Average Reviews:
(More customer reviews)I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.
Fortunately, Security Metrics offers another solution. The book gives readers three sets of information: theory, metrics, and tools (concepts, not programs). The theory chapters (1 and 2) were so concise yet insightful I was tempted to underline every sentence. (I am not kidding.) Even the Preface made me glad to be reading the book when it associated "security ROI" with "the Macarena" and called it a "needless distraction." I laughed in agreement when I saw Andy call "security enablement" the "Abominable Snowman: it is rarely spotted, but legions of people swear it exists. After all, as my friend Dan geer puts it, 'You don't usually see airlines advertising how their planes fall out of the sky less often than their competitors.'" Why is that? My answer is simple: security is assumed and expected. Advertising anything else has no effect or makes people suspicious. I knew this book would be good.
The metrics chapters probably list hundreds of metrics you can extract verbatim and apply to your own environment. To the reviewer who wanted to reprint them in an appendix: they're called chapters 3 and 4. My main concern with the metrics was the focus on input-centric measurements instead of results. I would have liked to read more metrics on measuring whether security programs are working, rather than what techniques and tools are applied up front.
The tools chapters were helpful to anyone needing a statistics refresher. The visualization sections were especially helpful. (Feel free to dismiss yet another ignorant review from WB, who thinks a "review" means writing a few paragraphs after flipping through the pages of five books a day.) Andy's examples of turning lousy graphs and charts into information visualization vehicles should be followed by all managers.
Security Metrics is strengthened by the many stories from the author's consulting experience. I sensed that his techniques work and are not the product of the thought laboratory alone. I found his "Balanced Scorecard" approach to be interesting, especially to the degree it ties real metrics to business operations.
I had a few issues with terminology, such as using the term "threats" on p 231 when "attacks" is more accurate. (The football analogy is correct, however.) I semi-agreed with the author's suggestion to abandon "risk management" in favor of metrics-based approaches, but I didn't think two pages (4-5) were really enough to make the case. On p 264, threats are not risks, but they help instantiate risks. On pp 78-7, "risk of exploit" should be "ease of exploitation."
These are minor concerns, given the overwhelming concentration of practical and implementation-worthy pieces of information in Security Metrics. You must read this book if you care to measure security progress. Now we need Dan Geer to extend beyond writing wise forewords and articles into the world of his own book!
Click Here to see more reviews about: Security Metrics: Replacing Fear, Uncertainty, and Doubt
The Definitive Guide to Quantifying, Classifying, and Measuring Enterprise IT Security Operations
Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise.
Usingsample charts, graphics, case studies, and war stories, Yankee GroupSecurity Expert Andrew Jaquith demonstrates exactly how to establisheffective metrics based on your organization's unique requirements.You'll discover how to quantify hard-to-measure security activities,compile and analyze all relevant data, identify strengths andweaknesses, set cost-effective priorities for improvement, and craftcompelling messages for senior management.
Security Metrics successfullybridges management's quantitative viewpoint with the nuts-and-boltsapproach typically taken by security professionals. It brings togetherexpert solutions drawn from Jaquith's extensive consulting work in thesoftware, aerospace, and financial services industries, including newmetrics presented nowhere else. You'll learn how to:
• Replace nonstop crisis response with a systematic approach to security improvement
• Understand the differences between "good" and "bad" metrics
•Measure coverage and control, vulnerability management, passwordquality, patch latency, benchmark scoring, and business-adjusted risk
• Quantify the effectiveness of security acquisition, implementation, and other program activities
• Organize, aggregate, and analyze your data to bring out key insights
• Use visualization to understand and communicate security issues more clearly
• Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources
• Implement balanced scorecards that present compact, holistic views of organizational security effectiveness
Whetheryou're an engineer or consultant responsible for security and reportingto management–or an executive who needs better information fordecision-making–Security Metrics is the resource you have been searching for.
Andrew Jaquith, programmanager for Yankee Group's Security Solutions and Services DecisionService, advises enterprise clients on prioritizing and managingsecurity resources. He also helps security vendors develop product,service, and go-to-market strategies for reaching enterprise customers.He co-founded @stake, Inc., a security consulting pioneer acquired bySymantec Corporation in 2004. His application security and metricsresearch has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist.
Foreword
Preface
Acknowledgments
About the Author
Chapter1 Introduction:Escaping the Hamster Wheel ofPain
Chapter2 Defining SecurityMetrics
Chapter 3 Diagnosing Problems and Measuring Technical Security
Chapter4 Measuring ProgramEffectiveness
Chapter 5 Analysis Techniques
Chapter 6 Visualization
Chapter 7 Automating Metrics Calculations
Chapter 8 Designing Security Scorecards
Index
Click here for more information about Security Metrics: Replacing Fear, Uncertainty, and Doubt
No comments:
Post a Comment