Dr. J. Greg Hanson presents Return on Security Investment Analysis (ROSI): An IMF Executive Security Council Web Forum

Slides: 26
Provided by: gregh8
Transcript and Presenter's Notes

1
Dr. J Greg Hanson presents Return on Security
Investment Analysis (ROSI): An IMF Executive
Security Council Web Forum
  • Dr. J. Greg Hanson
  • Executive Vice President
  • Criterion Systems, Inc.
  • December 10th, 2008

2
Overview
  • Protecting Information at the United States
    Senate: A Challenging Operating Environment
  • Threats and Challenges
  • An Approach for Evaluating Return on Security
    Investment (ROSI)
  • Discussion

J. Greg Hanson, Executive Vice President, Defense & Homeland Security, Criterion Systems Inc., 2008
3
A Challenging Operating Environment
The Senate's Decentralized, Non-Hierarchical
Structure
(Diagram labels: Constituents; Competition; Multiple Visions, Missions, &
Strategies; Senator 1, Senator 2 ... Senator 100, Committee 1; Direction &
Guidance; Requirements; Common Information Infrastructure; Chief Information
Officer.)
  • No common vision
  • Constituents: control who sits in a given seat at a given point in
    time; do not determine the existence of the institution
4
Lots of Moving Parts
  • 100 Senators
  • 24 Committees
  • Officers & Leadership Organizations
  • Sergeant at Arms
  • Secretary of the Senate
  • 14 Others
5
The Business of the Senate
  • Common Functions
    • Constituent Service
    • Legislative Functions
  • Common High-level Requirements
    • Informed
    • Secure
    • Internal Communication
    • External Communication
    • Staff Office Operations
    • Information Processing

6
The Senate's CIO Organization
250 Government FTEs; 250 Support Contractors;
10,000 Customers; 450 Disparate Connected LANs;
435 State Offices Connected Via WAN
  • National Help Desk Operations
  • Telephone Central Office
  • Capitol Exchange
  • Software Development House
  • Program Management Office
  • Test Assessment Labs
  • Multiple Computing Centers
  • Network Ops. Ctr.
  • Security Ops. Ctr.
  • Cyber Security Branch
  • Emergency Communications
  • COOP

7
Challenge: Building an Enterprise Anything
"My anger goes back to what I have said before:
the Senate is not an enterprise and no amount of
wishing will make it so. We are not business
units. We are not a team. As much as we might get
along personally, ½ of us are working to get the
other ½ thrown out of their jobs. I see the CIO
as a kind of contractor to the offices. We are
each office, independent from one another, and the
CIO should be there to support US, not the other
way around. We are not one big company; we are
like 100 little companies who have one ISP."
A Senator's System Administrator, in response to a
message with directions from the CIO to
eradicate the Welchia computer worm, 20 August 2003
8
Challenge: Security
How do you protect a high-viz target?
9
Challenge: Security
  • The Senate Belongs to the Public
  • The Senate is a Target
  • COOP and COG: Preparing for What?
  • Data Custody and Control Implications

August 31, 2004
"Hackers Hijack Federal Computers" by Jon Swartz,
USA Today. PITTSBURGH: Hundreds of powerful
computers at the Defense Department and U.S.
Senate were hijacked by hackers who used them to
send spam e-mail, federal authorities say.
10
The Challenge: Security
A Layered Defense-In-Depth Approach
(Diagram layers, in the order extracted:)
  • Cisco VPN/RSA SecurID SSL VPN
  • Intrusion Detection Systems
  • Enterprise Firewall
  • SPAM Filtering
  • Senate Office Router ACL
  • Personal Firewall
  • Managed Antivirus
  • Managed OS Critical Security Updates
  • Screen Password Protection
  • Strong Username and Password
11
Challenge: Privacy & Confidentiality
Whose Data is it, Anyway?
  • Information Custody & Control: Impact on IT
    Programs
  • Tradeoffs
    • Security vs. Privacy
    • Emergency Planning vs. Privacy

12
The Challenge: Privacy & Confidentiality
Whose Networks are they, Anyway?
  • > 400 Disparate Networks
  • Patch Management Challenges
  • Security Policies & Practices
  • Fighting Cyber Threats Inside and Out

13
Challenge: Security
What's on the Radar?
  • State-sponsored cyber terrorism
  • Privacy and personal information
  • Malware, Spam, Adware
  • Internal Threats/Education
  • Emergency communications
  • Data Manipulation/Extraction
  • Innovative ways to leverage SOCs to provide
    value to our customers

Senate SOC saw RinBot 8 days before U.S. CERT
sent a bulletin!
14
Challenge: Security
Special Events
  • Elections & Transitions
  • Conventions
  • Inaugurations
  • State Funerals

15
Challenge: Security
The Unexpected
  • Impact of July 2004 Intel Committee 9/11 Report
    on Network Traffic (chart; annotation: Report
    Released)
  • Pandemic Planning
  • August 2005: Hurricane Katrina wiped out 11 State
    Offices
16
Challenge: Security
Supporting a Mobile/Enabled User Base
17
Challenge: Security and Emerging Technologies
Cultural Changes
  • Social computing/collaboration technologies
  • Information security issues and technologies
  • Sophistication of adversaries
  • Ability to track vs. desire for privacy
  • Web 2.0
  • Convergence technologies
  • Remote computing & teleworking
  • Expectation that bandwidth is infinite

18
During My Tenure as CIO, Information Security Was
HIGH PRIORITY
  • Tied to virtually EVERYTHING
  • One of five pillars of Senate Information
    Technology Strategic Plan
  • Major component of annual CIO budget
  • Major oversight and interest from
    • Senate Leadership
    • Senate Appropriations Committee
    • Senate Rules Committee
  • A Cost Analysis Tool to Assess Requirements vs.
    Capability Would Have Been Extremely Useful

19
A Practical Quantitative Model For Answering:
  • How much is the lack of security costing the
    enterprise?
  • What impact is lack of security having on people
    (productivity)?
  • What impact would a catastrophic breach have?
  • What are the most cost-effective solutions?
  • What impact will the solutions have on
    productivity?

(Chart axes: RISK, COST)
20
Return on Security Investment (ROSI) (Wes
Sonnenreich, SageSecure LLC, 2004)
ROSI = ((Risk Exposure × Risk Mitigated by Solution) - Cost of Security Investment)
       / Cost of Security Investment
Determining values for these is the difficult task.
21
Determining Risk Exposure
ROSI = ((Risk Exposure × Risk Mitigated by Solution) - Cost of Security Investment)
       / Cost of Security Investment
  • Risk Exposure = Average Cost per Incident ×
    Number of Incidents
  • Average Cost per Incident
    • Estimated incident cost from empirical
      organization data; at the Senate this could be
      collected at the SOC
    • Verified using vendor and government sources
      (e.g. NIST, Computer Security Institute, FBI,
      Microsoft, Oracle, etc.)

Accuracy of incident cost is less important than
consistency of the method for calculating and
reporting the cost.
22
Losses In the Context of the Enterprise
  • Loss of highly confidential information (how much
    is intellectual property worth?)
  • Loss of productivity associated with an incident
  • Loss of business advantage
  • Loss of customer confidence
  • All would be considered critical and unacceptable
    in the Senate environment

23
Determining Risk Mitigated by Solution
ROSI = ((Risk Exposure × Risk Mitigated by Solution) - Cost of Security Investment)
       / Cost of Security Investment
The Problem: Security doesn't create anything
tangible, but rather prevents loss. A loss that
is prevented may not have been known or
anticipated.
  • Risk Mitigated by Solution: One Approach
    • Conduct and score a risk assessment based on a
      consistent algorithm to ascertain the amount of
      risk currently being mitigated
    • Conduct another risk assessment based on the same
      algorithm as if the solution were already in place
    • The difference between the results is the risk
      mitigated by the solution

The accuracy of the result is fully dependent on the
quality of the assessment and the scoring algorithm.
24
Cost of Security Investment
ROSI = ((Risk Exposure × Risk Mitigated by Solution) - Cost of Security Investment)
       / Cost of Security Investment
  • Products
  • Implementation Costs
  • Opportunity Costs
  • Productivity Impacts (Does the solution increase
    productivity?)

25
Conclusions
(Chart with four regions: Not Viable Solutions / Viable Solutions against
Too Little Risk Mitigation / Acceptable Risk Mitigation)
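
The ROSI chain from slides 21 through 24, carried through end to end as an added worked example; this is not code from the presentation or from Criterion Systems. It assumes a simple scoring algorithm (mean of likelihood × impact on 0..1 scales), a 25% threshold for the "acceptable risk mitigation" half of the Conclusions chart, and constructed sample figures for incident cost, incident count, the two risk assessments and the cost components; none of the numbers are Senate data. Risk Mitigated is taken as the difference of the two assessment scores divided by the current score, so that it is a fraction that can multiply the money figure for Risk Exposure.

```python
"""Worked ROSI calculation. Added illustration, not code from the presentation
or Criterion Systems; the scoring rule and every number are assumptions.

Formula on the slides (Sonnenreich, 2004):
    ROSI = ((Risk Exposure x Risk Mitigated by Solution) - Cost) / Cost
Components (slides 21-24):
    Risk Exposure  = Average Cost per Incident x Number of Incidents
    Risk Mitigated = difference of two assessments scored with one algorithm
    Cost           = products + implementation + opportunity + productivity impact
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RiskItem:
    """One line of a risk assessment. Scales are assumed: both in 0..1."""
    name: str
    likelihood: float  # chance the threat materialises in the period
    impact: float      # relative severity if it does


def score_assessment(items: Iterable[RiskItem]) -> float:
    """Assumed scoring algorithm: mean of likelihood x impact, in 0..1.
    What matters is applying the same rule to both assessments."""
    items = list(items)
    if not items:
        return 0.0
    return sum(i.likelihood * i.impact for i in items) / len(items)


def risk_mitigated(before: Iterable[RiskItem], after: Iterable[RiskItem]) -> float:
    """Fraction of current risk removed by the solution (0..1): slide 23's
    difference of the two scores, normalised by the current score."""
    current = score_assessment(before)
    projected = score_assessment(after)
    if current <= 0.0:
        return 0.0
    return max(0.0, min(1.0, (current - projected) / current))


def risk_exposure(avg_cost_per_incident: float, incidents: float) -> float:
    """Slide 21: Risk Exposure = Average Cost per Incident x Number of Incidents."""
    return avg_cost_per_incident * incidents


@dataclass(frozen=True)
class InvestmentCost:
    """Slide 24 cost components. productivity_impact is negative when the
    solution makes staff more productive (a credit), positive if it slows them."""
    products: float
    implementation: float
    opportunity: float
    productivity_impact: float

    def total(self) -> float:
        return (self.products + self.implementation
                + self.opportunity + self.productivity_impact)


def rosi(exposure: float, mitigated: float, cost: float) -> float:
    """Sonnenreich ROSI: net benefit per unit invested; > 0 means it pays back."""
    if cost <= 0.0:
        raise ValueError("cost of security investment must be positive")
    return (exposure * mitigated - cost) / cost


def classify(rosi_value: float, mitigated: float, min_mitigation: float = 0.25) -> str:
    """Quadrant of the Conclusions chart: viable / not viable (ROSI > 0) crossed
    with acceptable / too little risk mitigation. The 25 % threshold is an
    assumption; the slide gives no number."""
    viability = "viable" if rosi_value > 0.0 else "not viable"
    mitigation = ("acceptable risk mitigation" if mitigated >= min_mitigation
                  else "too little risk mitigation")
    return f"{viability}, {mitigation}"


# Constructed sample data (not Senate figures) -------------------------------
CURRENT_STATE = [
    RiskItem("malware outbreak", likelihood=0.8, impact=0.6),
    RiskItem("spam / phishing", likelihood=0.9, impact=0.2),
    RiskItem("insider misuse", likelihood=0.3, impact=0.9),
    RiskItem("targeted intrusion", likelihood=0.4, impact=0.8),
]
# The same items re-scored as if managed antivirus plus OS patching were in place.
WITH_SOLUTION = [
    RiskItem("malware outbreak", likelihood=0.3, impact=0.6),
    RiskItem("spam / phishing", likelihood=0.9, impact=0.2),
    RiskItem("insider misuse", likelihood=0.3, impact=0.9),
    RiskItem("targeted intrusion", likelihood=0.3, impact=0.8),
]
SOC_INCIDENT_DATA = {"avg_cost_per_incident": 12_000.0, "incidents_per_year": 40}
SOLUTION = InvestmentCost(products=60_000.0, implementation=30_000.0,
                          opportunity=10_000.0, productivity_impact=-5_000.0)


def evaluate(before=CURRENT_STATE, after=WITH_SOLUTION,
             incidents=SOC_INCIDENT_DATA, cost=SOLUTION) -> dict:
    """Run the whole chain and return each intermediate figure."""
    exposure = risk_exposure(incidents["avg_cost_per_incident"],
                             incidents["incidents_per_year"])
    mitigated = risk_mitigated(before, after)
    total_cost = cost.total()
    value = rosi(exposure, mitigated, total_cost)
    return {"risk_exposure": exposure, "risk_mitigated": mitigated,
            "cost": total_cost, "rosi": value,
            "verdict": classify(value, mitigated)}


if __name__ == "__main__":
    for key, val in evaluate().items():
        print(f"{key:>15}: {val}")
```

With the constructed inputs the chain gives Risk Exposure 480,000, Risk Mitigated 0.304, cost 95,000 and ROSI 0.536, which lands in the viable / acceptable quadrant. Because Risk Mitigated is a ratio of two scores produced by the same algorithm, a uniform bias in the scoring (every likelihood judged too high or too low by the same factor) cancels out; that is the consistency-over-accuracy argument slide 21 makes for incident costs, carried over to the assessment side.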