
    may feel a metrics program adds pressure to their
    departments because of the added visibility into
    their day-to-day operations. Also go in prepared
    with a clear outline of stakeholder roles and
    responsibilities. You'll need to answer questions
    like:
  • If an issue is determined via the metrics, what is
    each stakeholder's responsibility with regard to
    remediation efforts?
  • How will information be reported to them?
  • Will there be SLAs in solving and correcting
    concerns within the metrics?

9
Cybersecurity Metrics Analysis
  • Once your cybersecurity metrics program is in
    full swing, you'll have to aggregate the data you
    collect to output metrics reports. The reports
    should be sent to stakeholders with a clear
    representation of what's being measured, its
    priority, what its baseline was and how it has
    changed over time. Producing these reports
    requires analysis to get a full understanding of
    the numbers and the ability to explain progress,
    shortfalls and fluctuations.

10
Cybersecurity Metrics Report
  • Be prepared for your reports to take into account
    exceptions, adjusting variables and areas where
    combining data may muddy the waters. Often, these
    arise from manual and inconsistent processes. The
    ability to automate response and remediation
    processes can limit skewed metrics, streamline
    reporting, improve predictability and allow for
    better data hygiene when speaking with
    stakeholders.

11
Cybersecurity Metrics Result

12
Conclusion
  • Metrics are an important part of your
    cybersecurity and cyber security automation
    programs, and being able to measure your progress
    shows how well your security program is
    functioning. Having key stakeholders brought to
    review your vision and strategy will assist with
    getting other teams to cooperate in your data
    collection. The more you can automate metric
    collection, as well as broader security
    operations processes, the quicker you can respond
    and produce reports.