In today's Whiteboard Wednesday, Jane Man will discuss proper security controls effectiveness. She will talk about what it takes to assess your current security controls today and how to harden these control even more for security. She also talks about how you can go about choosing the most important security controls to assess.
Managing your controls effectiveness can be tough. We have come out with a new product called ControlsInsight that help assess, harden, and monitor your controls effectiveness over time.
Read Video Transcript
Welcome to Whiteboard Wednesday. I'm Jane Mane; I am the Product Marketing Manager here at Rapid7 for our new product, ControlsInsight. Today, I'm going to talk about control effectiveness. What is control effectiveness and why should you care? Control effectiveness is basically an assessment of how much implementing a particular security control will reduce the likely hood of security breach or attack happening. To give you an example, having a patch management process as a control that reduces the likelihood of an attacking exploiting an software vulnerability in your network and getting access to your assets. Another example is having a strong password policy. That's a control that reduces the likelihood of someone cracking your password and getting unauthorized access to your network.
Why should you care? Most companies make significant investments in implementing and deploying controls. You really want to understand whether you're getting return on that investment. Also getting an idea of control effectiveness means that you can identify the gaps and where you're most at risk. This will help you to plan and budget for new controls or improvements to existing controls.
How do you measure it? There are many ways. This is just one way, but there are 3 main factors: How important or critical control is. That means how important it is to protecting your assets that you care about. How broadly the control is deployed and how well a particular control is configured. Let's look at the first factor: How critical control is. There are lots of industry resources out there like 'The Top 20 Critical Security Controls', published by San's Institute that tells you how important controls are. That list is massive and tends to be very comprehensive and gives you all the important controls that you can put in your organization. We think that's great idea to go through that list and identify that ones that are really important to you so you can get a list that applies to your organization.
Once you have that list of critical controls for your organization, you need to measure how broadly it's deployed. That means for example if we use antivirus, it means what percentage of machines has antivirus deployed towards? That gives you idea of how many machines antivirus is protecting. It's not enough to just have antivirus installed, you also need to know that that particular control is being configured in a way that maximizes its ability to protect your assets. If we're using antivirus as an example, it's about making sure that antivirus are enabled. Every time you turn on your machine, it's protecting your machine and also making sure the DAT file's up-to-date so you're being protected against the latest threats.
Once you got all these 3 factors, it's all about putting it together. We've seen organizations put together in many different ways: They take Excel spreadsheets, they put in heat maps, and do a checklist or scorecards. They may even do even slides on PowerPoint. We really see this as a concern for customers and a real problem. What we've done with ControlsInsight is we automate this whole process, we put in all these 3 factors; the data that you collect for these 3 factor and we presented it in a very simple, easy-to-understand dashboard that has each metric clearly identified, and then we give you an overall score that tells you overall how are you doing with control effectiveness?
If you want to know more or you want to give this a go, you can go onto our website and you can get free 7-day trial of ControlsInsight. Thanks for joining us.