August 17, 2010
Opening Remarks: Five Years of Metrics
Andrew Jaquith
Senior Analyst
Forrester Research
Entire contents © 2009 Forrester Research, Inc. All rights reserved.
About Andrew Jaquith
• Senior analyst at Forrester since October 2008
• Coverage: client security, data security, mobile security
• Recent research:
– Apple’s iPhone and iPad: Secure Enough for Business? (Aug 2010)
– Market Overview: Enterprise Rights Management (June 2010)
– Own Nothing. Control Everything (January 2010)
– Data-Centric Security Requires Devolution, Not a Revolution (2009)
• Senior analyst at Yankee Group 2005-2008
• Co-founder of pioneering security consultancy @stake
• Author of best-selling security book, Security Metrics
• Founder, securitymetrics.org. Co-developer of Apache JSPWiki
Andrew and Khalid Kark will be facilitating a Security Metrics Workshop at Forrester’s IT Security Forum in Boston, September 15th-16th 2010.
Five Years Later, Are Security Metrics Still a Fad?
Agenda
• Welcome
• Five Years of Metrics
• Nuts and Bolts
Metricon 2.0: Jeremiah Grossman (2007)
• Excellent “texture and depth” on prevailing practices
– 18 month snapshot: Jan 2006-August 2007
– 128m websites
• Factoid I scribbled down: 7 out of 10 sites have “critical” or “urgent” vulns
Mini-Metricon 2.5: Verizon’s 1st DBIR
• First look at “curated” enterprise metrics about intrusions and data breach incidents
• Terrific insights about attacker paths
• Disabused the insider threat argument
Metricon 3.0: Caroline Wong, eBay (2008)
• Gosh, a real live enterprise! And a household name…
• Great snapshot of how fraud and security relate
• Metrics I scribbled down: eBay watches the number of compromised accounts.
– Also: # of “maliciously compromised” accounts
Mini-Metricon 3.5: Maureen Doyle (2009)
• Analysis of 100 weeks of code commits and code quality for 14 open-source PHP apps
– Vuln density: 8.88 vulns/KLOC
– Some correlation between cyclomatic complexity and security defects
• Neat insight I scribbled down:
– Study found no correlation between security defects and code churn
Metricon 4.0: James Cowie, Renesys (2009)
• Used three metrics to determine the “cluefulness” of organizations connecting to the Internet
– Compliance - are your routing advertisements compliant with what you have
– Availability - how available is your network?
– Diversity - how diverse are your providers?
• Money quote I scribbled down:
– “How do we make people change their behavior? Easy. Cut right to the base emotions: fear and shame.”
Today’s schedule
9:00 – 9:30 Welcome
9:30 – 10:30 Metrics Present (part 1)
Morning break
11:00 – 12:30 Metrics Present (part 2)
Lunch break
1:45 – 2:45 Metrics Present (part 3)
Afternoon break
3:15 – 4:15 Metrics Future
4:15 – 5:30 Rump session
5:30+ Beer (sponsored by Blue Canopy)
Nuts and Bolts
• Wireless
– SSID: usenix. Password: usenix2010
• Lunch
– 12:30-1:45, Thurgood Marshall South West
• Beers
– 5:30-6:30, Harding (this room)
• USENIX Happy Hour
– 6-7 pm, Thurgood Marshall North East
Rules for living
• This is a safe environment
• We will publish official (high level) proceedings
• Anything you ask to be “off the record” will stay so
• Save your e-mail for break times
• Assertiveness is welcome. Rudeness is not
• Stay engaged
• Have fun
Enjoy the Day
Andrew Jaquith
Senior Analyst, Security and Risk
+1 617.613.6410
www.forrester.com
Twitter: arj